WebKit Bugzilla
RESOLVED FIXED
54590
Fix xssAuditor/form-action.html
https://bugs.webkit.org/show_bug.cgi?id=54590
Adam Barth
Reported
2011-02-16 14:47:36 PST
Fix xssAuditor/form-action.html
Attachments
Patch (3.77 KB, patch), 2011-02-16 14:49 PST, Adam Barth, no flags
Adam Barth
Comment 1
2011-02-16 14:49:06 PST
Created attachment 82703: Patch
Eric Seidel (no email)
Comment 2
2011-02-16 14:51:53 PST
Comment on attachment 82703: Patch
That diff looks strange due to the file previously being empty. But looks good.
WebKit Commit Bot
Comment 3
2011-02-16 20:01:14 PST
Comment on attachment 82703: Patch
Clearing flags on attachment: 82703
Committed r78780: <http://trac.webkit.org/changeset/78780>
WebKit Commit Bot
Comment 4
2011-02-16 20:01:19 PST
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 5
2011-02-17 10:54:55 PST
+ We should block form actions. Although this technically can't be used + to run script, it's a pretty easy vector for stealing passwords. Doesn't the error message get too confusing then? +CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
Adam Barth
Comment 6
2011-02-17 12:28:36 PST
Yep. We should tailor the error message to what was blocked.