Bug 60489 - XSSAuditor should be more selective about the <meta http-equivs> that it blocks
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Adam Barth
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-09 11:48 PDT by Adam Barth
Modified: 2011-05-09 14:20 PDT

See Also:


Attachments
Patch (5.17 KB, patch)
2011-05-09 11:52 PDT, Adam Barth
Patch for landing (5.44 KB, patch)
2011-05-09 12:03 PDT, Adam Barth
Patch for landing (6.84 KB, patch)
2011-05-09 12:25 PDT, Adam Barth

Description Adam Barth 2011-05-09 11:48:28 PDT
XSSAuditor should be more selective about the <meta http-equivs> that it blocks
Comment 1 Adam Barth 2011-05-09 11:52:37 PDT
Created attachment 92815 [details]
Patch
Comment 2 Daniel Bates 2011-05-09 12:00:07 PDT
Comment on attachment 92815 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=92815&action=review

> Source/WebCore/ChangeLog:28
> +        (WebCore::isNonCanonicalCharacter):
> +        (WebCore::canonicalize):
> +        (WebCore::isRequiredForInjection):
> +        (WebCore::hasName):
> +        (WebCore::findAttributeWithName):
> +        (WebCore::isNameOfInlineEventHandler):
> +        (WebCore::isDangerousHTTPEquiv):
> +        (WebCore::containsJavaScriptURL):
> +        (WebCore::decodeURL):
> +        (WebCore::XSSFilter::eraseAttributeIfInjected):
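
Review bot: The (WebCore::isDangerousHTTPEquiv) entry in this ChangeLog list has nothing after its colon, so the entry does not record which http-equiv values the auditor treats as dangerous and which it now lets through. That choice is the security-relevant part of this change; state it on that line so a reader of the ChangeLog can evaluate it without opening the source.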

Most of the changes to these methods are because this patch moves them from being in an anonymous namespace to being static functions. So as to demarcate the syntactic change from the actual change for this bug, I suggest adding a remark to the right of isDangerousHTTPEquiv to mention that it was added, and adding some sort of remark to the other functions (or a general sentence to the commit message) to describe the syntactic changes. Alternatively, you could split this into two patches/bugs: one to move the methods from being in an anonymous namespace to being static functions, and one patch/bug to actually make the change described in this bug.
Comment 3 Daniel Bates 2011-05-09 12:01:16 PDT
Comment on attachment 92815 [details]
Patch

Also, can we test this change?
Comment 4 Adam Barth 2011-05-09 12:03:04 PDT
Created attachment 92821 [details]
Patch for landing
Comment 5 Adam Barth 2011-05-09 12:03:34 PDT
Comment on attachment 92821 [details]
Patch for landing

Updated patch.  Eric and I were discussing how and whether we want a test for this patch.
Comment 6 Adam Barth 2011-05-09 12:25:06 PDT
Created attachment 92826 [details]
Patch for landing
Comment 7 WebKit Commit Bot 2011-05-09 14:20:32 PDT
Comment on attachment 92826 [details]
Patch for landing

Clearing flags on attachment: 92826

Committed r86087: <http://trac.webkit.org/changeset/86087>
Comment 8 WebKit Commit Bot 2011-05-09 14:20:38 PDT
All reviewed patches have been landed.  Closing bug.