http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml introduced in http://trac.webkit.org/changeset/96984 (https://bugs.webkit.org/show_bug.cgi?id=69661), but fails on the Qt bot: --- /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt +++ /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-actual.txt @@ -1,3 +1,4 @@ -CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match. - -This test passes if it doesn't alert the contents of innocent-victim.html. +CONSOLE MESSAGE: line 2: <html xmlns='http://www.w3.org/1999/xhtml/'><body><p>Running an XSL-T 1.0 stylesheet with a 2.0 processor.</p></body></html> +CONSOLE MESSAGE: line 2: <html xmlns='http://www.w3.org/1999/xhtml/'><body><p>Running an XSL-T 1.0 stylesheet with a 2.0 processor.</p></body></html> +FAIL: Timed out waiting for notifyDone to be called +This test passes if it doesn't alert the contents of innocent-victim.html. bug69661 is security bug, so I can't comment it, but I cc-ed the author (Sergey), the reviewer (Adam) and a member of security group from Nokia (Tor Arne). Could you check if it is a security problem on Qt or not?
Skipped by http://trac.webkit.org/changeset/97008 until fix.
It's not a security problem. The test is just timing out for some reason.
Created attachment 110291 [details] Patch
Thanks Sergey.
Comment on attachment 110291 [details] Patch Clearing flags on attachment: 110291 Committed r97021: <http://trac.webkit.org/changeset/97021>
All reviewed patches have been landed. Closing bug.
Aw, it's failing again and the diff is nice: --- /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt +++ /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-actual.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match. -This test passes if it doesn't alert the contents of innocent-victim.html. +This test passes if it doesn't alert the contents of innocent-victim.html.
Thanks for the fix. It seems the difference caused by a Qt-DRT bug, new bug report: https://bugs.webkit.org/show_bug.cgi?id=69718 And I added a Qt specific expected file to make our buildbot happy: http://trac.webkit.org/changeset/97024