RESOLVED FIXED 94547
XSSAuditor too tolerant of injected data: URLs from other "hostless" schemes.
https://bugs.webkit.org/show_bug.cgi?id=94547
Thomas Sepez
Reported 2012-08-20 16:39:21 PDT
Originally reported by sasha zivojinovic at crbug.com/142636.

XSSAuditor's isSameOriginRequest() gets tripped up when the main page is loaded from, say, file:/// (which has no host portion) and the injected payload is from data: (which also has no host portion). No risk of cookie theft from data: URLs, but it can do nuisance things like navigate the top page. Unclear whether there are really any protocols that need this protection.
Attachments
Patch + test case. (6.03 KB, patch)
2012-08-20 16:48 PDT, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2012-08-20 16:48:11 PDT
Created attachment 159561: Patch + test case.
Thomas Sepez
Comment 2 2012-08-20 16:51:00 PDT
Changed the name of the function so that it doesn't say "same origin" whilst completely ignoring scheme and port.
Adam Barth
Comment 3 2012-08-20 16:51:31 PDT
Comment on attachment 159561: Patch + test case.

Ok. We added this to weed out some false positives, but they were all for URLs that had hosts, so this is probably fine.
WebKit Review Bot
Comment 4 2012-08-20 19:11:18 PDT
Comment on attachment 159561: Patch + test case.

Clearing flags on attachment: 159561

Committed r126120: <http://trac.webkit.org/changeset/126120>
WebKit Review Bot
Comment 5 2012-08-20 19:11:22 PDT
All reviewed patches have been landed. Closing bug.