No subject
Mon Jan 28 08:41:14 PST 2013
0615">r160615</a> by <tsepez at chromium.org>
https://src.chromium.org/viewvc/blink?view=rev&revision=160615
Source/WebCore:
Test: http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html
* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::filterIframeToken):
LayoutTests:
* http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt: Added.
* http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html: Added.
* http/tests/security/xssAuditor/resources/echo-frame-src.pl: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlparserXSSAuditorcpp">trunk/Source/WebCore/html/parser/XSSAuditor.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedhtml">trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorresourcesechoframesrcpl">trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id=3D"trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (158675 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/ChangeLog 2013-11-05 16:23:33 =
UTC (rev 158675)
+++ trunk/LayoutTests/ChangeLog 2013-11-05 18:02:18 UTC (rev 158676)
</span><span class=3D"lines">@@ -1,3 +1,14 @@
</span><ins>+2013-11-05 Daniel Bates <dabates at apple.com>
+
+ XSSAuditor should catch reflected srcdoc properties even without=
a <frame> tag injection
+
+ From Blink r160615 by <tsepez at chromium.org>
+ https://src.chromium.org/viewvc/blink?view=3Drev&revision=3D=
160615
+
+ * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-=
expected.txt: Added.
+ * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.=
html: Added.
+ * http/tests/security/xssAuditor/resources/echo-frame-src.pl: Ad=
ded.
+
</ins><span class=3D"cx"> 2013-11-05 Micha=C5=82 Paku=C5=82a vel Rutka =
<m.pakula at samsung.com>
</span><span class=3D"cx">=20
</span><span class=3D"cx"> Unreviewed EFL gardening
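Review bot: the new entry (the `+2013-11-05 Daniel Bates` block) has neither a `Reviewed by` line nor a bugs.webkit.org URL; only the Blink revision is cited. Add the WebKit bug link and the reviewer (or mark it `Unreviewed` if it is a straight merge of r160615) so the change can be traced on the WebKit side rather than only through the Blink viewvc link.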
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt (0 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/http/tests/security/xssAuditor=
/iframe-srcdoc-property-blocked-expected.txt (rev=
0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-proper=
ty-blocked-expected.txt 2013-11-05 18:02:18 UTC (rev 158676)
</span><span class=3D"lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute =
a script in 'http://localhost:8000/security/xssAuditor/resources/echo-fra=
me-src.pl?q=3D%22srcdoc=3D%22%3Cscript%3Ealert(0)%3C/script%3E' because i=
ts source code was found within the request. The auditor was enabled as t=
he server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy=
' header.
+Catch injected srcdoc properties when there is punctuation enabling the =
auditor
+
+
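Review bot: the expectation pins the auditor's exact console wording, the `line 4` position inside the document echoed by echo-frame-src.pl, and the sentence stating that the auditor was enabled because neither `X-XSS-Protection` nor `Content-Security-Policy` was sent. Any rewording of that console message, any change to the echoed markup (which moves the iframe off line 4), or a helper that starts sending either header will require regenerating this file; the two trailing blank `+` lines are part of the dumped text, not stray whitespace.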
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditoriframesrcdocpropertyblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html (0 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/http/tests/security/xssAuditor=
/iframe-srcdoc-property-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-proper=
ty-blocked.html 2013-11-05 18:02:18 UTC (rev 158676)
</span><span class=3D"lines">@@ -0,0 +1,15 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>Catch injected srcdoc properties when there is punctuation enab=
ling the auditor</p>
+<iframe src=3D'http://localhost:8000/security/xssAuditor/resources/ec=
ho-frame-src.pl?q=3D%22srcdoc=3D%22<script>alert(0)</script>'=
>
+</body>
+</html>
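Review bot: the `<iframe src='http://localhost:8000/...'>` element is never closed. An iframe's content is parsed as raw text up to `</iframe>`, so the following `</body>` and `</html>` are swallowed as that text; the test still passes through parser recovery, but adding `</iframe>` directly after the start tag keeps the document well-formed. A one-line comment stating that echo-frame-src.pl deliberately sends no `X-XSS-Protection` or CSP header would also make explicit why `testRunner.setXSSAuditorEnabled(true)` alone is enough for the auditor to act on the framed response.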
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorresourcesechoframesrcpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl (0 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/LayoutTests/http/tests/security/xssAuditor=
/resources/echo-frame-src.pl (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame=
-src.pl 2013-11-05 18:02:18 UTC (rev 158676)
</span><span class=3D"lines">@@ -0,0 +1,14 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi =3D new CGI;
+
+print "Content-Type: text/html; charset=3DUTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body>\n";
+print "<iframe src=3D\"".$cgi->param('q')."\&q=
uot;></iframe>\n";
+print "</body>\n";
+print "</html>\n";
</ins><span class=3D"cx">Property changes on: trunk/LayoutTests/http/test=
s/security/xssAuditor/resources/echo-frame-src.pl
</span><span class=3D"cx">_______________________________________________=
____________________
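Review bot: `my $cgi = new CGI;` uses indirect object syntax; `CGI->new` is the unambiguous spelling. With `-w` enabled, a request that omits `q` makes `$cgi->param('q')` interpolate as undef and emits an "uninitialized value" warning to the server log; defaulting it to an empty string keeps the helper quiet. Reflecting `q` unescaped into the iframe `src` attribute is the intended behaviour of this helper (it is the reflection the test exercises), and printing only `Content-Type` with no `X-XSS-Protection` header is what the expected output relies on; a short comment saying both are deliberate would stop a later cleanup from "fixing" either.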
</span></span></pre></div>
<a id=3D"svnexecutable"></a>
<div class=3D"addfile"><h4>Added: svn:executable</h4></div>
<a id=3D"trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (158675 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/Source/WebCore/ChangeLog 2013-11-05 16:23:=
33 UTC (rev 158675)
+++ trunk/Source/WebCore/ChangeLog 2013-11-05 18:02:18 UTC (rev 158676)
</span><span class=3D"lines">@@ -1,3 +1,15 @@
</span><ins>+2013-11-05 Daniel Bates <dabates at apple.com>
+
+ XSSAuditor should catch reflected srcdoc properties even without=
a <frame> tag injection
+
+ From Blink r160615 by <tsepez at chromium.org>
+ https://src.chromium.org/viewvc/blink?view=3Drev&revision=3D=
160615
+
+ Test: http/tests/security/xssAuditor/iframe-srcdoc-property-bloc=
ked.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::filterIframeToken):
+
</ins><span class=3D"cx"> 2013-11-05 =C3=89va Bal=C3=A1zsfalvi <bala=
zsfalvi.eva at stud.u-szeged.hu>
</span><span class=3D"cx">=20
</span><span class=3D"cx"> Delete maketokenizer.
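Review bot: the `(WebCore::XSSAuditor::filterIframeToken):` line carries no description of the behavioural change. WebKit ChangeLog style asks for a sentence per touched function; here it should say that the `srcdoc` attribute is now checked on every `<iframe>` start tag, while `src` is still only checked when the tag name itself appears in the request. Like the LayoutTests entry, this one also lacks a `Reviewed by` line or bug URL.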
</span></span></pre></div>
<a id=3D"trunkSourceWebCorehtmlparserXSSAuditorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (158675 => 158676)</h4>
<pre class="diff"><span>
<span class=3D"info">--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp =
2013-11-05 16:23:33 UTC (rev 158675)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2013-11-05 18:02:18 U=
TC (rev 158676)
</span><span class=3D"lines">@@ -471,11 +471,10 @@
</span><span class=3D"cx"> ASSERT(request.token.type() =3D=3D HTMLTok=
en::StartTag);
</span><span class=3D"cx"> ASSERT(hasName(request.token, iframeTag));
</span><span class=3D"cx">=20
</span><del>- bool didBlockScript =3D false;
- if (isContainedInRequest(decodedSnippetForName(request))) {
</del><ins>+ bool didBlockScript =3D eraseAttributeIfInjected(request,=
srcdocAttr, String(), ScriptLikeAttribute);
+ if (isContainedInRequest(decodedSnippetForName(request)))
</ins><span class=3D"cx"> didBlockScript |=3D eraseAttributeIfInj=
ected(request, srcAttr, String(), SrcLikeAttribute);
</span><del>- didBlockScript |=3D eraseAttributeIfInjected(request=
, srcdocAttr, String(), ScriptLikeAttribute);
- }
</del><ins>+
</ins><span class=3D"cx"> return didBlockScript;
</span><span class=3D"cx"> }
</span><span class=3D"cx">=20
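Review bot: the rewrite makes the `srcdocAttr` check unconditional while `srcAttr` stays gated on `isContainedInRequest(decodedSnippetForName(request))`, and nothing in the code explains the asymmetry. It is the point of the change: an attacker who breaks out of an existing attribute (as the test's `%22srcdoc=%22` query does) never injects the `<iframe` tag name, so the old gate skipped the `srcdoc` check entirely, whereas `srcdoc` content is inline markup treated as `ScriptLikeAttribute`. Add a short comment above `bool didBlockScript = eraseAttributeIfInjected(request, srcdocAttr, ...)` stating why `srcdoc` must not depend on the tag-name match, so the gate is not reintroduced in a later refactor. The `+` blank line that replaces the closing brace before `return didBlockScript;` is fine.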
</span></span></pre>
</div>
</div>
</body>
</html>
More information about the webkit-changes mailing list