<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[194978] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/194978">194978</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-13 13:18:39 -0800 (Wed, 13 Jan 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>[XSS Auditor] Add test when XSS payload is in the path portion of the URL
https://bugs.webkit.org/show_bug.cgi?id=152871

Patch by Daniel Bates &lt;dabates@apple.com&gt; on 2016-01-13
Reviewed by Brent Fulgham.

Merged from Blink (patch by Tom Sepez &lt;tsepez@chromium.org&gt;):
&lt;https://src.chromium.org/viewvc/blink?revision=164746&amp;view=revision&gt;

Tools:

* Scripts/webkitpy/layout_tests/servers/lighttpd.conf:

LayoutTests:

Add infrastructure and a test for an XSS attack where the payload is
embedded in the path portion of the URL.

Many XSS Auditor tests pass the XSS payload to CGI scripts via the
query string portion of the URL. Now we also support calling these
same scripts with the payload embedded in the path portion of the
URL.

Loading &lt;http://127.0.0.1:8000/security/xssAuditor/intercept/X/Y&gt;
returns a response whose content is identical to &lt;http://127.0.0.1:8000/security/xssAuditor/resources/X?q=Y&gt;,
where X is the filename of some CGI script in directory LayoutTests/http/tests/security/xssAuditor/resources
and Y is the XSS payload.

* http/tests/security/xssAuditor/intercept/.htaccess: Added.
* http/tests/security/xssAuditor/reflection-in-path-expected.txt: Added.
* http/tests/security/xssAuditor/reflection-in-path.html: Added.
* http/tests/security/xssAuditor/resources/echo-form-action.pl: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsScriptswebkitpylayout_testsserverslighttpdconf">trunk/Tools/Scripts/webkitpy/layout_tests/servers/lighttpd.conf</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li>trunk/LayoutTests/http/tests/security/xssAuditor/intercept/</li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorintercepthtaccess">trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathexpectedtxt">trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathhtml">trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityxssAuditorresourcesechoformactionpl">trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (194977 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-01-13 21:14:44 UTC (rev 194977)
+++ trunk/LayoutTests/ChangeLog        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -1,3 +1,31 @@
</span><ins>+2016-01-13  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        [XSS Auditor] Add test when XSS payload is in the path portion of the URL
+        https://bugs.webkit.org/show_bug.cgi?id=152871
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez &lt;tsepez@chromium.org&gt;):
+        &lt;https://src.chromium.org/viewvc/blink?revision=164746&amp;view=revision&gt;
+
+        Add infrastructure and a test for an XSS attack where the payload is
+        embedded in the path portion of the URL.
+
+        Many XSS Auditor tests pass the XSS payload to CGI scripts via the
+        query string portion of the URL. Now we also support calling these
+        same scripts with the payload embedded in the path portion of the
+        URL.
+
+        Loading &lt;http://127.0.0.1:8000/security/xssAuditor/intercept/X/Y&gt;
+        returns a response whose content is identical to &lt;http://127.0.0.1:8000/security/xssAuditor/resoures/X?q=Y&gt;,
+        where X is the filename of some CGI script in directory LayoutTests/http/tests/security/xssAuditor/resources
+        and Y is the XSS payload.
+
+        * http/tests/security/xssAuditor/intercept/.htaccess: Added.
+        * http/tests/security/xssAuditor/reflection-in-path-expected.txt: Added.
+        * http/tests/security/xssAuditor/reflection-in-path.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-form-action.pl: Added.
+
</ins><span class="cx"> 2016-01-13  Adam Bergkvist  &lt;adam.bergkvist@ericsson.com&gt;
</span><span class="cx"> 
</span><span class="cx">         WebRTC: Add support for RTCRtpSender.replaceTrack()
</span></span></pre></div>
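<p>Review bot: the example URL in the added entry spells the target directory "resoures" (.../xssAuditor/resoures/X?q=Y), while the following line of the same entry and the rewrite rules in this change use "resources". Correct the spelling so the documented mapping matches the real path.</p>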
<a id="trunkLayoutTestshttptestssecurityxssAuditorintercepthtaccess"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess (0 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+RewriteEngine on
+RewriteRule ^(.*)/(.*) /security/xssAuditor/resources/$1?q=$2 [L,NS]
</ins></span></pre></div>
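<p>Review bot: in the RewriteRule pattern ^(.*)/(.*) the first group is greedy, so it captures everything up to the last slash; a payload that contains "/" would put part of the payload into $1 (the script name) and only the tail into q. The lighttpd rule added in this same change uses ([^/]*)/(.*), which splits at the first slash. Use ^([^/]*)/(.*) here as well so both servers map intercept/X/Y to resources/X?q=Y identically.</p>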
<a id="trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt (0 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: line 5: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+This is an iframe with a injected form
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityxssAuditorreflectioninpathhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path.html (0 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/reflection-in-path.html        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.setXSSAuditorEnabled(true);
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/intercept/echo-form-action.pl/%22%20onmouseover=%22JavaScript:alert(document.domain)%22%20name=%22?m=login&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
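<p>Review bot: the test page carries no description of what it checks or what a passing result looks like, and after testRunner.waitUntilDone() it depends entirely on the iframe's script calling testRunner.notifyDone(). If the intercept rewrite is not active on the server, the iframe never runs that script and the test ends as a timeout with no hint about the cause. Add a short comment naming the rewrite dependency (intercept/.htaccess and the lighttpd.conf rule); if visible text is added instead, update reflection-in-path-expected.txt with it.</p>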
<a id="trunkLayoutTestshttptestssecurityxssAuditorresourcesechoformactionpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl (0 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print &quot;Content-Type: text/html; charset=UTF-8\n\n&quot;;
+
+print &quot;&lt;!DOCTYPE html&gt;\n&quot;;
+print &quot;&lt;html&gt;\n&quot;;
+print &quot;&lt;body&gt;\n&quot;;
+print &quot;&lt;p&gt;This is an iframe with a injected form&lt;/p&gt;\n&quot;;
+print &quot;&lt;form method=\&quot;post\&quot; id=\&quot;login\&quot; action=\&quot;&quot;.$cgi-&gt;param('q').&quot;\&quot;&gt;&lt;/form&gt;\n&quot;;
+print &quot;&lt;script&gt;if (window.testRunner) testRunner.notifyDone();&lt;/script&gt;\n&quot;;
+print &quot;&lt;/body&gt;\n&quot;;
+print &quot;&lt;/html&gt;\n&quot;;
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
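<p>Review bot: the form line concatenates $cgi-&gt;param('q') into the action attribute with no escaping and no comment. That reflection is what the test relies on, so state it in a comment above the print, so the script is not copied elsewhere or "fixed" by mistake. Minor: "a injected form" should read "an injected form" (changed together with reflection-in-path-expected.txt), and CGI-&gt;new is preferred over the indirect-object form new CGI.</p>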
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (194977 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog        2016-01-13 21:14:44 UTC (rev 194977)
+++ trunk/Tools/ChangeLog        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-01-13  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        [XSS Auditor] Add test when XSS payload is in the path portion of the URL
+        https://bugs.webkit.org/show_bug.cgi?id=152871
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Tom Sepez &lt;tsepez@chromium.org&gt;):
+        &lt;https://src.chromium.org/viewvc/blink?revision=164746&amp;view=revision&gt;
+
+        * Scripts/webkitpy/layout_tests/servers/lighttpd.conf:
+
</ins><span class="cx"> 2016-01-08  Andy Estes  &lt;aestes@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [Content Filtering] Lazily load platform frameworks
</span></span></pre></div>
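<p>Review bot: the file line "* Scripts/webkitpy/layout_tests/servers/lighttpd.conf:" ends at the colon with no description. Add a sentence saying that a url.rewrite-once rule for /security/xssAuditor/intercept/ was added to mirror the new intercept/.htaccess, so the reason for touching the server configuration is recorded in the Tools ChangeLog itself.</p>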
<a id="trunkToolsScriptswebkitpylayout_testsserverslighttpdconf"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/webkitpy/layout_tests/servers/lighttpd.conf (194977 => 194978)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/webkitpy/layout_tests/servers/lighttpd.conf        2016-01-13 21:14:44 UTC (rev 194977)
+++ trunk/Tools/Scripts/webkitpy/layout_tests/servers/lighttpd.conf        2016-01-13 21:18:39 UTC (rev 194978)
</span><span class="lines">@@ -65,7 +65,8 @@
</span><span class="cx"> # LayoutTests/http/tests/appcache/resources/intercept/.htaccess
</span><span class="cx"> url.rewrite-once = (
</span><span class="cx">   &quot;^/uri/intercept/(.*)&quot; =&gt; &quot;/uri/resources/print-uri.php&quot;,
</span><del>-  &quot;^/appcache/resources/intercept/(.*)&quot; =&gt; &quot;/appcache/resources/print-uri.php&quot;
</del><ins>+  &quot;^/appcache/resources/intercept/(.*)&quot; =&gt; &quot;/appcache/resources/print-uri.php&quot;,
+  &quot;^/security/xssAuditor/intercept/([^/]*)/(.*)&quot; =&gt; &quot;/security/xssAuditor/resources/$1?q=$2&quot;
</ins><span class="cx"> )
</span><span class="cx"> 
</span><span class="cx"> # LayoutTests/http/tests/xmlhttprequest/response-encoding.html uses an htaccess
</span></span></pre>
</div>
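<p>Review bot: the comment line directly above url.rewrite-once names only LayoutTests/http/tests/appcache/resources/intercept/.htaccess, and the hunk adds the xssAuditor rule without mentioning the file it mirrors. Add LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess to that comment so the two rule sets are kept in sync when either is edited.</p>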
</div>

</body>
</html>