<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195257] releases/WebKitGTK/webkit-2.10</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195257">195257</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-19 00:22:49 -0800 (Tue, 19 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/194927">r194927</a> - XSS Auditor should navigate to empty substitute data on full page block
https://bugs.webkit.org/show_bug.cgi?id=152868
<rdar://problem/18658448>
Reviewed by David Kilzer and Andy Estes.
Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
<https://src.chromium.org/viewvc/blink?view=rev&revision=179240>
Source/WebCore:
Test: http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html
* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript): Modified to call NavigationScheduler::schedulePageBlock().
* loader/NavigationScheduler.cpp:
(WebCore::ScheduledPageBlock::ScheduledPageBlock): Added.
(WebCore::NavigationScheduler::schedulePageBlock): Navigate to empty substitute data with
the same URL as the originating document.
* loader/NavigationScheduler.h:
LayoutTests:
Added additional test block-does-not-leak-that-page-was-blocked-using-empty-data-url.html to explicitly
tests that we do redirect to an empty data URL when a full page block is triggered.
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt: Added.
* http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html: Added.
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag.html:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsetexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleaklocationexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakreferrerexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockbasehrefexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockiframejavascripturlexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockjavascriptlinkexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblocklinkonclickexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockobjecttagexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagcrossdomainexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagwithsourceexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttaghtml">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorxssprotectionparsing03expectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorxssprotectionparsing04expectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCorehtmlparserXSSAuditorDelegatecpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/html/parser/XSSAuditorDelegate.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderNavigationSchedulercpp">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit210SourceWebCoreloaderNavigationSchedulerh">releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakthatpagewasblockedusingemptydataurlexpectedtxt">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakthatpagewasblockedusingemptydataurlhtml">releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit210LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,3 +1,42 @@
</span><ins>+2016-01-12 Daniel Bates <dabates@apple.com>
+
+ XSS Auditor should navigate to empty substitute data on full page block
+ https://bugs.webkit.org/show_bug.cgi?id=152868
+ <rdar://problem/18658448>
+
+ Reviewed by David Kilzer and Andy Estes.
+
+ Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
+ <https://src.chromium.org/viewvc/blink?view=rev&revision=179240>
+
+ Added additional test block-does-not-leak-that-page-was-blocked-using-empty-data-url.html to explicitly
+ tests that we do redirect to an empty data URL when a full page block is triggered.
+
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
+ * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
+ * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
+ * http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt: Added.
+ * http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html: Added.
+ * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
+ * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
+ * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
+ * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
+ * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
+ * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
+ * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+ * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
+ * http/tests/security/xssAuditor/full-block-script-tag.html:
+ * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
+ * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
+
</ins><span class="cx"> 2016-01-12 Antti Koivisto <antti@apple.com>
</span><span class="cx">
</span><span class="cx"> Don't reuse memory cache entries with different charset
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionallowblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to block.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockallowexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to allow.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to block.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockfilterexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to filter.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockinvalidexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -4,5 +4,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to invalid.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionblockunsetexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to unset.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionfilterblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to block.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectioninvalidblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -4,5 +4,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to block.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecuritycontentSecurityPolicy11reflectedxssandxssprotectionunsetblockexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -3,5 +3,5 @@
</span><span class="cx">
</span><span class="cx"> CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
</span><span class="cx">
</span><del>-ALERT: Loaded cross-origin frame.
</del><ins>+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1 into the IFrame.
</ins><span class="cx"> Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to block.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleaklocationexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,13 +1,9 @@
</span><span class="cx"> CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/block-does-not-leak-location.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
</del><ins>+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> CONSOLE MESSAGE: line 176: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 347: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
</del><ins>+CONSOLE MESSAGE: line 347: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> CONSOLE MESSAGE: line 176: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> PASS xssed.contentDocument is null
</span><span class="cx"> PASS xssed.contentDocument is crossorigin.contentDocument
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakreferrerexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
</del><ins>+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> PASS frame.contentDocument is null
</span><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakthatpagewasblockedusingemptydataurlexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt (0 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(/XSS/)%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+This tests that the URL of an iframe whose page triggered a full page block is not "data:,".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS received load event for iframe after initial iframe load led to a full page block.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorblockdoesnotleakthatpagewasblockedusingemptydataurlhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html (0 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/js-test-pre.js"></script>
+<script>
+if (window.testRunner)
+ testRunner.setXSSAuditorEnabled(true);
+
+window.jsTestIsAsync = true;
+
+var frame;
+
+function runTest()
+{
+ function done()
+ {
+ // The URL of the iframe is not "data:,"; Otherwise, we wouldn't get here.
+ testPassed("received load event for iframe after initial iframe load led to a full page block.");
+ finishJSTest();
+ }
+
+ function loadDifferentURL()
+ {
+ frame.onload = done;
+ frame.src = "data:,#dummy"; // We add #dummy so that the URL will be different enough to attempt a new load.
+ }
+ frame.onload = loadDifferentURL;
+ frame.src = "http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script>alert(/XSS/)</" + "script>";
+}
+
+window.onload = function ()
+{
+ frame = document.getElementById("frame");
+ runTest();
+}
+</script>
+</head>
+<body>
+ <script>
+ description("This tests that the URL of an iframe whose page triggered a full page block is not &quot;data:,&quot;.");
+ </script>
+ <iframe id="frame"></iframe>
+ <script src="/resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockbasehrefexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockiframejavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-javascript-url.html&enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-javascript-url.html&enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockjavascriptlinkexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblocklinkonclickexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockobjecttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagcrossdomainexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,8 +1,6 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-cross-domain.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
</del><ins>+CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-cross-domain.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
</span><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,9 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
</del><ins>+CONSOLE MESSAGE: line 18: PASS: Referrer is the empty string.
</ins><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttagwithsourceexpectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E
</del><span class="cx"> There should be no content in the iframe below:
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorfullblockscripttaghtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -13,9 +13,15 @@
</span><span class="cx"> function checkframe()
</span><span class="cx"> {
</span><span class="cx"> try {
</span><del>- var ref = document.getElementById("frame").contentDocument.referrer;
- alert('Referrer is "' + ref + '"');
- } catch (e) {}
</del><ins>+ var referrer = document.getElementById("frame").contentDocument.referrer;
+ if (referrer === "") {
+ console.log('PASS: Referrer is the empty string.');
+ } else {
+ console.log('FAIL: Referrer should be empty string. Was "' + referrer + '".');
+ }
+ } catch (e) {
+ console.log('FAIL: same-origin access threw: \'' + e.toString() + '\'.');
+ }
</ins><span class="cx"> checkIfFrameLocationMatchesSrcAndCallDone('frame');
</span><span class="cx"> }
</span><span class="cx"> </script>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorxssprotectionparsing03expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-03.html&notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 17: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-03.html&notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
</del><span class="cx"> This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon following mode=blank. Although theoretically malformed, we tolerate this case without issuing an error.
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210LayoutTestshttptestssecurityxssAuditorxssprotectionparsing04expectedtxt"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,7 +1,4 @@
</span><span class="cx"> CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-04.html&notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
</span><del>-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-04.html&notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
</del><span class="cx"> This tests that the X-XSS-Protection header is not ignored when the report and mode directives are swapped.
</span><span class="cx">
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2016-01-12 Daniel Bates <dabates@apple.com>
+
+ XSS Auditor should navigate to empty substitute data on full page block
+ https://bugs.webkit.org/show_bug.cgi?id=152868
+ <rdar://problem/18658448>
+
+ Reviewed by David Kilzer and Andy Estes.
+
+ Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
+ <https://src.chromium.org/viewvc/blink?view=rev&revision=179240>
+
+ Test: http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html
+
+ * html/parser/XSSAuditorDelegate.cpp:
+ (WebCore::XSSAuditorDelegate::didBlockScript): Modified to call NavigationScheduler::schedulePageBlock().
+ * loader/NavigationScheduler.cpp:
+ (WebCore::ScheduledPageBlock::ScheduledPageBlock): Added.
+ (WebCore::NavigationScheduler::schedulePageBlock): Navigate to empty substitute data with
+ the same URL as the originating document.
+ * loader/NavigationScheduler.h:
+
</ins><span class="cx"> 2016-01-12 Antti Koivisto <antti@apple.com>
</span><span class="cx">
</span><span class="cx"> Don't reuse memory cache entries with different charset
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCorehtmlparserXSSAuditorDelegatecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/html/parser/XSSAuditorDelegate.cpp (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/html/parser/XSSAuditorDelegate.cpp 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/html/parser/XSSAuditorDelegate.cpp 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -112,7 +112,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (xssInfo.m_didBlockEntirePage)
</span><del>- m_document.frame()->navigationScheduler().scheduleLocationChange(&m_document, m_document.securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
</del><ins>+ m_document.frame()->navigationScheduler().schedulePageBlock(m_document);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderNavigationSchedulercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.cpp (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.cpp 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.cpp 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2010, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
</span><span class="cx"> * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
</span><span class="cx"> * Copyright (C) 2009 Adam Barth. All rights reserved.
</span><span class="lines">@@ -298,6 +298,31 @@
</span><span class="cx"> bool m_haveToldClient;
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+class ScheduledPageBlock final : public ScheduledNavigation {
+public:
+ ScheduledPageBlock(Document& originDocument)
+ : ScheduledNavigation(0, LockHistory::Yes, LockBackForwardList::Yes, false, false)
+ , m_originDocument(originDocument)
+ {
+ }
+
+ void fire(Frame& frame) override
+ {
+ UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
+
+ ResourceResponse replacementResponse(m_originDocument.url(), ASCIILiteral("text/plain"), 0, ASCIILiteral("UTF-8"));
+ SubstituteData replacementData(SharedBuffer::create(), m_originDocument.url(), replacementResponse, SubstituteData::SessionHistoryVisibility::Hidden);
+
+ ResourceRequest resourceRequest(m_originDocument.url(), emptyString(), ReloadIgnoringCacheData);
+ FrameLoadRequest frameRequest(m_originDocument.securityOrigin(), resourceRequest, lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow, m_shouldOpenExternalURLsPolicy);
+ frameRequest.setSubstituteData(replacementData);
+ frame.loader().load(frameRequest);
+ }
+
+private:
+ Document& m_originDocument;
+};
+
</ins><span class="cx"> class ScheduledSubstituteDataLoad : public ScheduledNavigation {
</span><span class="cx"> public:
</span><span class="cx"> ScheduledSubstituteDataLoad(const URL& baseURL, const SubstituteData& substituteData)
</span><span class="lines">@@ -480,6 +505,12 @@
</span><span class="cx"> schedule(std::make_unique<ScheduledSubstituteDataLoad>(baseURL, substituteData));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void NavigationScheduler::schedulePageBlock(Document& originDocument)
+{
+ if (shouldScheduleNavigation())
+ schedule(std::make_unique<ScheduledPageBlock>(originDocument));
+}
+
</ins><span class="cx"> void NavigationScheduler::timerFired()
</span><span class="cx"> {
</span><span class="cx"> if (!m_frame.page())
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit210SourceWebCoreloaderNavigationSchedulerh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.h (195256 => 195257)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.h 2016-01-19 08:12:43 UTC (rev 195256)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/loader/NavigationScheduler.h 2016-01-19 08:22:49 UTC (rev 195257)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx"> void scheduleRefresh(Document* initiatingDocument);
</span><span class="cx"> void scheduleHistoryNavigation(int steps);
</span><span class="cx"> void scheduleSubstituteDataLoad(const URL& baseURL, const SubstituteData&);
</span><ins>+ void schedulePageBlock(Document& originDocument);
</ins><span class="cx">
</span><span class="cx"> void startTimer();
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>