[webkit-dev] XSSAuditor regressions

Maciej Stachowiak mjs at apple.com
Sun Jul 12 14:44:53 PDT 2009

Hi everyone,

Recently Adam Barth turned on an exciting new feature, the XSS  
Auditor, by default. This provides a browser-side defense against  
sites that are vulnerable to reflexive XSS attacks. Because this  
feature operates by blocking script execution, it has the potential to  
break legitimate sites via overzealous enforcement. I'd like to ask  
everyone to be on the lookout for these. If a site fails mysteriously,  
especially if it's a regression, check the Web Inspector console for a  
message like "Refused to execute a JavaScript script. Source code of  
script found within request."

I made a new keyword, XSSAuditor, and bugs tagged with XSSAuditor and  
Regression can be assumed to be fallout from the change. You can see  
the current known regressions with this query: <http://tinyurl.com/mw4j3y 
 >. So far, there are two, but they are pretty major (Facebook and  
Outlook Web Access).

Hopefully we can quickly flush out and fix a lot of these false  
positive results, but if the bugs start piling up, it may be wise to  
turn the feature off by default until the initial crop of regressions  
is dealt with, so the nightlies remain usable for testing. (I don't  
think we're at that point yet and Adam seems to be on top of the  
incoming bugs.)


More information about the webkit-dev mailing list