[webkit-reviews] review granted: [Bug 100892] Support X-XSS-Protection: report=URL header syntax in XSSAuditor. : [Attachment 171745] More code for discussion
bugzilla-daemon at webkit.org
Wed Oct 31 23:06:12 PDT 2012
Adam Barth <abarth at webkit.org> has granted review:
Bug 100892: Support X-XSS-Protection: report=URL header syntax in XSSAuditor.
https://bugs.webkit.org/show_bug.cgi?id=100892
Attachment 171745: More code for discussion
https://bugs.webkit.org/attachment.cgi?id=171745&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=171745&action=review
This looks great. Can you add a test that the report is only sent once even if
there are many violations on a page?
> Source/WebCore/html/parser/XSSAuditor.cpp:238
> + m_notifyReportURL = true;
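Review bot: the flag set at XSSAuditor.cpp:238 is, in the visible hunks, only cleared at line 317, so its lifetime spans two distant sites with nothing at either one explaining the intent. A short comment next to `m_notifyReportURL = true;` stating that it is a one-shot flag, reset after the first report is sent, would make that lifecycle readable without having to find the reset.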
You can also null out m_reportURL if you don't want to send the report.
> Source/WebCore/html/parser/XSSAuditor.cpp:317
> + m_notifyReportURL = false;
> + m_originalURL = String();
> + m_originalHTTPBody = String();
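Review bot: the three assignments at XSSAuditor.cpp:317 release m_originalURL and m_originalHTTPBody only on the path that has just reported a violation. If this is the only place they are cleared, a page with no violation keeps both copies for as long as the auditor lives. Consider releasing them on the non-reporting path as well once they can no longer be needed, and moving the three resets into one small helper so the one-shot behaviour is enforced in a single place.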
So, we only notify for the first failure, and then we drop the
m_originalHTTPBody.
Do we ever drop m_originalHTTPBody if there isn't an error? It's probably
worth dropping it at some point since we don't want to keep using the memory.
I guess the whole XSSAuditor gets deleted at some point. Maybe that's early
enough.