[Webkit-unassigned] [Bug 32570] New: XSSAuditor breaks Gigya widgets

Tue Dec 15 12:11:26 PST 2009

https://bugs.webkit.org/show_bug.cgi?id=32570

           Summary: XSSAuditor breaks Gigya widgets
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://bit.ly/4BFjGc
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: collinj at webkit.org
                CC: abarth at webkit.org

Gigya is widget advertising network. Their server takes a query parameter

src=http://apps.cooliris.com/embed/cooliris.swf...

and replies with

<embed src="http://apps.cooliris.com/embed/cooliris.swf" ...

XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate
the query parameters so this is probably a false positive.

I'm not sure how to fix it in WebKit other than allowing direct injections into
the src attribute of an embed tag. Another option is to respect
X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could
also ask Gigya to obfuscate their query parameters to sneak pass XSSAuditor.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.