[Webkit-unassigned] [Bug 32570] New: XSSAuditor breaks Gigya widgets
bugzilla-daemon at webkit.org
Tue Dec 15 12:11:26 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=32570
Summary: XSSAuditor breaks Gigya widgets
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://bit.ly/4BFjGc
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: collinj at webkit.org
CC: abarth at webkit.org
Gigya is a widget advertising network. Their server takes a query parameter
src=http://apps.cooliris.com/embed/cooliris.swf...
and replies with
<embed src="http://apps.cooliris.com/embed/cooliris.swf" ...
XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate
the query parameters, so this is probably a false positive.
I'm not sure how to fix it in WebKit other than allowing direct injections into
the src attribute of an embed tag. Another option is to respect
X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could
also ask Gigya to obfuscate their query parameters to sneak past XSSAuditor.
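The false positive described in this report comes from the two sides seeing different things: the widget server knows the `src` parameter was signed, but a reflected-XSS filter in the browser only sees a request value reappearing verbatim in a code-bearing attribute of the response. The following added example (written for this page; it is not WebKit's XSSAuditor code nor Gigya's server code) models both sides in miniature: a simplified auditor that flags a query-string value reflected into `embed src` and friends, honours an `X-XSS-Protection: 0` opt-out as the report proposes, and a hypothetical HMAC-signed `sig` parameter standing in for whatever hash Gigya actually uses. The host `widgets.example`, the `sig` parameter name, the signing key and the sample traffic are all constructed; only the `apps.cooliris.com` SWF URL comes from the report.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# (tag, attribute) pairs that load or execute code. A request value reflected
# verbatim into one of these is the pattern a reflected-XSS filter flags.
CODE_BEARING_ATTRS = {
    ("embed", "src"),
    ("object", "data"),
    ("script", "src"),
    ("iframe", "src"),
}


class _ReflectionFinder(HTMLParser):
    """Collect code-bearing attributes whose value equals a request parameter."""

    def __init__(self, params):
        super().__init__()
        self.params = params  # list of (name, value) taken from the query string
        self.hits = []        # list of (tag, attr, param_name, value)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if (tag, attr) not in CODE_BEARING_ATTRS or not value:
                continue
            for pname, pvalue in self.params:
                # Exact match only; a real auditor also tolerates encoding differences.
                if value == pvalue:
                    self.hits.append((tag, attr, pname, value))


def audit_response(request_url, response_headers, body):
    """Simplified reflected-XSS check in the spirit of XSSAuditor.

    Returns a list of (tag, attr, param_name, value) reflections. An empty
    list means nothing was flagged, including the case where the response
    opted out with an `X-XSS-Protection: 0` header.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    if headers.get("x-xss-protection", "").strip().startswith("0"):
        return []
    query = parse_qs(urlparse(request_url).query)
    params = [(name, v) for name, values in query.items() for v in values]
    finder = _ReflectionFinder(params)
    finder.feed(body)
    return finder.hits


# --- Server side: why the reporter calls this a false positive -------------
# Hypothetical signing scheme. The report only says Gigya "appears to be using
# some sort of hash", so HMAC over `src` with a `sig` parameter is an assumption.
SIGNING_KEY = b"constructed-demo-key"


def sign_src(src):
    return hmac.new(SIGNING_KEY, src.encode(), hashlib.sha256).hexdigest()


def server_accepts(request_url):
    """The widget server reflects `src` only if its signature verifies."""
    query = parse_qs(urlparse(request_url).query)
    src = query.get("src", [""])[0]
    sig = query.get("sig", [""])[0]
    return bool(src) and hmac.compare_digest(sign_src(src), sig)


# Constructed sample traffic; only the SWF URL itself appears in the report.
SWF = "http://apps.cooliris.com/embed/cooliris.swf"
SAMPLE_REQUEST = f"http://widgets.example/serve?src={SWF}&sig={sign_src(SWF)}"
SAMPLE_RESPONSE = (
    f'<html><body><embed src="{SWF}" '
    'type="application/x-shockwave-flash"></body></html>'
)

if __name__ == "__main__":
    print("server accepts signed request:", server_accepts(SAMPLE_REQUEST))
    print("auditor flags:", audit_response(SAMPLE_REQUEST, {}, SAMPLE_RESPONSE))
    print("auditor with opt-out:",
          audit_response(SAMPLE_REQUEST, {"X-XSS-Protection": "0"}, SAMPLE_RESPONSE))
```

Running it shows the mismatch in one place: `server_accepts` is true for the signed request, yet `audit_response` still flags the reflected `embed src` because the browser has no way to see the server's verification. Only the header opt-out (or, as the report notes, not reflecting the value verbatim) silences the heuristic, which is why the reporter's options are all about signalling intent rather than changing the detection rule.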