[Webkit-unassigned] [Bug 26784] Enable XSSAuditor by default
bugzilla-daemon at webkit.org
Sun Jun 28 19:30:46 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=26784
------- Comment #2 from dbates at berkeley.edu 2009-06-28 19:30 PDT -------
Another known false negative is HTTP header injection.
(In reply to comment #0)
> We should try enabling the XSSAuditor by default in the nightly to get a sense
> for the false positive rate. Sam said we should do this once we have decent
> test coverage, and we now have 29 tests.
>
> Please CC me and Dan on any regressions / false positives we find. If we get a
> bunch of them, we can turn off the auditor again while we think about how to
> reduce them.
>
> We still have one known false negative (HTML entities), but we can work on
> fixing that in parallel. Also, we should support the "turn off XSS filtering"
> header that IE8 supports, but I'll file a separate bug about that.
>
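As an added illustration of the HTML-entity false negative named in the thread (this is a constructed model, not WebKit's XSSAuditor code): the HTML tokenizer has already decoded character references by the time it hands an attribute value to the auditor, so the request parameter must be canonicalised the same way before the two are compared. The host name, sample URLs and function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed model of one step of a reflected-XSS auditor: does a value the
# tokenizer produced for an event-handler attribute also appear in the request?
# Added illustration only; it is not WebKit's implementation.

# Constructed sample requests (example.test is a placeholder host). The second
# one carries the attribute value as a character reference (&#101; for "e").
PLAIN_URL = "http://example.test/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
ENTITY_URL = "http://example.test/search?q=%3Cimg%20src%3Dx%20onerror%3Dal%26%23101%3Brt(1)%3E"
# What the tokenizer hands the auditor for the onerror attribute in both cases:
# character references are already decoded at that point.
TOKENIZED_ONERROR = "alert(1)"


def request_values(url: str) -> list[str]:
    """All query-string values of the request, URL-decoded (what a naive auditor sees)."""
    query = urlsplit(url).query
    return [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]


def naive_match(url: str, attribute_value: str) -> bool:
    """Compare the decoded attribute value against the raw URL-decoded parameter.

    This is the false-negative case: the tokenizer decoded "&#101;" to "e" but
    the request parameter still contains the reference, so the strings differ.
    """
    return any(attribute_value in v for v in request_values(url))


def canonical_match(url: str, attribute_value: str) -> bool:
    """Decode character references on the request side too, then compare."""
    return any(attribute_value in html.unescape(v) for v in request_values(url))


if __name__ == "__main__":
    for name, url in (("plain", PLAIN_URL), ("entity", ENTITY_URL)):
        print(name, "naive:", naive_match(url, TOKENIZED_ONERROR),
              "canonical:", canonical_match(url, TOKENIZED_ONERROR))
```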