[Webkit-unassigned] [Bug 26784] Enable XSSAuditor by default

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jun 28 19:30:46 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26784

------- Comment #2 from dbates at berkeley.edu  2009-06-28 19:30 PDT -------
Another known false negative is HTTP header injection.

(In reply to comment #0)
> We should try enabling the XSSAuditor by default in the nightly to get a sense
> for the false positive rate.  Sam said we should do this once we have decent
> test coverage, and we now have 29 tests.
> 
> Please CC me and Dan on any regressions / false positives we find.  If we get a
> bunch of them, we can turn off the auditor again while we think about how to
> reduce them.
> 
> We still have one known false negative (HTML entities), but we can work on
> fixing that in parallel.  Also, we should support the "turn off XSS filtering"
> header that IE8 supports, but I'll file a separate bug about that.
> 