[Webkit-unassigned] [Bug 26807] Crashes on 3 layout tests when XSS auditor is enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 29 15:43:58 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26807

------- Comment #4 from dbates at berkeley.edu  2009-06-29 15:43 PDT -------
Created an attachment (id=32023)
 --> (https://bugs.webkit.org/attachment.cgi?id=32023&action=view)
temporary workaround

Temporary workaround.

I have not been able to reproduce the crash for the test:
http/tests/security/postMessage/javascript-page-still-sends-origin.html

With respect to the other cases: fast/loader/javascript-url-encoding-2.html and
fast/loader/opaque-base-url.html, these eventually cause the
FrameLoader::m_decoder to be nullified and never set again before the
XSSAuditor is called. So, frame->document()->decoder() is a null pointer and we
were dereferencing it; hence the crashes.

Both of these tests call FrameLoader::executeIfJavaScriptURL, which calls
FrameLoader::write(const String& str). Unlike in FrameLoader::write(const char*
str, int len, bool flush), the field FrameLoader::m_decoder is never set in
FrameLoader::write(const String& str). Moreover, it looks like
FrameLoader::executeIfJavaScriptURL is the only method that calls
FrameLoader::write(const String& str).

I am unclear about the purpose of FrameLoader::write(const String& str). Why
doesn't it just call FrameLoader::write(const char* str, int len, bool flush)
with the appropriate arguments? I take it that it has something to do with
parsing a strict document? I was not sure if I should set m_decoder (in a
similar fashion) as in FrameLoader::write(const char* str, int len, bool
flush); it seems kinda weird that someone left this out. Any suggestions?


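The failure mode described in the comment, as an added illustration that is not WebKit's code and not the attached workaround: a minimal model of the two FrameLoader::write overloads, where only the (const char*, int, bool) overload creates the decoder and the (const String&) overload reached through executeIfJavaScriptURL never touches it. The class bodies, the "UTF-8" default, the resetDecoder() step standing in for the navigation that nullifies m_decoder, and the auditEncoding* helpers are all assumptions for illustration; the point is that an unconditional frame->document()->decoder()-> dereference crashes on that path, while a null-checked audit degrades to "encoding unknown" instead.

```cpp
// Added model (not WebKit's code) of the null-decoder path described in the bug.
#include <iostream>
#include <memory>
#include <optional>
#include <string>

struct TextResourceDecoder {
    std::string encodingName;
    explicit TextResourceDecoder(std::string name) : encodingName(std::move(name)) {}
};

// Stand-in for Document: exposes the decoder pointer the auditor reads.
struct Document {
    TextResourceDecoder* decoder() const { return m_decoder; }
    void setDecoder(TextResourceDecoder* d) { m_decoder = d; }
private:
    TextResourceDecoder* m_decoder = nullptr;
};

class FrameLoader {
public:
    // Model of write(const char*, int, bool): creates m_decoder when it is missing.
    void write(const char* str, int len, bool flush) {
        if (!m_decoder) {
            m_decoder = std::make_unique<TextResourceDecoder>("UTF-8"); // assumed default
            m_document.setDecoder(m_decoder.get());
        }
        m_buffer.append(str, len);
        (void)flush;
    }
    // Model of write(const String&): appends the text but never sets m_decoder.
    void write(const std::string& str) { m_buffer += str; }
    // Model of executeIfJavaScriptURL, the only caller of write(const String&).
    void executeIfJavaScriptURL(const std::string& scriptResult) { write(scriptResult); }
    // Stand-in for the navigation that nullifies m_decoder (assumption).
    void resetDecoder() {
        m_decoder.reset();
        m_document.setDecoder(nullptr);
    }
    Document* document() { return &m_document; }
    const std::string& buffer() const { return m_buffer; }
private:
    std::unique_ptr<TextResourceDecoder> m_decoder;
    Document m_document;
    std::string m_buffer;
};

// Before: the auditor dereferences decoder() unconditionally; null here is a crash.
std::string auditEncodingUnchecked(FrameLoader& loader) {
    return loader.document()->decoder()->encodingName;
}

// After: the kind of guard a temporary workaround adds. A missing decoder is
// reported as "unknown" (nullopt) so the caller can pick a safe fallback.
std::optional<std::string> auditEncodingChecked(FrameLoader& loader) {
    TextResourceDecoder* decoder = loader.document()->decoder();
    if (!decoder)
        return std::nullopt;
    return decoder->encodingName;
}

// Reproduces the reported sequence: decoder nullified, then only the String
// overload runs via executeIfJavaScriptURL, then the auditor is consulted.
// Returns true when the decoder is still null and the guarded audit copes.
bool reproduceNullDecoderPath() {
    FrameLoader loader;
    loader.write("<html>", 6, false);            // decoder exists here
    loader.resetDecoder();                       // ...and is nullified
    loader.executeIfJavaScriptURL("<b>hi</b>");  // String overload: still null
    return loader.document()->decoder() == nullptr
        && !auditEncodingChecked(loader).has_value();
}

// Control case: the char* overload leaves a usable decoder behind.
std::string encodingAfterCharWrite() {
    FrameLoader loader;
    loader.write("<html>", 6, true);
    return auditEncodingChecked(loader).value_or("none");
}

int main() {
    std::cout << "null-decoder path handled: " << std::boolalpha
              << reproduceNullDecoderPath() << "\n";
    std::cout << "encoding after char* write: " << encodingAfterCharWrite() << "\n";
    // auditEncodingUnchecked() is deliberately not called on the null path.
    return 0;
}
```

The unchecked helper is kept only to show the shape of the faulting dereference; calling it on the reset path would be the reported crash. Whether the right fix is the guard or setting m_decoder in write(const String&) is exactly the open question in the comment, and this model takes no position on it.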