[Webkit-unassigned] [Bug 30352] New: [XSSAuditor] Add an exception for local files

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 14 04:12:12 PDT 2009


           Summary: [XSSAuditor] Add an exception for local files
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sirdarckcat at gmail.com
                CC: abarth at webkit.org, dbates at webkit.org

I think something else can be done for XSSAuditor..
could it be an exception to src attributes on <script> tags if the URL is
in the same domain and is a single file with no querystring?

Something like:

<script type="text/javascript" src="/acs.js"></script>

Shouldn't be disabled by an attacker doing:

http://victim.com/?disable_script=<script type="text/javascript"

The part where I say "with no querystring" is that we shouldnt allow:

<script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script>

Since in some weeeird cases that may be a vulnerability (its very dangerous
anyway, since if you can make valid JS, you could probably make valid XML and
load a crossdomain file for flash).. anyway, to be sure, only adding the
exception for "/acs.js" should be safe.

I ask this since if a user is already able to modify the content of a file in
the same domain then he can probably make a XSS directly anyway.. and if it's
not done this way, the attack of disabling essential scripts for the page will
be difficult.

This should reduce in some degree the attack scenario where an attacker disable
scripts on the guest page.. also this should increase compatibility..

Test case:


Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list