[Webkit-unassigned] [Bug 30352] New: [XSSAuditor] Add an exception for local files
bugzilla-daemon at webkit.org
Wed Oct 14 04:12:12 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=30352
Summary: [XSSAuditor] Add an exception for local files
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: sirdarckcat at gmail.com
CC: abarth at webkit.org, dbates at webkit.org
I think something else can be done for XSSAuditor...
Could there be an exception for src attributes on <script> tags if the URL is
in the same domain and is a single file with no querystring?
Something like:
<script type="text/javascript" src="/acs.js"></script>
Shouldn't be disabled by an attacker doing:
http://victim.com/?disable_script=<script type="text/javascript" src="/acs.js"></script>
The reason I say "with no querystring" is that we shouldn't allow:
<script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script>
since in some weeeird cases that may be a vulnerability (it's very dangerous
anyway, since if you can make valid JS, you could probably make valid XML and
load a crossdomain file for Flash)... anyway, to be sure, only adding the
exception for "/acs.js" should be safe.
I ask this since if a user is already able to modify the content of a file in
the same domain then he can probably make an XSS directly anyway... and if it's
not done this way, the attack of disabling essential scripts for the page will
be difficult.
This should reduce to some degree the attack scenario where an attacker disables
scripts on the guest page... also this should increase compatibility...
Test case:
http://eaea.sirdarckcat.net/testhtml.html?disable_script=%3Cscript%20type=%22text/javascript%22%20src=%22acs.js%22%3E%3C/script%3E
Greetings!!
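The exemption proposed in the report, as an added example that is not part of the original post or of WebKit's XSSAuditor: a Python check for the "same domain, single file, no querystring" rule, wired into a minimal reflected-<script> detector so the allow/block decision for each echoed tag is visible. The hostnames (victim.example, attacker.example), the request URL and the response page are constructed; the reflection matching is a deliberate simplification of what a real auditor does, and "same domain" is read strictly as same origin (scheme plus host:port).

```python
"""Added example (not WebKit code): the script-src exemption proposed in
bug 30352, plus a minimal reflected-<script> check showing where it applies."""
import re
from urllib.parse import urljoin, urlsplit, unquote

# Opening <script ...> tags only; </script> does not match because of the '/'.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(
    r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def is_likely_safe_script_src(src: str, page_url: str) -> bool:
    """Proposed exemption: same origin, a single file, no query string.

    Cross-origin URLs (including protocol-relative '//host/x.js'),
    javascript:/data: URLs, bare directory paths and anything carrying a
    '?' all return False and stay subject to the auditor.
    """
    page = urlsplit(page_url)
    # urljoin resolves "/acs.js" and "acs.js" against the page URL; a foreign
    # scheme such as javascript: is returned unchanged and has no netloc.
    target = urlsplit(urljoin(page_url, src))
    if (target.scheme, target.netloc) != (page.scheme, page.netloc):
        return False
    if target.query:
        return False
    last_segment = target.path.rsplit("/", 1)[-1]
    return bool(last_segment)  # "/" or "/dir/" is not a single file


def _normalize(text: str) -> str:
    """Decode %-escapes and collapse case/whitespace so an encoded copy of a
    tag in the request still matches the tag as rendered in the response."""
    return re.sub(r"\s+", " ", unquote(text)).lower()


def audit_reflected_scripts(request_url: str, response_html: str) -> list:
    """Return (tag, decision) pairs for every <script> opening tag in the
    response whose text is echoed from the request URL.

    decision is 'allow' when the tag has a src covered by the proposed
    exemption and 'block' otherwise. Tags that are not reflected are outside
    the auditor's scope and are not reported.
    """
    request_norm = _normalize(request_url)
    decisions = []
    for match in SCRIPT_TAG_RE.finditer(response_html):
        tag = match.group(0)
        if _normalize(tag) not in request_norm:
            continue  # not reflected from the request
        src_match = SRC_ATTR_RE.search(tag)
        src = ""
        if src_match:
            src = next(g for g in src_match.groups() if g is not None)
        if src and is_likely_safe_script_src(src, request_url):
            decisions.append((tag, "allow"))
        else:
            decisions.append((tag, "block"))
    return decisions


# Constructed sample: the report's scenario, an attacker echoing the page's own
# /acs.js tag through the query string, plus a reflected cross-origin tag.
REQUEST_URL = (
    "http://victim.example/?disable_script="
    "%3Cscript%20type%3D%22text/javascript%22%20src%3D%22/acs.js%22%3E%3C/script%3E"
    "%3Cscript%20src%3D%22http://attacker.example/evil.js%22%3E%3C/script%3E"
)
RESPONSE_HTML = """<html><head>
<script type="text/javascript" src="/acs.js"></script>
<script src="http://attacker.example/evil.js"></script>
<script src="/vendor/jquery.js"></script>
</head><body>ok</body></html>"""

if __name__ == "__main__":
    for tag, decision in audit_reflected_scripts(REQUEST_URL, RESPONSE_HTML):
        print(f"{decision:5s} {tag}")
```

Run stand-alone, the page's own `/acs.js` tag is reported as `allow` even though its text appears in the request, the reflected cross-origin tag is `block`, and the unreflected `/vendor/jquery.js` tag is not reported at all. The `/index.php?asdf=asdf&asdf=asdf` case the report worries about fails the no-query test and would still be blocked.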