[Webkit-unassigned] [Bug 29523] [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 19 16:15:07 PDT 2009


--- Comment #3 from Daniel Bates <dbates at webkit.org>  2009-09-19 16:15:07 PDT ---
(In reply to comment #2)
> (From update of attachment 39824 [details])
> + m_frame->script()->isEnabled() && !m_frame->script()->isPaused()
> Why did we add these conditions that weren't there before?

This is an optimization.

I added these so that we can avoid calling the XSSAuditor when scripts aren't
enabled or paused. Notice, these cases are checked in
FrameLoader::executeScript and at present (i.e. without this patch) the
XSSAuditor is only called after these cases are checked.

Because we now call the XSSAuditor in FrameLoader::executeIfJavaScriptURL, in
particular before calling executeScript, we can save some processing
time/function call, by only calling the XSSAuditor when scripts are enabled and
not paused.

> Can we remove any of the other instances of canEvaluateJavaScriptURL?

Yes, I can clean up ScriptSourceController.
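The double-decoding problem named in the bug title, as an added illustration that is not taken from WebKit's XSSAuditor source: a scheme check that percent-decodes a URL only once misses a doubly encoded `javascript:` URL, while decoding to a fixed point before matching catches it. The function names and sample URLs below are constructed for this example.

```cpp
#include <cctype>
#include <string>

// Decode one layer of %XX percent-encoding. Malformed escapes are copied through unchanged.
static std::string percentDecodeOnce(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit((unsigned char)in[i + 1]) && std::isxdigit((unsigned char)in[i + 2])) {
            out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Decode repeatedly until the string stops changing (bounded so a hostile input cannot loop forever).
std::string percentDecodeFully(const std::string& in, int maxRounds = 8) {
    std::string cur = in;
    for (int r = 0; r < maxRounds; ++r) {
        std::string next = percentDecodeOnce(cur);
        if (next == cur) return cur;
        cur = next;
    }
    return cur;
}

// True if the (already decoded) URL starts with the javascript: scheme,
// ignoring leading whitespace/control characters and letter case.
static bool hasJavaScriptScheme(const std::string& url) {
    size_t i = 0;
    while (i < url.size() && (unsigned char)url[i] <= ' ') ++i;
    const std::string scheme = "javascript:";
    if (url.size() - i < scheme.size()) return false;
    for (size_t k = 0; k < scheme.size(); ++k)
        if (std::tolower((unsigned char)url[i + k]) != scheme[k]) return false;
    return true;
}

// Naive check: one decoding layer only, the behaviour the bug title describes as bypassable.
bool naiveLooksLikeJavaScriptUrl(const std::string& raw) {
    return hasJavaScriptScheme(percentDecodeOnce(raw));
}

// Hardened check: canonicalize to a fixed point before matching the scheme.
bool canonicalLooksLikeJavaScriptUrl(const std::string& raw) {
    return hasJavaScriptScheme(percentDecodeFully(raw));
}
```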
