[Webkit-unassigned] [Bug 29523] [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor
bugzilla-daemon at webkit.org
Sat Sep 19 16:15:50 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29523
--- Comment #4 from Daniel Bates <dbates at webkit.org> 2009-09-19 16:15:50 PDT ---
I meant, cleanup ScriptController.
(In reply to comment #3)
> (In reply to comment #2)
> > (From update of attachment 39824)
> > + m_frame->script()->isEnabled() && !m_frame->script()->isPaused()
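Review bot: the `isEnabled() && !isPaused()` test added on this line repeats checks that, according to the reply in this thread, FrameLoader::executeScript already performs, so the two copies can drift apart if one is changed later. A short code comment stating that the guard exists only to skip the XSSAuditor call when scripts cannot run, or a single shared helper used by both call sites, would make that intent explicit. The line also calls m_frame->script() twice; a local for the controller would read more cleanly.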
> >
> > Why did we add these conditions that weren't there before?
>
> This is an optimization.
>
> I added these so that we can avoid calling the XSSAuditor when scripts aren't
> enabled or paused. Notice, these cases are checked in
> FrameLoader::executeScript and at present (i.e. without this patch) the
> XSSAuditor is only called after these cases are checked.
>
> Because we now call the XSSAuditor in FrameLoader::executeIfJavaScriptURL, in
> particular before calling executeScript, we can save some processing
> time/function call, by only calling the XSSAuditor when scripts are enabled and
> not paused.
>
> > Can we remove any of the other instances of canEvaluateJavaScriptURL?
>
> Yes, I can clean up ScriptSourceController