[Webkit-unassigned] [Bug 29523] [XSSAuditor] JavaScript URLs that are URL-encoded twice can by bypass the XSSAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 19 16:15:50 PDT 2009


--- Comment #4 from Daniel Bates <dbates at webkit.org>  2009-09-19 16:15:50 PDT ---
I meant, cleanup ScriptController.

(In reply to comment #3)
> (In reply to comment #2)
> > (From update of attachment 39824 [details] [details])
> > + m_frame->script()->isEnabled() && !m_frame->script()->isPaused()
> > 
> > Why did we add these conditions that weren't there before?
> This is an optimization.
> I added these so that we can avoid calling the XSSAuditor when scripts aren't
> enabled or paused. Notice, these cases are checked in
> FrameLoader::executeScript and at present (i.e. without this patch) the
> XSSAuditor is only called after these cases are checked.
> Because we now call the XSSAuditor in FrameLoader::executeIfJavaScriptURL, in
> particular before calling executeScript, we can save some processing
> time/function call, by only calling the XSSAuditor when scripts are enabled and
> not paused.
> > Can we remove any of the other instances of canEvaluateJavaScriptURL?
> Yes, I can clean up ScriptSourceController

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list