[Webkit-unassigned] [Bug 49845] XSS Auditor severely affects loading performance after submitting a large form

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 3 19:53:56 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=49845





--- Comment #13 from Adam Barth <abarth at webkit.org>  2011-02-03 19:53:56 PST ---
Some discussion in IRC:

[7:50pm] dydz: abarth: Some of the expected results have more console messages than before...
[7:50pm] abarth: yeah
[7:50pm] abarth: that's because we block injected "type" attributes
[7:51pm] abarth: for objects now too
[7:51pm] abarth: in XSSAuditor, you could inject an object tag for Gears
[7:51pm] abarth: for example
[7:51pm] abarth: because that doesn't result in a load
[7:51pm] abarth: whereas XSSFilter will block that
[7:52pm] abarth: dydz: i think there's some kind of attack scenario there involving a plugin with a non-standard way of loading stuff
[7:52pm] abarth: dydz: but i don't have a concrete example

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.



More information about the webkit-unassigned mailing list