[Webkit-unassigned] [Bug 72585] XSS Auditor : <form> action is blocked even if it is not a JavaScript URL
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Nov 17 02:23:25 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=72585
--- Comment #2 from prakash.1729 at gmail.com 2011-11-17 02:23:25 PST ---
Though it is a false positive according to the design, it is in-fact protecting against <form> injection which is good. It is the same with <iframe> injection where the src attribute is removed even if the src is not a JavaScript URL .
One more corner case is that <iframe> from a same domain can be injected successfully. I assume this as a design decision .
p.s I couldn't find an example in which detecting an injected form is a false positive
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list