[Webkit-unassigned] [Bug 120595] New: REGRESSION(r154444 ): xss-DENIED test results changed
bugzilla-daemon at webkit.org
Mon Sep 2 01:38:37 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=120595
Summary: REGRESSION(r154444 ): xss-DENIED test results changed
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Keywords: Qt
Severity: Normal
Priority: P2
Component: Tools / Tests
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: zarvai at inf.u-szeged.hu
CC: allan.jensen at digia.com, hausmann at webkit.org,
ossy at webkit.org, kadam at inf.u-szeged.hu,
abrhm at inf.u-szeged.hu
Blocks: 120151
Created an attachment (id=210268)
--> (https://bugs.webkit.org/attachment.cgi?id=210268&action=review)
layout-test-results-debug-r154875
Some test results changed after the patch in http://trac.webkit.org/changeset/154444.
After unsuccessful bisecting with the patch applied in the range between r154300 and r154444, I applied the patch to r154291 and it turned out the patch caused the failure.
On release bots:
http://build.webkit.sed.hu/results/x86-32%20Linux%20Qt%20Release%20NRWT/r154873%20%2836388%29/results.html
http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
http/tests/security/aboutBlank/xss-DENIED-set-opener.html
http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html
http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html
On my local machine these additionally fail with release:
http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-window-open.html
http/tests/security/xss-DENIED-defineProperty.html
On debug bots:
http://build.webkit.sed.hu/results/x86-64%20Linux%20Qt%20Debug/r154870%20%2830291%29/results.html
Same as release:
http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
http/tests/security/aboutBlank/xss-DENIED-set-opener.html
http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html
http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html
Additionally fail:
http/tests/security/dataURL/xss-DENIED-from-data-url-to-data-url.html
http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html
http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html
http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html
Debug r154875 test results are attached.
One example:
--- /home/azbest/webkit/WebKit/layout-test-results/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt
+++ /home/azbest/webkit/WebKit/layout-test-results/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-actual.txt
@@ -1,5 +1,3 @@
-CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating 'target.document.body')
This page opens a window to "", injects malicious code, and then navigates its opener to the victim. The opened window then tries to scripts its opener after reloading itself as a javascript URL.
Code injected into window:
<script>window.location = 'javascript:\'<script>function write(target, message) { target.document.body.innerHTML = message; }setTimeout(function() {write(window.opener, \\\'FAIL: XSS was allowed.\\\');}, 100);setTimeout(function() {write(window.opener.top.frames[1], \\\'SUCCESS: Window remained in original SecurityOrigin.\\\');}, 200);setTimeout(function() { if (window.testRunner) testRunner.globalFlag = true; }, 300);<\\\/script>\''</script>
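Review bot: The two removed CONSOLE MESSAGE lines at the top of this hunk do not by themselves show that the cross-origin access was allowed. The "Blocked a frame" message and the TypeError on 'target.document.body' both come from the write(window.opener, ...) call scheduled at 100 ms in the injected code, so their absence is also consistent with that call never running or running after the output was dumped. The report should say whether "FAIL: XSS was allowed." appears anywhere in the actual output, since that is what separates a security regression from a timing or logging change.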
@@ -13,4 +11,4 @@
--------
Frame: '<!--framePath //<!--frame1-->-->'
--------
-SUCCESS: Window remained in original SecurityOrigin.
+This page doesn't do anything special.
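Review bot: In the frame1 dump, the replacement of "SUCCESS: Window remained in original SecurityOrigin." with "This page doesn't do anything special." looks like the frame's original content being dumped, which would mean the 200 ms write to window.opener.top.frames[1] in the injected code had not happened when the results were captured. Taken with the missing console messages in the first hunk, this points at the injected script not executing, or executing too late, rather than at a same-origin check being bypassed. It would help to note whether testRunner.globalFlag (set at 300 ms) was reached before the dump.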