XSS Auditor should navigate to empty substitute data on full page block
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Jan 2016 22:28:59 +0000 (22:28 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 12 Jan 2016 22:28:59 +0000 (22:28 +0000)
https://bugs.webkit.org/show_bug.cgi?id=152868
<rdar://problem/18658448>

Reviewed by David Kilzer and Andy Estes.

Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
<https://src.chromium.org/viewvc/blink?view=rev&revision=179240>

Source/WebCore:

Test: http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html

* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript): Modified to call NavigationScheduler::schedulePageBlock().
* loader/NavigationScheduler.cpp:
(WebCore::ScheduledPageBlock::ScheduledPageBlock): Added.
(WebCore::NavigationScheduler::schedulePageBlock): Navigate to empty substitute data with
the same URL as the originating document.
* loader/NavigationScheduler.h:

LayoutTests:

Added additional test block-does-not-leak-that-page-was-blocked-using-empty-data-url.html to explicitly
tests that we do redirect to an empty data URL when a full page block is triggered.

* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt: Added.
* http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html: Added.
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag.html:
* http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
* http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@194927 268f45cc-cd09-0410-ab3c-d52691b4dbfc

29 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt
LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditorDelegate.cpp
Source/WebCore/loader/NavigationScheduler.cpp
Source/WebCore/loader/NavigationScheduler.h

index 66b3a76..f8b26a2 100644 (file)
@@ -1,3 +1,42 @@
+2016-01-12  Daniel Bates  <dabates@apple.com>
+
+        XSS Auditor should navigate to empty substitute data on full page block
+        https://bugs.webkit.org/show_bug.cgi?id=152868
+        <rdar://problem/18658448>
+
+        Reviewed by David Kilzer and Andy Estes.
+
+        Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?view=rev&revision=179240>
+
+        Added additional test block-does-not-leak-that-page-was-blocked-using-empty-data-url.html to explicitly
+        tests that we do redirect to an empty data URL when a full page block is triggered.
+
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
+        * http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt: Added.
+        * http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html: Added.
+        * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
+        * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
+        * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
+        * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
+        * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag.html:
+        * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
+        * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
+
 2016-01-12  Jiewen Tan  <jiewen_tan@apple.com>
 
         Null dereference loading Blink layout test fast/frames/navigation-in-pagehide.html
index 65dcea5..4e583a7 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=allow&enable-full-block=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to allow, and "X-XSS-Protection" is set to block.
index 7a80617..388b8e8 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&disable-protection=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to allow.
index 2229e72..c4eef64 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&enable-full-block=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to block.
index 286160d..714970d 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&valid-header=2 into the IFrame.
 Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to filter.
index fcea229..170de44 100644 (file)
@@ -4,5 +4,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block&malformed-header=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to invalid.
index 98fda48..d9b0150 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=block into the IFrame.
 Testing behavior when "reflected-xss" is set to block, and "X-XSS-Protection" is set to unset.
index baef980..4b022a9 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=filter&enable-full-block=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to filter, and "X-XSS-Protection" is set to block.
index 40e2201..c5a6504 100644 (file)
@@ -4,5 +4,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&csp=invalid&enable-full-block=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to invalid, and "X-XSS-Protection" is set to block.
index e1bc2c1..bb5a611 100644 (file)
@@ -3,5 +3,5 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from access
 
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
 
-ALERT: Loaded cross-origin frame.
+ALERT: Loaded http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E&enable-full-block=1 into the IFrame.
 Testing behavior when "reflected-xss" is set to unset, and "X-XSS-Protection" is set to block.
index 43f0ed3..4336f5d 100644 (file)
@@ -1,13 +1,9 @@
 CONSOLE MESSAGE: line 7: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/block-does-not-leak-location.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53));%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 176: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 347: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
+CONSOLE MESSAGE: line 347: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 176: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 PASS xssed.contentDocument is null
 PASS xssed.contentDocument is crossorigin.contentDocument
index e4691c8..2faebf6 100644 (file)
@@ -1,6 +1,5 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
+CONSOLE MESSAGE: line 172: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 PASS frame.contentDocument is null
 PASS successfullyParsed is true
 
diff --git a/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt b/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url-expected.txt
new file mode 100644 (file)
index 0000000..a1ddc34
--- /dev/null
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Cscript%3Ealert(/XSS/)%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
+This tests that the URL of an iframe whose page triggered a full page block is not "data:,".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS received load event for iframe after initial iframe load led to a full page block.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html b/LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html
new file mode 100644 (file)
index 0000000..50cbaa8
--- /dev/null
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/resources/js-test-pre.js"></script>
+<script>
+if (window.testRunner)
+    testRunner.setXSSAuditorEnabled(true);
+
+window.jsTestIsAsync = true;
+
+var frame;
+
+function runTest()
+{
+    function done()
+    {
+        // The URL of the iframe is not "data:,"; Otherwise, we wouldn't get here.
+        testPassed("received load event for iframe after initial iframe load led to a full page block.");
+        finishJSTest();
+    }
+
+    function loadDifferentURL()
+    {
+        frame.onload = done;
+        frame.src = "data:,#dummy"; // We add #dummy so that the URL will be different enough to attempt a new load.
+    }
+    frame.onload = loadDifferentURL;
+    frame.src = "http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script>alert(/XSS/)</" + "script>";
+}
+
+window.onload = function ()
+{
+    frame = document.getElementById("frame");
+    runTest();
+}
+</script>
+</head>
+<body>
+    <script>
+        description("This tests that the URL of an iframe whose page triggered a full page block is not &quot;data:,&quot;.");
+    </script>
+    <iframe id="frame"></iframe>
+    <script src="/resources/js-test-post.js"></script>
+</body>
+</html>
index 20e948f..a7052ad 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=%3Cbase%20href='http://localhost:8000/security/xssAuditor/resources/base-href/'%3E
 There should be no content in the iframe below:
 
 
index 47111d4..08ea1a4 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-javascript-url.html&enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-iframe-javascript-url.html&enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E
 There should be no content in the iframe below:
 
 
index 17514fd..a4591a5 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 14: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%280%29%3Etest%3C/a%3E
 There should be no content in the iframe below:
 
 
index f35468b..62a04cd 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-link-onclick.html&enable-full-block=1&q=%3Ca%20onclick='alert(String.fromCharCode(0x58,0x53,0x53))'%3EClick%3C/a%3E
 There should be no content in the iframe below:
 
 
index 37533a6..3414c24 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-object-tag.html&enable-full-block=1&q=%3Cobject%20name='plugin'%20type='application/x-webkit-test-netscape'%3E%3Cparam%20name='movie'%20value='http://localhost:8000/security/xssAuditor/resources/dummy.swf'%20/%3E%3C/object%3E
 There should be no content in the iframe below:
 
 
index 93962a0..9ddacab 100644 (file)
@@ -1,8 +1,6 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-cross-domain.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
+CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 ALERT: URL mismatch: undefined vs. http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-cross-domain.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
 There should be no content in the iframe below:
 
index a3f0673..2dd074e 100644 (file)
@@ -1,9 +1,5 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-CONSOLE MESSAGE: line 19: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag.html&enable-full-block=1&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E
+CONSOLE MESSAGE: line 18: PASS: Referrer is the empty string.
 There should be no content in the iframe below:
 
 
index 1d435b5..e354b83 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/full-block-script-tag-with-source.html&enable-full-block=1&q=%3Cscript%20src='http://localhost:8000/security/xssAuditor/resources/xss.js'%3E%3C/script%3E
 There should be no content in the iframe below:
 
 
index 2e445c8..68c322e 100644 (file)
@@ -13,9 +13,15 @@ if (window.testRunner) {
 function checkframe()
 {
     try {
-      var ref = document.getElementById("frame").contentDocument.referrer;
-      alert('Referrer is "' + ref + '"'); 
-    } catch (e) {}
+        var referrer = document.getElementById("frame").contentDocument.referrer;
+        if (referrer === "") {
+            console.log('PASS: Referrer is the empty string.');
+        } else {
+            console.log('FAIL: Referrer should be empty string. Was "' + referrer + '".');
+        }
+    } catch (e) {
+        console.log('FAIL: same-origin access threw: \'' + e.toString() + '\'.');
+    }
     checkIfFrameLocationMatchesSrcAndCallDone('frame');
 }
 </script>
index 43e204b..4395ed2 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-03.html&notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 17: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-03.html&notifyDone=1&valid-header=3&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
 This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon following mode=blank. Although theoretically malformed, we tolerate this case without issuing an error.
 
 
index c7e3eda..5d4fe8b 100644 (file)
@@ -1,7 +1,4 @@
 CONSOLE MESSAGE: line 4: The XSS Auditor blocked access to 'http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-04.html&notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
-CONSOLE MESSAGE: line 16: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null".  The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
-
-ALERT: URL mismatch: undefined vs. http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/xss-protection-parsing-04.html&notifyDone=1&valid-header=4&q=%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E%3Cp%3EIf%20you%20see%20this%20message%20and%20no%20JavaScript%20alert()%20then%20the%20test%20PASSED.%3C/p%3E
 This tests that the X-XSS-Protection header is not ignored when the report and mode directives are swapped.
 
 
index e26ffd3..62f0465 100644 (file)
@@ -1,3 +1,24 @@
+2016-01-12  Daniel Bates  <dabates@apple.com>
+
+        XSS Auditor should navigate to empty substitute data on full page block
+        https://bugs.webkit.org/show_bug.cgi?id=152868
+        <rdar://problem/18658448>
+
+        Reviewed by David Kilzer and Andy Estes.
+
+        Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?view=rev&revision=179240>
+
+        Test: http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html
+
+        * html/parser/XSSAuditorDelegate.cpp:
+        (WebCore::XSSAuditorDelegate::didBlockScript): Modified to call NavigationScheduler::schedulePageBlock().
+        * loader/NavigationScheduler.cpp:
+        (WebCore::ScheduledPageBlock::ScheduledPageBlock): Added.
+        (WebCore::NavigationScheduler::schedulePageBlock): Navigate to empty substitute data with
+        the same URL as the originating document.
+        * loader/NavigationScheduler.h:
+
 2016-01-12  Dave Hyatt  <hyatt@apple.com>
 
         Avoid downloading the wrong image for <picture> elements.
index 2680f5d..bcdf882 100644 (file)
@@ -112,7 +112,7 @@ void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
     }
 
     if (xssInfo.m_didBlockEntirePage)
-        m_document.frame()->navigationScheduler().scheduleLocationChange(&m_document, m_document.securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
+        m_document.frame()->navigationScheduler().schedulePageBlock(m_document);
 }
 
 } // namespace WebCore
index cb53c69..346f8fe 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2010, 2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2009 Adam Barth. All rights reserved.
@@ -298,6 +298,31 @@ private:
     bool m_haveToldClient;
 };
 
+class ScheduledPageBlock final : public ScheduledNavigation {
+public:
+    ScheduledPageBlock(Document& originDocument)
+        : ScheduledNavigation(0, LockHistory::Yes, LockBackForwardList::Yes, false, false)
+        , m_originDocument(originDocument)
+    {
+    }
+
+    void fire(Frame& frame) override
+    {
+        UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
+
+        ResourceResponse replacementResponse(m_originDocument.url(), ASCIILiteral("text/plain"), 0, ASCIILiteral("UTF-8"));
+        SubstituteData replacementData(SharedBuffer::create(), m_originDocument.url(), replacementResponse, SubstituteData::SessionHistoryVisibility::Hidden);
+
+        ResourceRequest resourceRequest(m_originDocument.url(), emptyString(), ReloadIgnoringCacheData);
+        FrameLoadRequest frameRequest(m_originDocument.securityOrigin(), resourceRequest, lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::Yes, NewFrameOpenerPolicy::Allow, m_shouldOpenExternalURLsPolicy);
+        frameRequest.setSubstituteData(replacementData);
+        frame.loader().load(frameRequest);
+    }
+
+private:
+    Document& m_originDocument;
+};
+
 class ScheduledSubstituteDataLoad : public ScheduledNavigation {
 public:
     ScheduledSubstituteDataLoad(const URL& baseURL, const SubstituteData& substituteData)
@@ -480,6 +505,12 @@ void NavigationScheduler::scheduleSubstituteDataLoad(const URL& baseURL, const S
         schedule(std::make_unique<ScheduledSubstituteDataLoad>(baseURL, substituteData));
 }
 
+void NavigationScheduler::schedulePageBlock(Document& originDocument)
+{
+    if (shouldScheduleNavigation())
+        schedule(std::make_unique<ScheduledPageBlock>(originDocument));
+}
+
 void NavigationScheduler::timerFired()
 {
     if (!m_frame.page())
index dd61a76..b5cedf4 100644 (file)
@@ -76,6 +76,7 @@ public:
     void scheduleRefresh(Document* initiatingDocument);
     void scheduleHistoryNavigation(int steps);
     void scheduleSubstituteDataLoad(const URL& baseURL, const SubstituteData&);
+    void schedulePageBlock(Document& originDocument);
 
     void startTimer();