XSSAuditor should catch reflected srcdoc properties even without a <frame> tag injection
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Nov 2013 18:02:18 +0000 (18:02 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Nov 2013 18:02:18 +0000 (18:02 +0000)
From Blink r160615 by <tsepez@chromium.org>
https://src.chromium.org/viewvc/blink?view=rev&revision=160615

Source/WebCore:

Test: http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::filterIframeToken):

LayoutTests:

* http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt: Added.
* http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html: Added.
* http/tests/security/xssAuditor/resources/echo-frame-src.pl: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@158676 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp

index 22cc3a1..e22d45f 100644 (file)
@@ -1,3 +1,14 @@
+2013-11-05  Daniel Bates  <dabates@apple.com>
+
+        XSSAuditor should catch reflected srcdoc properties even without a <frame> tag injection
+
+        From Blink r160615 by <tsepez@chromium.org>
+        https://src.chromium.org/viewvc/blink?view=rev&revision=160615
+
+        * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-frame-src.pl: Added.
+
 2013-11-05  Michał Pakuła vel Rutka  <m.pakula@samsung.com>
 
         Unreviewed EFL gardening
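Review bot: the new LayoutTests/ChangeLog entry has no "Reviewed by" line between the title and the Blink provenance lines. WebKit ChangeLog entries record the reviewer, or say "Unreviewed" as the neighbouring EFL gardening entry does; add one so the merge's review status is on record.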
diff --git a/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt b/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt
new file mode 100644 (file)
index 0000000..d8ec73d
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22%3Cscript%3Ealert(0)%3C/script%3E' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.
+Catch injected srcdoc properties when there is punctuation enabling the auditor
+
+
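Review bot: the expected console message hard-codes "line 4" and the full localhost:8000 URL with the encoded query. Line 4 is the `<iframe src=...>` line of the document produced by echo-frame-src.pl, so any change to the echo script's preamble or to the query string in the test will silently invalidate this expectation; a short comment in the test pointing at this coupling would save the next person a confusing diff.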
diff --git a/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html b/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html
new file mode 100644 (file)
index 0000000..3ebc6ea
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>Catch injected srcdoc properties when there is punctuation enabling the auditor</p>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/echo-frame-src.pl?q=%22srcdoc=%22<script>alert(0)</script>'>
+</body>
+</html>
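Review bot: the `<iframe src='...'>` in the body is never closed. Because the parser treats iframe content as raw text until an `</iframe>` end tag, the following `</body>` and `</html>` are swallowed as the iframe's fallback text. The test still works, but add `</iframe>` so the document is well-formed. It would also help to state the failure mode in the `<p>` text or a comment: if the auditor misses the reflected srcdoc, `alert(0)` runs and shows up as an ALERT line in the dump, which is what makes the expectation file meaningful.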
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl
new file mode 100755 (executable)
index 0000000..a88571f
--- /dev/null
@@ -0,0 +1,14 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body>\n";
+print "<iframe src=\"".$cgi->param('q')."\"></iframe>\n";
+print "</body>\n";
+print "</html>\n";
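Review bot: `$cgi->param('q')` is interpolated into the `src` attribute with no escaping, and no `X-XSS-Protection` or `Content-Security-Policy` header is sent. Both are the point of this fixture (the expected output relies on the auditor being enabled because neither header is present), so add a one-line comment saying the reflection and the missing headers are deliberate, to keep a well-meaning cleanup from "fixing" the test resource. Minor: `my $cgi = new CGI;` uses indirect-object syntax; `CGI->new` is the conventional form.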
index 358c539..923693e 100644 (file)
@@ -1,3 +1,15 @@
+2013-11-05  Daniel Bates  <dabates@apple.com>
+
+        XSSAuditor should catch reflected srcdoc properties even without a <frame> tag injection
+
+        From Blink r160615 by <tsepez@chromium.org>
+        https://src.chromium.org/viewvc/blink?view=rev&revision=160615
+
+        Test: http/tests/security/xssAuditor/iframe-srcdoc-property-blocked.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::filterIframeToken):
+
 2013-11-05  Éva Balázsfalvi  <balazsfalvi.eva@stud.u-szeged.hu>
 
         Delete maketokenizer.
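Review bot: the Source/WebCore ChangeLog entry names the changed function but does not say what changed or why. The substantive change is that the srcdoc check in `XSSAuditor::filterIframeToken` now runs regardless of whether the iframe tag name is found in the request; one sentence tying that to the "even without a <frame> tag injection" case in the title would make the entry useful to anyone reading history. The "Reviewed by" line is also missing here.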
index fae0349..65f1468 100644 (file)
@@ -471,11 +471,10 @@ bool XSSAuditor::filterIframeToken(const FilterTokenRequest& request)
     ASSERT(request.token.type() == HTMLToken::StartTag);
     ASSERT(hasName(request.token, iframeTag));
 
-    bool didBlockScript = false;
-    if (isContainedInRequest(decodedSnippetForName(request))) {
+    bool didBlockScript = eraseAttributeIfInjected(request, srcdocAttr, String(), ScriptLikeAttribute);
+    if (isContainedInRequest(decodedSnippetForName(request)))
         didBlockScript |= eraseAttributeIfInjected(request, srcAttr, String(), SrcLikeAttribute);
-        didBlockScript |= eraseAttributeIfInjected(request, srcdocAttr, String(), ScriptLikeAttribute);
-    }
+
     return didBlockScript;
 }
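Review bot: after this hunk `eraseAttributeIfInjected(request, srcdocAttr, String(), ScriptLikeAttribute)` runs for every `<iframe>` start tag, while the `srcAttr` check remains gated on `isContainedInRequest(decodedSnippetForName(request))`. That asymmetry is the fix the title describes (a reflected srcdoc value is caught even when the tag itself was not injected), but nothing in the code says so; a short comment above the new `didBlockScript` initialisation explaining why srcdoc alone is checked unconditionally would keep a future refactor from folding it back under the guard. Dropping the braces on the now single-statement `if` matches WebKit style, and the blank line left where the closing brace was is fine.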