2011-02-03 Adam Barth <abarth@webkit.org>
author    abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Feb 2011 08:59:03 +0000 (08:59 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Feb 2011 08:59:03 +0000 (08:59 +0000)
        Reviewed by Daniel Bates.

        Teach XSSFilter about data URLs
        https://bugs.webkit.org/show_bug.cgi?id=53662

        Tests that the XSS filter doesn't block script in data URLs.

        * http/tests/security/xssAuditor/data-urls-work-expected.txt: Added.
        * http/tests/security/xssAuditor/data-urls-work.html: Added.
2011-02-03  Adam Barth  <abarth@webkit.org>

        Reviewed by Daniel Bates.

        Teach XSSFilter about data URLs
        https://bugs.webkit.org/show_bug.cgi?id=53662

        The XSS filter doesn't really make sense for data URLs because
        everything in a "response" from a data URL was part of the request.

        Test: http/tests/security/xssAuditor/data-urls-work.html

        * html/parser/XSSFilter.cpp:
        (WebCore::XSSFilter::init):
        (WebCore::XSSFilter::filterToken):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77470 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/data-urls-work.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSFilter.cpp
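The commit message's rationale is that a reflective-XSS check compares the script the parser sees against the request URL, and for a data: URL the "response" is literally the request. The following toy model, an added example and not WebKit's XSSFilter code, shows the heuristic catching a real reflection on an http URL, passing a non-reflected inline script, and then flagging every script in a data: document as "reflected", which is why the patch disables the filter for that scheme. The regex script extractor, `decodeUrlForMatching`, `dataUrlBody` and the sample URLs are assumptions constructed for the example; the real filter works on HTML tokens and on percent-decoded URL text.

```javascript
// Added example (not WebKit code): a toy model of the reflective-XSS heuristic
// behind WebKit's XSSFilter, showing why it is meaningless for data: URLs.

// Decode a request URL the way a reflection check would. decodeURIComponent
// throws on malformed escapes, so fall back to the raw text rather than failing.
function decodeUrlForMatching(url) {
  try {
    return decodeURIComponent(url);
  } catch (e) {
    return url;
  }
}

// Extract inline <script> bodies from an HTML response.
// Toy regex parser (assumption): the real filter walks HTMLTokens instead.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    bodies.push(m[1]);
  }
  return bodies;
}

// Reflection check: an inline script whose body appears verbatim in the
// decoded request URL is treated as reflected and gets blocked.
function auditInlineScripts(requestUrl, responseHtml) {
  const decoded = decodeUrlForMatching(requestUrl);
  return inlineScripts(responseHtml).map(body => ({
    body,
    blocked: body.trim().length > 0 && decoded.includes(body),
  }));
}

// Model of the patch's init() change: skip the audit entirely for data: URLs.
function filterEnabledFor(url) {
  return !/^data:/i.test(url);
}

// For a data:text/html URL the response body is the URL after the comma.
// Hypothetical helper; handles percent-encoding only, not ;base64.
function dataUrlBody(url) {
  const comma = url.indexOf(',');
  return decodeUrlForMatching(url.slice(comma + 1));
}

// Full decision: what the filter would do for a given document URL and body.
function decideBlocks(documentUrl, responseHtml) {
  if (!filterEnabledFor(documentUrl)) {
    return inlineScripts(responseHtml).map(body => ({ body, blocked: false }));
  }
  return auditInlineScripts(documentUrl, responseHtml);
}

// Constructed sample inputs (not from the original page).
const REFLECTED_URL = 'http://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E';
const REFLECTED_HTML = '<p>Results for <script>alert(1)</script></p>';
const CLEAN_URL = 'http://example.test/';
const CLEAN_HTML = '<script>alert(\'PASS\');</script>';
// The iframe src from the commit's layout test.
const DATA_URL = 'data:text/html,<script>alert(\'PASS\');</script>';

// Without the scheme check, every script in a data: document is "reflected".
function naiveDataUrlVerdict() {
  return auditInlineScripts(DATA_URL, dataUrlBody(DATA_URL));
}
```

`auditInlineScripts(REFLECTED_URL, REFLECTED_HTML)` blocks the reflected script and leaves `CLEAN_HTML` on `CLEAN_URL` alone, but `naiveDataUrlVerdict()` blocks the data: document's only script, since its body necessarily appears in its own URL; `decideBlocks(DATA_URL, dataUrlBody(DATA_URL))` is the post-patch behaviour and lets it run.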

index 5a6a718c3a8a443416a888ca6f709361a7f1fe39..1718c378fdfb1fc9334b2dd843e8be89feb2b336 100644 (file)
@@ -1,3 +1,15 @@
+2011-02-03  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Teach XSSFilter about data URLs
+        https://bugs.webkit.org/show_bug.cgi?id=53662
+
+        Tests that the XSS filter doesn't block script in data URLs.
+
+        * http/tests/security/xssAuditor/data-urls-work-expected.txt: Added.
+        * http/tests/security/xssAuditor/data-urls-work.html: Added.
+
 2011-02-02  Chris Evans  <cevans@chromium.org>
 
         Reviewed by Darin Fisher.
diff --git a/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt b/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html b/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html
new file mode 100644 (file)
index 0000000..0f04fd4
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="data:text/html,<script>alert('PASS');</script>"></iframe>
+</body>
+</html>
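Review bot: The test covers only the newly exempted path; it has no assertion that the auditor is still active for the http document that hosts the iframe, so a regression that disabled the filter for every scheme would pass this test unchanged. The other tests under http/tests/security/xssAuditor/ are what guard against that, so no change is needed here, but a one-line comment above the iframe saying that the PASS alert must not be blocked because the data: document has no response distinct from its URL would make the intent readable without the ChangeLog.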
index dfea3498f58a489c32b9a134fcd213f989ea7db4..09b515978cbb0542fc442e75347c62bac50b5535 100644 (file)
@@ -1,3 +1,19 @@
+2011-02-03  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Teach XSSFilter about data URLs
+        https://bugs.webkit.org/show_bug.cgi?id=53662
+
+        The XSS filter doesn't really make sense for data URLs because
+        everything in a "response" from a data URL was part of the request.
+
+        Test: http/tests/security/xssAuditor/data-urls-work.html
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::XSSFilter::init):
+        (WebCore::XSSFilter::filterToken):
+
 2011-02-02  Chris Evans  <cevans@chromium.org>
 
         Reviewed by Darin Fisher.
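Review bot: The entry lists (WebCore::XSSFilter::filterToken) but does not say why it changed: the `!m_isEnabled` check was moved after the lazy `init()` call because `init()` can now clear `m_isEnabled` for data: URLs. A sentence such as "filterToken now calls init() before testing m_isEnabled, since init() may disable the filter" would make the reordering reviewable from the ChangeLog alone.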
index f806ca4a8ad7abf50a49653a758c23f19bc98530..212d2e53d812dcffcbff6a33fe56c6b502de06e5 100644 (file)
@@ -140,8 +140,12 @@ void XSSFilter::init()
     ASSERT(m_isEnabled);
 
     const TextEncoding& encoding = m_parser->document()->decoder()->encoding();
-    String url = m_parser->document()->url().string();
-    m_decodedURL = decodeURL(url, encoding);
+    const KURL& url = m_parser->document()->url();
+    if (url.protocolIsData()) {
+        m_isEnabled = false;
+        return;
+    }
+    m_decodedURL = decodeURL(url.string(), encoding);
 
     // In theory, the Document could have detached from the Frame after the
     // XSSFilter was constructed.
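Review bot: The early return `if (url.protocolIsData()) { m_isEnabled = false; return; }` carries no comment, so the rationale that a data: document's "response" is entirely part of the request exists only in the ChangeLog; add it as a comment above the check so the next reader does not take the exemption for a bypass. Note also that the return happens before `m_decodedURL` is assigned, so the filter stays quiet only because `m_isEnabled` is cleared at the same time; the two must keep changing together.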
@@ -164,12 +168,12 @@ void XSSFilter::filterToken(HTMLToken& token)
     ASSERT_UNUSED(token, &token);
     return;
 #else
+    if (m_isEnabled && m_decodedURL.isEmpty())
+        init();
+
     if (!m_isEnabled || m_xssProtection == XSSProtectionDisabled)
         return;
 
-    if (m_decodedURL.isEmpty())
-        init();
-
     bool didBlockScript = false;
 
     switch (m_state) {
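Review bot: Moving the `init()` call ahead of the `!m_isEnabled` test is required, since `init()` can now flip `m_isEnabled` off, but `m_decodedURL.isEmpty()` is still the "not yet initialised" sentinel. For a non-data: document whose decoded URL is empty, that condition stays true and `init()` runs again on every token; the data: case only avoids this because `m_isEnabled` is cleared. An explicit `m_didInit` flag set at the top of `init()` would make `if (m_isEnabled && !m_didInit) init();` correct regardless of what `decodeURL` returns.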