Title: [133249] trunk
Revision
133249
Author
tse...@chromium.org
Date
2012-11-01 18:22:15 -0700 (Thu, 01 Nov 2012)

Log Message

XSS blocker false positive when page contains <iframe src=""
https://bugs.webkit.org/show_bug.cgi?id=93416

Reviewed by Adam Barth.

Source/WebCore:

Treat src="" and src="" as safe resources even if they appear
in the query parameters.

Tests: http/tests/security/xssAuditor/iframe-injection-allowed-2.html
       http/tests/security/xssAuditor/iframe-injection-allowed-3.html
       http/tests/security/xssAuditor/iframe-injection-allowed.html

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::isLikelySafeResource):

LayoutTests:

* http/tests/security/xssAuditor/iframe-injection-allowed-2-expected.txt: Added.
* http/tests/security/xssAuditor/iframe-injection-allowed-2.html: Added.
* http/tests/security/xssAuditor/iframe-injection-allowed-3-expected.txt: Added.
* http/tests/security/xssAuditor/iframe-injection-allowed-3.html: Added.
* http/tests/security/xssAuditor/iframe-injection-allowed-expected.txt: Added.
* http/tests/security/xssAuditor/iframe-injection-allowed.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (133248 => 133249)


--- trunk/LayoutTests/ChangeLog	2012-11-02 01:19:02 UTC (rev 133248)
+++ trunk/LayoutTests/ChangeLog	2012-11-02 01:22:15 UTC (rev 133249)
@@ -1,3 +1,17 @@
+2012-11-01  Tom Sepez  <tse...@chromium.org>
+
+        XSS blocker false positive when page contains <iframe src=""
+        https://bugs.webkit.org/show_bug.cgi?id=93416
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/iframe-injection-allowed-2-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-injection-allowed-2.html: Added.
+        * http/tests/security/xssAuditor/iframe-injection-allowed-3-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-injection-allowed-3.html: Added.
+        * http/tests/security/xssAuditor/iframe-injection-allowed-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-injection-allowed.html: Added.
+
 2012-11-01  Tien-Ren Chen  <trc...@chromium.org>
 
         Fix assertion failure in RenderGeometryMap::absoluteRect when frame scale != 1.0

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2-expected.txt (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2-expected.txt	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,2 @@
+This test passes because the injected iframe is from about:blank and is harmless.
+

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2.html (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-2.html	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+This test passes because the injected iframe is from about:blank and is harmless.<br/>
+<iframe src=""
+</iframe>
+</body>
+</html>
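Review bot: the expectation text `This test passes because the injected iframe is from about:blank and is harmless.` does not match the markup, where the iframe's `src` is empty rather than `about:blank`, and the `<iframe src=""` start tag is never closed before `</iframe>`. If this file is meant to cover the `about:blank` branch of the new `isLikelySafeResource` check, give it `src="about:blank"` and close the tag; otherwise it duplicates the empty-src case already covered by iframe-injection-allowed-3.html.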

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3-expected.txt (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3-expected.txt	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,2 @@
+This test passes because the injected iframe has an empty src and is harmless.
+

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3.html (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-3.html	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+This test passes because the injected iframe has an empty src and is harmless.<br/>
+<iframe src=""
+</iframe>
+</body>
+</html>
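Review bot: the `<iframe src=""` start tag is not closed before `</iframe>`, so the parser sees different markup from what the expectation text describes; add the `>`. Also, nothing in this file supplies a query string, while the XSSAuditor.cpp comment attributes the false positive to the empty resource URL inheriting the document's query args, so the test alone does not show that the pre-fix code would have blocked this iframe; consider documenting how the page is loaded or adding a query parameter.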

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-expected.txt (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed-expected.txt	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,2 @@
+This test passes because the injected iframe is from the same host as the child frame.
+

Added: trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed.html (0 => 133249)


--- trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/iframe-injection-allowed.html	2012-11-02 01:22:15 UTC (rev 133249)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+This test passes because the injected iframe is from the same host as the child frame.<br/>
+<iframe src=""
+</iframe>
+</body>
+</html>
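Review bot: the expectation text says the iframe is allowed because it is from the same host as the child frame, but the markup shows an empty `src`, which is handled by the new empty-URL early return rather than the same-host comparison further down in `isLikelySafeResource`. Point `src` at a same-host URL (or adjust the expectation text) so the test exercises the path it claims to.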

Modified: trunk/Source/WebCore/ChangeLog (133248 => 133249)


--- trunk/Source/WebCore/ChangeLog	2012-11-02 01:19:02 UTC (rev 133248)
+++ trunk/Source/WebCore/ChangeLog	2012-11-02 01:22:15 UTC (rev 133249)
@@ -1,3 +1,20 @@
+2012-11-01  Tom Sepez  <tse...@chromium.org>
+
+        XSS blocker false positive when page contains <iframe src=""
+        https://bugs.webkit.org/show_bug.cgi?id=93416
+
+        Reviewed by Adam Barth.
+
+        Treat src="" and src="" as safe resources even if they appear
+        in the query parameters.
+
+        Tests: http/tests/security/xssAuditor/iframe-injection-allowed-2.html
+               http/tests/security/xssAuditor/iframe-injection-allowed-3.html
+               http/tests/security/xssAuditor/iframe-injection-allowed.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::isLikelySafeResource):
+
 2012-11-01  Tien-Ren Chen  <trc...@chromium.org>
 
         Fix assertion failure in RenderGeometryMap::absoluteRect when frame scale != 1.0
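Review bot: the ChangeLog line `Treat src="" and src="" as safe resources even if they appear` names the same value twice; the code change handles the empty URL and `blankURL()`, so the second should presumably read `src="about:blank"`.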

Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (133248 => 133249)


--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2012-11-02 01:19:02 UTC (rev 133248)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2012-11-02 01:22:15 UTC (rev 133249)
@@ -614,6 +614,12 @@
 
 bool XSSAuditor::isLikelySafeResource(const String& url)
 {
+    // Give empty URLs and about:blank a pass. Making a resourceURL from an
+    // empty string below will likely later fail the "no query args test" as
+    // it inherits the document's query args.
+    if (url.isEmpty() || url == blankURL().string())
+        return true;
+
     // If the resource is loaded from the same host as the enclosing page, it's
     // probably not an XSS attack, so we reduce false positives by allowing the
     // request, ignoring scheme and port considerations. If the resource has a
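Review bot: the early return compares the raw `url` string against `blankURL().string()`, so only the exact canonical spelling of about:blank takes the shortcut; any other spelling falls through to the existing same-host and query-args checks, which is the safe direction but worth stating in the comment. Also consider replacing `will likely later fail the "no query args test"` with a statement of what actually happens, since this comment is the only record of why an otherwise suspicious empty URL is allowlisted; the widening itself is reasonable, as neither an empty nor an about:blank src fetches attacker-supplied content.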
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
