Title: [148491] branches/safari-536.30-branch
Revision
148491
Author
[email protected]
Date
2013-04-15 21:37:13 -0700 (Mon, 15 Apr 2013)

Log Message

Merged r142063.

    2013-02-06  Tom Sepez  <[email protected]>

document.referrer leakage with XSS Auditor page block
https://bugs.webkit.org/show_bug.cgi?id=109089

Reviewed by Adam Barth.

Source/WebCore:

Pass "about:blank" as referrer instead of "" so that the actual page
is not leaked when empty referrers are replaced later on in the
request.

* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript):

LayoutTests:

Test prints the referrer to show it isn't leaked.

* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag.html:

Modified Paths

Diff

Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148490 => 148491)


--- branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-16 03:41:29 UTC (rev 148490)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-04-16 04:37:13 UTC (rev 148491)
@@ -1,5 +1,21 @@
 2013-04-15  Andy Estes  <[email protected]>
 
+        Merged r142063.
+
+    2013-02-06  Tom Sepez  <[email protected]>
+
+        document.referrer leakage with XSS Auditor page block
+        https://bugs.webkit.org/show_bug.cgi?id=109089
+
+        Reviewed by Adam Barth.
+
+        Test prints the referrer to show it isn't leaked.
+        
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag.html:
+
+2013-04-15  Andy Estes  <[email protected]>
+
         Merged r139111.
 
     2013-01-08  Tom Sepez  <[email protected]>
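Review bot: The otherwise-blank line between "Test prints the referrer to show it isn't leaked." and the file list carries trailing spaces; the surrounding ChangeLog entries use truly empty separator lines, so strip the whitespace before landing to keep the merged entry consistent with the rest of the file.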

Modified: branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt (148490 => 148491)


--- branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt	2013-04-16 03:41:29 UTC (rev 148490)
+++ branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt	2013-04-16 04:37:13 UTC (rev 148491)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
 
+ALERT: Referrer is ""
 There should be no content in the iframe below:
 
 
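Review bot: The new `ALERT: Referrer is ""` line pins the non-leak case as an empty string, while the corresponding WebCore change passes `blankURL()` as the referrer; a reader comparing the two will expect `about:blank` here. Add a sentence to the test's ChangeLog entry (or a comment in the test) stating that a navigation scheduled with an about:blank referrer surfaces as an empty `document.referrer` in the frame, so the expectation is understood as intentional rather than as a stale result.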

Modified: branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html (148490 => 148491)


--- branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html	2013-04-16 03:41:29 UTC (rev 148490)
+++ branches/safari-536.30-branch/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html	2013-04-16 04:37:13 UTC (rev 148491)
@@ -9,11 +9,20 @@
     layoutTestController.waitUntilDone();
     layoutTestController.setXSSAuditorEnabled(true);
 }
+
+function checkframe()
+{
+    try {
+      var ref = document.getElementById("frame").contentDocument.referrer;
+      alert('Referrer is "' + ref + '"'); 
+    } catch (e) {}
+    checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank');
+}
 </script>
 </head>
 <body>
 <p>There should be no content in the iframe below:</p>
-<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src=""
+<iframe id="frame" _onload_="checkframe()" src=""
 </iframe>
 </body>
 </html>
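Review bot: `catch (e) {}` in `checkframe()` swallows any failure to read `contentDocument.referrer`, so a thrown exception leaves the expected-output file with no `ALERT:` line at all and the test fails on a bare text mismatch with no indication of why. Alert in the catch branch as well, e.g. `alert('Referrer could not be read: ' + e);`, so the failure mode is self-describing. Minor: the `alert(...)` line has trailing whitespace, and the body of the `try` is indented two spaces where the rest of the script uses four.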

Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148490 => 148491)


--- branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-16 03:41:29 UTC (rev 148490)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-04-16 04:37:13 UTC (rev 148491)
@@ -1,5 +1,23 @@
 2013-04-15  Andy Estes  <[email protected]>
 
+        Merged r142063.
+
+    2013-02-06  Tom Sepez  <[email protected]>
+
+        document.referrer leakage with XSS Auditor page block
+        https://bugs.webkit.org/show_bug.cgi?id=109089
+
+        Reviewed by Adam Barth.
+
+        Pass "about:blank" as referrer instead of "" so that the actual page
+        is not leaked when empty referrers are replaced later on in the
+        request.
+        
+        * html/parser/XSSAuditorDelegate.cpp:
+        (WebCore::XSSAuditorDelegate::didBlockScript):
+
+2013-04-15  Andy Estes  <[email protected]>
+
         Merged r139111.
 
     2013-01-08  Tom Sepez  <[email protected]>
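Review bot: The merged entry lists `* html/parser/XSSAuditorDelegate.cpp:` / `(WebCore::XSSAuditorDelegate::didBlockScript):`, but the file actually changed on this branch is `html/parser/XSSAuditor.cpp`; the entry was carried over verbatim from trunk, where the delegate split exists. Adjust the file and function lines to match the branch (the call site being changed is in XSSAuditor.cpp), otherwise anyone using the ChangeLog to locate the fix on safari-536.30-branch will be sent to a file that is not there. The line after "request." also carries trailing whitespace.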

Modified: branches/safari-536.30-branch/Source/WebCore/html/parser/XSSAuditor.cpp (148490 => 148491)


--- branches/safari-536.30-branch/Source/WebCore/html/parser/XSSAuditor.cpp	2013-04-16 03:41:29 UTC (rev 148490)
+++ branches/safari-536.30-branch/Source/WebCore/html/parser/XSSAuditor.cpp	2013-04-16 04:37:13 UTC (rev 148491)
@@ -269,7 +269,7 @@
         }
 
         if (didBlockEntirePage)
-            m_parser->document()->frame()->navigationScheduler()->scheduleLocationChange(m_parser->document()->securityOrigin(), blankURL(), String());
+            m_parser->document()->frame()->navigationScheduler()->scheduleLocationChange(m_parser->document()->securityOrigin(), blankURL(), blankURL());
     }
 }
 
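Review bot: The reason for passing `blankURL()` rather than `String()` as the third argument is stated only in the ChangeLog; put a one-line comment at the call site, along the lines of `// Pass about:blank as the referrer: an empty referrer is replaced with the document's own URL later in the request, leaking the blocked page (bug 109089).` Without it, a later cleanup that "simplifies" the argument back to an empty string would silently reintroduce the leak, and nothing in the code would flag the change as meaningful.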
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
