Skip to site navigation (Press enter)

[webkit-changes] [142063] trunk

tsepez Wed, 06 Feb 2013 19:12:21 -0800

Title: [142063] trunk

Revision: 142063
Author: tse...@chromium.org
Date: 2013-02-06 19:14:15 -0800 (Wed, 06 Feb 2013)

Log Message

document.referrer leakage with XSS Auditor page block
https://bugs.webkit.org/show_bug.cgi?id=109089


Reviewed by Adam Barth.

Source/WebCore:

Pass "about:blank" as referrer instead of "" so that the actual page
is not leaked when empty referrers are replaced later on in the
request.

* html/parser/XSSAuditorDelegate.cpp:
(WebCore::XSSAuditorDelegate::didBlockScript):

LayoutTests:

Test prints the referrer to show it isn't leaked.

* http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag.html:

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (142062 => 142063)


--- trunk/LayoutTests/ChangeLog	2013-02-07 02:50:52 UTC (rev 142062)
+++ trunk/LayoutTests/ChangeLog	2013-02-07 03:14:15 UTC (rev 142063)
@@ -1,3 +1,15 @@
+2013-02-06  Tom Sepez  <tse...@chromium.org>
+
+        document.referrer leakage with XSS Auditor page block
+        https://bugs.webkit.org/show_bug.cgi?id=109089
+
+        Reviewed by Adam Barth.
+
+        Test prints the referrer to show it isn't leaked.
+        
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
+        * http/tests/security/xssAuditor/full-block-script-tag.html:
+
 2013-02-06  Matt Falkenhagen  <fal...@chromium.org>
 
         Unreviewed gardening. Marking gl-vertexattribpointer.html as slow.

Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt (142062 => 142063)


--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt	2013-02-07 02:50:52 UTC (rev 142062)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt	2013-02-07 03:14:15 UTC (rev 142063)
@@ -1,5 +1,6 @@
 CONSOLE MESSAGE: line 4: Refused to execute a _javascript_ script. Source code of script found within request.
 
+ALERT: Referrer is ""
 There should be no content in the iframe below:

Modified: trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html (142062 => 142063)


--- trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html	2013-02-07 02:50:52 UTC (rev 142062)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html	2013-02-07 03:14:15 UTC (rev 142063)
@@ -9,11 +9,20 @@
     testRunner.waitUntilDone();
     testRunner.setXSSAuditorEnabled(true);
 }
+
+function checkframe()
+{
+    try {
+      var ref = document.getElementById("frame").contentDocument.referrer;
+      alert('Referrer is "' + ref + '"'); 
+    } catch (e) {}
+    checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank');
+}
 </script>
 </head>
 <body>
 <p>There should be no content in the iframe below:</p>
-<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src=""
+<iframe id="frame" _onload_="checkframe()" src=""
 </iframe>
 </body>
 </html>

Modified: trunk/Source/WebCore/ChangeLog (142062 => 142063)


--- trunk/Source/WebCore/ChangeLog	2013-02-07 02:50:52 UTC (rev 142062)
+++ trunk/Source/WebCore/ChangeLog	2013-02-07 03:14:15 UTC (rev 142063)
@@ -1,3 +1,17 @@
+2013-02-06  Tom Sepez  <tse...@chromium.org>
+
+        document.referrer leakage with XSS Auditor page block
+        https://bugs.webkit.org/show_bug.cgi?id=109089
+
+        Reviewed by Adam Barth.
+
+        Pass "about:blank" as referrer instead of "" so that the actual page
+        is not leaked when empty referrers are replaced later on in the
+        request.
+        
+        * html/parser/XSSAuditorDelegate.cpp:
+        (WebCore::XSSAuditorDelegate::didBlockScript):
+
 2013-02-06  Kentaro Hara  <hara...@chromium.org>
 
         [V8] Make an Isolate parameter mandatory in GetTemplate() and GetRawTemplate()

Modified: trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp (142062 => 142063)


--- trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp	2013-02-07 02:50:52 UTC (rev 142062)
+++ trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp	2013-02-07 03:14:15 UTC (rev 142063)
@@ -83,7 +83,7 @@
     }
 
     if (xssInfo.m_didBlockEntirePage)
-        m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), blankURL(), String());
+        m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), blankURL(), blankURL());
 }
 
 } // namespace WebCore

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes