Issue 128823003: XSSAuditor takes post body from current request, not the original request.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 128823003: XSSAuditor takes post body from current request, not the original request. (Closed)

Created:
6 years, 11 months ago by Tom Sepez

Modified:
6 years, 11 months ago

Reviewers:
abarth-chromium

CC:
blink-reviews, dglazkov+blink, adamk+blink_chromium.org

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

XSSAuditor takes post body from current request, not the original request. In the face of a redirect, the information in the original body can't be reflected in the final page, when we redirect from post to get, since the get has no body. And for a 307-style redirect from post to post, the body will appear in the final post. This avoids some false positives and also the possibility of some info leaks from the original post. BUG=331725 R=abarth@chromium.org Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=164749

Patch Set 1 #

Patch Set 2 : re-upload following branch #

Created: 6 years, 11 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+39 lines, -6 lines)			Patch
A +	LayoutTests/http/tests/security/xssAuditor/resources/static-script.html	View	1 chunk	+2 lines, -5 lines	0 comments	Download
A	LayoutTests/http/tests/security/xssAuditor/script-tag-post-redirect.html	View	1 chunk	+26 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/xssAuditor/script-tag-post-redirect-expected.txt	View	1 chunk	+10 lines, -0 lines	0 comments	Download
M	Source/core/html/parser/XSSAuditor.cpp	View	1 chunk	+1 line, -1 line	0 comments	Download

Messages

Total messages: 4 (0 generated)

Expand Messages | Collapse Messages

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/128823003/30001

6 years, 11 months ago (2014-01-09 06:05:14 UTC) #3

Message was sent while issue was closed.

Change committed as 164749

Expand Messages | Collapse Messages