Block Service Workers containing parts of their query string as XSS.

Block Service Workers containing parts of their query string as XSS.

In particular, this avoids errors with ?callback= URLs serving data as
text/javascript.

BUG=422966

[jww, 2015-08-21 17:55:46]

jww@chromium.org changed reviewers:
+ jww@chromium.org

[jww, 2015-08-21 17:55:47]

https://codereview.chromium.org/1308703002/diff/1/Source/web/WebEmbeddedWorke...
File Source/web/WebEmbeddedWorkerImpl.h (right):

https://codereview.chromium.org/1308703002/diff/1/Source/web/WebEmbeddedWorke...
Source/web/WebEmbeddedWorkerImpl.h:131: String checkForReflectedXSS();
We might want to generalize this in some way into a utility function, in case we
want to extend this to other types of dynamically loaded script eventually.

[jeremyarcher, 2015-08-27 06:47:21]

jeremyarcher@google.com changed reviewers:
+ tsepez@chromium.org

[jeremyarcher, 2015-08-27 06:47:22]

+tsepez for security review (once !OoO)
+falken, kinuko for code structure. Feel free to bump to R=

[Tom Sepez, 2015-08-31 16:41:19]

I suspect this will be easy to bypass and will have large false positive rates,
etc.

Take a look at the details of XSSAuditor.cpp.  I', sorry but I don't think this
buys us much without a lot more sophistication.

https://codereview.chromium.org/1308703002/diff/1/Source/web/WebEmbeddedWorke...
File Source/web/WebEmbeddedWorkerImpl.cpp (right):

https://codereview.chromium.org/1308703002/diff/1/Source/web/WebEmbeddedWorke...
Source/web/WebEmbeddedWorkerImpl.cpp:339: if (segment.sizeInBytes() > 20) {
why 20?

https://codereview.chromium.org/1308703002/diff/1/Source/web/WebEmbeddedWorke...
Source/web/WebEmbeddedWorkerImpl.cpp:341: if (script.contains(segment)) {
what about multiple decodings? e.g. %2525332 etc. See XSSAuditor.