Chromium Code Reviews
Help | Chromium Project | Sign in
(163)

Issue 18865003: Do not allow HTTP refresh headers to refresh to javascript: URLs. (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
9 months, 2 weeks ago by Tom Sepez
Modified:
9 months, 1 week ago
Reviewers:
abarth
CC:
blink-reviews_chromium.org, dglazkov+blink_chromium.org, Nate Chapin, eae+blinkwatch_chromium.org, adamk+blink_chromium.org, gavinp+loader_chromium.org
Visibility:
Public.

Description

Do not allow HTTP refresh headers to refresh to javascript: URLs.

This behaviour has been standard in IE since IE7. This makes us both
more compatible and less vulnerable to XSS.

BUG=258151
R=abarth@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=153912

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+33 lines, -7 lines) Lint Patch
A + LayoutTests/http/tests/security/no-javascript-refresh.php View 1 chunk +6 lines, -5 lines 0 comments ? errors Download
A LayoutTests/http/tests/security/no-javascript-refresh-expected.txt View 1 chunk +2 lines, -0 lines 0 comments ? errors Download
A LayoutTests/http/tests/security/no-javascript-refresh-static.html View 1 chunk +11 lines, -0 lines 0 comments ? errors Download
A LayoutTests/http/tests/security/no-javascript-refresh-static-expected.txt View 1 chunk +2 lines, -0 lines 0 comments ? errors Download
M Source/core/dom/Document.cpp View 1 chunk +6 lines, -1 line 0 comments 2 errors Download
M Source/core/loader/FrameLoader.cpp View 1 chunk +6 lines, -1 line 0 comments 2 errors Download
Commit:

Messages

Total messages: 4
Tom Sepez
Adam, please review.
9 months, 2 weeks ago #1
abarth
LGTM. We might want to mention this change in the blog post for M30. Would ...
9 months, 2 weeks ago #2
I haz the power (commit-bot)
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/18865003/1
9 months, 1 week ago #3
I haz the power (commit-bot)
9 months, 1 week ago #4
Message was sent while issue was closed.
Change committed as 153912
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld 1280:2d3e6564b7b6