Implement NavigationScheduler::schedulePageBlock() as a redirect to empty substitute data.
This replaces the long-standing kludge of navigating to "data:," so that
we preserve the URL of the page that was blocked. Otherwise, cross-origin
detection of the XSSAuditor is possible via a variety of techniques owing
to the change in the URL.
We lose the benefit of the unique origin, however. I don't think it actually
provides any benefit, if only blank content is going into the replacement
page. As a consequence, the parent frame will successfully see same-origin
content in some of the tests. The cross-origin test remains unmodified,
showing that there aren't new leaks (full-block-script-tag-cross-domain).
The upside is I can remove a lot of logic that was introduced recently to
preserve pages for view-source of the blocked page. The window-open-block-mode
test is such an example. There will be more cleanup possible on the
chrome side once this CL lands.
BUG= 396544
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=179240
Total comments: 2
Changed files (stats: +34 lines, -65 lines)

| Status | File | Chunks | Stats | Comments |
|---|---|---|---|---|
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt | 1 chunk | +1 line, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html | 2 chunks | +3 lines, -3 lines | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt | 1 chunk | +1 line, -2 lines | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| D | LayoutTests/http/tests/security/xssAuditor/window-open-block-mode.html | 1 chunk | +0 lines, -29 lines | 0 comments |
| D | LayoutTests/http/tests/security/xssAuditor/window-open-block-mode-expected.txt | 1 chunk | +0 lines, -13 lines | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt | 1 chunk | +0 lines, -1 line | 0 comments |
| M | Source/core/loader/NavigationScheduler.cpp | 3 chunks | +21 lines, -1 line | 2 comments |

Total messages: 7 (0 generated)