Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(900)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/html/parser/XSSAuditor.cpp

Issue 644663003: Apply XSSAuditor to html5 import (i.e. <link rel="import">) tags. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/html/parser/XSSAuditor.h ('K') | « Source/core/html/parser/XSSAuditor.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/html/parser/XSSAuditor.cpp
diff --git a/Source/core/html/parser/XSSAuditor.cpp b/Source/core/html/parser/XSSAuditor.cpp
index f42c05a9b72e1e6920d8497a4c4d7c38d1aa3dd1..657867943439a345b9ebbd5ea657a00b70cc05cd 100644
--- a/Source/core/html/parser/XSSAuditor.cpp
+++ b/Source/core/html/parser/XSSAuditor.cpp
@@ -444,6 +444,8 @@ bool XSSAuditor::filterStartToken(const FilterTokenRequest& request)
didBlockScript |= filterInputToken(request);
else if (hasName(request.token, buttonTag))
didBlockScript |= filterButtonToken(request);
+ else if (hasName(request.token, linkTag))
+ didBlockScript |= filterLinkToken(request);
return didBlockScript;
}
@@ -600,6 +602,22 @@ bool XSSAuditor::filterButtonToken(const FilterTokenRequest& request)
return eraseAttributeIfInjected(request, formactionAttr, kURLWithUniqueOrigin, SrcLikeAttributeTruncation);
}
+bool XSSAuditor::filterLinkToken(const FilterTokenRequest& request)
+{
+ ASSERT(request.token.type() == HTMLToken::StartTag);
+ ASSERT(hasName(request.token, linkTag));
+
+ size_t indexOfAttribute = 0;
+ if (!findAttributeWithName(request.token, relAttr, indexOfAttribute))
+ return false;
+
+ const HTMLToken::Attribute& attribute = request.token.attributes().at(indexOfAttribute);
+ if (!equalIgnoringCase(String(attribute.value), "import"))
+ return false;
+
+ return eraseAttributeIfInjected(request, hrefAttr, kURLWithUniqueOrigin, SrcLikeAttributeTruncation, AllowSameOriginHref);
+}
+
bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& request)
{
DEFINE_STATIC_LOCAL(String, safeJavaScriptURL, ("javascript:void(0)"));
@@ -633,7 +651,7 @@ bool XSSAuditor::eraseDangerousAttributesIfInjected(const FilterTokenRequest& re
return didBlockScript;
}
-bool XSSAuditor::eraseAttributeIfInjected(const FilterTokenRequest& request, const QualifiedName& attributeName, const String& replacementValue, TruncationKind treatment)
+bool XSSAuditor::eraseAttributeIfInjected(const FilterTokenRequest& request, const QualifiedName& attributeName, const String& replacementValue, TruncationKind treatment, HrefRestriction restriction)
{
size_t indexOfAttribute = 0;
if (!findAttributeWithName(request.token, attributeName, indexOfAttribute))
@@ -643,7 +661,7 @@ bool XSSAuditor::eraseAttributeIfInjected(const FilterTokenRequest& request, con
if (!isContainedInRequest(canonicalize(snippetFromAttribute(request, attribute), treatment)))
return false;
- if (threadSafeMatch(attributeName, srcAttr)) {
+ if (threadSafeMatch(attributeName, srcAttr) || (restriction == AllowSameOriginHref && threadSafeMatch(attributeName, hrefAttr))) {
if (isLikelySafeResource(String(attribute.value)))
return false;
} else if (threadSafeMatch(attributeName, http_equivAttr)) {
« Source/core/html/parser/XSSAuditor.h ('K') | « Source/core/html/parser/XSSAuditor.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698