Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(592)

Issue 7011006: Merge 86087 - 2011-05-09 Adam Barth <abarth@webkit.org> (Closed)

Created:
9 years, 7 months ago by abarth-chromium
Modified:
9 years, 7 months ago
Reviewers:
abarth-chromium
CC:
chromium-reviews
Base URL:
http://svn.webkit.org/repository/webkit/branches/chromium/742/
Visibility:
Public.

Description

Merge 86087 - 2011-05-09 Adam Barth <abarth@webkit.org>; Reviewed by Daniel Bates. XSSAuditor should be more selective about the <meta http-equivs> that it blocks https://bugs.webkit.org/show_bug.cgi?id=60489 We don't need to filter most http-equiv attributes. This patch introduces a blacklist for two that we probably do want to filter. It's possible a whitelist would be more appropriate, but I'm inclined to start with a blacklist and see how it works. This patch will hopefully fix a false positive that is causing errors with copy-and-pasted text in Gmail in some configurations (due to using the <meta> tag to request UTF-8 encoding both in the pasted text and in the page itself). * html/parser/XSSFilter.cpp: (WebCore::isNonCanonicalCharacter): (WebCore::canonicalize): (WebCore::isRequiredForInjection): (WebCore::hasName): (WebCore::findAttributeWithName): (WebCore::isNameOfInlineEventHandler): (WebCore::isDangerousHTTPEquiv): - This function is new in the patch and includes a blacklist of dangerous http-equivs. Many of the other functions listed here are just being moved from an anonymous namespace to use static for internal linkage. (WebCore::containsJavaScriptURL): (WebCore::decodeURL): (WebCore::XSSFilter::eraseAttributeIfInjected): TBR=abarth@webkit.org Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=86260

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+14 lines, -10 lines) Patch
A + LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html View 0 chunks +-1 lines, --1 lines 0 comments Download
A + LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt View 0 chunks +-1 lines, --1 lines 0 comments Download
M Source/WebCore/html/parser/XSSFilter.cpp View 7 chunks +16 lines, -12 lines 0 comments Download

Messages

Total messages: 1 (0 generated)
abarth-chromium
9 years, 7 months ago (2011-05-11 20:53:59 UTC) #1

          

Powered by Google App Engine
This is Rietveld 408576698