Chromium Code Reviews (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

Issue 7011006: Merge 86087 - 2011-05-09 Adam Barth <> (Closed)

9 years, 7 months ago by abarth-chromium
9 years, 7 months ago
Base URL:


Merge 86087 - 2011-05-09 Adam Barth <>; Reviewed by Daniel Bates. XSSAuditor should be more selective about the <meta http-equivs> that it blocks We don't need to filter most http-equiv attributes. This patch introduces a blacklist for two that we probably do want to filter. It's possible a whitelist would be more appropriate, but I'm inclined to start with a blacklist and see how it works. This patch will hopefully fix a false positive that is causing errors with copy-and-pasted text in Gmail in some configurations (due to using the <meta> tag to request UTF-8 encoding both in the pasted text and in the page itself). * html/parser/XSSFilter.cpp: (WebCore::isNonCanonicalCharacter): (WebCore::canonicalize): (WebCore::isRequiredForInjection): (WebCore::hasName): (WebCore::findAttributeWithName): (WebCore::isNameOfInlineEventHandler): (WebCore::isDangerousHTTPEquiv): - This function is new in the patch and includes a blacklist of dangerous http-equivs. Many of the other functions listed here are just being moved from an anonymous namespace to use static for internal linkage. (WebCore::containsJavaScriptURL): (WebCore::decodeURL): (WebCore::XSSFilter::eraseAttributeIfInjected): Committed:

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+14 lines, -10 lines) Patch
A + LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options.html View 0 chunks +-1 lines, --1 lines 0 comments Download
A + LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt View 0 chunks +-1 lines, --1 lines 0 comments Download
M Source/WebCore/html/parser/XSSFilter.cpp View 7 chunks +16 lines, -12 lines 0 comments Download


Total messages: 1 (0 generated)
9 years, 7 months ago (2011-05-11 20:53:59 UTC) #1


Powered by Google App Engine
This is Rietveld 408576698