Chromium Code Reviews

Issue 90993003: X-XSS-Protection parser should reject '0; mode=block' (Closed)

Created:
6 years, 10 months ago by Mike West
Modified:
3 years, 2 months ago
Reviewers:
Tom Sepez
CC:
blink-reviews, abarth-chromium
Visibility:
Public.

Description

X-XSS-Protection parser should reject '0; mode=block'

A recent study[1] notes that ~480 sites serve the invalid header 'X-XSS-Protection: 0;mode=block'. We currently accept this header as disabling the XSSAuditor. This CL changes our behavior to reject any XSS protection header that begins with 0 and has any other non-whitespace character after the 0.

[1]: http://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/

BUG=323853

Patch Set 1 #

Total comments: 1
Stats (+24 lines, -4 lines)
A + LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-10.html (1 chunk, +2 lines, -2 lines, 0 comments)
A LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-10-expected.txt (1 chunk, +10 lines, -0 lines, 0 comments)
M LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (1 chunk, +3 lines, -0 lines, 0 comments)
M Source/platform/network/HTTPParsers.cpp (2 chunks, +9 lines, -2 lines, 1 comment)

Messages

Total messages: 4 (0 generated)
Mike West
Hey Tom! Mind taking a look at this slight modification to XSSAuditor parsing? -mike
6 years, 10 months ago (2013-11-27 12:01:33 UTC) #1
Tom Sepez
> -mike

The code LGTM, but I'm not sure what the right behaviour should be. ...
6 years, 10 months ago (2013-11-27 18:09:53 UTC) #2
Tom Sepez
What about accepting "x-xss-protection: 0;" ?
6 years, 10 months ago (2013-11-28 00:04:46 UTC) #3
Tom Sepez
6 years, 10 months ago (2013-11-28 00:09:15 UTC) #4
https://codereview.chromium.org/90993003/diff/1/Source/platform/network/HTTPP...
File Source/platform/network/HTTPParsers.cpp (right):

Source/platform/network/HTTPParsers.cpp:376: return AllowReflectedXSS;
I'm almost inclined to suggest getting rid of the early returns and parse out
all the ;-separated options, and in the end barf if AllowReflectedXSS &&
modeDirectiveSeen and so forth.
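The behaviour the CL description states (a leading '0' may be followed by nothing but whitespace, so '0; mode=block' is rejected instead of silently disabling the auditor) and the outcome Tom's comment asks for (a malformed header must never be read as opt-out) can be shown with a small stand-alone parser. The code below is an added illustration, not the Blink HTTPParsers.cpp implementation under review: the enumerator names follow the ones mentioned in the review, but the `ParseResult` struct, the helper functions, the failure-reason strings and the sample header values are all constructed for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Disposition of the XSS auditor after reading X-XSS-Protection.
// The enumerator names mirror those discussed in the review; the enum is
// written for this illustration and is not Blink's declaration.
enum ReflectedXSSDisposition {
    ReflectedXSSUnset,    // header absent or blank: browser default applies
    ReflectedXSSInvalid,  // header malformed: treated as unset, auditor stays on
    AllowReflectedXSS,    // "0": the page opts out of the auditor
    FilterReflectedXSS,   // "1": reflected script is sanitised
    BlockReflectedXSS     // "1; mode=block": the whole page is blocked
};

struct ParseResult {                   // assumption: bundles what the parser reports
    ReflectedXSSDisposition disposition;
    std::string failureReason;         // set only when disposition is ReflectedXSSInvalid
    std::string reportURL;             // set only when a report= directive was seen
};

static bool isHTTPSpace(char c) { return c == ' ' || c == '\t'; }

// Advance pos past spaces and tabs; true if a non-blank character remains.
static bool skipWhiteSpace(const std::string& s, size_t& pos)
{
    while (pos < s.size() && isHTTPSpace(s[pos]))
        ++pos;
    return pos < s.size();
}

static bool equalIgnoringCase(const std::string& a, const std::string& b)
{
    if (a.size() != b.size())
        return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i]))
            return false;
    return true;
}

ParseResult parseXSSProtectionHeader(const std::string& header)
{
    ParseResult r = { ReflectedXSSUnset, "", "" };
    size_t pos = 0;
    if (!skipWhiteSpace(header, pos))
        return r;  // blank value: nothing to honour

    if (header[pos] == '0') {
        // The change under review: '0' may only be followed by whitespace, so
        // '0; mode=block' (and '0;', which Tom asks about) is invalid, not opt-out.
        ++pos;
        if (skipWhiteSpace(header, pos)) {
            r.disposition = ReflectedXSSInvalid;
            r.failureReason = "unexpected characters after the '0' toggle";
            return r;
        }
        r.disposition = AllowReflectedXSS;
        return r;
    }
    if (header[pos] != '1') {
        r.disposition = ReflectedXSSInvalid;
        r.failureReason = "toggle must be '0' or '1'";
        return r;
    }
    ++pos;

    // Toggle is '1': walk the ';'-separated directives and fail closed on any
    // unknown, malformed or duplicated one.
    bool modeSeen = false, reportSeen = false;
    r.disposition = FilterReflectedXSS;
    while (skipWhiteSpace(header, pos)) {
        if (header[pos] != ';') {
            r.disposition = ReflectedXSSInvalid;
            r.failureReason = "expected ';' between directives";
            return r;
        }
        ++pos;
        if (!skipWhiteSpace(header, pos))
            break;  // a trailing ';' after '1' is tolerated
        size_t start = pos;
        while (pos < header.size() && header[pos] != ';')
            ++pos;
        std::string directive = header.substr(start, pos - start);
        while (!directive.empty() && isHTTPSpace(directive.back()))
            directive.pop_back();
        size_t eq = directive.find('=');
        std::string name = directive.substr(0, eq);
        std::string value = eq == std::string::npos ? "" : directive.substr(eq + 1);
        bool ok;
        if (equalIgnoringCase(name, "mode")) {
            ok = !modeSeen && equalIgnoringCase(value, "block");
            modeSeen = true;
            if (ok) r.disposition = BlockReflectedXSS;
        } else if (equalIgnoringCase(name, "report")) {
            ok = !reportSeen && !value.empty();
            reportSeen = true;
            if (ok) r.reportURL = value;
        } else {
            ok = false;
        }
        if (!ok) {
            r.disposition = ReflectedXSSInvalid;
            r.failureReason = "bad or repeated directive '" + directive + "'";
            r.reportURL.clear();
            return r;
        }
    }
    return r;
}

int main()
{
    // Constructed sample values, including the one the CL is about.
    const char* samples[] = { "0", "0; mode=block", "0;", "1", "1; mode=block",
                              "1; mode=block; report=/xss-report", "1; mode=nope" };
    for (const char* h : samples) {
        ParseResult r = parseXSSProtectionHeader(h);
        std::cout << "'" << h << "' -> " << r.disposition
                  << (r.failureReason.empty() ? "" : " (" + r.failureReason + ")") << "\n";
    }
    return 0;
}
```

The point to take from the '0' branch is that the header fails closed: a value the parser does not fully understand leaves the auditor enabled rather than being rounded down to "0". A site that really wants to opt out must send exactly `0`; the `mode=block` suffix only has a meaning after `1`.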
