Issue 90993003: X-XSS-Protection parser shoud reject '0; mode=block'

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 90993003: X-XSS-Protection parser shoud reject '0; mode=block' (Closed)

Created:
7 years ago by Mike West

Modified:
3 years, 5 months ago

Reviewers:
Tom Sepez

CC:
blink-reviews, abarth-chromium

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

More Reviews

Description

X-XSS-Protection parser shoud reject '0; mode=block' A recent study[1] notes that ~480 sites serve the invalid header 'X-XSS-Protection: 0;mode=block'. We currently accept this header as disabling the XSSAuditor. This CL changes our behavior to reject any XSS protection header that begins with 0 and has any other non-whitespace character after the 0. [1]: http://www.veracode.com/blog/2013/11/security-headers-on-the-top-1000000-websites-november-2013-report/ BUG=323853

Patch Set 1 #

Total comments: 1

Created: 7 years ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+24 lines, -4 lines)			Patch
A +	LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-10.html	View	1 chunk	+2 lines, -2 lines	0 comments	Download
A	LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-10-expected.txt	View	1 chunk	+10 lines, -0 lines	0 comments	Download
M	LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl	View	1 chunk	+3 lines, -0 lines	0 comments	Download
M	Source/platform/network/HTTPParsers.cpp	View	2 chunks	+9 lines, -2 lines	1 comment	Download

Messages

Total messages: 4 (0 generated)

Expand Messages | Collapse Messages

Mike West

Hey Tom! Mind taking a look at this slight modification to XSSAuditor parsing? -mike

7 years ago (2013-11-27 12:01:33 UTC) #1

Tom Sepez

> -mike The code LGTM, but I'm not sure what the right behaviour should be. ...

7 years ago (2013-11-27 18:09:53 UTC) #2

Tom Sepez

7 years ago (2013-11-28 00:09:15 UTC) #4

https://codereview.chromium.org/90993003/diff/1/Source/platform/network/HTTPP...
File Source/platform/network/HTTPParsers.cpp (right):

https://codereview.chromium.org/90993003/diff/1/Source/platform/network/HTTPP...
Source/platform/network/HTTPParsers.cpp:376: return AllowReflectedXSS;
I'm almost inclined to suggest getting rid of the early returns and parse out
all the ;-separated options, and in the end barf if AllowReflectedXSS &&
modeDirectiveSeen and so forth.

Expand Messages | Collapse Messages