2010-06-09 Adam Barth <abarth@webkit.org>

Reviewed by NOBODY (OOPS!).

Use allowRequestIfNoIllegalURICharacters instead of context for XSSAuditor::canLoadExternalScriptFromSrc
https://bugs.webkit.org/show_bug.cgi?id=40404

We originally added the context parameter to
canLoadExternalScriptFromSrc to work around some false positives caused
by folks checking external script URLs on the server. Our thought was
that we could tell these were not real XSS attacks because the
surrounding context wouldn't match in the URL and the document.

Implementing this feature in the HTML5 parser is hard because it
pierces a layer of abstraction (the token abstraction of the input
stream). We could hack this into the new parser, but instead I think
it's better to switch to using the allowRequestIfNoIllegalURICharacters
heuristic.

We designed the allowRequestIfNoIllegalURICharacters after the context
heuristic to deal with other cases where the server was validating
input before echoing it. However, we never tried applying it to
canLoadExternalScriptFromSrc.

It's possible that this will cause false positives and will need to be
reverted, which is why I've left in some of the infrastructure for
computing context. We don't have a good way to know if that will
happen except to try. We do know, however, that this heuristic will
work for the original false positives we saw.

* html/HTML5Tokenizer.cpp:
(WebCore::HTML5Tokenizer::shouldLoadExternalScriptFromSrc):
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::parseTag):
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
* page/XSSAuditor.h:

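The two heuristics the entry contrasts, as an added stand-alone C++ model (not WebKit's XSSAuditor code, and not the change in this patch): the older context check decides a reflected script src is an injection only when the markup around it is reflected too, while the replacement rule allows the load whenever the request carries no characters that are illegal in a URI, since such a request could not have smuggled in a script tag. The illegal-character set, the function names, and the assumption that the request URL has already been percent-decoded are this example's own choices, not taken from the page.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Characters that cannot appear raw in a legal URI and that any injected
// <script src=...> tag would need. Assumed set for this example; WebKit's
// own list is not shown in the ChangeLog entry.
static bool isIllegalURICharacter(char c)
{
    return c == '<' || c == '>' || c == '"' || c == '\'';
}

static std::string toLower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Case-insensitive "does the (already decoded) request URL contain this text?"
static bool requestContains(const std::string& requestURL, const std::string& needle)
{
    return toLower(requestURL).find(toLower(needle)) != std::string::npos;
}

bool containsIllegalURICharacters(const std::string& requestURL)
{
    return std::any_of(requestURL.begin(), requestURL.end(), isIllegalURICharacter);
}

// Context heuristic: a reflected src is treated as injected only if the
// markup preceding it in the document (e.g. `<script src="`) is reflected too.
bool canLoadScriptWithContextHeuristic(const std::string& requestURL,
                                       const std::string& scriptSrc,
                                       const std::string& context)
{
    if (!requestContains(requestURL, scriptSrc))
        return true; // src did not come from the request at all
    return !requestContains(requestURL, context);
}

// Illegal-character heuristic: a request with no illegal URI characters
// cannot have carried a script tag, so a reflected src alone is allowed.
bool canLoadScriptWithIllegalCharacterHeuristic(const std::string& requestURL,
                                                const std::string& scriptSrc)
{
    if (!requestContains(requestURL, scriptSrc))
        return true;
    return !containsIllegalURICharacters(requestURL);
}

int main()
{
    // Constructed sample: a server that validates a script URL parameter and
    // echoes it into its own <script src="..."> tag (the false-positive case).
    const std::string benign = "http://example.test/page?script=http://cdn.example.test/lib.js";
    const std::string benignSrc = "http://cdn.example.test/lib.js";
    // Constructed sample: the whole tag is reflected from the query string.
    const std::string reflected =
        "http://example.test/page?q=<script src=\"http://attacker.test/x.js\"></script>";
    const std::string reflectedSrc = "http://attacker.test/x.js";
    const std::string context = "<script src=\"";

    std::printf("benign, context heuristic:    %s\n",
                canLoadScriptWithContextHeuristic(benign, benignSrc, context) ? "allow" : "block");
    std::printf("benign, illegal-char rule:    %s\n",
                canLoadScriptWithIllegalCharacterHeuristic(benign, benignSrc) ? "allow" : "block");
    std::printf("reflected, context heuristic: %s\n",
                canLoadScriptWithContextHeuristic(reflected, reflectedSrc, context) ? "allow" : "block");
    std::printf("reflected, illegal-char rule: %s\n",
                canLoadScriptWithIllegalCharacterHeuristic(reflected, reflectedSrc) ? "allow" : "block");
    return 0;
}
```

Both rules reach the same verdict on the two samples, which is the point the entry makes: the illegal-character rule covers the original false positives without needing the tokenizer to expose surrounding context. The difference shows up in what each needs from the parser, not in these outcomes.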