Diffstat (limited to 'WebCore/page/XSSAuditor.cpp')
-rw-r--r-- | WebCore/page/XSSAuditor.cpp | 36 |
1 files changed, 23 insertions, 13 deletions
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 890c3fa..72c2591 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -144,14 +144,7 @@ bool XSSAuditor::canLoadExternalScriptFromSrc(const String& context, const Strin
     if (!isEnabled())
         return true;
-    // If the script is loaded from the same URL as the enclosing page, it's
-    // probably not an XSS attack, so we reduce false positives by allowing the
-    // script. If the script has a query string, we're more suspicious,
-    // however, because that's pretty rare and the attacker might be able to
-    // trick a server-side script into doing something dangerous with the query
-    // string.
-    KURL scriptURL(m_frame->document()->url(), url);
-    if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
+    if (isSameOriginResource(url))
         return true;
     if (findInRequest(context + url)) {
@@ -167,8 +160,11 @@ bool XSSAuditor::canLoadObject(const String& url) const
     if (!isEnabled())
         return true;
+    if (isSameOriginResource(url))
+        return true;
+
     if (findInRequest(url)) {
-        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
+        String consoleMessage = String::format("Refused to load an object. URL found within request: \"%s\".\n", url.utf8().data());
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
         return false;
     }
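Review bot: In the canLoadObject hunk the refusal message now embeds the attacker-influenced `url` through `String::format("... \"%s\".\n", url.utf8().data())`, while the canSetBaseElementURL hunk that follows keeps a fixed `DEFINE_STATIC_LOCAL` message with no URL; the two refusal paths should report the same way, either both naming the blocked URL or neither. The arrangement here is the safe one only because the format string is a literal and `url` is passed solely as the `%s` argument, so any later edit must keep `url` out of the format-string position. The opening brace of canLoadObject lies before the hunk.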
@@ -179,10 +175,12 @@ bool XSSAuditor::canSetBaseElementURL(const String& url) const
 {
     if (!isEnabled())
         return true;
-
-    KURL baseElementURL(m_frame->document()->url(), url);
-    if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
-        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
+
+    if (isSameOriginResource(url))
+        return true;
+
+    if (findInRequest(url)) {
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to load from document base URL. URL found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
         return false;
     }
@@ -255,6 +253,18 @@ String XSSAuditor::decodeHTMLEntities(const String& string, bool leaveUndecodabl
     return String::adopt(result);
 }
+
+bool XSSAuditor::isSameOriginResource(const String& url) const
+{
+    // If the resource is loaded from the same URL as the enclosing page, it's
+    // probably not an XSS attack, so we reduce false positives by allowing the
+    // request. If the resource has a query string, we're more suspicious,
+    // however, because that's pretty rare and the attacker might be able to
+    // trick a server-side script into doing something dangerous with the query
+    // string.
+    KURL resourceURL(m_frame->document()->url(), url);
+    return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
+}
+
 bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, bool decodeURLEscapeSequencesTwice) const
 { |
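Review bot: isSameOriginResource compares only `host()` and `query().isEmpty()`, so a resource on the same host but a different scheme or port is treated as same-origin and skips the auditor; the name promises a stronger check than the body performs. If host-only matching is the intended heuristic, name it `isSameHostResource` and state that in the comment; if real same-origin is meant, compare scheme and port too, e.g. `const KURL& documentURL = m_frame->document()->url();` followed by `return documentURL.protocol() == resourceURL.protocol() && documentURL.host() == resourceURL.host() && documentURL.port() == resourceURL.port() && resourceURL.query().isEmpty();`. Because the canLoadObject and canSetBaseElementURL hunks now route through this helper as well, the choice decides the bypass surface of all three checks. The header declaration of the new method is not in this diff, which the diffstat limits to XSSAuditor.cpp.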