Diff
Modified: trunk/LayoutTests/ChangeLog (133065 => 133066)
--- trunk/LayoutTests/ChangeLog 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/LayoutTests/ChangeLog 2012-10-31 20:07:22 UTC (rev 133066)
@@ -1,3 +1,30 @@
+2012-10-31 Tom Sepez <[email protected]>
+
+ Malformed X-XSS-Protection headers not reported
+ https://bugs.webkit.org/show_bug.cgi?id=100538
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Removed.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header.html: Removed.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-1.html: Copied from LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-expected-1.txt: Copied from LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt.
+ renamed to -1 to match convention.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-2.html: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-3.html: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-4.html: Added.
+ New test to cover new error message cases.
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+ Added more x-xss-protection header values to its set of values.
+ * http/tests/security/xssAuditor/xss-protection-parsing-01.html:
+ Converted for interface change to echo_intertag.pl
+ * http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt: Added.
+ * http/tests/security/xssAuditor/xss-protection-parsing-02.html: Added.
+ New test for testing x-xss-protect: 0; (allow trailing semicolon).
+
2012-10-31 Stephen White <[email protected]>
[chromium] Fix incorrect test names landed in
Added: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon. The default protections will be applied.
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters, and that an error is reported.
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no _javascript_ alert() then the test PASSED.
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1.html (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that a malformed X-XSS-Protection header is not ignored when the length of its value exceeds <a href="" characters, and that an error is reported.</a></p>
+<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" you see this message and no _javascript_ alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no _javascript_ alert() then the test PASSED.
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2.html (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.</p>
+<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" you see this message and no _javascript_ alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive. The default protections will be applied.
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no _javascript_ alert() then the test PASSED.
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3.html (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that a malformed X-XSS-Protection header is not ignored and an error is reported when the mode= token is invalid.</p>
+<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" you see this message and no _javascript_ alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: extra characters follow valid header. The default protections will be applied.
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no _javascript_ alert() then the test PASSED.
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4.html (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error</p>
+<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" you see this message and no _javascript_ alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt (133065 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
-
-This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters.
-
-
-
---------
-Frame: 'frame'
---------
-If you see this message and no _javascript_ alert() then the test PASSED.
Deleted: trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html (133065 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=""
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.waitUntilDone();
- testRunner.setXSSAuditorEnabled(true);
-}
-</script>
-</head>
-<body>
-<p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="" characters.</a></p>
-<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" 12345678901234567&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))</script><p>If you see this message and no _javascript_ alert() then the test PASSED.</p>">
-</iframe>
-</body>
-</html>
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (133065 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl 2012-10-31 20:07:22 UTC (rev 133066)
@@ -4,18 +4,33 @@
my $cgi = new CGI;
+# Passing semicolons through the url to this script is problematic. The raw
+# form truncates the input and the %-encoded form isn't being decoded. Hence
+# this set of hard-coded headers.
+if ($cgi->param('disable-protection')) {
+ print "X-XSS-Protection: 0\n";
+}
if ($cgi->param('enable-full-block')) {
print "X-XSS-Protection: 1; mode=block\n";
}
-if ($cgi->param('disable-protection')) {
- print "X-XSS-Protection: 0\n";
-}
-if ($cgi->param('crazy-header')) {
+if ($cgi->param('valid-header') == 1) {
print "X-XSS-Protection: 1 ;MoDe = bLocK \n";
}
-if ($cgi->param('custom-header')) {
- print $cgi->param('custom-header') . "\n";
+if ($cgi->param('valid-header') == 2) {
+ print "X-XSS-Protection: 1; \n";
}
+if ($cgi->param('malformed-header') == 1) {
+ print "X-XSS-Protection: 12345678901234567\n";
+}
+if ($cgi->param('malformed-header') == 2) {
+ print "X-XSS-Protection: red\n";
+}
+if ($cgi->param('malformed-header') == 3) {
+ print "X-XSS-Protection: 1; mode=purple\n";
+}
+if ($cgi->param('malformed-header') == 4) {
+ print "X-XSS-Protection: 1; mode=block-a-block-block\n";
+}
print "Content-Type: text/html; charset=";
print $cgi->param('charset') ? $cgi->param('charset') : "UTF-8";
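Review bot: The new `valid-header` and `malformed-header` selectors are compared numerically (`== 1` … `== 4`), so a request that omits the parameter compares an undefined value, and a value such as `1x` still selects header 1 (both would also warn if the script enables warnings, which is not visible here). String comparison on a defaulted value is tighter: `my $malformed = $cgi->param('malformed-header') || '';` followed by `if ($malformed eq '1') {`, and the same for `valid-header`. Replacing `custom-header` with fixed values stops the script from emitting request-chosen header lines, but the unchanged `charset` lines at the end of the hunk still copy a request parameter into the `Content-Type` header. The script continues outside the hunk.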
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html (133065 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -16,7 +16,7 @@
}
window._onload_ = function()
{
- sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","crazy-header=1&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))<\/script>","POST", done);
+ sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","valid-header=1&q=<script>alert(String.fromCharCode(0x58,0x53,0x53))<\/script>","POST", done);
};
</script>
</head>
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02-expected.txt 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon. Although theoretically malformed, we tolerate this case without issuing an error.
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no _javascript_ alert() then the test PASSED.
Copied: trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02.html (from rev 133064, trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (0 => 133066)
--- trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-02.html 2012-10-31 20:07:22 UTC (rev 133066)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that the X-XSS-Protection header is not ignored when there is a trailing semicolon.
+Although theoretically malformed, we tolerate this case without issuing an error. </p>
+<iframe id="frame" _onload_="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="" you see this message and no _javascript_ alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (133065 => 133066)
--- trunk/Source/WebCore/ChangeLog 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/Source/WebCore/ChangeLog 2012-10-31 20:07:22 UTC (rev 133066)
@@ -1,3 +1,34 @@
+2012-10-31 Tom Sepez <[email protected]>
+
+ Malformed X-XSS-Protection headers not reported.
+ https://bugs.webkit.org/show_bug.cgi?id=100538
+
+ Reviewed by Adam Barth.
+
+ Re-writes X-XSS-Protection header parser to be more particular, and to
+ return better information on error.
+
+ Tests: http/tests/security/xssAuditor/malformed-xss-protection-header-1.html
+ http/tests/security/xssAuditor/malformed-xss-protection-header-2.html
+ http/tests/security/xssAuditor/malformed-xss-protection-header-4.html
+ http/tests/security/xssAuditor/xss-protection-parsing-02.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::init):
+ Detect error return code and log console message with details
+ * platform/network/HTTPParsers.cpp:
+ (WebCore):
+ (WebCore::skipWhiteSpace):
+ Use safe less-than comparsion in case called with pos already out of range.
+ (WebCore::skipToken):
+ Fix comparison to properly reject substrings at end of input. Prevent advancing
+ returned position when match fails, so that this may someday be used to match
+ optional tokens.
+ (WebCore::parseXSSProtectionHeader):
+ Return detailled error status. Avoid needless string copy.
+ * platform/network/HTTPParsers.h:
+ Add new error returns for x-xss-protection header parser.
+
2012-10-31 Simon Fraser <[email protected]>
REGRESSION (tile cache layers): bits of tiled layers are missing with certain 3D transforms
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (133065 => 133066)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-10-31 20:07:22 UTC (rev 133066)
@@ -216,7 +216,16 @@
if (DocumentLoader* documentLoader = m_parser->document()->frame()->loader()->documentLoader()) {
DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, (ASCIILiteral("X-XSS-Protection")));
- m_xssProtection = parseXSSProtectionHeader(documentLoader->response().httpHeaderField(XSSProtectionHeader));
+ String headerValue = documentLoader->response().httpHeaderField(XSSProtectionHeader);
+ String errorDetails;
+ m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails);
+ if (m_xssProtection == XSSProtectionInvalid) {
+ DEFINE_STATIC_LOCAL(String, consoleMessageStart, (ASCIILiteral("Error parsing header X-XSS-Protection: ")));
+ DEFINE_STATIC_LOCAL(String, consoleMessageSeparator, (ASCIILiteral(": ")));
+ DEFINE_STATIC_LOCAL(String, consoleMessageEnd, (ASCIILiteral(". The default protections will be applied.")));
+ m_parser->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessageStart + headerValue + consoleMessageSeparator + errorDetails + consoleMessageEnd);
+ m_xssProtection = XSSProtectionEnabled;
+ }
FormData* httpBody = documentLoader->originalRequest().httpBody();
if (httpBody && !httpBody->isEmpty()) {
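Review bot: The reset `m_xssProtection = XSSProtectionEnabled;` inside the `XSSProtectionInvalid` branch is the security-relevant decision in this hunk and has no comment explaining it. A malformed header is reported and then treated as if the default applied, so a broken value cannot switch the auditor off. I would add `// A malformed header must never weaken the auditor: report it, then fall back to the default protections.` directly above that assignment. The enclosing function starts and ends outside the hunk.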
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.cpp (133065 => 133066)
--- trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2012-10-31 20:07:22 UTC (rev 133066)
@@ -43,34 +43,41 @@
namespace WebCore {
-// true if there is more to parse
+// true if there is more to parse, after incrementing pos past whitespace.
+// Note: Might return pos == str.length()
static inline bool skipWhiteSpace(const String& str, unsigned& pos, bool fromHttpEquivMeta)
{
unsigned len = str.length();
if (fromHttpEquivMeta) {
- while (pos != len && str[pos] <= ' ')
+ while (pos < len && str[pos] <= ' ')
++pos;
} else {
- while (pos != len && (str[pos] == '\t' || str[pos] == ' '))
+ while (pos < len && (str[pos] == '\t' || str[pos] == ' '))
++pos;
}
- return pos != len;
+ return pos < len;
}
-// Returns true if the function can match the whole token (case insensitive).
+// Returns true if the function can match the whole token (case insensitive)
+// incrementing pos on match, otherwise leaving pos unchanged.
// Note: Might return pos == str.length()
static inline bool skipToken(const String& str, unsigned& pos, const char* token)
{
unsigned len = str.length();
+ unsigned current = pos;
- while (pos != len && *token) {
- if (toASCIILower(str[pos]) != *token++)
+ while (current < len && *token) {
+ if (toASCIILower(str[current]) != *token++)
return false;
- ++pos;
+ ++current;
}
+ if (*token)
+ return false;
+
+ pos = current;
return true;
}
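Review bot: skipToken case-folds only the input side (`toASCIILower(str[current]) != *token++`), so the match is case-insensitive only when the caller passes `token` in lower-case ASCII, and the rewritten comment does not state that precondition. Both callers visible in this diff pass lower-case literals (`"mode"`, `"block"`), but a future caller passing `"Mode"` would never match. I would extend the comment with `// token must be lower-case ASCII; only str is case-folded.`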
@@ -313,31 +320,52 @@
}
}
-XSSProtectionDisposition parseXSSProtectionHeader(const String& header)
+XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason)
{
- String stippedHeader = header.stripWhiteSpace();
+ DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("first non-blank character must be 0 or 1")));
+ DEFINE_STATIC_LOCAL(String, failureReasonInvalidSeparator, (ASCIILiteral("expected semicolon")));
+ DEFINE_STATIC_LOCAL(String, failureReasonInvalidMode, (ASCIILiteral("invalid mode directive")));
+ DEFINE_STATIC_LOCAL(String, failureReasonInvalidExtra, (ASCIILiteral("extra characters follow valid header")));
- if (stippedHeader.isEmpty())
+ unsigned pos = 0;
+
+ if (!skipWhiteSpace(header, pos, false))
return XSSProtectionEnabled;
- if (stippedHeader[0] == '0')
+ if (header[pos] == '0')
return XSSProtectionDisabled;
- unsigned length = header.length();
- unsigned pos = 0;
- if (stippedHeader[pos++] == '1'
- && skipWhiteSpace(stippedHeader, pos, false)
- && stippedHeader[pos++] == ';'
- && skipWhiteSpace(stippedHeader, pos, false)
- && skipToken(stippedHeader, pos, "mode")
- && skipWhiteSpace(stippedHeader, pos, false)
- && stippedHeader[pos++] == '='
- && skipWhiteSpace(stippedHeader, pos, false)
- && skipToken(stippedHeader, pos, "block")
- && pos == length)
- return XSSProtectionBlockEnabled;
+ if (header[pos++] != '1') {
+ failureReason = failureReasonInvalidToggle;
+ return XSSProtectionInvalid;
+ }
- return XSSProtectionEnabled;
+ if (!skipWhiteSpace(header, pos, false))
+ return XSSProtectionEnabled;
+
+ if (header[pos++] != ';') {
+ failureReason = failureReasonInvalidSeparator;
+ return XSSProtectionInvalid;
+ }
+
+ if (!skipWhiteSpace(header, pos, false))
+ return XSSProtectionEnabled;
+
+ if (!(skipToken(header, pos, "mode")
+ && skipWhiteSpace(header, pos, false)
+ && header[pos++] == '='
+ && skipWhiteSpace(header, pos, false)
+ && skipToken(header, pos, "block"))) {
+ failureReason = failureReasonInvalidMode;
+ return XSSProtectionInvalid;
+ }
+
+ if (skipWhiteSpace(header, pos, false)) {
+ failureReason = failureReasonInvalidExtra;
+ return XSSProtectionInvalid;
+ }
+
+ return XSSProtectionBlockEnabled;
}
String extractReasonPhraseFromHTTPStatusLine(const String& statusLine)
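Review bot: The `0` branch of parseXSSProtectionHeader returns `XSSProtectionDisabled` without looking at the rest of the value, so `0junk` or `01` turns the auditor off silently while the equivalent garbage after `1` is now reported as invalid. The value that disables a protection should be parsed at least as strictly as the one that enables it. The sketch below rejects trailing non-blank characters after `0`. If a trailing semicolon after `0` is meant to be tolerated, as the LayoutTests ChangeLog entry suggests, it would need the same separator handling as the `1` path.

```cpp
    if (header[pos] == '0') {
        ++pos;
        // Anything other than trailing blanks after the toggle is malformed.
        if (skipWhiteSpace(header, pos, false)) {
            failureReason = failureReasonInvalidExtra;
            return XSSProtectionInvalid;
        }
        return XSSProtectionDisabled;
    }
    // … unchanged: handling of '1', the separator and the mode directive …
```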
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (133065 => 133066)
--- trunk/Source/WebCore/platform/network/HTTPParsers.h 2012-10-31 20:02:36 UTC (rev 133065)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h 2012-10-31 20:07:22 UTC (rev 133066)
@@ -40,6 +40,7 @@
class ResourceResponseBase;
enum XSSProtectionDisposition {
+ XSSProtectionInvalid,
XSSProtectionDisabled,
XSSProtectionEnabled,
XSSProtectionBlockEnabled
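Review bot: Inserting `XSSProtectionInvalid` as the first enumerator gives it the value 0 and moves `XSSProtectionDisabled` from 0 to 1. Any code outside this diff that zero-initialises a disposition, tests it as a boolean, or stores the numeric value would change meaning; none of that is visible here, so it needs checking. If the ordering is intentional, a comment such as `// Invalid is first so that a zero-initialised disposition never reads as Disabled.` would record it; otherwise appending the new value after `XSSProtectionBlockEnabled` keeps the existing values stable.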
@@ -60,7 +61,7 @@
String extractMIMETypeFromMediaType(const String&);
String extractCharsetFromMediaType(const String&);
void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0);
-XSSProtectionDisposition parseXSSProtectionHeader(const String&);
+XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason);
String extractReasonPhraseFromHTTPStatusLine(const String&);
// -1 could be set to one of the return parameters to indicate the value is not specified.
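Review bot: The contract of the new out-parameter is not documented at the declaration of parseXSSProtectionHeader. In the HTTPParsers.cpp hunk, `failureReason` is assigned only on the paths that return `XSSProtectionInvalid` and is left untouched on every other return. I would add `// failureReason is set only when XSSProtectionInvalid is returned.` above the declaration, so callers do not read it after a successful parse.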