Hi everyone,

Recently Adam Barth turned on an exciting new feature, the XSS Auditor, by default. This provides a browser-side defense against sites that are vulnerable to reflexive XSS attacks. Because this feature operates by blocking script execution, it has the potential to break legitimate sites via overzealous enforcement. I'd like to ask everyone to be on the lookout for these. If a site fails mysteriously, especially if it's a regression, check the Web Inspector console for a message like "Refused to execute a JavaScript script. Source code of script found within request."

I made a new keyword, XSSAuditor, and bugs tagged with XSSAuditor and Regression can be assumed to be fallout from the change. You can see the current known regressions with this query: <http://tinyurl.com/mw4j3y>. So far, there are two, but they are pretty major (Facebook and Outlook Web Access).

Hopefully we can quickly flush out and fix a lot of these false positive results, but if the bugs start piling up, it may be wise to turn the feature off by default until the initial crop of regressions is dealt with, so the nightlies remain usable for testing. (I don't think we're at that point yet and Adam seems to be on top of the incoming bugs.)

Regards,
Maciej
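As an added illustration, not WebKit's code or anything from the thread: a toy JavaScript model of the check the message describes (block an inline script whose source also appears in the request), run over constructed request/response pairs, including a legitimate page that trips it the way the reported regressions do. The function names and sample URLs are made up for the example.

```javascript
// Toy model of the XSS Auditor heuristic described above (hypothetical names;
// the real filter lives in WebKit's HTML parser). Question asked per inline
// script: "does this script's source also appear in the request?"
const CONSOLE_MESSAGE =
  "Refused to execute a JavaScript script. Source code of script found within request.";

// Decode percent-escapes and '+', collapse whitespace, lower-case, so an echoed
// fragment compares equal whether it was sent encoded or not.
function canonicalise(s) {
  let decoded = s;
  try { decoded = decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { /* keep raw */ }
  return decoded.replace(/\s+/g, " ").trim().toLowerCase();
}

// Bodies of inline <script> elements in a response document.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// One verdict per inline script, plus the console message a developer would see.
function auditRequest(requestUrl, responseHtml) {
  const request = canonicalise(requestUrl);
  return inlineScripts(responseHtml).map((body) => {
    const script = canonicalise(body);
    const blocked = script.length > 0 && request.includes(script); // empty bodies never block
    return { script: body, blocked, console: blocked ? CONSOLE_MESSAGE : null };
  });
}

// Constructed samples (not from the bugs the message refers to).
const REFLECTED_URL =
  "http://example.test/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E";
const REFLECTED_PAGE = "<h1>Results for: <script>alert(document.cookie)</script></h1>";
const CLEAN_URL = "http://example.test/search?q=shoes";
const CLEAN_PAGE = "<h1>Results for: shoes</h1><script>render('shoes');</script>";
// False positive: a legitimate "try it" page that echoes the user's own snippet
// into a script looks identical to a reflection, so the heuristic blocks it.
const PLAYGROUND_URL = "http://example.test/try?code=render('shoes');";
const PLAYGROUND_PAGE = "<script>render('shoes');</script>";
```

Running `auditRequest` on the three pairs blocks the reflected page and the playground page alike; the latter is the kind of regression the message asks people to file under the XSSAuditor keyword.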

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev