abarth@webkit.org authored
2009-06-18 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=26199

Added an experimental reflective XSS filter. The filter is disabled by default.

Test: http/tests/security/xssAuditor/script-tag.html

* GNUmakefile.am:
* WebCore.base.exp:
* WebCore.pro:
* WebCore.vcproj/WebCore.vcproj:
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::ScriptController):
(WebCore::ScriptController::evaluate):
* bindings/js/ScriptController.h:
(WebCore::ScriptController::xssAuditor):
* bindings/js/ScriptEventListener.cpp:
(WebCore::createAttributeEventListener):
* dom/Tokenizer.h:
(WebCore::Tokenizer::xssAuditor):
(WebCore::Tokenizer::setXSSAuditor):
(WebCore::Tokenizer::Tokenizer):
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::scriptHandler):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::begin):
(WebCore::FrameLoader::requestObject):
* page/Settings.cpp:
(WebCore::Settings::Settings):
(WebCore::Settings::setXSSAuditorEnabled):
* page/Settings.h:
(WebCore::Settings::xssAuditorEnabled):
* page/XSSAuditor.cpp: Added.
(WebCore::isControlCharacter):
(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::~XSSAuditor):
(WebCore::XSSAuditor::canEvaluate):
(WebCore::XSSAuditor::canCreateInlineEventListener):
(WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
(WebCore::XSSAuditor::canLoadObject):
(WebCore::XSSAuditor::decodeURL):
(WebCore::XSSAuditor::findInRequest):
* page/XSSAuditor.h: Added.
(WebCore::XSSAuditor::isEnabled):
(WebCore::XSSAuditor::setXSSAuditorEnabled):

WebKit/mac:

2009-06-18 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=26199

Added preference to enable the XSSAuditor.

* WebView/WebPreferenceKeysPrivate.h:
* WebView/WebPreferences.mm:
(+[WebPreferences initialize]):
(-[WebPreferences isXSSAuditorEnabled]):
(-[WebPreferences setXSSAuditorEnabled:]):
* WebView/WebPreferencesPrivate.h:
* WebView/WebView.mm:
(-[WebView _preferencesChangedNotification:]):

WebKit/win:

2009-06-18 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=26199

Added preference to enable the XSSAuditor.

* Interfaces/IWebPreferencesPrivate.idl:
* WebPreferenceKeysPrivate.h:
* WebPreferences.cpp:
(WebPreferences::initializeDefaultSettings):
(WebPreferences::isXSSAuditorEnabled):
(WebPreferences::setXSSAuditorEnabled):
* WebPreferences.h:
* WebView.cpp:
(WebView::notifyPreferencesChanged):

WebKitTools:

2009-06-18 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=26199

Add support for testing the XSSAuditor.

* DumpRenderTree/LayoutTestController.cpp:
(setXSSAuditorEnabledCallback):
(LayoutTestController::staticFunctions):
* DumpRenderTree/LayoutTestController.h:
* DumpRenderTree/gtk/LayoutTestControllerGtk.cpp:
(LayoutTestController::setXSSAuditorEnabled):
* DumpRenderTree/mac/DumpRenderTree.mm:
(resetWebViewToConsistentStateBeforeTesting):
* DumpRenderTree/mac/LayoutTestControllerMac.mm:
(LayoutTestController::setXSSAuditorEnabled):
* DumpRenderTree/win/DumpRenderTree.cpp:
(resetWebViewToConsistentStateBeforeTesting):
* DumpRenderTree/win/LayoutTestControllerWin.cpp:
(LayoutTestController::setXSSAuditorEnabled):
(LayoutTestController::setPopupBlockingEnabled):
* DumpRenderTree/wx/LayoutTestControllerWx.cpp:
(LayoutTestController::setXSSAuditorEnabled):

LayoutTests:

2009-06-18 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=26199

Added a basic test for the XSSAuditor.

* http/tests/security/xssAuditor/resources/echo-intertag.php: Added.
* http/tests/security/xssAuditor/script-tag-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@44846 268f45cc-cd09-0410-ab3c-d52691b4dbfc
33c12c69