    WebCore: · a796cc07
    abarth@webkit.org authored
    2008-11-01  Adam Barth  <abarth@webkit.org>
    
            Reviewed by Sam Weinig.
    
            Be sure to check the final URLs of requested resources to make sure we
            don't get fooled by HTTP redirects.
    
            https://bugs.webkit.org/show_bug.cgi?id=21963
    
            Tests: http/tests/security/xss-DENIED-xsl-document-redirect.xml
                   http/tests/security/xss-DENIED-xsl-external-entity-redirect.xml
    
            * dom/XMLTokenizerLibxml2.cpp:
            (WebCore::openFunc):
            * loader/DocLoader.cpp:
            (WebCore::DocLoader::canRequest):
            (WebCore::DocLoader::requestResource):
            * loader/DocLoader.h:
            * xml/XSLTProcessor.cpp:
            (WebCore::docLoaderFunc):
    
    LayoutTests:
    
    2008-11-01  Adam Barth  <abarth@webkit.org>
    
            Reviewed by Sam Weinig.
    
            Test that we properly block non-same-origin redirects for these
            esoteric loads.
    
            https://bugs.webkit.org/show_bug.cgi?id=21963
    
            * http/tests/security/resources/xsl-using-document-redirect.xsl: Added.
            * http/tests/security/resources/xsl-using-external-entity-redirect.xsl: Added.
            * http/tests/security/xss-DENIED-xsl-document-redirect-expected.txt: Copied from LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt.
            * http/tests/security/xss-DENIED-xsl-document-redirect.xml: Added.
            * http/tests/security/xss-DENIED-xsl-external-entity-redirect-expected.txt: Copied from LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt.
            * http/tests/security/xss-DENIED-xsl-external-entity-redirect.xml: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@38065 268f45cc-cd09-0410-ab3c-d52691b4dbfc
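
The check the commit message describes, modelled as an added example that is not WebKit's code: a same-origin test on the requested URL alone passes a load that redirects to another origin, while a test on the final URL denies it. All names (`originOf`, `finalUrl`, `allowByFinalUrl`, `RedirectTable`) are hypothetical, and the redirect table is a constructed stand-in for the network.

```cpp
#include <map>
#include <string>

// Hypothetical model (not WebKit code): origin = scheme + host + port.
struct Origin { std::string scheme, host, port; };

// Minimal parser for absolute http/https URLs (no userinfo, no IPv6 literals).
Origin originOf(const std::string& url) {
    Origin o;
    auto sep = url.find("://");
    if (sep == std::string::npos) return o;  // scheme stays empty: invalid
    o.scheme = url.substr(0, sep);
    auto start = sep + 3;
    auto end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? end : end - start);
    auto colon = authority.find(':');
    o.host = authority.substr(0, colon);
    o.port = colon == std::string::npos ? (o.scheme == "https" ? "443" : "80")
                                        : authority.substr(colon + 1);
    return o;
}

bool sameOrigin(const std::string& a, const std::string& b) {
    Origin x = originOf(a), y = originOf(b);
    return !x.scheme.empty() && !x.host.empty() &&
           x.scheme == y.scheme && x.host == y.host && x.port == y.port;
}

// Constructed stand-in for the network: URL -> Location header target.
using RedirectTable = std::map<std::string, std::string>;

// Follow at most maxHops redirects; an empty string means the load failed.
std::string finalUrl(const RedirectTable& redirects, std::string url, int maxHops = 5) {
    for (int hop = 0; hop <= maxHops; ++hop) {
        auto it = redirects.find(url);
        if (it == redirects.end()) return url;
        url = it->second;
    }
    return "";
}

// Before: only the URL the document asked for is checked.
bool allowByRequestedUrl(const std::string& doc, const std::string& requested) {
    return sameOrigin(doc, requested);
}
// After: the URL the response actually came from must also be same-origin.
bool allowByFinalUrl(const RedirectTable& r, const std::string& doc, const std::string& requested) {
    return sameOrigin(doc, requested) && sameOrigin(doc, finalUrl(r, requested));
}
```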