
Issue 654794

Starred by 15 users

Issue metadata

Status: Started
Owner:
OOO until 4th
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Task



XSS Auditor: Block by default, remove filtering.

Project Member Reported by mkwst@chromium.org, Oct 11 2016

Issue description

Change description:
Chrome's XSS Auditor should block pages by default, rather than filtering out suspected reflected XSS. Moreover, we should remove the filtering option, as breaking specific pieces of a page's script has been an XSS vector itself in the past.

Changes to API surface:
1. We will default to acting as though `X-XSS-Protection: 1; mode=block` was sent.

2. If `X-XSS-Protection: 1` is sent, we will treat it like `X-XSS-Protection: 1; mode=block`.

Links:
Public standards discussion: The XSS auditor is a proprietary pile of heuristics.

Support in other browsers:
IE has an auditor which is a proprietary pile of heuristics.
Safari has an auditor which is a proprietary pile of heuristics.
Firefox has no auditor.
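To make the two API-surface changes above concrete, here is a small Python model (an example added for this page, not Chromium code) of the new header semantics and of the filter-versus-block distinction the description gives as the reason for removing filtering. `resolve_mode`, `audit`, the `Outcome` type and the sample page and URL are all constructed for the example; the reflection check (an inline script that also appears verbatim in the request's query string is treated as reflected) is a deliberate simplification of the auditor's heuristics, and treating `X-XSS-Protection: 0` as "off" is assumed to be unchanged by this change.

```python
"""Toy model of the XSS Auditor decision this issue changes.

Added example for this page, not Chromium code. The reflection heuristic is
a gross simplification: an inline script whose text also appears verbatim in
the request's decoded query string is treated as reflected. Chromium's real
auditor is a large set of heuristics (see the issue description).
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote, urlsplit


def resolve_mode(header: Optional[str]) -> str:
    """Map a response's X-XSS-Protection header to 'block' or 'off'.

    Per the issue: a missing header is treated as '1; mode=block', and a
    bare '1' is treated as '1; mode=block'. '0' disabling the auditor is
    long-standing behaviour and assumed unchanged here. Any other value is
    mapped to the default (an assumption; the page does not specify it).
    """
    if header is None:
        return "block"
    if header.strip() == "0":
        return "off"
    return "block"


@dataclass
class Outcome:
    rendered: bool               # False means the user gets the error page
    scripts_executed: List[str]  # inline scripts that still run
    flagged: List[str]           # inline scripts judged to be reflected


def find_reflected(url: str, inline_scripts: List[str]) -> List[str]:
    """Simplified heuristic: a script is 'reflected' if its text occurs in
    the decoded query string of the request that produced the page."""
    query = unquote(urlsplit(url).query)
    return [s for s in inline_scripts if s.strip() and s.strip() in query]


def audit(url: str, inline_scripts: List[str],
          header: Optional[str] = None, legacy_filter: bool = False) -> Outcome:
    """Decide what the page looks like after the auditor runs.

    legacy_filter=True simulates the pre-change default ("filter"), which
    this issue removes: only the flagged script is dropped and the rest of
    the page keeps running in a state its author never shipped. With the
    new default the whole document is replaced by an error page instead.
    """
    if resolve_mode(header) == "off":
        return Outcome(True, list(inline_scripts), [])
    flagged = find_reflected(url, inline_scripts)
    if not flagged:
        return Outcome(True, list(inline_scripts), [])
    if legacy_filter:
        survivors = [s for s in inline_scripts if s not in flagged]
        return Outcome(True, survivors, flagged)
    return Outcome(False, [], flagged)


# Constructed sample: a page carrying a protective inline script and an
# unrelated one, requested via a URL whose query string happens to contain
# the first script verbatim (the situation the auditor is built to catch).
SAMPLE_SCRIPTS = [
    "if (top !== self) { top.location = self.location; }",
    "analytics.track('pageview');",
]
SAMPLE_URL = "https://example.test/page?q=" + quote(SAMPLE_SCRIPTS[0])


if __name__ == "__main__":
    cases = [
        ("old default (filter)", {"header": "1", "legacy_filter": True}),
        ("new default (no header)", {"header": None}),
        ("header '1' after change", {"header": "1"}),
        ("auditor disabled ('0')", {"header": "0"}),
    ]
    for label, kwargs in cases:
        out = audit(SAMPLE_URL, SAMPLE_SCRIPTS, **kwargs)
        print(f"{label:26s} rendered={out.rendered} "
              f"executed={len(out.scripts_executed)} flagged={len(out.flagged)}")
```

Running it prints the four cases; the "filter" row is the one this change removes: the page still renders, but with one script the author shipped silently missing, which is the partial-page state the description calls out as having been an XSS vector. After the change, both a missing header and a bare `1` land on the block row.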

 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c

commit b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c
Author: mkwst <mkwst@chromium.org>
Date: Thu Nov 24 19:02:54 2016

Add an error page for resources blocked via XSS Auditor.

Currently, when the XSS Auditor blocks a page, we render a lovely white
rectangle for the user. This, though calming and serene, is not terribly
informative.

This patch wires XSS Auditor blocks up to the general error page
mechanism, giving users some clue as to what's going on.

BUG=654794

Review-Url: https://codereview.chromium.org/2425663002
Cr-Commit-Position: refs/heads/master@{#434375}

[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/components/error_page/common/localized_error.cc
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/components/error_page/renderer/net_error_helper_core.cc
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/components/error_page_strings.grdp
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/components/test_runner/web_frame_test_client.cc
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/components/test_runner/web_frame_test_client.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/content/renderer/render_frame_impl.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/net/base/net_error_list.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/resources/iframe-that-performs-top-navigation-without-user-gesture.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-user-gesture-in-parent.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/frameNavigation/xss-DENIED-top-navigation-without-user-gesture.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-03.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-04.html
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/frame/Frame.cpp
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/html/parser/XSSAuditorDelegate.cpp
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/loader/EmptyClients.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/loader/FrameLoaderClient.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/loader/NavigationScheduler.cpp
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/core/loader/NavigationScheduler.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/platform/network/ResourceError.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/Source/web/FrameLoaderClientImpl.h
[modify] https://crrev.com/b5a70d6b91eeabba6752f56cf9d79b8eb57fcf8c/third_party/WebKit/public/web/WebFrameClient.h

Project Member

Comment 2 by bugdroid1@chromium.org, Nov 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/46b2f19290555de613e09226348ae711db179f58

commit 46b2f19290555de613e09226348ae711db179f58
Author: mkwst <mkwst@chromium.org>
Date: Thu Nov 24 21:48:42 2016

XSS Auditor: Block by default.

This patch changes the default behavior of the XSS auditor from "filter"
to "block". It also fixes a bug exposed by this change: blocking a page
in the middle of parsing/processing `document.write()` crashes the
renderer due to a null deref.

The vast majority of this change is changing layout tests to specify
filtering behavior rather than default behavior.

Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/aZsNygF84JM/86EbD_q0CAAJ

BUG=654794

Review-Url: https://codereview.chromium.org/2524013002
Cr-Commit-Position: refs/heads/master@{#434392}

[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location2.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-unterminated-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-URL-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-URL.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location-inline-event.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location-javascript-URL.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/dom-write-location.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-code-attribute-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/get-from-iframe-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/html5-import-CORS-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/html5-import-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/html5-import-list-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/html5-import-sol-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-onload-GBK-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/iframe-srcdoc-property-blocked-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-GBK-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/img-tag-with-comma-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/inline-event-HTML-entities-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-named-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-HTML-entities-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-ampersand-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-control-char2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-one-plus-one-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-javascript-url-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-01-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-02-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-iframe-src-03-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-script-src-01-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-script-src-02-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-script-src-03-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/open-script-src-04-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/post-from-iframe-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-01-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-02-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-comment-03-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-01-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-02-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-entity-03-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-long-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-01-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-02-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/property-escape-quote-03-expected.txt
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/reflection-in-path-expected.txt
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/anchor-url-dom-write-location-click.php
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-dom-write-URL.php
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-dom-write-innerHTML.php
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-dom-write-location.php
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-dom-write-unescaped-location.php
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-frame-src.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-inner-tag.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-inspan.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-addslashes.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-default-encode.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-object-src.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property-noquotes.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
[modify] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-script-src.pl
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.php
[rename] https://crrev.com/46b2f19290555de613e09226348ae711db179f58/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/safe.php.html
[rename] https://crrev.com/46b2f19290555de613e0922
Totally agree with bugdroid1@chromium.org's comment:

"Currently, when the XSS Auditor blocks a page, we render a lovely white
rectangle for the user. This, though calming and serene, is not terribly
informative."


In some circumstances, the behavior of the XSS Auditor is predictable.

View the source code of any web page. Then look for any <script

Add the value of the tag as a URL parameter and the XSS Auditor automatically blocks the page, leaving it blank.

Examples:

Google (in Spanish): https://www.google.es

view-source:
<script>window.gbar&&gbar.up&&gbar.up.tp&&gbar.up.tp();</script>

Url:
https://www.google.es?xss=%3Cscript+window.gbar&&gbar.up&&gbar.up.tp&&gbar.up.tp();

______________________________________________________________

Blogger: https://www.blogger.com/about/

view-source:
<script>(function(i,s,o,g,r,a,m){i[%22GoogleAnalyticsObject%22]=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)}...

Url:
https://www.blogger.com/about/?xss=%3Cscript+(function(i,s,o,g,r,a,m){i[%22GoogleAnalyticsObject%22]=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)}

______________________________________________________________

Google Maps: https://www.google.es/maps

view-source:
<script>tick('start');tick('p0');</script>

Url:
https://www.google.es/maps?xss=%3Cscript+tick(%27start%27);tick(%27p0%27);

______________________________________________________________

Google Recaptcha: https://www.google.com/recaptcha/intro/comingsoon/index.html

view-source:
<script>(function(i,s,o,g,r,a,m){i[%27GoogleAnalyticsObject%27]=r;i[r]=i[r]||function(){...

Url:
https://www.google.com/recaptcha/intro/comingsoon/index.html?xss=%3Cscript+(function(i,s,o,g,r,a,m){i[%27GoogleAnalyticsObject%27]=r;i[r]=i[r]||function(){

Etc.

In other circumstances, the behavior of the XSS Auditor is difficult to understand.

Access the url:

https://plus.google.com/u/0/_/notifications/frame?sourceid=%3Cscript%20window.jstiming.load.tick(%27bl%27);

*) Google Chrome Version 57.0.2945.0 (Official Build) canary (64-bit):

Message from website:

This page isn’t working
Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR


*) Google Chrome Version 55.0.2883.75 m

Console message:

The XSS Auditor blocked access to 'https://plus.google.com/u/0/_/notifications/frame?sourceid=%3Cscript%20window.jstiming.load.tick(%27bl%27);' because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.

Despite the message, the browser opens tabs indefinitely
(https://bugs.chromium.org/p/chromium/issues/detail?id=643114)
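
The reproduction described in this comment, modelled as an added example. This is illustrative JavaScript written for this page, not Chromium's XSS Auditor code: it keeps the two conditions the auditor uses for an inline script (the `<script` start tag and a prefix of the script's source must both be reflected in the request) and the header semantics from the issue description (header absent or `1` means block, `0` disables), but the percent-decoding, whitespace folding, `SNIPPET_MAX` limit, and the sample page are assumptions made for the example. The `legacyFilter` function models the filtering mode this issue removes, to show why letting the request choose which of the page's own scripts get erased is itself a lever.

```javascript
// Added example, not Chromium code: a toy model of the XSS Auditor's inline
// script check. The header handling follows the issue description; the
// decoding, whitespace folding and SNIPPET_MAX are assumptions for this model.

const SNIPPET_MAX = 100; // assumed: only a prefix of each script body is compared

// Map an X-XSS-Protection header value to the auditor mode.
function xssAuditorMode(headerValue) {
  if (headerValue == null) return "block";                // no header: block by default
  const first = String(headerValue).split(";")[0].trim();
  return first === "0" ? "off" : "block";                 // "1" is treated as "1; mode=block"
}

// Fold text into the comparison form: percent-decode ("+" as a space, which the
// URLs in this thread rely on), then drop whitespace and case.
function canonicalize(text) {
  let decoded = text.replace(/\+/g, " ");
  try { decoded = decodeURIComponent(decoded); } catch (e) { /* malformed escape: compare raw */ }
  return decoded.replace(/\s+/g, "").toLowerCase();
}

// Collect the bodies of inline <script> elements (those without a src attribute).
function inlineScriptBodies(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") bodies.push(m[2]);
  }
  return bodies;
}

// Inline script bodies whose source prefix is reflected in the request. As in
// the auditor, the script start tag itself must be reflected as well, which is
// why the reproduction URLs above carry "%3Cscript+" in front of the source.
function reflectedScripts(requestUrl, responseHtml) {
  const req = canonicalize(requestUrl);
  if (!req.includes("<script")) return [];
  return inlineScriptBodies(responseHtml).filter((body) => {
    const snippet = canonicalize(body).slice(0, SNIPPET_MAX);
    return snippet !== "" && req.includes(snippet);
  });
}

// Verdict for one navigation: "block" (error page), "off" (header 0) or "allow".
function audit(requestUrl, responseHtml, xssProtectionHeader) {
  if (xssAuditorMode(xssProtectionHeader) === "off") return { verdict: "off", hits: [] };
  const hits = reflectedScripts(requestUrl, responseHtml);
  return { verdict: hits.length > 0 ? "block" : "allow", hits };
}

// The filtering behaviour this issue removes: the reflected script bodies were
// emptied and the rest of the page was rendered. Whoever crafts the URL picks
// which of the page's own scripts do not run.
function legacyFilter(requestUrl, responseHtml) {
  const hits = new Set(reflectedScripts(requestUrl, responseHtml));
  return responseHtml.replace(/(<script\b[^>]*>)([\s\S]*?)(<\/script\s*>)/gi,
    (all, open, body, close) => (hits.has(body) ? open + close : all));
}

// Constructed sample page: the google.es and Maps inline scripts quoted above,
// plus an external script the check ignores.
const SAMPLE_PAGE = [
  "<html><head>",
  "<script>window.gbar&&gbar.up&&gbar.up.tp&&gbar.up.tp();</script>",
  "<script>tick('start');tick('p0');</script>",
  '<script src="/js/app.js"></script>',
  "</head><body>hello</body></html>",
].join("\n");

const ATTACK_URL = "https://www.google.es?xss=%3Cscript+window.gbar&&gbar.up&&gbar.up.tp&&gbar.up.tp();";
const BODY_ONLY_URL = "https://www.google.es?xss=window.gbar&&gbar.up&&gbar.up.tp&&gbar.up.tp();";
const NORMAL_URL = "https://www.google.es?q=xss+auditor";

console.log(JSON.stringify(audit(ATTACK_URL, SAMPLE_PAGE, undefined)));   // verdict "block"
console.log(JSON.stringify(audit(ATTACK_URL, SAMPLE_PAGE, "0")));         // verdict "off"
console.log(JSON.stringify(audit(NORMAL_URL, SAMPLE_PAGE, "1")));         // verdict "allow"
```

Run it with node; the three logged verdicts are block, off and allow. Note that with this modelling a URL carrying only the script body and no `<script` (`BODY_ONLY_URL`) is not blocked, which matches the shape of the URLs the commenter needed to use.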

Comment 5 by mkwst@chromium.org, Dec 9 2016

Status: Fixed (was: Assigned)
To some extent, it's all a matter of timing: the XSS Auditor acts upon an active page. Script is executing during parsing, so it's entirely possible for a page to pop things up before we block it. It seems like Chrome 57's behavior is correct in the case you noted, while Chrome 55 blocks later than it ought to. Since we changed the blocking behavior to have an exciting error page, this is expected.

Comment 6 by mkwst@chromium.org, Dec 9 2016

Status: Started (was: Fixed)
Whoops. Not fixed. Started. We're now blocking by default, but haven't yet removed filtering as an option.

Comment 7 by mkwst@chromium.org, Feb 23 2017

Labels: xssauditor
ERR_BLOCKED_BY_XSS_AUDITOR being received falsely now on my vBulletin forums site when submitting posts. This just began with the current version of Chrome, Version 57.0.2987.133 (64-bit).

Please revert it to the way it was. This messaging is scaring people away from our site, thinking we are hacked. Please!
You can disable the auditor by sending an X-XSS-Protection: 0 header. This may be required if you are allowing the users to post HTML back to your site.

Well, do I understand correctly then that it basically means that all sites using a WYSIWYG editor are going to be blocked by XSS protection on Chrome? Isn't that going a little too far in end-user protection?
We feel that these are the exceptions, rather than the rules, and that sending X-XSS-Protection: 0 is always available.
Issue 702542 makes me wonder whether sites were impacted by the XSS Auditor more commonly than anyone realized until we started blocking by default in M57?

For the IE XSS Filter, it was deemed a non-starter to try to apply the filter on same-origin navigations due to false positives. It might be interesting to look at metrics on what % of the XSS Auditor blocks are on same-origin vs. cross-origin navigations.

Comment 13 Deleted

For the record: This actually makes it really difficult for applications to provide WYSIWYG editors or forms where HTML/scripts are actually allowed to be inserted.

Those might be the exception in the wild of the web, but it is not uncommon for actual business applications with a web-based GUI.

As for the "sending X-XSS-Protection: 0 is always available" argument: Well, no! Application pen-testers frequently force application developers to send restrictive X-XSS-Protection headers (and others).

Also: Applications are built from frameworks that might not allow you to send such headers in some parts of the GUI but not others.

This forces application developers to come up with hacky solutions. Like POSTing base64 encoded blobs or whatnot. Is this really the way forward?
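
One way to act on the earlier advice to send `X-XSS-Protection: 0` without giving it up site-wide, as an added example that is not vBulletin's, Chromium's or any framework's code: scope the opt-out to the responses that echo user-authored HTML on purpose (a reply submission, a WYSIWYG preview) and keep the blocking value everywhere else, so a pen-test finding about restrictive headers and a working editor can both be satisfied. The route table and the Node-style `(req, res)` handler shape are assumptions made for this example.

```javascript
// Added example: per-route X-XSS-Protection policy. Not code from this issue,
// vBulletin or any framework; the route table below is an assumption.

// Responses that render a user's own submitted markup back to them. For these,
// "script source found within the request" is the feature, not an attack.
const RAW_HTML_ROUTES = [
  { method: "POST", path: /^\/newreply\.php$/ },     // assumed: forum reply submission
  { method: "POST", path: /^\/editor\/preview$/ },   // assumed: WYSIWYG preview
];

function echoesSubmittedHtml(method, pathname) {
  const m = String(method).toUpperCase();
  return RAW_HTML_ROUTES.some((r) => r.method === m && r.path.test(pathname));
}

// Header value for one response: opt out only where echoing HTML is intended;
// everywhere else state the blocking behaviour explicitly (it is also the
// default Chrome now applies when the header is absent).
function xssProtectionFor(method, pathname) {
  return echoesSubmittedHtml(method, pathname) ? "0" : "1; mode=block";
}

// Wrap a request handler so every response carries the per-route value. This
// is the hook to use when the framework only offers a single global header set.
function withXssProtectionPolicy(handler) {
  return (req, res) => {
    const pathname = new URL(req.url, "http://localhost").pathname;
    res.setHeader("X-XSS-Protection", xssProtectionFor(req.method, pathname));
    return handler(req, res);
  };
}

// Usage with a constructed request and a minimal response object; with Node's
// http module the wrapped function is what you pass to http.createServer().
const app = withXssProtectionPolicy((req, res) => `handled ${req.method} ${req.url}`);
const sentHeaders = {};
const fakeRes = { setHeader: (name, value) => { sentHeaders[name] = value; } };
app({ method: "POST", url: "/newreply.php?do=postreply" }, fakeRes);
console.log(sentHeaders); // { 'X-XSS-Protection': '0' }
```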


Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge
Labels: Hotlist-EnamelAndFriendsFixIt
Labels: -Hotlist-EnamelAndFriendsFixIt
