ERR_BLOCKED_BY_XSS_AUDITOR when using crbug.com with a query including ">"?
Issue description

Chrome Version: 57.0.2986.0 (Official Build) dev (64-bit)
OS: Linux

This is an apparent regression. The bug does not happen on Chrome 55 Stable.

What steps will reproduce the problem?
(1) Go to https://bugs.chromium.org/p/chromium/issues/list?can=2&q=component%3Ablink%3Eserviceworker%2CBlink%3EWorkers++NextAction%3Ctoday-1+&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
(2)
(3)

What is the expected result?
See the bug listing.

What happens instead?
Get the error:

This page isn’t working
Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards).
Try visiting the site's homepage.
ERR_BLOCKED_BY_XSS_AUDITOR

If I remove the NextAction part of the query, it works.
Jan 25 2017
I was able to repro the issue in the latest Canary 58.0.2991.0 on Mac OS. It seems to be a request failure after the response is received. I captured the net logs dump, and looking at the original request, we seemed to have no problem. However, those URLRequests to bugs.chromium.org/static/js/... are aborted.
Jan 25 2017
+mkwst who has been making changes to XSS auditor, afair. Most likely not a networking issue.
Jan 25 2017
Looks like a false-positive due to some strange markup that monorail generates (I think the unquoted empty attribute in `<form id='bulkremoveissues' method="POST" action=>` is confusing the Auditor). Filed https://bugs.chromium.org/p/monorail/issues/detail?id=2142 against Monorail, as that markup seems broken, but we should probably tune the auditor as well. Tom, would you mind taking a look?
Jan 25 2017
(Removing the network label since this is originating from Blink.)
Jan 26 2017
I just hit this too (and then was frustrated that my queries attempting to find bugs modified recently mentioning ERR_BLOCKED_BY_XSS_AUDITOR weren't working). This is a recent regression (Chrome 55 seems fine), right? Seems potentially urgent - marking P1 release blocking proactively.
Jan 26 2017
Let's get a bisect to see what CL broke this. For the record here's one URL that triggers this error in Chrome 57 but works in Chrome 55: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=touch-action+cc%3Arbyers+Status%3AWontFix+closed>today-60
Jan 26 2017
I'm not sure if BLOCKED_BY_XSS_AUDITOR shows up in net error codes (which are only logged if the request does not complete). It would be a good idea to ensure xss monitor has metrics so we can properly detect significance of issues like this.
Jan 26 2017
I was ready to up the priority but I suppose I can do triage on a stable release. For the record, the problem is not the ">", it's the length of the string combined with certain characters. For example, this works

Component:Blink>Paint,Blink>Paint>Invalidation status=Unconfirmed,Untriaged

but this does not

Component:Blink>Paint,Blink>Paint>Invalidation status=Unconfirmed,Untriaged -has:NextACtion
Jan 26 2017
To be precise, it's not just the ">", it's the ">" combined with the length or something else.
Jan 26 2017
I deployed a new version of Monorail that fixes the <form action=> markup. The original link in this issue description now works on Chrome 58.0.2993.0 canary 64-bit on mac.
Jan 26 2017
First off, you need one of [><"'] in the URL or the auditor doesn't even run. From the example in the original description, we may be matching |action=| in the page against |NextAction<Today|, which should have failed since we're supposed to include the equals sign and the value (in this case empty).
Jan 26 2017
For unquoted attributes at the end of a tag, we've been silently losing the equals sign for comparison, matching the name only, and then re-writing this as name=, which changed nothing until blocking was enabled by default. CL at https://codereview.chromium.org/2663433002/
Jan 27 2017
It's working fine now on Ubuntu 14.04, Mac 10.12.2 and Win 10 using 57.0.2987.8, 55.0.2883.87/95 and canary 58.0.2993.0. Removed the Needs-Bisect and ReleaseBlock-stable labels for now, please add again if it's reproducible again.
Jan 27 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/92e34fe0db746b9a2d1112a942410124bfaf6259

commit 92e34fe0db746b9a2d1112a942410124bfaf6259
Author: tsepez <tsepez@chromium.org>
Date: Fri Jan 27 21:11:36 2017

XSSAuditor: Include equals-sign for final unquoted empty attributes.

This will help reduce the false positive rate.

BUG= 683798
Review-Url: https://codereview.chromium.org/2663433002
Cr-Commit-Position: refs/heads/master@{#446768}

[add] https://crrev.com/92e34fe0db746b9a2d1112a942410124bfaf6259/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/form-action-unquoted-empty-expected.txt
[add] https://crrev.com/92e34fe0db746b9a2d1112a942410124bfaf6259/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/form-action-unquoted-empty.html
[add] https://crrev.com/92e34fe0db746b9a2d1112a942410124bfaf6259/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-form-action-unquoted.pl
[modify] https://crrev.com/92e34fe0db746b9a2d1112a942410124bfaf6259/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
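
The comparison described in the Jan 26 comments, and the effect of keeping the equals sign, as an added C++ sketch that is not part of this thread and is not Chromium's XSSAuditor code. The function names (`DecodeQuery`, `Canonicalize`, `FlagsEmptyAttribute`) and the lowercase, whitespace-stripped canonical form are assumptions made for illustration.

```cpp
// Added illustration, not Chromium's XSSAuditor code: simplified comparison model.
#include <cctype>
#include <iostream>
#include <string>

// Percent-decode a query string ('+' becomes a space).
std::string DecodeQuery(const std::string& in) {
  std::string out;
  for (size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '+') {
      out += ' ';
    } else if (in[i] == '%' && i + 2 < in.size() &&
               std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
               std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
      i += 2;
    } else {
      out += in[i];
    }
  }
  return out;
}

// Assumed canonical form for comparison: lowercase with whitespace removed.
std::string Canonicalize(const std::string& s) {
  std::string out;
  for (unsigned char c : s)
    if (!std::isspace(c)) out += static_cast<char>(std::tolower(c));
  return out;
}

// Would the attribute `name` (empty, unquoted, last in its tag) be treated as
// reflected from the query? pre_fix compares the name without the equals sign.
bool FlagsEmptyAttribute(const std::string& raw_query, const std::string& name,
                         bool pre_fix) {
  std::string url = Canonicalize(DecodeQuery(raw_query));
  // The auditor does not run unless the URL contains one of < > " '.
  if (url.find_first_of("<>\"'") == std::string::npos) return false;
  std::string snippet = Canonicalize(pre_fix ? name : name + "=");
  return url.find(snippet) != std::string::npos;
}

int main() {
  // Query fragment taken from the URL in the issue description.
  const std::string q =
      "q=component%3Ablink%3Eserviceworker%2CBlink%3EWorkers++NextAction%3Ctoday-1+";
  std::cout << "pre-fix:  " << FlagsEmptyAttribute(q, "action", true) << "\n"
            << "post-fix: " << FlagsEmptyAttribute(q, "action", false) << "\n";
}
```

In this model the bare name `action` is found inside `NextAction` from the query, while `action=` is not, which matches the working and failing queries quoted earlier in the thread.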
Feb 14 2017
Comment 1 by falken@chromium.org, Jan 24 2017