XSSAuditor: do not look for reflection in URL fragment.

The server never sees it, so it can't be part of a reflected XSS. It may be part of a DOM XSS, but XSSAuditor doesn't handle these, except for a few document.write() cases that aren't likely to manifest in the wild (but are hit by tests). Bug: 877347 Change-Id: I6835c7702d0a8db829f5fde17be15015112a5e13 Reviewed-on: https://chromium-review.googlesource.com/c/1336368Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#608430}

XSSAuditor: do not look for reflection in URL fragment.
The server never sees it, so it can't be part of a reflected XSS. It may be part of a DOM XSS, but XSSAuditor doesn't handle these, except for a few document.write() cases that aren't likely to manifest in the wild (but are hit by tests). Bug: 877347 Change-Id: I6835c7702d0a8db829f5fde17be15015112a5e13 Reviewed-on: https://chromium-review.googlesource.com/c/1336368Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#608430}
fae997a2 · Tom Sepez · Commit Bot · b268b3ed · b268b3ed · b268b3ed
Commit fae997a2 authored Nov 15, 2018 by Tom Sepez Committed by Commit Bot Nov 15, 2018
9 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
-CONSOLE ERROR: line 6: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.php?#%3Cscript%3Ealert(String.fromCharCode(0x58,0x53,0x53))%3C/script%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt
-CONSOLE ERROR: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
-CONSOLE ERROR: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-    testRunner.setXSSAuditorEnabled(true);
-}
-</script>
-</head>
-<body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22al%00ert%280%29%22%3EClick%3C/a%3E'>
-</iframe>
-</body>
-</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event.html
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-    testRunner.setXSSAuditorEnabled(true);
-}
-</script>
-</head>
-<body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id%3D%22anchorLink%22%20href%3D%22%23%22%20onclick%3D%22alert%280%29%22%3EClick%3C/a%3E'>
-</iframe>
-</body>
-</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt
-CONSOLE ERROR: line 21: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL.html
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-    testRunner.setXSSAuditorEnabled(true);
-}
-</script>
-</head>
-<body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/anchor-url-dom-write-location-click.php#%3Ca%20id=%22anchorLink%22%20href=%22javascript:alert(String.fromCharCode(0x58,0x53,0x53))%22%3EClick%3C/a%3E'>
-</iframe>
-</body>
-</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location.html
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.setXSSAuditorEnabled(true);
-}
-</script>
-</head>
-<body>
-<iframe src='http://localhost:8000/security/xssAuditor/resources/echo-dom-write-location.php?#<script>alert(String.fromCharCode(0x58,0x53,0x53))</script>'>
-</iframe>
-</body>
-</html>
--- a/third_party/blink/renderer/core/html/parser/xss_auditor.cc
+++ b/third_party/blink/renderer/core/html/parser/xss_auditor.cc
@@ -374,7 +374,9 @@ void XSSAuditor::Init(Document* document,
  if (!is_enabled_)
    return;
-  document_url_ = document->Url().Copy();
+  document_url_ = document->Url();
+  document_url_.RemoveFragmentIdentifier();
+  document_url_ = document_url_.Copy();  // Make thread safe.
  // In theory, the Document could have detached from the LocalFrame after the
  // XSSAuditor was constructed.