2010-02-01 Daniel Bates <dbates@webkit.org>

Reviewed by Adam Barth. https://bugs.webkit.org/show_bug.cgi?id=27312 Implements support for full page blocking via the X-XSS-Protection header. Tests: http/tests/security/xssAuditor/full-block-base-href.html http/tests/security/xssAuditor/full-block-get-from-iframe.html http/tests/security/xssAuditor/full-block-iframe-javascript-url.html http/tests/security/xssAuditor/full-block-iframe-no-inherit.php http/tests/security/xssAuditor/full-block-javascript-link.html http/tests/security/xssAuditor/full-block-link-onclick.html http/tests/security/xssAuditor/full-block-object-tag.html http/tests/security/xssAuditor/full-block-post-from-iframe.html http/tests/security/xssAuditor/full-block-script-tag-with-source.html http/tests/security/xssAuditor/full-block-script-tag.html http/tests/security/xssAuditor/malformed-xss-protection-header.html * page/XSSAuditor.cpp: (WebCore::XSSAuditor::shouldFullPageBlockForXSSProtectionHeader): Added. (WebCore::XSSAuditor::findInRequest): Modified to call method XSSAuditor::shouldFullPageBlockForXSSProtectionHeader. * page/XSSAuditor.h: Defined method shouldFullPageBlockForXSSProtectionHeader and fixed misspelled words in large comment block. 2010-02-01 Daniel Bates <dbates@webkit.org> Reviewed by Adam Barth. https://bugs.webkit.org/show_bug.cgi?id=27312 Tests that the header "X-XSS-Protection: full-block" leads to a full page block when an XSS attack is detected. * http/tests/security/xssAuditor/full-block-base-href-expected.txt: Added. * http/tests/security/xssAuditor/full-block-base-href.html: Added. * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: Added. * http/tests/security/xssAuditor/full-block-get-from-iframe.html: Added. * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: Added. * http/tests/security/xssAuditor/full-block-iframe-javascript-url.html: Added. * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: Added. * http/tests/security/xssAuditor/full-block-iframe-no-inherit.php: Added. * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: Added. * http/tests/security/xssAuditor/full-block-javascript-link.html: Added. * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: Added. * http/tests/security/xssAuditor/full-block-link-onclick.html: Added. * http/tests/security/xssAuditor/full-block-object-tag-expected.txt: Added. * http/tests/security/xssAuditor/full-block-object-tag.html: Added. * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: Added. * http/tests/security/xssAuditor/full-block-post-from-iframe.html: Added. * http/tests/security/xssAuditor/full-block-script-tag-expected.txt: Added. * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: Added. * http/tests/security/xssAuditor/full-block-script-tag-with-source.html: Added. * http/tests/security/xssAuditor/full-block-script-tag.html: Added. * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Added. * http/tests/security/xssAuditor/malformed-xss-protection-header.html: Added. * http/tests/security/xssAuditor/resources/echo-head-base-href.pl: Modified to optionally enable full page blocking. * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: Ditto. * http/tests/security/xssAuditor/resources/echo-intertag.pl: Ditto. * http/tests/security/xssAuditor/resources/utilities.js: (checkIfFrameLocationMatchesURLAndCallDone): Added. (sendRequestFromIFrame): Modified to optionally call callback function when done. git-svn-id: svn://svn.chromium.org/blink/trunk@54202 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2010-02-01 Daniel Bates <dbates@webkit.org>
Reviewed by Adam Barth. https://bugs.webkit.org/show_bug.cgi?id=27312 Implements support for full page blocking via the X-XSS-Protection header. Tests: http/tests/security/xssAuditor/full-block-base-href.html http/tests/security/xssAuditor/full-block-get-from-iframe.html http/tests/security/xssAuditor/full-block-iframe-javascript-url.html http/tests/security/xssAuditor/full-block-iframe-no-inherit.php http/tests/security/xssAuditor/full-block-javascript-link.html http/tests/security/xssAuditor/full-block-link-onclick.html http/tests/security/xssAuditor/full-block-object-tag.html http/tests/security/xssAuditor/full-block-post-from-iframe.html http/tests/security/xssAuditor/full-block-script-tag-with-source.html http/tests/security/xssAuditor/full-block-script-tag.html http/tests/security/xssAuditor/malformed-xss-protection-header.html * page/XSSAuditor.cpp: (WebCore::XSSAuditor::shouldFullPageBlockForXSSProtectionHeader): Added. (WebCore::XSSAuditor::findInRequest): Modified to call method XSSAuditor::shouldFullPageBlockForXSSProtectionHeader. * page/XSSAuditor.h: Defined method shouldFullPageBlockForXSSProtectionHeader and fixed misspelled words in large comment block. 2010-02-01 Daniel Bates <dbates@webkit.org> Reviewed by Adam Barth. https://bugs.webkit.org/show_bug.cgi?id=27312 Tests that the header "X-XSS-Protection: full-block" leads to a full page block when an XSS attack is detected. * http/tests/security/xssAuditor/full-block-base-href-expected.txt: Added. * http/tests/security/xssAuditor/full-block-base-href.html: Added. * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: Added. * http/tests/security/xssAuditor/full-block-get-from-iframe.html: Added. * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: Added. * http/tests/security/xssAuditor/full-block-iframe-javascript-url.html: Added. * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: Added. * http/tests/security/xssAuditor/full-block-iframe-no-inherit.php: Added. * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: Added. * http/tests/security/xssAuditor/full-block-javascript-link.html: Added. * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: Added. * http/tests/security/xssAuditor/full-block-link-onclick.html: Added. * http/tests/security/xssAuditor/full-block-object-tag-expected.txt: Added. * http/tests/security/xssAuditor/full-block-object-tag.html: Added. * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: Added. * http/tests/security/xssAuditor/full-block-post-from-iframe.html: Added. * http/tests/security/xssAuditor/full-block-script-tag-expected.txt: Added. * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: Added. * http/tests/security/xssAuditor/full-block-script-tag-with-source.html: Added. * http/tests/security/xssAuditor/full-block-script-tag.html: Added. * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Added. * http/tests/security/xssAuditor/malformed-xss-protection-header.html: Added. * http/tests/security/xssAuditor/resources/echo-head-base-href.pl: Modified to optionally enable full page blocking. * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: Ditto. * http/tests/security/xssAuditor/resources/echo-intertag.pl: Ditto. * http/tests/security/xssAuditor/resources/utilities.js: (checkIfFrameLocationMatchesURLAndCallDone): Added. (sendRequestFromIFrame): Modified to optionally call callback function when done. git-svn-id: svn://svn.chromium.org/blink/trunk@54202 bbb929c8-8fbe-4397-9dbb-9b2b20218538
fc8a2755 · dbates@webkit.org · 8db1691e · fc8a2755 · fc8a2755 · fc8a2755
Commit fc8a2755 authored Feb 02, 2010 by dbates@webkit.org
30 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2010-02-01  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=27312
+
+        Tests that the header "X-XSS-Protection: full-block" leads to a full page block
+        when an XSS attack is detected.
+
+        * http/tests/security/xssAuditor/full-block-base-href-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-base-href.html: Added.
+        * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-get-from-iframe.html: Added.
+        * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-iframe-javascript-url.html: Added.
+        * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-iframe-no-inherit.php: Added.
+        * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-javascript-link.html: Added.
+        * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-link-onclick.html: Added.
+        * http/tests/security/xssAuditor/full-block-object-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-object-tag.html: Added.
+        * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-post-from-iframe.html: Added.
+        * http/tests/security/xssAuditor/full-block-script-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: Added.
+        * http/tests/security/xssAuditor/full-block-script-tag-with-source.html: Added.
+        * http/tests/security/xssAuditor/full-block-script-tag.html: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Added.
+        * http/tests/security/xssAuditor/malformed-xss-protection-header.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-head-base-href.pl: Modified to optionally
+        enable full page blocking.
+        * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: Ditto.
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl: Ditto.
+        * http/tests/security/xssAuditor/resources/utilities.js:
+        (checkIfFrameLocationMatchesURLAndCallDone): Added.
+        (sendRequestFromIFrame): Modified to optionally call callback function when done.
+
 2010-02-01  Shinichiro Hamaji  <hamaji@chromium.org>

        Reviewed by Dmitry Titov.

--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
+CONSOLE MESSAGE: line 1: Refused to load from document base URL. URL found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=<base href='http://localhost:8000/security/xssAuditor/resources/base-href/'>">
+</iframe>
+</body>
+</html>
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+function done()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+window.onload = function()
+{
+    sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","enable-full-block=1&q=<script>alert(/XSS/)<\/script>","GET", done);
+};
+</script>
+</head>
+<body>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src='http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E'>
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+This tests that the header X-XSS-Protection is not inherited by the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no JavaScript alert() then the test PASSED.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
+<?php
+header("X-XSS-Protection: full-block");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://127.0.0.1:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+function checkIfDone()
+{
+    checkIfFrameLocationMatchesURLAndCallDone('frame', encodeURI(document.getElementById('frame').src));
+}
+</script>
+</head>
+<body>
+<p>This tests that the header X-XSS-Protection is not inherited by the iframe below:</p>
+<iframe id="frame" onload="checkIfDone()" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src='http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS/%29%3Etest%3C/a%3E'>
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<a%20onclick='alert(/XSS/)'>Click</a>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
+CONSOLE MESSAGE: line 1: Refused to load an object. URL found within request: "http://localhost:8000/security/xssAuditor/resources/dummy.swf".
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<object name='plugin' type='application/x-webkit-test-netscape'><param name='movie' value='http://localhost:8000/security/xssAuditor/resources/dummy.swf' /></object>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+function done()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+window.onload = function()
+{
+    sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","enable-full-block=1&q=<script>alert(/XSS/)<\/script>","POST", done);
+};
+</script>
+</head>
+<body>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script src='http://localhost:8000/security/xssAuditor/resources/xss.js'></script>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script>alert(/XSS/)</script>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters.
+
+
+
+--------
+Frame: 'frame'
+--------
+
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.dumpChildFramesAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
@@ -4,6 +4,9 @@ use CGI;

 my $cgi = new CGI;

+if ($cgi->param('enable-full-block')) {
+    print "X-XSS-Protection: 12\n";
+}
 print "Content-Type: text/html; charset=UTF-8\n\n";

 print "<!DOCTYPE html>\n";

--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
@@ -4,6 +4,9 @@ use CGI;

 my $cgi = new CGI;

+if ($cgi->param('enable-full-block')) {
+    print "X-XSS-Protection: 12\n";
+}
 print "Content-Type: text/html; charset=UTF-8\n\n";

 print "<!DOCTYPE html>\n";
@@ -20,9 +23,17 @@ print "</script>\n";
 print "</head>\n";
 print "<body>\n";
 print $cgi->param('q');
-print "<script>\n";
-print "if (window.layoutTestController)\n";
-print "    layoutTestController.notifyDone();\n";
-print "</script>\n";
+if ($cgi->param('enable-full-block')) {
+    # Note, when testing a full-page-block, we can't call layoutTestController.notifyDone()
+    # on the generated page because it takes some time for the frame to be redirected to
+    # about:blank. Hence, the caller of this Perl script must call layoutTestController.notifyDone()
+    # after the redirect has occurred.
+    print "<p>If you see this message then the test FAILED.</p>\n";
+} else {
+    print "<script>\n";
+    print "if (window.layoutTestController)\n";
+    print "    layoutTestController.notifyDone();\n";
+    print "</script>\n";
+}
 print "</body>\n";
 print "</html>\n";
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
@@ -4,6 +4,12 @@ use CGI;

 my $cgi = new CGI;

+if ($cgi->param('enable-full-block')) {
+    print "X-XSS-Protection: 12\n";
+}
+if ($cgi->param('custom-header')) {
+    print $cgi->param('custom-header') . "\n";
+}
 print "Content-Type: text/html; charset=UTF-8\n\n";

 print "<!DOCTYPE html>\n";
@@ -16,5 +22,8 @@ if ($cgi->param('notifyDone')) {
    print "    layoutTestController.notifyDone();\n";
    print "</script>\n";
 }
+if ($cgi->param('enable-full-block')) {
+    print "<p>If you see this message then the test FAILED.</p>\n";
+}
 print "</body>\n";
 print "</html>\n";
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
-function sendRequestFromIFrame(url, params, HTTPMethod)
+function checkIfFrameLocationMatchesURLAndCallDone(frameId, expectedURL)
+{
+    if (!window.layoutTestController)
+        return;
+    if (document.getElementById(frameId).contentWindow.location == expectedURL)
+        layoutTestController.notifyDone();
+}
+
+function sendRequestFromIFrame(url, params, HTTPMethod, callbackWhenDone)
 {
    if (!params || !params.length)
        return;
@@ -23,5 +31,7 @@ function sendRequestFromIFrame(url, params, HTTPMethod)
    }
    frameContent.write('</form>');
    frameContent.close();
+    if (callbackWhenDone)
+        iFrameObj.onload = callbackWhenDone;
    frameContent.getElementById('form').submit();
-}
\ No newline at end of file
+}
--- a/third_party/WebKit/WebCore/ChangeLog
+++ b/third_party/WebKit/WebCore/ChangeLog
+2010-02-01  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=27312
+
+        Implements support for full page blocking via the X-XSS-Protection header.
+
+        Tests: http/tests/security/xssAuditor/full-block-base-href.html
+               http/tests/security/xssAuditor/full-block-get-from-iframe.html
+               http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
+               http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
+               http/tests/security/xssAuditor/full-block-javascript-link.html
+               http/tests/security/xssAuditor/full-block-link-onclick.html
+               http/tests/security/xssAuditor/full-block-object-tag.html
+               http/tests/security/xssAuditor/full-block-post-from-iframe.html
+               http/tests/security/xssAuditor/full-block-script-tag-with-source.html
+               http/tests/security/xssAuditor/full-block-script-tag.html
+               http/tests/security/xssAuditor/malformed-xss-protection-header.html
+
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::shouldFullPageBlockForXSSProtectionHeader): Added.
+        (WebCore::XSSAuditor::findInRequest): Modified to call method
+        XSSAuditor::shouldFullPageBlockForXSSProtectionHeader.
+        * page/XSSAuditor.h: Defined method shouldFullPageBlockForXSSProtectionHeader
+        and fixed misspelled words in large comment block.
+
 2010-02-01  Kwang Yul Seo  <skyul@company100.net>

        Reviewed by Eric Seidel.

--- a/third_party/WebKit/WebCore/page/XSSAuditor.cpp
+++ b/third_party/WebKit/WebCore/page/XSSAuditor.cpp
@@ -290,14 +290,38 @@ bool XSSAuditor::isSameOriginResource(const String& url) const
    return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
 }

+bool XSSAuditor::shouldFullPageBlockForXSSProtectionHeader() const
+{
+    // If we detect an XSS attack and find the HTTP header "X-XSS-Protection: 12" then
+    // we will stop loading the page as opposed to ignoring the script. The value "12"
+    // came from a personal communication, see <https://bugs.webkit.org/show_bug.cgi?id=27312>
+    // for more details.
+    DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, ("X-XSS-Protection"));
+
+    Frame* frame = m_frame;
+    if (frame->document()->url() == blankURL())
+        frame = m_frame->tree()->parent();
+
+    // We strip any whitespace characters to conform to the behavior in Internet Explorer.
+    String xssProtectionValue = frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader).stripWhiteSpace();
+    return (xssProtectionValue.length() >= 2 && xssProtectionValue[0] == '1' && xssProtectionValue[1] == '2');
+}
+
 bool XSSAuditor::findInRequest(const FindTask& task) const
 {
    bool result = false;
    Frame* parentFrame = m_frame->tree()->parent();
+    Frame* blockFrame = parentFrame;
    if (parentFrame && m_frame->document()->url() == blankURL())
        result = findInRequest(parentFrame, task);
-    if (!result)
+    if (!result) {
        result = findInRequest(m_frame, task);
+        blockFrame = m_frame;
+    }
+    if (result && blockFrame && shouldFullPageBlockForXSSProtectionHeader()) {
+        blockFrame->loader()->stopAllLoaders();
+        blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String());
+    }
    return result;
 }


--- a/third_party/WebKit/WebCore/page/XSSAuditor.h
+++ b/third_party/WebKit/WebCore/page/XSSAuditor.h
@@ -36,7 +36,7 @@ namespace WebCore {
    class ScriptSourceCode;

    // The XSSAuditor class is used to prevent type 1 cross-site scripting
-    // vulnerabilites (also known as reflected vulnerabilities).
+    // vulnerabilities (also known as reflected vulnerabilities).
    //
    // More specifically, the XSSAuditor class decides whether the execution of
    // a script is to be allowed or denied based on the content of any
@@ -53,7 +53,7 @@ namespace WebCore {
    //
    // Bindings
    //
-    // An XSSAuditor is instantiated within the contructor of a
+    // An XSSAuditor is instantiated within the constructor of a
    // ScriptController object and passed the Frame the script originated. The
    // ScriptController calls back to the XSSAuditor to determine whether a
    // JavaScript script is safe to execute before executing it. The following
@@ -144,6 +144,8 @@ namespace WebCore {
        bool findInRequest(const FindTask&) const;
        bool findInRequest(Frame*, const FindTask&) const;

+        bool shouldFullPageBlockForXSSProtectionHeader() const;
+
        // The frame to audit.
        Frame* m_frame;