author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 11:39:27 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-02-02 10:39:02 +0000 |
commit | 72eab06955a66abd4139f4f607d4d761a4c38619 (patch) | |
tree | 84c9679289c691172c2646c40e2a9728e3da4b0c | |
parent | 1d1c8edbe6d76db52326f64cb35b173583bc8271 (diff) | |
download | qtwebengine-chromium-72eab06955a66abd4139f4f607d4d761a4c38619.tar.gz |
[Backport] Restrict the xss audit report URL to same origin
BUG=441275
R=tsepez@chromium.org,mkwst@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/768367
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516666}
(CVE-2018-6051)
Change-Id: I528f4f40ced3ae1dd8b852089aeb7079462fa2cf
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
index d9c414864bb..b393b513922 100644
--- a/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -411,6 +411,13 @@ void XSSAuditor::Init(Document* document,
          xss_protection_header == kBlockReflectedXSS) &&
         !report_url.IsEmpty()) {
       xss_protection_report_url = document->CompleteURL(report_url);
+      if (!SecurityOrigin::Create(xss_protection_report_url)
+               ->IsSameSchemeHostPort(document->GetSecurityOrigin())) {
+        error_details =
+            "reporting URL is not same scheme, host, and port as page";
+        xss_protection_header = kReflectedXSSInvalid;
+        xss_protection_report_url = KURL();
+      }
       if (MixedContentChecker::IsMixedContent(document->GetSecurityOrigin(),
                                               xss_protection_report_url)) {
         error_details = "insecure reporting URL for secure page";
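Review bot: The new same-origin rejection is not chained to the mixed-content check that follows it, so after the added block clears `xss_protection_report_url` to `KURL()` the empty URL is still passed to `MixedContentChecker::IsMixedContent`, and if that helper treats an empty URL on a secure page as insecure (plausible, since it has no scheme) it will overwrite `error_details` with "insecure reporting URL for secure page", hiding the more precise cross-origin diagnostic from the console. Since a report URL that shares scheme, host and port with a secure page can never be mixed content, the second check only has work to do when the first one passed; the cleanest fix is to make it an `else if`, i.e. replace the closing `+      }` and the following `if (MixedContentChecker::IsMixedContent(` with `} else if (MixedContentChecker::IsMixedContent(document->GetSecurityOrigin(),`. It is also worth a one-line comment above the new block stating why the restriction exists, e.g. `// Reject cross-origin report URLs: the audit report carries page content, so it must not be sent to another origin.` — the commit message only says "restrict", not why. How `SecurityOrigin::Create` behaves for a report URL that yields a unique/opaque origin (e.g. an unparseable or data: URL) is not visible here; if `IsSameSchemeHostPort` does not already fail closed for such origins, that case should be rejected too. `XSSAuditor::Init` begins before and continues after this hunk.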