Issue 98787 in chromium: Reflective XSS Protection appears to target legitimate iframes as a false positive


chro...@googlecode.com

Oct 1, 2011, 5:21:29 PM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined OS-Windows

New issue 98787 by sbandyop...@gmail.com: Reflective XSS Protection appears
to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

Chrome Version : 14.0.835.186
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) : N/A
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x: OK
IE 7/8/9: OK

What steps will reproduce the problem?
1. Pick a CMS (content management system), like Drupal, that allows users
to input raw HTML as content.
2. Pick a YouTube video and grab its embed code -- or, frankly, anything in
an iframe.
3. Put the iframe embed code into a new piece of content, and save the
content -- thereby redirecting you to the newly created piece of content.

What is the expected result?
The iframe should show up correctly, every single time.

What happens instead?
The first time the saved piece of content is viewed (immediately after the
HTML is input), the iframe appears blank (see attached screenshot). The
iframe shows up correctly the second time the page is viewed, and every
time afterwards as well.

Please provide any additional information below. Attach a screenshot if
possible.

Upon further inspection, the original HTML code is rewritten to:
<iframe src="" [other parameters untouched]></iframe>

To be specific, the src attribute is blanked out entirely. Nothing else is
changed.

And finally, the following error is returned: "Refused to execute a
JavaScript script. Source code of script found within request." This is a
particularly interesting error because there IS NO JAVASCRIPT on my test
page!! In fact, to be double sure, I turned off javascript in Chrome
entirely... and I still got this error! Chrome indicates it's attempting
(but ultimately refusing) to run a JavaScript script, regardless of whether
there is any javascript on the page, and regardless of whether javascript
is even enabled in the browser.

It seems to me that the Reflective XSS Protection is kicking in and picking
the iframe as a false positive, since the iframe that's being displayed on
the page was also in the request that fetched this page -- namely, the
content editing form that was just submitted.

I don't mean to beat a dead horse, but let me stress again that there is no
javascript on this page at all. And I tested various Google products as the
src for the iframe, including YouTube videos as well as the google.com
homepage itself. It fails to load every time, and returns the same error
("Refused to execute a JavaScript script. Source code of script found
within request.") every time.

UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1
(KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1

Attachments:
20111001-iframe-bug.png 35.4 KB

chro...@googlecode.com

Oct 1, 2011, 5:34:32 PM
to chromi...@chromium.org

Comment #1 on issue 98787 by sbandyop...@gmail.com: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

For those who are familiar with Drupal, there may be questions whether I
took the necessary steps to confirm that this error lies with Chrome, and
not with Drupal. Just to provide further evidence that the bug is not being
generated from Drupal, and is entirely a result of Chrome's filtering, I'll
note that I entered the YouTube embed code (and other test iframes) into a
specially-created input format in Drupal (namely, the PHP filter). The
iframe was not being filtered out by Drupal. Indeed, other browsers show
the iframe just fine. Furthermore, I hacked my test version of Drupal
(right in index.php) to print out the HTML code it was about to output
above the page it was producing, and the HTML code that is output by Drupal
(per the hack in Drupal's index.php) DOES include the correct source --
even the first time, immediately after saving. (This is more powerful proof
than simply viewing the page source code and seeing the iframe's src there,
since viewing the source on Chrome technically counts as a 2nd page view,
not the first -- and as noted above, this error only occurs on the first
page view.)

chro...@googlecode.com

Oct 4, 2011, 4:21:32 AM
to chromi...@chromium.org
Updates:
Cc: aba...@chromium.org

Comment #2 on issue 98787 by will...@chromium.org: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

(No comment was entered for this change.)

chro...@googlecode.com

Oct 4, 2011, 3:06:53 PM
to chromi...@chromium.org

Comment #4 on issue 98787 by sbandyop...@gmail.com: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

Thanks for the prompt reply, and for keeping track of issues like these.
Obviously the compatibility gain from option (2) is great, but luckily
option (1) doesn't sound too difficult.

chro...@googlecode.com

Oct 15, 2011, 6:39:59 AM
to chromi...@chromium.org
Updates:
Cc: aba...@chromium.org tk...@chromium.org

Comment #5 on issue 98787 by aba...@chromium.org: Reflective XSS Protection
appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

Issue 83503 has been merged into this issue.

chro...@googlecode.com

Dec 10, 2011, 12:12:06 PM
to chromi...@chromium.org

Comment #10 on issue 98787 by rowntree...@gmail.com: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

JavaScript error (XSS) in render of YouTube home page in Chrome beta ...

Error RC from dev-tools console in chrome Requesting http://youtube.com....

Unsafe JavaScript attempt to access frame with URL http://www.youtube.com/
from frame with URL
http://ad-g.doubleclick.net/adi/com.ythome/_default;sz=970x250,960x250;tile=1;dcopt=ist;klg=en;kcr=us;kauth=1;kga=-1;kgg=-1;kt=U;dc_dedup=1;kmyd=ad_creative_1;kbsg=HPUS111210;ord=6366836398763006?.
Domains, protocols and ports must match.
extensions/extension_process_bindings.js:184Uncaught Error: You do not have
permission to use 'windows.getAll'. Be sure to declare in your manifest
what permissions you need.
sendRequestextensions/extension_process_bindings.js:184
(anonymous function)extensions/extension_process_bindings.js:630
sendMessagechrome-extension://gpmpangiimbdkhbhmbbhkplffgkiomkh/lib/messaging.js:49
document.body.style.displaychrome-extension://gpmpangiimbdkhbhmbbhkplffgkiomkh/lib/aci-injected.js:17
d.extend._Deferred.f.resolveWithchrome-extension://gpmpangiimbdkhbhmbbhkplffgkiomkh/lib/jquery-1.5.2.min.js:16
d.extend.ready

OS env _

OS winX64 vista business SP2
chrome 16.0.912.63 beta-m
Flash (3 files) - Version: 11.0.31.200
Shockwave Flash 11.0 r31
Name: Shockwave Flash
Description: Shockwave Flash 11.0 r31
Version: 11.0.31.200
Location: C:\Users\rob\AppData\Local\Google\Chrome\User
Data\PepperFlash\11.0.31.200\pepflashplayer.dll
Disable
MIME types:
MIME type Description File extensions
application/x-shockwave-flash Shockwave Flash
.swf
application/futuresplash Shockwave Flash
.spl
Name: Shockwave Flash
Description: Shockwave Flash 11.1 r102
Version: 11,1,102,55
Location:
C:\Users\rob\AppData\Local\Google\Chrome\Application\16.0.912.63\gcswf32.dll
Disable
MIME types:
MIME type Description File extensions
application/x-shockwave-flash Adobe Flash movie
.swf
application/futuresplash FutureSplash movie
.spl
Name: Shockwave Flash
Description: Shockwave Flash 10.2 r152
Version: 10,2,152,26
Location: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
Disable


chro...@googlecode.com

Dec 10, 2011, 1:40:33 PM
to chromi...@chromium.org

Comment #11 on issue 98787 by rowntree...@gmail.com: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

Update: in Chrome, I disabled all the extensions and the issue with the XSS
filter on the YouTube homepage was resolved.

chro...@googlecode.com

Dec 10, 2011, 2:16:40 PM
to chromi...@chromium.org

Comment #12 on issue 98787 by rowntree...@gmail.com: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

The following was probably the offending extension in Chrome:

clea.nr Videos for YouTube™ 3.0.2

chro...@googlecode.com

Feb 20, 2012, 3:29:41 PM
to chromi...@chromium.org

Comment #13 on issue 98787 by fbin...@gmail.com: Reflective XSS Protection
appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

As of 17.0.963.56 this has grown beyond just breaking on source references
being the problem.

We have an <img src="" /> within a richtext editor. User presses "preview"
to see what the post would look like once parsed. A $_POST is sent and
away we go to see what the post would look like parsed. We also populate
editor again with the same content.

Now the existence of the <img src="" /> from the previous page is throwing
the infernal XSS error and disabling javascript on the page. This <img
src="" > is an element, not a string in a text node. It is displaying an
image in the text editor.

chro...@googlecode.com

Feb 20, 2012, 4:58:12 PM
to chromi...@chromium.org

Comment #14 on issue 98787 by fbin...@gmail.com: Reflective XSS Protection
appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

It is worse than I thought.

Say you have an editor and in your page source you have a script reference,
say

<script type="text/javascript"
src="https://www.vbulletin.com/forum/clientscript/vbulletin-core.js?v=4110c"></script>

Now say, within the editor you type:

src="https://www.vbulletin.com"

Or even better, your editor has an image in it like

<img src="https://www.vbulletin.com/me.png" />

Now you preview, and bang, javascript is dead because Chrome insists on ANY
usage of src="yourdomain" appearing in the request means that an XSS has
been triggered.

Previously I would have had to have this in my request to trigger the problem:

src="https://www.vbulletin.com/forum/clientscript/vbulletin-core.js?v=4110c">

Now you've pared it down to just this

src="https://www.vbulletin.com">

chro...@googlecode.com

Feb 20, 2012, 5:02:13 PM
to chromi...@chromium.org

Comment #15 on issue 98787 by aba...@chromium.org: Reflective XSS
Protection appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

As noted in Comment #3, you can disable the XSS filter on these pages by
sending the following header:

X-XSS-Protection: 0
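The opt-out above is a per-response header, so the natural place to emit it is the handler that reflects the user's own markup back to them (the CMS editor/preview page in this thread). The following is an added example, not code from the Chromium issue, Drupal or vBulletin: a minimal WSGI application whose preview route echoes the submitted HTML into the response (the request/response reflection the filter keys on) and attaches `X-XSS-Protection: 0` only on that route. The route name `/node/preview`, the form field `body` and the sample iframe are assumptions constructed for the example.

```python
"""
Added example: server-side opt-out from the browser's reflective XSS
filter, scoped to the one route that legitimately reflects request data.
Not the project's own code; route and field names are assumptions.
"""
import io
from html import escape
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# Routes on which we deliberately send X-XSS-Protection: 0.
# Assumption: only the editor preview echoes user-submitted HTML.
OPT_OUT_PATHS = {"/node/preview"}

# Constructed sample input mirroring the reporter's scenario: an embed
# iframe pasted into the editor (VIDEO_ID is a placeholder).
SAMPLE_IFRAME = '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'
SAMPLE_FORM_BODY = urlencode({"body": SAMPLE_IFRAME}).encode("utf-8")


def header_value(headers, name):
    """Case-insensitive lookup in a WSGI-style list of (name, value) pairs."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def build_preview_response(path: str, form_body: bytes):
    """Return (status, headers, body) for a POSTed editor form.

    The rendered preview and the re-populated textarea both contain the
    markup that was just sent in the request body, which is exactly the
    overlap a reflective XSS filter looks for. A real CMS would run the
    markup through an allowlist sanitizer before rendering it.
    """
    fields = parse_qs(form_body.decode("utf-8"))
    submitted_html = fields.get("body", [""])[0]

    body = (
        "<!doctype html><html><body>"
        f"<div id='preview'>{submitted_html}</div>"
        f"<form method='post' action='{escape(path)}'>"
        f"<textarea name='body'>{escape(submitted_html)}</textarea>"
        "<button>Preview</button></form></body></html>"
    ).encode("utf-8")

    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
    ]
    if path in OPT_OUT_PATHS:
        # Tell the (legacy) XSS filter to leave this response alone.
        headers.append(("X-XSS-Protection", "0"))
    return "200 OK", headers, body


def app(environ, start_response):
    """WSGI entry point wrapping build_preview_response."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length) if length else b""
    status, headers, body = build_preview_response(environ["PATH_INFO"], raw)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Drive the app once with the constructed request, no network needed.
    env = {}
    setup_testing_defaults(env)
    env.update(
        REQUEST_METHOD="POST",
        PATH_INFO="/node/preview",
        CONTENT_LENGTH=str(len(SAMPLE_FORM_BODY)),
    )
    env["wsgi.input"] = io.BytesIO(SAMPLE_FORM_BODY)

    def start_response(status, headers):
        print(status)
        for name, value in headers:
            print(f"{name}: {value}")

    for chunk in app(env, start_response):
        print(chunk.decode("utf-8"))
```

Scoping the header to the preview route keeps the filter active everywhere else. The header only affects browsers that shipped the reflective filter; Chrome has since removed its XSS Auditor entirely, and Content-Security-Policy is the mechanism to reach for on current browsers.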

chro...@googlecode.com

Apr 10, 2012, 6:40:58 AM
to chromi...@chromium.org

Comment #23 on issue 98787 by ku...@cersoft.pl: Reflective XSS Protection
appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

My version was 18.0.1025.151 m; I've just updated to 18.0.1025.152 m and the
problem still persists.

chro...@googlecode.com

Apr 13, 2012, 6:52:16 AM
to chromi...@chromium.org

Comment #25 on issue 98787 by ku...@cersoft.pl: Reflective XSS Protection
appears to target legitimate iframes as a false positive
http://code.google.com/p/chromium/issues/detail?id=98787

Tried with 19.0.1084.15 beta-m; unfortunately it doesn't work.

This is an example of what I'm posting:
<br><embed src="http://www.youtube.com/v/s0ujF8D6-5k"
type="application/x-shockwave-flash" wmode="transparent" width="425"
height="355">

This is what I receive after posting (page fragment):
<br><embed src="http://www.youtube.com/v/s0ujF8D6-5k"
type="application/x-shockwave-flash" wmode="transparent"
style="width:425px;height:355px;">

This is what I see after posting in the inspector HTML view:
<embed src="about:blank" type="" wmode="transparent"
style="width:425px;height:355px;">
