Edgewall Software

Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#12926 closed defect (fixed)

Chrome blocks preview with ERR_BLOCKED_BY_XSS_AUDITOR

Reported by: Ryan J Ollos Owned by: Jun Omae
Priority: normal Milestone: 1.0.17
Component: general Version:
Severity: normal Keywords:
Cc: Branch:
Release Notes:

Fixed ERR_BLOCKED_BY_XSS_AUDITOR during preview for certain content with Chrome browser.

API Changes:
Internal Changes:


Issue occurs when using WikiProcessor in text such as:

<form action="">

The workaround noted by Jun is to add X-XSS-Protection: 0 header when the method is POST (or to add the header to all preview features).

More info in X-XSS-Protection.

Attachments (0)

Change History (10)

comment:1 by Ryan J Ollos, 3 years ago

Owner: set to Ryan J Ollos
Release Notes: modified (diff)
Status: newassigned

comment:2 by Ryan J Ollos, 3 years ago


Milestone renamed

comment:3 by Ryan J Ollos, 3 years ago

I'm not sure this is the right solution since it depends on inspecting args for the preview key:

  • trac/web/api.py

    diff --git a/trac/web/api.py b/trac/web/api.py
    index b2e76f948..8cc18de72 100644
    a b class Request(object):  
    684684        self.send_header('Cache-Control', 'must-revalidate')
    685685        self.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT')
    686686        self.send_header('Content-Type', content_type + ';charset=utf-8')
     687        if self.method == 'POST' and 'preview' in self.args:
     688            self.send_header('X-XSS-Protection', 1)  # Ticket #12926
    687689        if isinstance(content, basestring):
    688690            self.send_header('Content-Length', len(content))
    689691        self.end_headers()

Any ideas for improvement?

comment:4 by Jun Omae, 3 years ago

I noticed other rare cases.

  1. Using comment of wiki page:
    1. Edit any wiki page
    2. Enter [[html(<form action="">)]] to comment of the page
    3. Click Review Changes or Preview Page button
  2. Using arguments of newticket page:
    1. Visit https://trac.edgewall.org/demo-1.0/newticket?description=[[html(%3Cform%20action=%22%22%3E%29%5D%5D
Last edited 3 years ago by Jun Omae (previous) (diff)

comment:5 by Jun Omae, 3 years ago

I don't think it is good to use self.args to detect preview feature….

Instead, what about to disable XSS protection when method is POST and Content-Type is text/html?

  • trac/web/api.py

    diff --git a/trac/web/api.py b/trac/web/api.py
    index e12b3498f..3753c2bf7 100644
    a b class Request(object):  
    339339        self._write = None
    340340        self._status = '200 OK'
    341341        self._response = None
     342        self._content_type = None
    343344        self._outheaders = []
    344345        self._outcharset = None
    class Request(object):  
    461462        """
    462463        lower_name = name.lower()
    463464        if lower_name == 'content-type':
     465            self._content_type = value.split(';', 1)[0]
    464466            ctpos = value.find('charset=')
    465467            if ctpos >= 0:
    466468                self._outcharset = value[ctpos + 8:].strip()
    class Request(object):  
    472474        """Must be called after all headers have been sent and before the
    473475        actual content is written.
    474476        """
     477        if self.method == 'POST' and self._content_type == 'text/html':
     478            # Disable XSS protection (#12926)
     479            self.send_header('X-XSS-Protection', 0)
    475480        self._send_cookie_headers()
    476481        self._write = self._start_response(self._status, self._outheaders)

comment:6 by Ryan J Ollos, 3 years ago

Owner: Ryan J Ollos removed
Status: assignednew

comment:7 by Ryan J Ollos, 3 years ago

I'm unsure of the consequences of adding the header for all text/html POST requests. Please feel free to take ownership of the ticket if you'd like to push the fix.

Last edited 3 years ago by Ryan J Ollos (previous) (diff)

comment:8 by Ryan J Ollos, 2 years ago

Resolution: fixed
Status: newclosed

Committed to 1.0-stable in r16495, merged in r16496, r16497.

comment:9 by Ryan J Ollos, 2 years ago

Owner: set to Jun Omae

comment:10 by matthewcotton.cs@…, 2 years ago

I realize this was closed recently, but I wanted to note that in Trac 1.2.2 — coupled with Chrome Version 66.0.3359.139 — there are still issues with this bug. Specifically, when trying to embed an iframe wrapped with the {{{#!html ... }}} syntax.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Jun Omae.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jun Omae to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.