Edgewall Software

Opened 15 months ago

Closed 8 months ago

Last modified 7 months ago

#12926 closed defect (fixed)

Chrome blocks preview with ERR_BLOCKED_BY_XSS_AUDITOR

Reported by: Ryan J Ollos
Owned by: Jun Omae
Priority: normal
Milestone: 1.0.17
Component: general
Version:
Severity: normal
Keywords:
Release Notes:

Fixed ERR_BLOCKED_BY_XSS_AUDITOR during preview for certain content with Chrome browser.

API Changes:


Issue occurs when using WikiProcessor in text such as:

<form action="">

The workaround noted by Jun is to add X-XSS-Protection: 0 header when the method is POST (or to add the header to all preview features).

More info in X-XSS-Protection.
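The header-based workaround described above, as an added example that is not Trac's own code: a small WSGI middleware (hypothetical names) that sends `X-XSS-Protection: 0` only on POST responses whose Content-Type is text/html, normalising the media type so that a charset parameter, spacing or letter case does not defeat the check.

```python
# Added example, not Trac's code: reproduce the ticket's workaround as a WSGI
# middleware. Chrome's XSS auditor blocks a preview that echoes the submitted
# markup back in an HTML response; the header opts that response out of it.


def media_type(content_type):
    """Reduce a Content-Type value to its bare, lower-cased media type.

    'Text/HTML ; charset=utf-8' -> 'text/html'. A plain split(';')[0] would
    keep the trailing space and the upper-case letters and then fail an
    exact comparison against 'text/html'.
    """
    return content_type.split(';', 1)[0].strip().lower()


def disable_auditor_for_preview(app):
    """Wrap a WSGI app; add X-XSS-Protection: 0 to POST text/html responses."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            is_post = environ.get('REQUEST_METHOD', 'GET').upper() == 'POST'
            ctype = next((v for k, v in headers if k.lower() == 'content-type'), '')
            if is_post and media_type(ctype) == 'text/html':
                headers = list(headers) + [('X-XSS-Protection', '0')]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def response_headers(method, content_type):
    """Run one request through the middleware; return its headers as a dict."""
    def app(environ, start_response):
        # Constructed stand-in for Trac's preview handler: echoes the markup
        # that a user submitted, which is what trips the auditor.
        start_response('200 OK', [('Content-Type', content_type)])
        return [b'<div class="preview"><form action=""></form></div>']

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['headers'] = headers
        return lambda data: None

    environ = {'REQUEST_METHOD': method}
    list(disable_auditor_for_preview(app)(environ, start_response))
    return {k.lower(): v for k, v in captured['headers']}
```

Only POST responses carrying HTML get the header; GET pages and non-HTML responses (JSON, attachments) keep the browser-side protection.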

Attachments (0)

Change History (10)

comment:1 Changed 15 months ago by Ryan J Ollos

Owner: set to Ryan J Ollos
Release Notes: modified (diff)
Status: new → assigned

comment:2 Changed 15 months ago by Ryan J Ollos


Milestone renamed

comment:3 Changed 15 months ago by Ryan J Ollos

I'm not sure this is the right solution since it depends on inspecting args for the preview key:

  • trac/web/api.py

    diff --git a/trac/web/api.py b/trac/web/api.py
    index b2e76f948..8cc18de72 100644
    a b class Request(object):  
    684684        self.send_header('Cache-Control', 'must-revalidate')
    685685        self.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT')
    686686        self.send_header('Content-Type', content_type + ';charset=utf-8')
     687        if self.method == 'POST' and 'preview' in self.args:
     688            self.send_header('X-XSS-Protection', 1)  # Ticket #12926
    687689        if isinstance(content, basestring):
    688690            self.send_header('Content-Length', len(content))
    689691        self.end_headers()
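Review bot: the value on the added `self.send_header('X-XSS-Protection', 1)` line enables the auditor rather than disabling it; the ticket description gives the workaround as `X-XSS-Protection: 0`, so the value should be `0`, and, consistent with the surrounding `send_header` calls, passed as a string: `self.send_header('X-XSS-Protection', '0')`. The `'preview' in self.args` test also ties the behaviour to one request parameter name, which is the concern the comment itself raises.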

Any ideas for improvement?

comment:4 Changed 15 months ago by Jun Omae

I noticed other rare cases.

  1. Using comment of wiki page:
    1. Edit any wiki page
    2. Enter [[html(<form action="">)]] in the comment of the page
    3. Click Review Changes or Preview Page button
  2. Using arguments of newticket page:
    1. Visit https://trac.edgewall.org/demo-1.0/newticket?description=[[html(%3Cform%20action=%22%22%3E%29%5D%5D
Last edited 15 months ago by Jun Omae (previous) (diff)

comment:5 Changed 15 months ago by Jun Omae

I don't think it is good to use self.args to detect the preview feature…

Instead, what about disabling XSS protection when the method is POST and the Content-Type is text/html?

  • trac/web/api.py

    diff --git a/trac/web/api.py b/trac/web/api.py
    index e12b3498f..3753c2bf7 100644
    a b class Request(object):  
    339339        self._write = None
    340340        self._status = '200 OK'
    341341        self._response = None
     342        self._content_type = None
    343344        self._outheaders = []
    344345        self._outcharset = None
    class Request(object):  
    461462        """
    462463        lower_name = name.lower()
    463464        if lower_name == 'content-type':
     465            self._content_type = value.split(';', 1)[0]
    464466            ctpos = value.find('charset=')
    465467            if ctpos >= 0:
    466468                self._outcharset = value[ctpos + 8:].strip()
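Review bot: `self._content_type = value.split(';', 1)[0]` keeps whatever case and whitespace the caller passed, so a header value such as `text/html ; charset=utf-8` or `Text/HTML` stores a string that the exact comparison `self._content_type == 'text/html'` in end_headers will never match; suggest `value.split(';', 1)[0].strip().lower()` so the later check sees a normalised media type.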
    class Request(object):  
    472474        """Must be called after all headers have been sent and before the
    473475        actual content is written.
    474476        """
     477        if self.method == 'POST' and self._content_type == 'text/html':
     478            # Disable XSS protection (#12926)
     479            self.send_header('X-XSS-Protection', 0)
    475480        self._send_cookie_headers()
    476481        self._write = self._start_response(self._status, self._outheaders)
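Review bot: the condition `self.method == 'POST' and self._content_type == 'text/html'` disables the auditor on every HTML response to a POST, not only on previews, which removes a browser-side mitigation from all form handlers; if that breadth is intended, the `# Disable XSS protection (#12926)` comment should say so, and the header is only emitted when Content-Type was set via the header-recording path that assigns `_content_type`, so a response that sets it any other way keeps the default.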

comment:6 Changed 14 months ago by Ryan J Ollos

Owner: Ryan J Ollos deleted
Status: assigned → new

comment:7 Changed 14 months ago by Ryan J Ollos

I'm unsure of the consequences of adding the header for all text/html POST requests. Please feel free to take ownership of the ticket if you'd like to push the fix.

Last edited 14 months ago by Ryan J Ollos (previous) (diff)

comment:8 Changed 8 months ago by Ryan J Ollos

Resolution: fixed
Status: new → closed

Committed to 1.0-stable in r16495, merged in r16496, r16497.

comment:9 Changed 8 months ago by Ryan J Ollos

Owner: set to Jun Omae

comment:10 Changed 7 months ago by matthewcotton.cs@…

I realize this was closed recently, but I wanted to note that in Trac 1.2.2 — coupled with Chrome Version 66.0.3359.139 — there are still issues with this bug. Specifically, when trying to embed an iframe wrapped with the {{{#!html ... }}} syntax.
