#12926 closed defect (fixed)
Chrome blocks preview with ERR_BLOCKED_BY_XSS_AUDITOR
Reported by: | Ryan J Ollos | Owned by: | Jun Omae |
---|---|---|---|
Priority: | normal | Milestone: | 1.0.17 |
Component: | general | Version: | |
Severity: | normal | Keywords: | |
Cc: | | Branch: | |
Release Notes: | Fixed | | |
API Changes: | | | |
Internal Changes: | | | |
Description
The issue occurs when using a WikiProcessor in text such as:
{{{#!html <form action=""> }}}
The workaround noted by Jun is to add an X-XSS-Protection: 0
header when the method is POST (or to add the header to all preview features).
More info in X-XSS-Protection.
Attachments (0)
Change History (10)
comment:1 by , 7 years ago
Owner: | set to |
---|---|
Release Notes: | modified (diff) |
Status: | new → assigned |
comment:2 by , 7 years ago
Milestone: | 1.0.16 → 1.0.17 |
---|
comment:3 by , 7 years ago
I'm not sure this is the right solution since it depends on inspecting args for the preview key:
trac/web/api.py
diff --git a/trac/web/api.py b/trac/web/api.py index b2e76f948..8cc18de72 100644
a b class Request(object): 684 684 self.send_header('Cache-Control', 'must-revalidate') 685 685 self.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT') 686 686 self.send_header('Content-Type', content_type + ';charset=utf-8') 687 if self.method == 'POST' and 'preview' in self.args: 688 self.send_header('X-XSS-Protection', 1) # Ticket #12926 687 689 if isinstance(content, basestring): 688 690 self.send_header('Content-Length', len(content)) 689 691 self.end_headers()
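Review bot: the value sent on the added line `self.send_header('X-XSS-Protection', 1)  # Ticket #12926` is 1, which keeps the auditor enabled, while the workaround in the description is X-XSS-Protection: 0; it should be `self.send_header('X-XSS-Protection', '0')`, passing a string rather than an int as the other send_header calls in this hunk do. The guard `if self.method == 'POST' and 'preview' in self.args:` also only covers handlers that use a request argument literally named preview, so any preview path using a different argument name (or none) keeps the old behaviour.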
Any ideas for improvement?
comment:4 by , 7 years ago
I noticed other rare cases.
- Using the comment of a wiki page:
  - Edit any wiki page
  - Enter [[html(<form action="">)]] in the comment of the page
  - Click the Review Changes or Preview Page button
- Using arguments of the newticket page:
comment:5 by , 7 years ago
I don't think it is good to use self.args to detect the preview feature… Instead, what about disabling XSS protection when the method is POST and the Content-Type is text/html?
trac/web/api.py
diff --git a/trac/web/api.py b/trac/web/api.py index e12b3498f..3753c2bf7 100644
a b class Request(object): 339 339 self._write = None 340 340 self._status = '200 OK' 341 341 self._response = None 342 self._content_type = None 342 343 343 344 self._outheaders = [] 344 345 self._outcharset = None … … class Request(object): 461 462 """ 462 463 lower_name = name.lower() 463 464 if lower_name == 'content-type': 465 self._content_type = value.split(';', 1)[0] 464 466 ctpos = value.find('charset=') 465 467 if ctpos >= 0: 466 468 self._outcharset = value[ctpos + 8:].strip() … … class Request(object): 472 474 """Must be called after all headers have been sent and before the 473 475 actual content is written. 474 476 """ 477 if self.method == 'POST' and self._content_type == 'text/html': 478 # Disable XSS protection (#12926) 479 self.send_header('X-XSS-Protection', 0) 475 480 self._send_cookie_headers() 476 481 self._write = self._start_response(self._status, self._outheaders) 477 482
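Review bot: the comparison `if self.method == 'POST' and self._content_type == 'text/html':` in end_headers is case-sensitive and does not trim whitespace, so a Content-Type such as `Text/HTML; charset=utf-8` or `text/html ; charset=utf-8` would never get the header; store `self._content_type = value.split(';', 1)[0].strip().lower()` in the content-type branch instead. As with the earlier patch, the header value is passed as the int 0 rather than the string '0'; the surrounding send_header calls all pass strings. Note also that `_content_type` is only populated in the content-type branch of the header-setting method shown, so a response whose Content-Type reaches the client by any other path keeps the auditor on; a short comment on the new attribute stating that assumption would help the next reader.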
comment:6 by , 7 years ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:7 by , 7 years ago
I'm unsure of the consequences of adding the header for all text/html POST requests. Please feel free to take ownership of the ticket if you'd like to push the fix.
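The approach from comment:5 (disable the auditor only for POST responses that are text/html), with the narrower scope comment:7 asks about, as an added example written for this page in Python; it is not Trac's own code. It is a small WSGI middleware that appends X-XSS-Protection: 0 only to HTML responses to POST requests, with a Content-Type comparison that tolerates parameters, case and whitespace, and a toy preview endpoint that echoes the posted markup back into the page, which is exactly what makes Chrome's auditor report ERR_BLOCKED_BY_XSS_AUDITOR. The middleware, helper and endpoint names are assumptions, and the posted form markup is a constructed sample taken from the description.

```python
"""Added example (not Trac's own code): a WSGI middleware that turns the
browser XSS auditor off only for the responses discussed in #12926, i.e.
text/html responses to POST requests such as wiki and ticket previews.
All names here are illustrative assumptions, not Trac APIs.
"""
from io import BytesIO
from wsgiref.util import setup_testing_defaults


def media_type(content_type):
    """Return the bare, lower-cased media type of a Content-Type value.

    'Text/HTML; charset=utf-8' -> 'text/html'.  Parameters such as charset
    are dropped so the comparison does not depend on header spelling.
    """
    if not content_type:
        return ''
    return content_type.split(';', 1)[0].strip().lower()


def needs_auditor_off(method, headers):
    """Decide whether X-XSS-Protection: 0 should be appended to a response.

    Only HTML responses to POST requests qualify, because that is where a
    preview echoes the request body.  An X-XSS-Protection header already set
    by the application is left alone.
    """
    if method.upper() != 'POST':
        return False
    names = {name.lower(): value for name, value in headers}
    if 'x-xss-protection' in names:
        return False
    return media_type(names.get('content-type')) == 'text/html'


class DisableXssAuditorOnPostHtml(object):
    """WSGI middleware (assumed name) wrapping an application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get('REQUEST_METHOD', 'GET')

        def patched_start_response(status, headers, exc_info=None):
            headers = list(headers)
            if needs_auditor_off(method, headers):
                # Header value is a str, as WSGI requires.
                headers.append(('X-XSS-Protection', '0'))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def preview_app(environ, start_response):
    """Toy stand-in for a wiki preview: renders the posted text as HTML
    verbatim, which reflects request content and trips the auditor."""
    length = int(environ.get('CONTENT_LENGTH') or 0)
    body = environ['wsgi.input'].read(length)
    page = b'<html><body><div class="preview">' + body + b'</div></body></html>'
    start_response('200 OK', [('Content-Type', 'text/html;charset=utf-8')])
    return [page]


def run(app, method, body=b'', path='/wiki/WikiStart'):
    """Drive a WSGI app in-process; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ['REQUEST_METHOD'] = method
    environ['PATH_INFO'] = path
    environ['CONTENT_LENGTH'] = str(len(body))
    environ['wsgi.input'] = BytesIO(body)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = headers

    out = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], out


if __name__ == '__main__':
    app = DisableXssAuditorOnPostHtml(preview_app)
    # Constructed sample: the markup from the ticket description, posted as
    # preview text.  The POST response carries X-XSS-Protection: 0; a GET
    # of the same page does not.
    print(run(app, 'POST', b'<form action=""></form>')[1])
    print(run(app, 'GET')[1])
```

Keying on the response's media type rather than on a request argument avoids the objection in comment:3 and comment:5 (a handler that names its preview argument differently is still covered), at the cost comment:7 raises: every HTML response to a POST, not just previews, loses the auditor. If that is too broad, the same middleware can be limited by a path prefix or by a flag the preview handlers set in the environ. The header only affects browsers that still ship the auditor; Chrome removed it in version 78.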
comment:8 by , 7 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:9 by , 7 years ago
Owner: | set to |
---|
comment:10 by , 7 years ago
I realize this was closed recently, but I wanted to note that in Trac 1.2.2 — coupled with Chrome Version 66.0.3359.139 — there are still issues with this bug. Specifically, when trying to embed an iframe wrapped with the {{{#!html ... }}} syntax.
Milestone renamed