#12926 closed defect (fixed)
Chrome blocks preview with ERR_BLOCKED_BY_XSS_AUDITOR
| Reported by: | Ryan J Ollos | Owned by: | Jun Omae |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.17 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: |
Fixed |
||
| API Changes: | |||
| Internal Changes: | |||
Description
Issue occurs when using WikiProcessor in text such as:
{{{#!html
<form action="">
}}}
The workaround noted by Jun is to add X-XSS-Protection: 0 header when the method is POST (or to add the header to all preview features).
More info in X-XSS-Protection.
Attachments (0)
Change History (10)
comment:1 by , 7 years ago
| Owner: | set to |
|---|---|
| Release Notes: | modified (diff) |
| Status: | new → assigned |
comment:2 by , 7 years ago
| Milestone: | 1.0.16 → 1.0.17 |
|---|
comment:3 by , 7 years ago
I'm not sure this is the right solution since it depends on inspecting args for the preview key:
-
trac/web/api.py
diff --git a/trac/web/api.py b/trac/web/api.py index b2e76f948..8cc18de72 100644
a b class Request(object): 684 684 self.send_header('Cache-Control', 'must-revalidate') 685 685 self.send_header('Expires', 'Fri, 01 Jan 1999 00:00:00 GMT') 686 686 self.send_header('Content-Type', content_type + ';charset=utf-8') 687 if self.method == 'POST' and 'preview' in self.args: 688 self.send_header('X-XSS-Protection', 1) # Ticket #12926 687 689 if isinstance(content, basestring): 688 690 self.send_header('Content-Length', len(content)) 689 691 self.end_headers()
Any ideas for improvement?
comment:4 by , 7 years ago
I noticed other rare cases.
- Using comment of wiki page:
- Edit any wiki page
- Enter
[[html(<form action="">)]]to comment of the page - Click Review Changes or Preview Page button
- Using arguments of newticket page:
comment:5 by , 7 years ago
I don't think it is good to use self.args to detect preview feature….
Instead, what about to disable XSS protection when method is POST and Content-Type is text/html?
-
trac/web/api.py
diff --git a/trac/web/api.py b/trac/web/api.py index e12b3498f..3753c2bf7 100644
a b class Request(object): 339 339 self._write = None 340 340 self._status = '200 OK' 341 341 self._response = None 342 self._content_type = None 342 343 343 344 self._outheaders = [] 344 345 self._outcharset = None … … class Request(object): 461 462 """ 462 463 lower_name = name.lower() 463 464 if lower_name == 'content-type': 465 self._content_type = value.split(';', 1)[0] 464 466 ctpos = value.find('charset=') 465 467 if ctpos >= 0: 466 468 self._outcharset = value[ctpos + 8:].strip() … … class Request(object): 472 474 """Must be called after all headers have been sent and before the 473 475 actual content is written. 474 476 """ 477 if self.method == 'POST' and self._content_type == 'text/html': 478 # Disable XSS protection (#12926) 479 self.send_header('X-XSS-Protection', 0) 475 480 self._send_cookie_headers() 476 481 self._write = self._start_response(self._status, self._outheaders) 477 482
comment:6 by , 7 years ago
| Owner: | removed |
|---|---|
| Status: | assigned → new |
comment:7 by , 7 years ago
I'm unsure of the consequences of adding the heading for all POST requests. Please feel free to take ownership of the ticket if you'd like to push the fix.
comment:8 by , 6 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:9 by , 6 years ago
| Owner: | set to |
|---|
comment:10 by , 6 years ago
I realize this was closed recently, but I wanted to note that in Trac 1.2.2 — coupled with Chrome Version 66.0.3359.139 — there are still issues with this bug. Specifically, when trying to embed an iframe wrapped with the {{{#!html ... }}} syntax.
Milestone renamed