Issue 18865003: Do not allow HTTP refresh headers to refresh to javascript: URLs.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 18865003: Do not allow HTTP refresh headers to refresh to javascript: URLs. (Closed)

Created:
7 years, 5 months ago by Tom Sepez

Modified:
7 years, 5 months ago

Reviewers:
abarth-chromium

CC:
blink-reviews, dglazkov+blink, Nate Chapin, eae+blinkwatch, adamk+blink_chromium.org, gavinp+loader_chromium.org

Base URL:
svn://svn.chromium.org/blink/trunk

Visibility:
Public.

Do not allow HTTP refresh headers to refresh to javascript: URLs. This behaviour has been standard in IE since IE7. This makes us both more compatible and less vulnerable to XSS. BUG=258151 [email protected] Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=153912

Created: 7 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+33 lines, -7 lines)			Patch
A +	LayoutTests/http/tests/security/no-javascript-refresh.php	View	1 chunk	+6 lines, -5 lines	0 comments	Download
A	LayoutTests/http/tests/security/no-javascript-refresh-expected.txt	View	1 chunk	+2 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/no-javascript-refresh-static.html	View	1 chunk	+11 lines, -0 lines	0 comments	Download
A	LayoutTests/http/tests/security/no-javascript-refresh-static-expected.txt	View	1 chunk	+2 lines, -0 lines	0 comments	Download
M	Source/core/dom/Document.cpp	View	1 chunk	+6 lines, -1 line	0 comments	Download
M	Source/core/loader/FrameLoader.cpp	View	1 chunk	+6 lines, -1 line	0 comments	Download

Total messages: 4 (0 generated)

abarth-chromium

LGTM. We might want to mention this change in the blog post for M30. Would ...

7 years, 5 months ago (2013-07-09 21:11:15 UTC) #2

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/[email protected]/18865003/1

7 years, 5 months ago (2013-07-10 16:16:15 UTC) #3

Message was sent while issue was closed.

Change committed as 153912