Side navigation
#13546 closed bug (notabug)
Opened March 01, 2013 02:30PM UTC
Closed March 13, 2013 12:46AM UTC
Last modified March 19, 2013 07:50AM UTC
X-XSS-Protection Flag and jQuery 1.9.0 opens about:blank
| Reported by: | db | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 1.9.0 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Old ipod or ipad can't submit HTML forms when using jQuery 1.9.0+ with active X-XSS-Protection Header.
UserAgent of an old ipad
Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
When submitting an form - the XSS Protection redirects you to about:blank
You get the following error:
Refused to execute a JavaScript script. Source code of script found within a request.
out.php
header('X-XSS-Protection: 1; mode=block');
echo '<!DOCTYPE html>';
echo '<html lang="de" dir="ltr" itemscope itemtype="http://schema.org/WebPage">';
echo '<head>';
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>';
echo '<title>jQuery 1.9.0 Bug</title>';
echo '<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>';
echo '</head>';
echo '<body>';
echo '<form id="myform" enctype="multipart/form-data" accept-charset="UTF-8" method="post" action="out.php">';
echo '<input type="submit" value="OK" />';
echo '</form>';
echo '</body>';
echo '</html>';
change the jquery/1.9.0 to jquery/1.8.3 everything works fine.
Attachments (0)
Change History (5)
Changed March 07, 2013 11:50AM UTC by comment:1
Changed March 13, 2013 12:46AM UTC by comment:2
| resolution: | → notabug |
|---|---|
| status: | new → closed |
This is not a bug in jQuery.
Changed March 18, 2013 03:39PM UTC by comment:3
Hi,
although ticket is closed I wanted to share my insights so others are not searching forever.
We at XING.com had the same issue of users being redirected to "about:blank" in older Safari versions when using jQuery 1.9 and the "X-XSS-Protection" header delivered as "1; mode=block". After an additional "Browser back" the page was working as usual so it could have not been related to jQuery at first sight.
But I could reproduce it frequently when logging in to xing.com on a Safari 5.0.5 but not with Safari 5.1.7 anymore. There was no problem when jquery.js was excluded from the page. SO I took a much deeper look. It happened when the following code in jquery.js (Version 1.9.1, line 1441 - 1447) was executed:
// Support: IE<9 (lack submit/change bubble), Firefox 17+ (lack focusin event)
// Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP), test/csp.php
for ( i in { submit: true, change: true, focusin: true }) {
div.setAttribute( eventName = "on" + i, "t" ); // this line caused trouble
support[ i + "Bubbles" ] = eventName in window || div.attributes[ eventName ].expando === false;
}
We only had rare people encountering that problem and it only happened after the login process (technically a redirect chain with a domain change). It seems it is related to a false positive in XSS filters because I cannot see anything evil. I could work around this issue by using "t;" instead of "t" (might be that after the login redirect the browser investigated the on*-handlers and found something from the current location... well, "t" is not so unusual).
Cheers,
Tobi
Changed March 18, 2013 07:25PM UTC by comment:4
Replying to [comment:2 timmywil]:
This is not a bug in jQuery.
Can you explain me what exactly happens or do you know a good resource for deeper information? I could not find any concrete information about what Safari does when this header is set so I could only try things out to work around it. Now thinking about it... I did not try to use credentials without a "t". Maybe this is only happening when there is a "t" in the login credentials (submitted form parameters). But still I do not understand why the browser redirects me to about:blank without any further information.
Changed March 19, 2013 07:50AM UTC by comment:5
Replying to [comment:4 Tobias Krogh <tobias.krogh@…>]:
Replying to [comment:2 timmywil]: > This is not a bug in jQuery. Can you explain me what exactly happens or do you know a good resource for deeper information? I could not find any concrete information about what Safari does when this header is set so I could only try things out to work around it. Now thinking about it... I did not try to use credentials without a "t". Maybe this is only happening when there is a "t" in the login credentials (submitted form parameters). But still I do not understand why the browser redirects me to about:blank without any further information.
I noticed that the string that is applied to "on" + i is compared against the used credentials. If for example the password contains the string applied to "on" + i the redirect to about:blank is executed. So for everyone who runs into this issue: change the string that is applied to "on" + i in the lines mentioned above (I used "return;" now as I assume no one will have this in his credentials while at the same time using such an old Safari). I encountered no further (side) issues.
I can reproduce this error with:
It is not possible to open a post request
Hints:
It works with jquery 1.8.3.