Bug Tracker

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#13546 closed bug (notabug)

X-XSS-Protection Flag and jQuery 1.9.0 opens about:blank

Reported by: db
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.9.0
Keywords:
Cc:
Blocked by:
Blocking:

Description

Old iPod or iPad can't submit HTML forms when using jQuery 1.9.0+ with an active X-XSS-Protection header.

User agent of an old iPad: Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; de-de) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

When submitting a form, the XSS protection redirects you to about:blank.

You get the following error: Refused to execute a JavaScript script. Source code of script found within a request.

out.php

<?php
// Turn on the browser's XSS filter in blocking mode (the setting involved in this report)
header('X-XSS-Protection: 1; mode=block');

echo '<!DOCTYPE html>';
echo '<html lang="de" dir="ltr" itemscope itemtype="http://schema.org/WebPage">';
echo '<head>';
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>';
echo '<title>jQuery 1.9.0 Bug</title>';
echo '<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>';
echo '</head>';

echo '<body>';

echo '<form id="myform" enctype="multipart/form-data" accept-charset="UTF-8" method="post" action="out.php">';
echo '<input type="submit" value="OK" />';
echo '</form>';

echo '</body>';

echo '</html>';

Change jquery/1.9.0 to jquery/1.8.3 and everything works fine.

Change History (5)

comment:1 Changed 7 years ago by anonymous

I can reproduce this error with:

  • Safari and Mercury on an iPod touch 2g (iOS 4.2.1).
  • with jquery 1.9.0 and jquery 1.9.1

It is not possible to open a POST request.

Hints:

  • iOS 4.2.1 is the latest version for this device
  • it's not possible to update Safari (it's the latest version for this device)

It works with jquery 1.8.3.

comment:2 Changed 7 years ago by timmywil

Resolution: notabug
Status: new → closed

This is not a bug in jQuery.

comment:3 Changed 7 years ago by Tobias Krogh <tobias.krogh@…>

Hi,

Although the ticket is closed, I wanted to share my insights so others are not searching forever.

We at XING.com had the same issue of users being redirected to "about:blank" in older Safari versions when using jQuery 1.9 and the "X-XSS-Protection" header delivered as "1; mode=block". After an additional "Browser back" the page was working as usual so it could have not been related to jQuery at first sight.

But I could reproduce it frequently when logging in to xing.com on a Safari 5.0.5 but not with Safari 5.1.7 anymore. There was no problem when jquery.js was excluded from the page. So I took a much deeper look. It happened when the following code in jquery.js (Version 1.9.1, line 1441 - 1447) was executed:

	// Support: IE<9 (lack submit/change bubble), Firefox 17+ (lack focusin event)
	// Beware of CSP restrictions (https://developer.mozilla.org/en/Security/CSP), test/csp.php
	for ( i in { submit: true, change: true, focusin: true }) {
		div.setAttribute( eventName = "on" + i, "t" ); // this line caused trouble

		support[ i + "Bubbles" ] = eventName in window || div.attributes[ eventName ].expando === false;
	}

We only had rare people encountering that problem and it only happened after the login process (technically a redirect chain with a domain change). It seems it is related to a false positive in XSS filters because I cannot see anything evil. I could work around this issue by using "t;" instead of "t" (might be that after the login redirect the browser investigated the on*-handlers and found something from the current location... well, "t" is not so unusual).

Cheers, Tobi

comment:4 in reply to:  2 ; Changed 7 years ago by Tobias Krogh <tobias.krogh@…>

Replying to timmywil:

This is not a bug in jQuery.

Can you explain to me what exactly happens or do you know a good resource for deeper information? I could not find any concrete information about what Safari does when this header is set so I could only try things out to work around it. Now thinking about it... I did not try to use credentials without a "t". Maybe this is only happening when there is a "t" in the login credentials (submitted form parameters). But still I do not understand why the browser redirects me to about:blank without any further information.

comment:5 in reply to:  4 Changed 7 years ago by Tobias Krogh <tobias.krogh@…>

Replying to Tobias Krogh <tobias.krogh@…>:

Replying to timmywil:

This is not a bug in jQuery.

Can you explain to me what exactly happens or do you know a good resource for deeper information? I could not find any concrete information about what Safari does when this header is set so I could only try things out to work around it. Now thinking about it... I did not try to use credentials without a "t". Maybe this is only happening when there is a "t" in the login credentials (submitted form parameters). But still I do not understand why the browser redirects me to about:blank without any further information.

I noticed that the string that is applied to "on" + i is compared against the used credentials. If for example the password contains the string applied to "on" + i the redirect to about:blank is executed. So for everyone who runs into this issue: change the string that is applied to "on" + i in the lines mentioned above (I used "return;" now as I assume no one will have this in his credentials while at the same time using such an old Safari). I encountered no further (side) issues.
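
A simplified model of the behaviour described in comment:5, as an added example that is not part of the ticket, jQuery or WebKit: it assumes the filter refuses an inline handler whenever the handler's source text appears inside a submitted form value. The function names and the sample request bodies are constructed for illustration.

```javascript
// ASSUMPTION: a toy stand-in for the old Safari XSS filter, based only on the
// observation in comment:5 (handler text is compared against submitted values).

// True when the inline handler source occurs verbatim in any decoded form value.
function filterBlocks(handlerSource, requestBody) {
  if (!handlerSource || !requestBody) return false;
  // URLSearchParams percent-decodes values, so "%74" is seen as "t".
  for (const [, value] of new URLSearchParams(requestBody)) {
    if (value.includes(handlerSource)) return true;
  }
  return false;
}

// Mirrors the jQuery 1.9.x support-test loop quoted in comment:3: the same
// probe string is assigned to onsubmit, onchange and onfocusin.
function blockedProbes(probeValue, requestBody) {
  const blocked = [];
  for (const name of ["submit", "change", "focusin"]) {
    if (filterBlocks(probeValue, requestBody)) blocked.push("on" + name);
  }
  return blocked;
}

// Constructed urlencoded login bodies (not taken from the ticket).
const BODY_WITH_T = "username=alice&password=hun%74er2"; // decodes to "hunter2"
const BODY_WITHOUT_T = "username=bob&password=12345";
const BODY_COLLIDING = "username=carol&password=return%3Bx"; // "return;x"

// Compare the original probe "t" with the two workaround values from the thread.
function compareProbes(requestBody) {
  const result = {};
  for (const probe of ["t", "t;", "return;"]) {
    result[probe] = blockedProbes(probe, requestBody).length > 0;
  }
  return result;
}

console.log(compareProbes(BODY_WITH_T));
console.log(compareProbes(BODY_WITHOUT_T));
console.log(compareProbes(BODY_COLLIDING));
```

Under this model a longer probe string only makes a collision with user input less likely; a value that happens to contain the probe still triggers the block.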
