Changeset 186983 in webkit

Timestamp:

Jul 17, 2015 9:44:13 PM (9 years ago)

Author:

aestes@apple.com

Message:

Merge r186982. rdar://problem/21709404

Location:

branches/safari-600.1.4.17-branch

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/contentdispositionattachmentsandbox (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (4 diffs)
• Source/WebCore/dom/Document.h (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (1 diff)
• Source/WebCore/page/Settings.in (modified) (1 diff)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/WebView/WebView.mm (modified) (1 diff)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/WebPage/WebPage.cpp (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp (modified) (1 diff)

branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog

@@ +1 @@
+2015-07-17  Andy Estes  <aestes@apple.com>
+
+        Merge r186982. rdar://problem/21709404
+
+    2015-07-17  Andy Estes  <aestes@apple.com>
+
+        [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+        https://bugs.webkit.org/show_bug.cgi?id=147044
+        rdar://problem/21567820
+
+        Reviewed by Brady Eidson.
+
+        * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
+
 2015-07-13  David Kilzer  <ddkilzer@apple.com>
 

branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2015-07-17  Andy Estes  <aestes@apple.com>
+
+        Merge r186982. rdar://problem/21709404
+
+    2015-07-17  Andy Estes  <aestes@apple.com>
+
+        [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+        https://bugs.webkit.org/show_bug.cgi?id=147044
+        rdar://problem/21567820
+
+        Reviewed by Brady Eidson.
+
+        In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
+        this change does the following:
+
+        - Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
+        - Disables processing of <meta http-equiv> elements.
+        - Disables loading of cross-origin subframes.
+
+        Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
+               http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
+               http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
+               http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
+               http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
+        (WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
+        (WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
+        (WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
+        and the document was fetched as an attachment.
+        * dom/Document.h:
+        * loader/cache/CachedResourceLoader.cpp: 
+        (WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
+        only continue if the parent frame's SecurityOrigin allows the request.
+        * page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
+
 2015-07-13  David Kilzer  <ddkilzer@apple.com>
 

branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.cpp

@@ -2808 +2808 @@
     ASSERT(!equiv.isNull() && !content.isNull());
 
-    if (page() && !page()->settings().httpEquivEnabled())
-        return;
+    HttpEquivPolicy policy = httpEquivPolicy();
+    if (policy != HttpEquivPolicy::Enabled) {
+        String reason;
+        switch (policy) {
+        case HttpEquivPolicy::Enabled:
+            ASSERT_NOT_REACHED();
+            break;
+        case HttpEquivPolicy::DisabledBySettings:
+            reason = "by the embedder.";
+            break;
+        case HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox:
+            reason = "for documents with Content-Disposition: attachment.";
+            break;
+        }
+        String message = "http-equiv '" + equiv + "' is disabled " + reason;
+        addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
+        return;
+    }
 
     Frame* frame = this->frame();
@@ -4673 +4689 @@
     enforceSandboxFlags(m_frame->loader().effectiveSandboxFlags());
 
-#if PLATFORM(IOS)
-    // On iOS we display attachments inline regardless of whether the response includes
-    // the HTTP header "Content-Disposition: attachment". So, we enforce a unique
-    // security origin for such documents. As an optimization, we don't need to parse
-    // the responde header (i.e. call ResourceResponse::isAttachment()) for a synthesized
-    // document because such documents cannot be an attachment.
-    if (!m_isSynthesized && m_frame->loader().activeDocumentLoader()->response().isAttachment())
-        enforceSandboxFlags(SandboxOrigin);
-#endif
+    if (shouldEnforceContentDispositionAttachmentSandbox())
+        enforceSandboxFlags(SandboxAll);
 
     setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url));
@@ -5758 +5767 @@
     ++m_wheelEventHandlerCount;
     wheelEventHandlerCountChanged(this);
+}
+
+HttpEquivPolicy Document::httpEquivPolicy() const
+{
+    if (shouldEnforceContentDispositionAttachmentSandbox())
+        return HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox;
+    if (page() && !page()->settings().httpEquivEnabled())
+        return HttpEquivPolicy::DisabledBySettings;
+    return HttpEquivPolicy::Enabled;
 }
 
@@ -6211 +6229 @@
 #endif
 
+bool Document::shouldEnforceContentDispositionAttachmentSandbox() const
+{
+    if (m_isSynthesized)
+        return false;
+
+    bool contentDispositionAttachmentSandboxEnabled = settings() && settings()->contentDispositionAttachmentSandboxEnabled();
+    bool responseIsAttachment = false;
+    if (DocumentLoader* documentLoader = m_frame ? m_frame->loader().activeDocumentLoader() : nullptr)
+        responseIsAttachment = documentLoader->response().isAttachment();
+
+    return contentDispositionAttachmentSandboxEnabled && responseIsAttachment;
+}
+
 } // namespace WebCore

branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.h

@@ -255 +255 @@
 };
 
+enum class HttpEquivPolicy {
+    Enabled,
+    DisabledBySettings,
+    DisabledByContentDispositionAttachmentSandbox
+};
+
 class Document : public ContainerNode, public TreeScope, public ScriptExecutionContext {
 public:
@@ -1281 +1287 @@
     bool hasStyleWithViewportUnits() const { return m_hasStyleWithViewportUnits; }
     void updateViewportUnitsOnResize();
+    bool shouldEnforceContentDispositionAttachmentSandbox() const;
 
 protected:
@@ -1356 +1363 @@
 
     void addListenerType(ListenerType listenerType) { m_listenerTypes |= listenerType; }
+
+    HttpEquivPolicy httpEquivPolicy() const;
 
     void didAssociateFormControlsTimerFired(Timer<Document>&);

branches/safari-600.1.4.17-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -312 +312 @@
     switch (type) {
     case CachedResource::MainResource:
+        if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+            if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
+                printAccessDeniedMessage(url);
+                return false;
+            }
+        }
+        FALLTHROUGH;
     case CachedResource::ImageResource:
     case CachedResource::CSSStyleSheet:

branches/safari-600.1.4.17-branch/Source/WebCore/page/Settings.in

@@ -232 +232 @@
 
 httpEquivEnabled initial=true
+
+# Some ports (e.g. iOS) might choose to display attachments inline, regardless of whether the response includes the
+# HTTP header "Content-Disposition: attachment". This setting enables a sandbox around these attachments. The sandbox
+# enforces all frame sandbox flags (see enum SandboxFlag in SecurityContext.h), and also disables <meta http-equiv>
+# processing and subframe loading.
+contentDispositionAttachmentSandboxEnabled initial=false

branches/safari-600.1.4.17-branch/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2015-07-17  Andy Estes  <aestes@apple.com>
+
+        Merge r186982. rdar://problem/21709404
+
+    2015-07-17  Andy Estes  <aestes@apple.com>
+
+        [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+        https://bugs.webkit.org/show_bug.cgi?id=147044
+        rdar://problem/21567820
+
+        Reviewed by Brady Eidson.
+
+        * WebView/WebView.mm:
+        (-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
+
 2015-07-13  David Kilzer  <ddkilzer@apple.com>
 

branches/safari-600.1.4.17-branch/Source/WebKit/mac/WebView/WebView.mm

@@ -1048 +1048 @@
     [self _scheduleGlibContextIterations];
 #endif
+
+#if PLATFORM(IOS)
+    _private->page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
 }
 

branches/safari-600.1.4.17-branch/Source/WebKit2/ChangeLog

@@ +1 @@
+2015-07-17  Andy Estes  <aestes@apple.com>
+
+        Merge r186982. rdar://problem/21709404
+
+    2015-07-17  Andy Estes  <aestes@apple.com>
+
+        [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+        https://bugs.webkit.org/show_bug.cgi?id=147044
+        rdar://problem/21567820
+
+        Reviewed by Brady Eidson.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
+
 2015-07-15  David Kilzer  <ddkilzer@apple.com>
 

branches/safari-600.1.4.17-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

@@ -481 +481 @@
     for (auto& mimeType : parameters.mimeTypesWithCustomContentProviders)
         m_mimeTypesWithCustomContentProviders.add(mimeType);
+
+#if PLATFORM(IOS)
+    m_page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
 }
 

branches/safari-600.1.4.17-branch/Tools/ChangeLog

@@ +1 @@
+2015-07-17  Andy Estes  <aestes@apple.com>
+
+        Merge r186982. rdar://problem/21709404
+
+    2015-07-17  Andy Estes  <aestes@apple.com>
+
+        [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+        https://bugs.webkit.org/show_bug.cgi?id=147044
+        rdar://problem/21567820
+
+        Reviewed by Brady Eidson.
+
+        * WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
+        (WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
+        This matches the behavior of DumpRenderTree.
+
 2015-07-13  David Kilzer  <ddkilzer@apple.com>
 

branches/safari-600.1.4.17-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp

@@ -1261 +1261 @@
 WKBundlePagePolicyAction InjectedBundlePage::decidePolicyForResponse(WKBundlePageRef page, WKBundleFrameRef, WKURLResponseRef response, WKURLRequestRef, WKTypeRef*)
 {
-    if (WKURLResponseIsAttachment(response)) {
+    if (InjectedBundle::singleton().testRunner()->isPolicyDelegateEnabled() && WKURLResponseIsAttachment(response)) {
         StringBuilder stringBuilder;
         WKRetainPtr<WKStringRef> filename = adoptWK(WKURLResponseCopySuggestedFilename(response));