Changeset 29266 in webkit

Timestamp:

Jan 7, 2008, 5:30:27 PM (17 years ago)

Author:

weinig@apple.com

Message:

WebCore:

Reviewed by Sam Weinig

Fixes: ​http://bugs.webkit.org/show_bug.cgi?id=16523
<rdar://problem/5657447>

When a frame is created with the URL "about:blank" or "", it should
inherit its SecurityOrigin from its opener. However, once it has
decided on that SecurityOrigin, it should not change its mind.
Prior to this patch, several events could induce the frame to change
its SecurityOrigin, permitting an attacker to inject script into an
arbitrary SecurityOrigin.

This patch makes several changes:

1) Documents refuse to change from one SecurityOrigin to another

unless explicitly instructed to do so.

2) Navigating to a JavaScript URL that produces a value

preserves the current SecurityOrigin explicitly instead of
relying on the URL to preserve the origin (which fails for
about:blank URLs and SecurityOrigins with document.domain set).

Ideally, we should not preserve the URL at all. Instead, the
frame's URL should be the JavaScript URL, as in Firefox, but this
would require changes that are too risky for this patch. I'll
file this as a separate issue.

3) Various methods of navigating to JavaScript URLs were not

properly handling JavaScript that returned a value (and should
therefore replace the current document). This patch unifies
those code paths with the path that works.

There are still a handful of bugs relating to the handling of
JavaScript URLs, but I'll file those as separate issues.

Tests: http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html

http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
http/tests/security/aboutBlank/xss-DENIED-set-opener.html

• dom/Document.cpp: (WebCore::Document::initSecurityOrigin):
• dom/Document.h: (WebCore::Document::setSecurityOrigin):
• loader/FrameLoader.cpp: (WebCore::FrameLoader::changeLocation): (WebCore::FrameLoader::urlSelected): (WebCore::FrameLoader::requestFrame): (WebCore::FrameLoader::submitForm): (WebCore::FrameLoader::executeIfJavaScriptURL): (WebCore::FrameLoader::begin):
• loader/FrameLoader.h:
• platform/SecurityOrigin.cpp: (WebCore::SecurityOrigin::setForURL): (WebCore::SecurityOrigin::createForFrame):
• platform/SecurityOrigin.h:

LayoutTests:

Reviewed by Sam Weinig.

Fixes: ​http://bugs.webkit.org/show_bug.cgi?id=16523

Adds new LayoutTests for scripting from about:blank windows. These
windows should inherit its SecurityOrigin from its opener and should
refuse to change their origins when their opener changes exogenously
(the navigate-opener tests) or explicitly (the set-opener test).

• http/tests/security/aboutBlank: Added.
• http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt: Added.
• http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html: Added.
• http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt: Added.
• http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html: Added.
• http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt: Added.
• http/tests/security/aboutBlank/xss-DENIED-set-opener.html: Added.
• http/tests/security/resources/innocent-victim-with-notify.html: Added.
• http/tests/security/resources/innocent-victim.html: Added.
• http/tests/security/resources/libwrapjs.js: Added.
• http/tests/security/resources/open-window.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt (added)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener.html (added)
• LayoutTests/http/tests/security/resources/innocent-victim-with-notify.html (added)
• LayoutTests/http/tests/security/resources/innocent-victim.html (added)
• LayoutTests/http/tests/security/resources/libwrapjs.js (added)
• LayoutTests/http/tests/security/resources/open-window.html (added)
• LayoutTests/platform/win/Skipped (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/dom/Document.cpp (modified) (1 diff)
• WebCore/dom/Document.h (modified) (1 diff)
• WebCore/loader/FrameLoader.cpp (modified) (7 diffs)
• WebCore/loader/FrameLoader.h (modified) (4 diffs)
• WebCore/platform/SecurityOrigin.cpp (modified) (3 diffs)
• WebCore/platform/SecurityOrigin.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-01-07  Adam Barth  <hk9565@gmail.com>
+
+        Reviewed by Sam Weinig.
+
+        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523
+
+        Adds new LayoutTests for scripting from about:blank windows.  These
+        windows should inherit its SecurityOrigin from its opener and should
+        refuse to change their origins when their opener changes exogenously
+        (the navigate-opener tests) or explicitly (the set-opener test).
+
+        * http/tests/security/aboutBlank: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-set-opener.html: Added.
+        * http/tests/security/resources/innocent-victim-with-notify.html: Added.
+        * http/tests/security/resources/innocent-victim.html: Added.
+        * http/tests/security/resources/libwrapjs.js: Added.
+        * http/tests/security/resources/open-window.html: Added.
+
 2008-01-07  Adele Peterson  <adele@apple.com>
 

trunk/LayoutTests/platform/win/Skipped

@@ -197 +197 @@
 http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-window-open.html
 http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-window-open.html
+http/tests/security/aboutBlank/xss-DENIED-set-opener.html
+http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html
+http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
 
 # DRT is not fully implemented in boomer <rdar://problem/5128261>

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-01-07  Adam Barth  <hk9565@gmail.com>
+
+        Reviewed by Sam Weinig
+
+        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523
+        <rdar://problem/5657447>
+
+        When a frame is created with the URL "about:blank" or "", it should
+        inherit its SecurityOrigin from its opener.  However, once it has
+        decided on that SecurityOrigin, it should not change its mind.
+        Prior to this patch, several events could induce the frame to change
+        its SecurityOrigin, permitting an attacker to inject script into an
+        arbitrary SecurityOrigin.
+
+        This patch makes several changes:
+
+        1) Documents refuse to change from one SecurityOrigin to another
+           unless explicitly instructed to do so.
+
+        2) Navigating to a JavaScript URL that produces a value
+           preserves the current SecurityOrigin explicitly instead of
+           relying on the URL to preserve the origin (which fails for
+           about:blank URLs and SecurityOrigins with document.domain set).
+
+           Ideally, we should not preserve the URL at all.  Instead, the
+           frame's URL should be the JavaScript URL, as in Firefox, but this
+           would require changes that are too risky for this patch.  I'll
+           file this as a separate issue.
+
+        3) Various methods of navigating to JavaScript URLs were not
+           properly handling JavaScript that returned a value (and should
+           therefore replace the current document).  This patch unifies
+           those code paths with the path that works.
+
+           There are still a handful of bugs relating to the handling of
+           JavaScript URLs, but I'll file those as separate issues.
+
+        Tests: http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html
+               http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
+               http/tests/security/aboutBlank/xss-DENIED-set-opener.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityOrigin):
+        * dom/Document.h:
+        (WebCore::Document::setSecurityOrigin):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::changeLocation):
+        (WebCore::FrameLoader::urlSelected):
+        (WebCore::FrameLoader::requestFrame):
+        (WebCore::FrameLoader::submitForm):
+        (WebCore::FrameLoader::executeIfJavaScriptURL):
+        (WebCore::FrameLoader::begin):
+        * loader/FrameLoader.h:
+        * platform/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::setForURL):
+        (WebCore::SecurityOrigin::createForFrame):
+        * platform/SecurityOrigin.h:
+
 2008-01-07  Adele Peterson  <adele@apple.com>
 

trunk/WebCore/dom/Document.cpp

@@ -3717 +3717 @@
 void Document::initSecurityOrigin()
 {
+    if (m_securityOrigin && !m_securityOrigin->isEmpty())
+        return;  // m_securityOrigin has already been initialized.
+
     m_securityOrigin = SecurityOrigin::createForFrame(m_frame);
 }

trunk/WebCore/dom/Document.h

@@ -850 +850 @@
     SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
 
+    // Explicitly override the security origin for this document.
+    // Note: It is dangerous to change the security origin of a document
+    //       that already contains content.
+    void setSecurityOrigin(SecurityOrigin* o) { m_securityOrigin = o; }
+
     bool processingLoadEvent() const { return m_processingLoadEvent; }
 

trunk/WebCore/loader/FrameLoader.cpp

@@ -375 +375 @@
 void FrameLoader::changeLocation(const KURL& url, const String& referrer, bool lockHistory, bool userGesture)
 {
-    if (url.deprecatedString().find("javascript:", 0, false) == 0) {
-        String script = KURL::decode_string(url.deprecatedString().mid(strlen("javascript:")));
-        JSValue* result = executeScript(script, userGesture);
-        String scriptResult;
-        if (getString(result, scriptResult)) {
-            begin(m_URL);
-            write(scriptResult);
-            end();
-        }
-        return;
-    }
-
     ResourceRequestCachePolicy policy = (m_cachePolicy == CachePolicyReload) || (m_cachePolicy == CachePolicyRefresh)
         ? ReloadIgnoringCacheData : UseProtocolCachePolicy;
@@ -396 +384 @@
 void FrameLoader::urlSelected(const ResourceRequest& request, const String& _target, Event* triggeringEvent, bool lockHistory, bool userGesture)
 {
+    if (executeIfJavaScriptURL(request.url(), userGesture))
+        return;
+
     String target = _target;
     if (target.isEmpty() && m_frame->document())
         target = m_frame->document()->baseTarget();
-
-    const KURL& url = request.url();
-    if (url.deprecatedString().startsWith("javascript:", false)) {
-        executeScript(KURL::decode_string(url.deprecatedString().mid(strlen("javascript:"))), true);
-        return;
-    }
 
     FrameLoadRequest frameRequest(request, target);
@@ -443 +428 @@
 
     if (!scriptURL.isEmpty())
-        frame->loader()->replaceContentsWithScriptResult(scriptURL);
+        frame->loader()->executeIfJavaScriptURL(scriptURL);
 
     return true;
@@ -519 +504 @@
     if (urlString.startsWith("javascript:", false)) {
         m_isExecutingJavaScriptFormAction = true;
-        executeScript(KURL::decode_string(urlString.mid(strlen("javascript:"))));
+        executeIfJavaScriptURL(u);
         m_isExecutingJavaScriptFormAction = false;
         return;
@@ -728 +713 @@
 }
 
-void FrameLoader::replaceContentsWithScriptResult(const KURL& url)
-{
-    JSValue* result = executeScript(KURL::decode_string(url.deprecatedString().mid(strlen("javascript:"))));
+bool FrameLoader::executeIfJavaScriptURL(const KURL& url, bool userGesture)
+{
+    if (!url.deprecatedString().startsWith("javascript:", false))
+        return false;
+
+    String script = KURL::decode_string(url.deprecatedString().mid(strlen("javascript:")));
+    JSValue* result = executeScript(script, userGesture);
+
     String scriptResult;
     if (!getString(result, scriptResult))
-        return;
-    begin();
+        return true;
+
+    SecurityOrigin* currentSecurityOrigin = 0;
+    if (m_frame->document())
+        currentSecurityOrigin = m_frame->document()->securityOrigin();
+
+    begin(m_URL, true, currentSecurityOrigin);
     write(scriptResult);
     end();
+
+    return true;
 }
 
@@ -875 +872 @@
 }
 
-void FrameLoader::begin(const KURL& url, bool dispatch)
-{
+void FrameLoader::begin(const KURL& url, bool dispatch, SecurityOrigin* origin)
+{
+    // We need to take a reference to the security origin because |clear|
+    // might destroy the document that owns it.
+    RefPtr<SecurityOrigin> forcedSecurityOrigin = origin;
+
     bool resetScripting = !(m_isDisplayingInitialEmptyDocument && m_frame->document() && m_frame->document()->securityOrigin()->isSecureTransitionTo(url));
     clear(resetScripting, resetScripting);
@@ -908 +909 @@
     if (m_decoder)
         document->setDecoder(m_decoder.get());
+    if (forcedSecurityOrigin)
+        document->setSecurityOrigin(forcedSecurityOrigin.get());
 
     updatePolicyBaseURL();

trunk/WebCore/loader/FrameLoader.h

@@ -76 +76 @@
     class ResourceRequest;
     class ResourceResponse;
+    class SecurityOrigin;
     class SharedBuffer;
     class SubstituteData;
@@ -310 +311 @@
 
         void begin();
-        void begin(const KURL&, bool dispatchWindowObjectAvailable = true);
+        void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOrigin* forcedSecurityOrigin = 0);
 
         void write(const char* str, int len = -1, bool flush = false);
@@ -319 +320 @@
         void setEncoding(const String& encoding, bool userChosen);
         String encoding() const;
+
+        // Returns true if url is a JavaScript URL.
+        bool executeIfJavaScriptURL(const KURL& url, bool userGesture = false);
 
         KJS::JSValue* executeScript(const String& url, int baseLine, const String& script);
@@ -477 +481 @@
         void setPolicyBaseURL(const String&);
 
-        void replaceContentsWithScriptResult(const KURL&);
-
         // Also not cool.
         void stopLoadingSubframes();

trunk/WebCore/platform/SecurityOrigin.cpp

@@ -40 +40 @@
 namespace WebCore {
 
-SecurityOrigin::SecurityOrigin()
+SecurityOrigin::SecurityOrigin(const KURL& url)
     : m_port(0)
     , m_portSet(false)
@@ -46 +46 @@
     , m_domainWasSetInDOM(false)
 {
-}
+    if (url.isEmpty())
+      return;
 
-void SecurityOrigin::clear()
-{
-    m_protocol = String();
-    m_host = String();
-    m_port = 0;
-    m_portSet = false;
-    m_noAccess = false;
-    m_domainWasSetInDOM = false;
+    m_protocol = url.protocol().lower();
+
+    // These protocols do not represent principals.
+    if (m_protocol == "about" || m_protocol == "javascript")
+        m_protocol = String();
+
+    if (m_protocol.isEmpty())
+        return;
+
+    // data: URLs are not allowed access to anything other than themselves.
+    if (m_protocol == "data")
+        m_noAccess = true;
+
+    m_host = url.host().lower();
+    m_port = url.port();
+
+    if (m_port)
+        m_portSet = true;
 }
 
@@ -63 +74 @@
 }
 
-void SecurityOrigin::setForURL(const KURL& url)
-{
-    clear();
-
-    if (url.isEmpty())
-      return;
-
-    m_protocol = url.protocol().lower();
-    m_host = url.host().lower();
-    m_port = url.port();
-
-    if (m_port)
-        m_portSet = true;
-
-    // data: URLs are not allowed access to anything other than themselves.
-    if (m_protocol == "data")
-        m_noAccess = true;
-}
-
 PassRefPtr<SecurityOrigin> SecurityOrigin::createForFrame(Frame* frame)
 {
-    RefPtr<SecurityOrigin> origin = new SecurityOrigin();
+    if (!frame)
+        return new SecurityOrigin(KURL());
 
-    if (!frame)
+    FrameLoader* loader = frame->loader();
+
+    RefPtr<SecurityOrigin> origin = new SecurityOrigin(loader->url());
+    if (!origin->isEmpty())
         return origin;
 
-    FrameLoader* loader = frame->loader();
-    const KURL& securityPolicyURL = loader->url();
-
-    origin->setForURL(securityPolicyURL);
-
-    if (!origin->isEmpty() && origin->m_protocol != "about")
-        return origin;
-
-    // In the case of about:blank or javascript: URLs (which create 
-    // documents using the "about" protocol) do we want to use the
-    // parent or openers origin.
+    // If we do not obtain a principal from the URL, then we try to find a
+    // principal via the frame hierarchy.
 
     Frame* openerFrame = frame->tree()->parent();

trunk/WebCore/platform/SecurityOrigin.h

@@ -51 +51 @@
         bool isSecureTransitionTo(const KURL&) const;
 
+        bool isEmpty() const;
         String toString() const;
         
@@ -56 +57 @@
         
     private:
-        SecurityOrigin();
-        bool isEmpty() const;
-
-        void clear();
-        void setForURL(const KURL& url);
+        SecurityOrigin(const KURL& url);
 
         String m_protocol;