Changeset 280870 in webkit

Timestamp:

Aug 10, 2021 4:19:03 PM (11 months ago)

Author:

Chris Dumez

Message:

Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set
​https://bugs.webkit.org/show_bug.cgi?id=228965

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline WPT tests that are now passing.

• web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1-expected.txt:
• web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2-expected.txt:

Source/WebCore:

Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set:

• ​https://html.spec.whatwg.org/multipage/semantics.html#shared-declarative-refresh-steps (Step 13)

Firefox and Chrome already behave this way.

No new tests, rebaselined existing tests.

• dom/Document.cpp:

(WebCore::Document::processMetaHttpEquiv):

• dom/Document.h:
• html/HTMLMetaElement.cpp:

(WebCore::HTMLMetaElement::process):

• loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::responseReceived):

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::receivedFirstData):
(WebCore::FrameLoader::scheduleRefreshIfNeeded):

• loader/FrameLoader.h:
• loader/FrameLoaderTypes.h:
• loader/NavigationScheduler.cpp:

(WebCore::ScheduledRedirect::ScheduledRedirect):
(WebCore::NavigationScheduler::scheduleRedirect):

• loader/NavigationScheduler.h:

LayoutTests:

Unskip tests that should no longer be flaky now that they are passing.

• TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (2 diffs)
• Source/WebCore/dom/Document.h (modified) (1 diff)
• Source/WebCore/html/HTMLMetaElement.cpp (modified) (1 diff)
• Source/WebCore/loader/DocumentLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/FrameLoader.h (modified) (1 diff)
• Source/WebCore/loader/FrameLoaderTypes.h (modified) (1 diff)
• Source/WebCore/loader/NavigationScheduler.cpp (modified) (5 diffs)
• Source/WebCore/loader/NavigationScheduler.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-08-10  Chris Dumez  <cdumez@apple.com>
+
+        Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set
+        https://bugs.webkit.org/show_bug.cgi?id=228965
+
+        Reviewed by Darin Adler.
+
+        Unskip tests that should no longer be flaky now that they are passing.
+
+        * TestExpectations:
+
 2021-08-10  Ayumi Kojima  <ayumi_kojima@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -1505 +1505 @@
 # Flaky tests at import time
 imported/w3c/web-platform-tests/css/css-scoping/css-scoping-shadow-host-namespace.html [ ImageOnlyFailure ]
-
-# Those WPT tests are flaky when failing.
-imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1.html [ Pass Failure ]
-imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2.html [ Pass Failure ]
 
 # WPT tests for custom elements

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-08-10  Chris Dumez  <cdumez@apple.com>
+
+        Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set
+        https://bugs.webkit.org/show_bug.cgi?id=228965
+
+        Reviewed by Darin Adler.
+
+        Rebaseline WPT tests that are now passing.
+
+        * web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1-expected.txt:
+        * web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2-expected.txt:
+
 2021-08-10  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-1-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: TypeError: Argument 1 ('node') to Node.appendChild must be an instance of Node
+CONSOLE MESSAGE: Unable to do meta refresh due to sandboxing
 
-FAIL Meta refresh is blocked by the allow-scripts sandbox flag at its creation time, not when refresh comes due TypeError: Argument 1 ('node') to Node.appendChild must be an instance of Node
+PASS Meta refresh is blocked by the allow-scripts sandbox flag at its creation time, not when refresh comes due
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/document-metadata/the-meta-element/pragma-directives/attr-meta-http-equiv-refresh/allow-scripts-flag-changing-2-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: TypeError: Argument 1 ('node') to Node.appendChild must be an instance of Node
+CONSOLE MESSAGE: Unable to do meta refresh due to sandboxing
 
-FAIL Meta refresh of the original iframe is not blocked if moved into a sandboxed iframe TypeError: Argument 1 ('node') to Node.appendChild must be an instance of Node
+PASS Meta refresh of the original iframe is not blocked if moved into a sandboxed iframe
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-08-10  Chris Dumez  <cdumez@apple.com>
+
+        Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set
+        https://bugs.webkit.org/show_bug.cgi?id=228965
+
+        Reviewed by Darin Adler.
+
+        Meta HTTP refresh should not navigate if document has sandboxed automatic features browsing context flag set:
+        - https://html.spec.whatwg.org/multipage/semantics.html#shared-declarative-refresh-steps (Step 13)
+
+        Firefox and Chrome already behave this way.
+
+        No new tests, rebaselined existing tests.
+
+        * dom/Document.cpp:
+        (WebCore::Document::processMetaHttpEquiv):
+        * dom/Document.h:
+        * html/HTMLMetaElement.cpp:
+        (WebCore::HTMLMetaElement::process):
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::receivedFirstData):
+        (WebCore::FrameLoader::scheduleRefreshIfNeeded):
+        * loader/FrameLoader.h:
+        * loader/FrameLoaderTypes.h:
+        * loader/NavigationScheduler.cpp:
+        (WebCore::ScheduledRedirect::ScheduledRedirect):
+        (WebCore::NavigationScheduler::scheduleRedirect):
+        * loader/NavigationScheduler.h:
+
 2021-08-10  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -3737 +3737 @@
 }
 
-void Document::processHttpEquiv(const String& equiv, const String& content, bool isInDocumentHead)
+void Document::processMetaHttpEquiv(const String& equiv, const String& content, bool isInDocumentHead)
 {
     ASSERT(!equiv.isNull());
@@ -3782 +3782 @@
     case HTTPHeaderName::Refresh:
         if (frame)
-            frame->loader().scheduleRefreshIfNeeded(*this, content);
+            frame->loader().scheduleRefreshIfNeeded(*this, content, IsMetaRefresh::Yes);
         break;
 

trunk/Source/WebCore/dom/Document.h

@@ -893 +893 @@
     // tag. This enables scripts to use meta tags to perform refreshes and set expiry dates in addition to them being
     // specified in an HTML file.
-    void processHttpEquiv(const String& equiv, const String& content, bool isInDocumentHead);
+    void processMetaHttpEquiv(const String& equiv, const String& content, bool isInDocumentHead);
 
 #if PLATFORM(IOS_FAMILY)

trunk/Source/WebCore/html/HTMLMetaElement.cpp

@@ -182 +182 @@
     const AtomString& httpEquivValue = attributeWithoutSynchronization(http_equivAttr);
     if (!httpEquivValue.isNull())
-        document().processHttpEquiv(httpEquivValue, contentValue, isDescendantOf(document().head()));
+        document().processMetaHttpEquiv(httpEquivValue, contentValue, isDescendantOf(document().head()));
 }
 

trunk/Source/WebCore/loader/DocumentLoader.cpp

@@ -928 +928 @@
             if (auto loginDomains = NetworkStorageSession::subResourceDomainsInNeedOfStorageAccessForFirstParty(firstPartyDomain)) {
                 if (!Quirks::hasStorageAccessForAllLoginDomains(*loginDomains, firstPartyDomain)) {
-                    m_frame->navigationScheduler().scheduleRedirect(document, 0, microsoftTeamsRedirectURL());
+                    m_frame->navigationScheduler().scheduleRedirect(document, 0, microsoftTeamsRedirectURL(), IsMetaRefresh::No);
                     return;
                 }

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -714 +714 @@
     LinkLoader::loadLinksFromHeader(documentLoader.response().httpHeaderField(HTTPHeaderName::Link), document.url(), document, LinkLoader::MediaAttributeCheck::MediaAttributeEmpty);
 
-    scheduleRefreshIfNeeded(document, documentLoader.response().httpHeaderField(HTTPHeaderName::Refresh));
+    scheduleRefreshIfNeeded(document, documentLoader.response().httpHeaderField(HTTPHeaderName::Refresh), IsMetaRefresh::No);
 }
 
@@ -2969 +2969 @@
 }
 
-void FrameLoader::scheduleRefreshIfNeeded(Document& document, const String& content)
+void FrameLoader::scheduleRefreshIfNeeded(Document& document, const String& content, IsMetaRefresh isMetaRefresh)
 {
     double delay = 0;
@@ -2976 +2976 @@
         auto completedURL = urlString.isEmpty() ? document.url() : document.completeURL(urlString);
         if (!completedURL.protocolIsJavaScript())
-            m_frame.navigationScheduler().scheduleRedirect(document, delay, completedURL);
+            m_frame.navigationScheduler().scheduleRedirect(document, delay, completedURL, isMetaRefresh);
         else {
             String message = "Refused to refresh " + document.url().stringCenterEllipsizedToLength() + " to a javascript: URL";

trunk/Source/WebCore/loader/FrameLoader.h

@@ -320 +320 @@
     void updateRequestAndAddExtraFields(ResourceRequest&, IsMainResource, FrameLoadType = FrameLoadType::Standard, ShouldUpdateAppInitiatedValue = ShouldUpdateAppInitiatedValue::Yes);
 
-    void scheduleRefreshIfNeeded(Document&, const String& content);
+    void scheduleRefreshIfNeeded(Document&, const String& content, IsMetaRefresh);
 
     void switchBrowsingContextsGroup();

trunk/Source/WebCore/loader/FrameLoaderTypes.h

@@ -70 +70 @@
 };
 
+enum class IsMetaRefresh : bool { No, Yes };
 enum class WillContinueLoading : bool { No, Yes };
 

trunk/Source/WebCore/loader/NavigationScheduler.cpp

@@ -168 +168 @@
 class ScheduledRedirect : public ScheduledURLNavigation {
 public:
-    ScheduledRedirect(Document& initiatingDocument, double delay, SecurityOrigin* securityOrigin, const URL& url, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+    ScheduledRedirect(Document& initiatingDocument, double delay, SecurityOrigin* securityOrigin, const URL& url, LockHistory lockHistory, LockBackForwardList lockBackForwardList, IsMetaRefresh isMetaRefresh)
         : ScheduledURLNavigation(initiatingDocument, delay, securityOrigin, url, String(), lockHistory, lockBackForwardList, false, false)
+        , m_isMetaRefresh(isMetaRefresh)
     {
         clearUserGesture();
@@ -181 +182 @@
     void fire(Frame& frame) override
     {
+        if (m_isMetaRefresh == IsMetaRefresh::Yes) {
+            if (auto document = frame.document(); document && document->isSandboxed(SandboxAutomaticFeatures)) {
+                document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Unable to do meta refresh due to sandboxing"_s);
+                return;
+            }
+        }
+
         UserGestureIndicator gestureIndicator { userGestureToForward() };
 
@@ -195 +203 @@
         frame.loader().changeLocation(WTFMove(frameLoadRequest));
     }
+
+private:
+    IsMetaRefresh m_isMetaRefresh;
 };
 
@@ -408 +419 @@
 }
 
-void NavigationScheduler::scheduleRedirect(Document& initiatingDocument, double delay, const URL& url)
+void NavigationScheduler::scheduleRedirect(Document& initiatingDocument, double delay, const URL& url, IsMetaRefresh isMetaRefresh)
 {
     if (!shouldScheduleNavigation(url))
@@ -420 +431 @@
     if (!m_redirect || delay <= m_redirect->delay()) {
         auto lockBackForwardList = delay <= 1 ? LockBackForwardList::Yes : LockBackForwardList::No;
-        schedule(makeUnique<ScheduledRedirect>(initiatingDocument, delay, &m_frame.document()->securityOrigin(), url, LockHistory::Yes, lockBackForwardList));
+        schedule(makeUnique<ScheduledRedirect>(initiatingDocument, delay, &m_frame.document()->securityOrigin(), url, LockHistory::Yes, lockBackForwardList, isMetaRefresh));
     }
 }

trunk/Source/WebCore/loader/NavigationScheduler.h

@@ -55 +55 @@
     bool locationChangePending();
 
-    void scheduleRedirect(Document& initiatingDocument, double delay, const URL&);
+    void scheduleRedirect(Document& initiatingDocument, double delay, const URL&, IsMetaRefresh);
     void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes, CompletionHandler<void()>&& = [] { });
     void scheduleFormSubmission(Ref<FormSubmission>&&);