Changeset 100213 in webkit

Timestamp:

Nov 14, 2011 4:24:33 PM (12 years ago)

Author:

abarth@webkit.org

Message:

Unique origins shouldn't remember their scheme, host, or port
​https://bugs.webkit.org/show_bug.cgi?id=72308

Reviewed by Eric Seidel.

Source/WebCore:

This patch contains the bulk (all?) of the behavior differences in this
patch series. Unique origins shouldn't remember their schemes. Doing
so causes some privileges (e.g., local access) to leak into unique
origins.

• page/SecurityOrigin.cpp:

(WebCore::SecurityOrigin::SecurityOrigin):

• Explicitly clear out the protocol, host, and port for unique origins. A future patch will refactor all this code to be more elegant.

• platform/SchemeRegistry.cpp:

(WebCore::schemesWithUniqueOrigins):

• Merge "about" and "javascript" in with the general case now that we don't have a separate notion of an empty origin.

LayoutTests:

• fast/filesystem/async-operations-expected.txt:
• fast/filesystem/not-enough-arguments-expected.txt:
• fast/filesystem/read-directory-expected.txt:
• fast/filesystem/simple-persistent-expected.txt:
• fast/filesystem/simple-readonly-expected.txt:
• fast/filesystem/simple-temporary-expected.txt:
  • Update test results to show that we no longer leak the scheme in storage identifiers.
• fast/frames/resources/sandboxed-iframe-storage-disallowed.html:
  • Inline script because the sandbox iframe isn't allowed to load local resources.
• fast/frames/sandboxed-iframe-attribute-parsing.html:
• fast/frames/sandboxed-iframe-forms-dynamic.html:
• fast/frames/sandboxed-iframe-forms.html:
• fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html:
• fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html:
• fast/frames/sandboxed-iframe-navigation-top-by-name.html:
• fast/frames/sandboxed-iframe-navigation-top.html:
• media/video-controls-no-scripting.html:
  • Previously sandboxed local iframes still got universal access when we're running with universal access for file URLs! Now that they correctly get unique origins, we need to update these tests to allow-same-origin access in order for them to function properly.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/filesystem/async-operations-expected.txt (modified) (1 diff)
• LayoutTests/fast/filesystem/not-enough-arguments-expected.txt (modified) (1 diff)
• LayoutTests/fast/filesystem/read-directory-expected.txt (modified) (1 diff)
• LayoutTests/fast/filesystem/simple-persistent-expected.txt (modified) (1 diff)
• LayoutTests/fast/filesystem/simple-readonly-expected.txt (modified) (1 diff)
• LayoutTests/fast/filesystem/simple-temporary-expected.txt (modified) (1 diff)
• LayoutTests/fast/frames/resources/sandboxed-iframe-storage-disallowed.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-attribute-parsing.html (modified) (6 diffs)
• LayoutTests/fast/frames/sandboxed-iframe-forms-dynamic.html (modified) (2 diffs)
• LayoutTests/fast/frames/sandboxed-iframe-forms.html (modified) (3 diffs)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name.html (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top.html (modified) (1 diff)
• LayoutTests/media/video-controls-no-scripting.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/SecurityOrigin.cpp (modified) (4 diffs)
• Source/WebCore/platform/SchemeRegistry.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-14  Adam Barth  <abarth@webkit.org>
+
+        Unique origins shouldn't remember their scheme, host, or port
+        https://bugs.webkit.org/show_bug.cgi?id=72308
+
+        Reviewed by Eric Seidel.
+
+        * fast/filesystem/async-operations-expected.txt:
+        * fast/filesystem/not-enough-arguments-expected.txt:
+        * fast/filesystem/read-directory-expected.txt:
+        * fast/filesystem/simple-persistent-expected.txt:
+        * fast/filesystem/simple-readonly-expected.txt:
+        * fast/filesystem/simple-temporary-expected.txt:
+            - Update test results to show that we no longer leak the scheme in
+              storage identifiers.
+        * fast/frames/resources/sandboxed-iframe-storage-disallowed.html:
+            - Inline script because the sandbox iframe isn't allowed to load
+              local resources.
+        * fast/frames/sandboxed-iframe-attribute-parsing.html:
+        * fast/frames/sandboxed-iframe-forms-dynamic.html:
+        * fast/frames/sandboxed-iframe-forms.html:
+        * fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html:
+        * fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html:
+        * fast/frames/sandboxed-iframe-navigation-top-by-name.html:
+        * fast/frames/sandboxed-iframe-navigation-top.html:
+        * media/video-controls-no-scripting.html:
+            - Previously sandboxed local iframes still got universal access
+              when we're running with universal access for file URLs!  Now that
+              they correctly get unique origins, we need to update these tests
+              to allow-same-origin access in order for them to function
+              properly.
+
 2011-11-14  Julien Chaffraix  <jchaffraix@webkit.org>
 

trunk/LayoutTests/fast/filesystem/async-operations-expected.txt

@@ -5 +5 @@
 
 requested FileSystem.
-Got FileSystem:file__0:Temporary
+Got FileSystem:__0:Temporary
 Starting async test stage 1.
 Starting async test stage 2.

trunk/LayoutTests/fast/filesystem/not-enough-arguments-expected.txt

@@ -4 +4 @@
 
 
-Successfully obtained Persistent FileSystem:file__0:Temporary
+Successfully obtained Persistent FileSystem:__0:Temporary
 PASS fileSystem.root.moveTo() threw exception TypeError: Not enough arguments.
 PASS fileSystem.root.copyTo() threw exception TypeError: Not enough arguments.

trunk/LayoutTests/fast/filesystem/read-directory-expected.txt

@@ -4 +4 @@
 
 
-Successfully obtained Persistent FileSystem:file__0:Temporary
+Successfully obtained Persistent FileSystem:__0:Temporary
 PASS readEntriesCount is entriesCallbackCount
 PASS resultEntries.length is testEntriesCount

trunk/LayoutTests/fast/filesystem/simple-persistent-expected.txt

@@ -4 +4 @@
 
 
-Successfully obtained PERSISTENT FileSystem:file__0:Persistent
+Successfully obtained PERSISTENT FileSystem:__0:Persistent
 PASS fileSystem.name.length > 0 is true
 PASS fileSystem.root.fullPath is "/"

trunk/LayoutTests/fast/filesystem/simple-readonly-expected.txt

@@ -7 +7 @@
 trying to set readonly property fileSystem.name
 fileSystem.name = 'bar'
-PASS fileSystem.name is still file__0:Temporary
+PASS fileSystem.name is still __0:Temporary
 root = fileSystem.root
 root.getFile('foo', {create:true}, getFileCallback, errorCallback)

trunk/LayoutTests/fast/filesystem/simple-temporary-expected.txt

@@ -4 +4 @@
 
 
-Successfully obtained TEMPORARY FileSystem:file__0:Temporary
+Successfully obtained TEMPORARY FileSystem:__0:Temporary
 PASS fileSystem.name.length > 0 is true
 PASS fileSystem.root.fullPath is "/"

trunk/LayoutTests/fast/frames/resources/sandboxed-iframe-storage-disallowed.html

@@ -1 +1 @@
 <html>
 <head>
-<script src="../../js/resources/js-test-pre.js"></script>
+<script>
+// This code is inlined from js-test-pre.js because this document is displayed
+// in a sandboxed iframe and cannot load local resources.
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function debug(msg)
+{
+    var span = document.createElement("span");
+    document.getElementById("console").appendChild(span);
+    span.innerHTML = msg + '<br />';
+}
+
+function escapeHTML(text)
+{
+    return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/\0/g, "\\0");
+}
+
+function testPassed(msg)
+{
+    debug('<span><span class="pass">PASS</span> ' + escapeHTML(msg) + '</span>');
+}
+
+function testFailed(msg)
+{
+    debug('<span><span class="fail">FAIL</span> ' + escapeHTML(msg) + '</span>');
+}
+
+function shouldThrow(_a, _e)
+{
+  var exception;
+  var _av;
+  try {
+     _av = eval(_a);
+  } catch (e) {
+     exception = e;
+  }
+
+  var _ev;
+  if (_e)
+      _ev =  eval(_e);
+
+  if (exception) {
+    if (typeof _e == "undefined" || exception == _ev)
+      testPassed(_a + " threw exception " + exception + ".");
+    else
+      testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Threw exception " + exception + ".");
+  } else if (typeof _av == "undefined")
+    testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Was undefined.");
+  else
+    testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Was " + _av + ".");
+}
+</script>
 <script>
 

trunk/LayoutTests/fast/frames/sandboxed-iframe-attribute-parsing.html

@@ -57 +57 @@
 
     <!-- plain, proper attribute value -->
-    <iframe sandbox="allow-scripts"
+    <iframe sandbox="allow-scripts allow-same-origin"
             name="f1"
             src="resources/sandboxed-iframe-attribute-parsing-allowed.html">
@@ -67 +67 @@
 allow-scripts
 
-"
+allow-same-origin"
             name="f2"
             src="resources/sandboxed-iframe-attribute-parsing-allowed.html">
@@ -104 +104 @@
         'Kyssarna' ('The kisses'), Esaias Tegnér, 1782-1846
 
-    allow-scripts
+    allow-scripts allow-same-origin
     
         int main(void)
@@ -115 +115 @@
 
     <!-- tab characters before and after attribute value -->
-    <iframe sandbox="           allow-scripts           "
+    <iframe sandbox="           allow-scripts           allow-same-origin"
             name="f4"
             src="resources/sandboxed-iframe-attribute-parsing-allowed.html">
@@ -121 +121 @@
 
     <!-- mixed case -->
-    <iframe sandbox="AlLoW-sCrIpTs"
+    <iframe sandbox="AlLoW-sCrIpTs allow-same-origin"
             name="f5"
             src="resources/sandboxed-iframe-attribute-parsing-allowed.html">
@@ -128 +128 @@
     <!-- iframes where script execution is disallowed -->
 
-    <iframe sandbox="allowscripts"
+    <iframe sandbox="allowscripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="allows-cripts"
+    <iframe sandbox="allows-cripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="-allow-scripts"
+    <iframe sandbox="-allow-scripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="allow_scripts"
+    <iframe sandbox="allow_scripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="allowScripts"
+    <iframe sandbox="allowScripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="aallow-scripts"
+    <iframe sandbox="aallow-scripts allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>
 
-    <iframe sandbox="allow-scriptss"
+    <iframe sandbox="allow-scriptss allow-same-origin"
             src="resources/sandboxed-iframe-attribute-parsing-disallowed.html">
     </iframe>

trunk/LayoutTests/fast/frames/sandboxed-iframe-forms-dynamic.html

@@ -31 +31 @@
     frameElements = document.getElementsByTagName("iframe");
 
-    frameElements[0].sandbox = "allow-scripts";
-    frameElements[1].sandbox = "allow-scripts allow-forms";
-    frameElements[2].sandbox = "allow-scripts";
+    frameElements[0].sandbox = "allow-scripts allow-same-origin";
+    frameElements[1].sandbox = "allow-scripts allow-forms allow-same-origin";
+    frameElements[2].sandbox = "allow-scripts allow-same-origin";
 
     frames[0].postMessage("go", "*");
@@ -46 +46 @@
 
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-dynamic-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts"
+        sandbox="allow-scripts allow-same-origin"
         src="resources/sandboxed-iframe-form-dynamic-disallowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-dynamic-allowed.html">
     </iframe>

trunk/LayoutTests/fast/frames/sandboxed-iframe-forms.html

@@ -42 +42 @@
 
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
@@ -65 +65 @@
 
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts"
+        sandbox="allow-scripts allow-same-origin"
         src="resources/sandboxed-iframe-form-disallowed.html">
     </iframe>
@@ -72 +72 @@
 
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>
     <iframe style="width: 60px; height: 60px;"
-        sandbox="allow-scripts allow-forms"
+        sandbox="allow-scripts allow-forms allow-same-origin"
         src="resources/sandboxed-iframe-form-allowed.html">
     </iframe>

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html

@@ -10 +10 @@
 <body>
 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p>
-<iframe sandbox="allow-scripts allow-top-navigation"
+<iframe sandbox="allow-scripts allow-top-navigation allow-same-origin"
         src="resources/navigate-top-by-constant-name-to-pass.html">
 </body>

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html

@@ -10 +10 @@
 <body>
 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p>
-<iframe sandbox="allow-scripts allow-top-navigation"
+<iframe sandbox="allow-scripts allow-top-navigation allow-same-origin"
         src="resources/navigate-top-by-constant-name2-to-pass.html">
 </body>

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name.html

@@ -11 +11 @@
 <body>
 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p>
-<iframe sandbox="allow-scripts allow-top-navigation"
+<iframe sandbox="allow-scripts allow-top-navigation allow-same-origin"
         src="resources/navigate-top-by-name-to-pass.html">
 </body>

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top.html

@@ -10 +10 @@
 <body>
 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p>
-<iframe sandbox="allow-scripts allow-top-navigation"
+<iframe sandbox="allow-scripts allow-top-navigation allow-same-origin"
         src="resources/navigate-top-to-pass.html">
 </body>

trunk/LayoutTests/media/video-controls-no-scripting.html

@@ -28 +28 @@
     <body>
 
-        <iframe sandbox src="resources/video-controls-no-scripting-iframe.html" id="fr" style="width: 400px; height: 320px; border: 1px solid black;"></iframe>
+        <iframe sandbox="allow-same-origin" src="resources/video-controls-no-scripting-iframe.html" id="fr" style="width: 400px; height: 320px; border: 1px solid black;"></iframe>
 
         <p>Tests that the built-in controls are always enabled when JavaScript is disabled.</p>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-14  Adam Barth  <abarth@webkit.org>
+
+        Unique origins shouldn't remember their scheme, host, or port
+        https://bugs.webkit.org/show_bug.cgi?id=72308
+
+        Reviewed by Eric Seidel.
+
+        This patch contains the bulk (all?) of the behavior differences in this
+        patch series.  Unique origins shouldn't remember their schemes.  Doing
+        so causes some privileges (e.g., local access) to leak into unique
+        origins.
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::SecurityOrigin):
+            - Explicitly clear out the protocol, host, and port for unique
+              origins.  A future patch will refactor all this code to be more
+              elegant.
+        * platform/SchemeRegistry.cpp:
+        (WebCore::schemesWithUniqueOrigins):
+            - Merge "about" and "javascript" in with the general case now that
+              we don't have a separate notion of an empty origin.
+
 2011-11-14  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/page/SecurityOrigin.cpp

@@ -42 +42 @@
 namespace WebCore {
 
+const int InvalidPort = 0;
 const int MaxAllowedPort = 65535;
 
@@ -66 +67 @@
     , m_enforceFilePathSeparation(false)
 {
-    // These protocols do not create security origins; the owner frame provides the origin
-    if (m_protocol == "about" || m_protocol == "javascript")
-        m_protocol = "";
-
 #if ENABLE(BLOB) || ENABLE(FILE_SYSTEM)
     bool isBlobOrFileSystemProtocol = false;
@@ -94 +91 @@
     if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty())
         m_isUnique = true;
+
     if (m_protocol.isEmpty())
         m_isUnique = true;
@@ -117 +115 @@
 
     if (isDefaultPortForProtocol(m_port, m_protocol))
-        m_port = 0;
+        m_port = InvalidPort;
+
+    // Don't leak details from URLs into unique origins.
+    if (m_isUnique) {
+        m_protocol = "";
+        m_host = "";
+        m_port = InvalidPort;
+    }
 }
 

trunk/Source/WebCore/platform/SchemeRegistry.cpp

@@ -69 +69 @@
     DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ());
 
-    // This is a willful violation of HTML5.
-    // See https://bugs.webkit.org/show_bug.cgi?id=11885
-    if (schemesWithUniqueOrigins.isEmpty())
+    if (schemesWithUniqueOrigins.isEmpty()) {
+        schemesWithUniqueOrigins.add("about");
+        schemesWithUniqueOrigins.add("javascript");
+        // This is a willful violation of HTML5.
+        // See https://bugs.webkit.org/show_bug.cgi?id=11885
         schemesWithUniqueOrigins.add("data");
+    }
 
     return schemesWithUniqueOrigins;