Changeset 100877 in webkit

Timestamp:

Nov 20, 2011 6:26:16 PM (12 years ago)

Author:

abarth@webkit.org

Message:

REGRESSION(r100691): Safari error pages and Growl notifications fail to load stylesheets
​https://bugs.webkit.org/show_bug.cgi?id=72836

Reviewed by Sam Weinig.

Source/WebCore:

This patch removes a (minor) security mitigation. Previously, we tried
sequester "directory listings" into unique origins to make it more
difficult for an attacker to crawl the user's local file system.
Unfortunately, this mitigation doesn't really buy us much security
because if the attacker has access to local files, we've probably lost
anyway.

The larger problem, however, is that this condition is overly
complicated and has broken in sublte ways several times in its
(relatively short) lifetime. In the cases reported in this bug, we see
that this check affects error pages in Safari and Growl notifications,
even those have nothing to do with directory listings.

If we have our heart set on this directory listing mitigation, we'll
need a more robust way of triggering the behavior than examining URLs
and guess whether they contain directory listings. For example, if we
implement Allow-From or Access-Control-Deny-Origin, then the embedder
can supply those policies along with the directory listings. Those
seem like much better solutions than the in-engine hack this patch
removes.

• page/SecurityOrigin.cpp:

(WebCore::shouldTreatAsUniqueOrigin):

LayoutTests:

Update test results to show that XMLHttpRequets for directory listings
aren't blocked.

• fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html:
• fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html (modified) (1 diff)
• LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt (modified) (2 diffs)
• LayoutTests/platform/chromium-win/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt (deleted)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/SecurityOrigin.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-20  Adam Barth  <abarth@webkit.org>
+
+        REGRESSION(r100691): Safari error pages and Growl notifications fail to load stylesheets
+        https://bugs.webkit.org/show_bug.cgi?id=72836
+
+        Reviewed by Sam Weinig.
+
+        Update test results to show that XMLHttpRequets for directory listings
+        aren't blocked.
+
+        * fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html:
+        * fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt:
+
 2011-11-19  James Robinson  <jamesr@chromium.org>
 

trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html

@@ -21 +21 @@
         {
             log("ReadyState handler: readyState = " + xhr.readyState);
+
             if (xhr.readyState == 4 && window.layoutTestController) {
+                var results = window.top.document.getElementById('results');
+                results.innerHTML = document.body.innerHTML;
+
                 setTimeout("layoutTestController.notifyDone()", 0);
             }

trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load . Cross origin requests are only supported for HTTP.
 
 Bug 22475: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore
@@ -13 +12 @@
 ReadyState handler: readyState = 1
 ReadyState handler: readyState = 4
-Error handler: readyState = 4
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-20  Adam Barth  <abarth@webkit.org>
+
+        REGRESSION(r100691): Safari error pages and Growl notifications fail to load stylesheets
+        https://bugs.webkit.org/show_bug.cgi?id=72836
+
+        Reviewed by Sam Weinig.
+
+        This patch removes a (minor) security mitigation.  Previously, we tried
+        sequester "directory listings" into unique origins to make it more
+        difficult for an attacker to crawl the user's local file system.
+        Unfortunately, this mitigation doesn't really buy us much security
+        because if the attacker has access to local files, we've probably lost
+        anyway.
+
+        The larger problem, however, is that this condition is overly
+        complicated and has broken in sublte ways several times in its
+        (relatively short) lifetime.  In the cases reported in this bug, we see
+        that this check affects error pages in Safari and Growl notifications,
+        even those have nothing to do with directory listings.
+
+        If we have our heart set on this directory listing mitigation, we'll
+        need a more robust way of triggering the behavior than examining URLs
+        and guess whether they contain directory listings.  For example, if we
+        implement Allow-From or Access-Control-Deny-Origin, then the embedder
+        can supply those policies along with the directory listings.  Those
+        seem like much better solutions than the in-engine hack this patch
+        removes.
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::shouldTreatAsUniqueOrigin):
+
 2011-10-17  Antonio Gomes  <agomes@rim.com>
 

trunk/Source/WebCore/page/SecurityOrigin.cpp

@@ -87 +87 @@
 }
 
-static bool isDirectory(const String& path)
-{
-    return path.endsWith("/");
-}
-
 static bool shouldTreatAsUniqueOrigin(const KURL& url)
 {
@@ -114 +109 @@
     if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(protocol))
         return true;
-
-    // We use unique origins for directory listings to make it harder to crawl
-    // a local filesystem. Notice that we apply this protection only when we
-    // use the outer URL for the security context because schemes that wrap
-    // other URLs don't have directory listings.
-    if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol) && !shouldUseInnerURL(url)) {
-        if (!innerURL.hasPath() || isDirectory(innerURL.path()))
-            return true;
-    }
 
     // This is the common case.