Changeset 125335 in webkit
- Timestamp:
- Aug 10, 2012 4:13:37 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 13 added
- 9 edited
trunk/LayoutTests/ChangeLog
r125334 r125335 1 2012-08-09 Jeffrey Pfau <jpfau@apple.com> 2 3 Allow blocking of third-party localStorage and sessionStorage 4 https://bugs.webkit.org/show_bug.cgi?id=93390 5 6 Reviewed by Adam Barth. 7 8 Created tests for testing accessing localStorage and selfStorage from a third party and first party when third-party blocking is on and off. 9 10 * http/tests/security/cross-origin-local-storage-allowed-expected.txt: Added. 11 * http/tests/security/cross-origin-local-storage-allowed.html: Added. 12 * http/tests/security/cross-origin-local-storage-expected.txt: Added. 13 * http/tests/security/cross-origin-local-storage.html: Added. 14 * http/tests/security/cross-origin-session-storage-allowed-expected.txt: Added. 15 * http/tests/security/cross-origin-session-storage-allowed.html: Added. 16 * http/tests/security/cross-origin-session-storage-expected.txt: Added. 17 * http/tests/security/cross-origin-session-storage.html: Added. 18 * http/tests/security/same-origin-document-domain-storage-allowed-expected.html: Added. 19 * http/tests/security/same-origin-document-domain-storage-allowed.html: Added. 20 * http/tests/security/resources/document-domain-iframe-for-local-storage.html: Added. 21 * http/tests/security/resources/cross-origin-iframe-for-local-storage.html: Added. 22 * http/tests/security/resources/cross-origin-iframe-for-session-storage.html: Added. 23 1 24 2012-08-10 Arko Saha <arko@motorola.com> 2 25 -
trunk/Source/WebCore/ChangeLog
r125334 r125335 1 2012-08-09 Jeffrey Pfau <jpfau@apple.com> 2 3 Allow blocking of third-party localStorage and sessionStorage 4 https://bugs.webkit.org/show_bug.cgi?id=93390 5 6 Reviewed by Adam Barth. 7 8 Add checks for if a page is third-party and third-party storage blocking is enabled while accessing storage. 9 10 Tests: http/tests/security/cross-origin-local-storage-allowed.html 11 http/tests/security/cross-origin-local-storage.html 12 http/tests/security/cross-origin-session-storage-allowed.html 13 http/tests/security/cross-origin-session-storage.html 14 http/tests/security/same-origin-document-domain-storage-allowed.html 15 16 * dom/Document.cpp: 17 (WebCore::Document::initSecurityContext): Initialize securityOrigin with knowledge of if we should block third-party storage. 18 * page/DOMWindow.cpp: Check if the origin trying to access storage is third-party relative to the top document. 19 (WebCore::DOMWindow::sessionStorage): 20 (WebCore::DOMWindow::localStorage): 21 * page/SecurityOrigin.cpp: Add a call in Security origin to see if another origin counts as a third-party. 22 (WebCore::SecurityOrigin::SecurityOrigin): 23 (WebCore::SecurityOrigin::canAccessLocalStorage): 24 (WebCore): 25 (WebCore::SecurityOrigin::isThirdParty): 26 * page/SecurityOrigin.h: 27 (WebCore::SecurityOrigin::blockThirdPartyStorage): 28 (SecurityOrigin): 29 * testing/InternalSettings.cpp: Add an internals.settings hook for setting third-party storage blocking enabled. 30 (WebCore::InternalSettings::setThirdPartyStorageBlockingEnabled): 31 (WebCore): 32 * testing/InternalSettings.h: 33 (InternalSettings): 34 * testing/InternalSettings.idl: 35 1 36 2012-08-10 Arko Saha <arko@motorola.com> 2 37 -
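--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -5016,4 +5016,6 @@
 }
 }
+if (settings->thirdPartyStorageBlockingEnabled())
+securityOrigin()->blockThirdPartyStorage();
 }
 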
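Review bot: The two added lines only ever set the flag: `blockThirdPartyStorage()` is called when `thirdPartyStorageBlockingEnabled()` is true at the moment the security context is initialised, and nothing visible clears the flag or re-reads the setting later. A document created before the setting is switched on would therefore appear to keep its storage access, and one created while it was on would stay blocked after it is switched off. If that snapshot behaviour is intended, say so above the check, e.g. `// Snapshot of the setting: documents that already exist are not updated when it changes.` The enclosing function starts and ends outside the hunk, so whether `settings` is null-checked on this path cannot be confirmed from these lines.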
trunk/Source/WebCore/page/DOMWindow.cpp
r125149 r125335 744 744 return 0; 745 745 746 if (!document->securityOrigin()->canAccessLocalStorage( )) {746 if (!document->securityOrigin()->canAccessLocalStorage(document->topDocument()->securityOrigin())) { 747 747 ec = SECURITY_ERR; 748 748 return 0; … … 771 771 return 0; 772 772 773 if (!document->securityOrigin()->canAccessLocalStorage( )) {773 if (!document->securityOrigin()->canAccessLocalStorage(document->topDocument()->securityOrigin())) { 774 774 ec = SECURITY_ERR; 775 775 return 0; -
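Review bot: Both rewritten checks compare the document's origin only with `document->topDocument()->securityOrigin()`, so frames between this document and the top document play no part in the decision. A frame whose origin matches the top document but which is nested inside a third-party frame would presumably still be treated as first-party. If comparing against the top-level origin only is the intended policy, state it at each call, e.g. `// Third-party status is judged against the top document only, not the ancestor chain.` Both enclosing functions start and end outside the hunks, so it cannot be seen here whether a Storage object handed out before blocking took effect is re-checked on later use.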
trunk/Source/WebCore/page/SecurityOrigin.cpp
r120855 r125335 134 134 , m_universalAccess(false) 135 135 , m_domainWasSetInDOM(false) 136 , m_blockThirdPartyStorage(false) 136 137 , m_enforceFilePathSeparation(false) 137 138 , m_needsDatabaseIdentifierQuirkForFiles(false) … … 159 160 , m_domainWasSetInDOM(false) 160 161 , m_canLoadLocalResources(false) 162 , m_blockThirdPartyStorage(false) 161 163 , m_enforceFilePathSeparation(false) 162 164 , m_needsDatabaseIdentifierQuirkForFiles(false) … … 175 177 , m_domainWasSetInDOM(other->m_domainWasSetInDOM) 176 178 , m_canLoadLocalResources(other->m_canLoadLocalResources) 179 , m_blockThirdPartyStorage(other->m_blockThirdPartyStorage) 177 180 , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation) 178 181 , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles) … … 389 392 } 390 393 394 bool SecurityOrigin::canAccessLocalStorage(const SecurityOrigin* topOrigin) const 395 { 396 if (isUnique()) 397 return false; 398 399 if (m_blockThirdPartyStorage && topOrigin->isThirdParty(this)) 400 return false; 401 402 return true; 403 } 404 391 405 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const 392 406 { … … 396 410 return AlwaysDeny; 397 411 return Ask; 412 } 413 414 bool SecurityOrigin::isThirdParty(const SecurityOrigin* child) const 415 { 416 if (child->m_universalAccess) 417 return false; 418 419 if (this == child) 420 return false; 421 422 if (isUnique() || child->isUnique()) 423 return true; 424 425 return !isSameSchemeHostPort(child); 398 426 } 399 427 -
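Review bot: `canAccessLocalStorage` dereferences `topOrigin` without checking it, so a caller that cannot supply a top-level origin crashes rather than being refused. Failing closed would read `if (m_blockThirdPartyStorage && (!topOrigin || topOrigin->isThirdParty(this)))`. In `isThirdParty` the receiver is the top-level origin and the argument is the embedded one, which is easy to invert at a call site. The final test is `isSameSchemeHostPort`, which by its name is an exact origin match rather than a same-site one. Both points, and the `m_universalAccess` early return that exempts such origins from blocking, belong in a comment above the definition, e.g. `// Called on the top-level origin; |child| is the embedded origin. Exact scheme/host/port match; universal-access origins are never third-party.`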
trunk/Source/WebCore/page/SecurityOrigin.h
r119883 r125335 122 122 void grantUniversalAccess(); 123 123 124 void blockThirdPartyStorage() { m_blockThirdPartyStorage = true; } 125 124 126 bool canAccessDatabase() const { return !isUnique(); } 125 bool canAccessLocalStorage( ) const { return !isUnique(); }127 bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const; 126 128 bool canAccessCookies() const { return !isUnique(); } 127 129 bool canAccessPasswordManager() const { return !isUnique(); } … … 190 192 // FIXME: Rename this function to something more semantic. 191 193 bool passesFileCheck(const SecurityOrigin*) const; 194 bool isThirdParty(const SecurityOrigin*) const; 192 195 193 196 String m_protocol; … … 201 204 bool m_domainWasSetInDOM; 202 205 bool m_canLoadLocalResources; 206 bool m_blockThirdPartyStorage; 203 207 bool m_enforceFilePathSeparation; 204 208 bool m_needsDatabaseIdentifierQuirkForFiles; -
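Review bot: Only `canAccessLocalStorage` now takes the top-level origin; `canAccessDatabase()`, `canAccessCookies()` and `canAccessPasswordManager()` on the neighbouring lines still return `!isUnique()`. With the flag set, a third-party frame is refused localStorage and sessionStorage but, as far as this header shows, not database storage. That matches the commit title, but the name `blockThirdPartyStorage` suggests wider coverage. A comment on the setter would make the scope explicit, e.g. `// Affects canAccessLocalStorage() only; canAccessDatabase() and canAccessCookies() do not consult this flag.`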
trunk/Source/WebCore/testing/InternalSettings.cpp
r124372 r125335 621 621 } 622 622 623 } 623 void InternalSettings::setThirdPartyStorageBlockingEnabled(bool enabled, ExceptionCode& ec) 624 { 625 InternalSettingsGuardForSettings(); 626 settings()->setThirdPartyStorageBlockingEnabled(enabled); 627 } 628 629 } -
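Review bot: The new setter changes a page-level setting from test code, but nothing in the visible lines records the previous value or restores it. Unless the harness resets this setting elsewhere, a test that enables blocking could leave it enabled for later tests and make unrelated storage tests fail or pass for the wrong reason. Saving the original value and restoring it on the reset path used for the other settings would keep tests isolated. The `ec` parameter is not referenced in the body as written; presumably `InternalSettingsGuardForSettings()` sets it when `settings()` is unavailable, which is worth confirming against the macro definition outside this hunk.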
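--- a/trunk/Source/WebCore/testing/InternalSettings.h
+++ b/trunk/Source/WebCore/testing/InternalSettings.h
@@ -140,4 +140,5 @@
 String configurationForViewport(float devicePixelRatio, int deviceWidth, int deviceHeight, int availableWidth, int availableHeight, ExceptionCode&);
 void setMemoryInfoEnabled(bool, ExceptionCode&);
+void setThirdPartyStorageBlockingEnabled(bool, ExceptionCode&);
 private:
 explicit InternalSettings(Page*);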
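--- a/trunk/Source/WebCore/testing/InternalSettings.idl
+++ b/trunk/Source/WebCore/testing/InternalSettings.idl
@@ -79,4 +79,5 @@
 #endif
 void setMemoryInfoEnabled(in boolean enabled) raises(DOMException);
+void setThirdPartyStorageBlockingEnabled(in boolean enabled) raises(DOMException);
 };
 }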