Context Navigation

← Previous Changeset
Next Changeset →

Changeset 126785 in webkit

Timestamp:

Aug 27, 2012 1:08:39 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

'self' in a CSP directive should match blob: and filesystem: URLs.
https://bugs.webkit.org/show_bug.cgi?id=94918

Patch by Mike West <mkwst@chromium.org> on 2012-08-27
Reviewed by Adam Barth.

Source/WebCore:

'blob:' and 'filesystem:' URLs are same-origin with the page on which
they were created. Currently, we're using the wrong URL for comparison
when matching against CSP directive source lists. This patch adjusts the
matching logic to compare against the blob's inner URL, rather than
directly against the blob itself.

Tests: http/tests/security/contentSecurityPolicy/blob-urls-match-self.html

http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
http/tests/security/contentSecurityPolicy/source-list-parsing-08.html

page/ContentSecurityPolicy.cpp:

(WebCore::CSPSourceList::matches):

If we should use the inner URL of a given resource, extract it into
a local variable, and pass that into CSPSource for comparison.

page/SecurityOrigin.cpp:

(WebCore::SecurityOrigin::shouldUseInnerURL):
(WebCore::SecurityOrigin::extractInnerURL):

Move shouldUseInnerURL and extractInnerURL to SecurityOrigin's
public signature.

(WebCore::shouldTreatAsUniqueOrigin):
(WebCore::SecurityOrigin::create):
(WebCore::SecurityOrigin::isSecure):

shouldUseInnerURL and extractInnerURL are now static methods of
SecurityOrigin: updating calls to mathc.

page/SecurityOrigin.h:

LayoutTests:

http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Added.
http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Added.
http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt: Added.
http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html: Added.

Test the new functionality.

http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:

(test):

Adding support for data: URLs.

http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt: Added.
http/tests/security/contentSecurityPolicy/source-list-parsing-08.html: Added.

Adding data: URL tests to ensure that grabbing the inner URL of the
URL to test doesn't inadvertently regress that behavior.

platform/efl/Skipped:
platform/mac/Skipped:
platform/qt/Skipped:
platform/win/Skipped:

Skipping filessytem test on ports where it's not enabled.

Location:

trunk

Files:

: 6 added
: 10 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js (modified) (1 diff)
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08.html (added)
LayoutTests/platform/efl/Skipped (modified) (1 diff)
LayoutTests/platform/mac/Skipped (modified) (1 diff)
LayoutTests/platform/qt/Skipped (modified) (1 diff)
LayoutTests/platform/win/Skipped (modified) (1 diff)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (1 diff)
Source/WebCore/page/SecurityOrigin.cpp (modified) (3 diffs)
Source/WebCore/page/SecurityOrigin.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r126782
+                      r126785
+-08-27  Mike West  <mkwst@chromium.org>
+        'self' in a CSP directive should match blob: and filesystem: URLs.
+        https://bugs.webkit.org/show_bug.cgi?id=94918
+        Reviewed by Adam Barth.
+        * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Added.
+        * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html: Added.
+            Test the new functionality.
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+        (test):
+            Adding support for data: URLs.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-08.html: Added.
+            Adding data: URL tests to ensure that grabbing the inner URL of the
+            URL to test doesn't inadvertently regress that behavior.
+        * platform/efl/Skipped:
+        * platform/mac/Skipped:
+        * platform/qt/Skipped:
+        * platform/win/Skipped:
+            Skipping filessytem test on ports where it's not enabled.
 -08-27  Simon Fraser  <simon.fraser@apple.com>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js

-                      r121883
+                      r126785
                  "should_run=" + escape(current[0]) +
                  "&csp=" + escape(current[1]) +
+                 "&q=" + baseURL + escape(current[2]);
+                 "&q=" + (current[2].match(/^data:/) ?
+                     escape(current[2]) :
+                     baseURL + escape(current[2]));
     if (current[3])
       iframe.src += "&nonce=" + escape(current[3]);

trunk/LayoutTests/platform/efl/Skipped

r126192	r126785
1063	1063	# Requires ENABLE(FILE_SYSTEM)
1064	1064	fast/forms/file/input-file-entries.html
	1065	http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
1065	1066
1066	1067	# Transparent image being produced

trunk/LayoutTests/platform/mac/Skipped

r126700	r126785
340	340	http/tests/filesystem
341	341	http/tests/inspector/filesystem
	342	http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
342	343	http/tests/security/filesystem-iframe-from-remote.html
343	344	http/tests/security/mixedContent/filesystem-url-in-iframe.html

trunk/LayoutTests/platform/qt/Skipped

r126753	r126785
119	119	http/tests/filesystem
120	120	http/tests/inspector/filesystem
	121	http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
121	122	http/tests/security/filesystem-iframe-from-remote.html
122	123	http/tests/security/mixedContent/filesystem-url-in-iframe.html

trunk/LayoutTests/platform/win/Skipped

r126684	r126785
1301	1301	http/tests/filesystem
1302	1302	http/tests/inspector/filesystem
	1303	http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
1303	1304	http/tests/security/filesystem-iframe-from-remote.html
1304	1305	http/tests/websocket/tests/hybi/send-file-blob.html

trunk/Source/WebCore/ChangeLog

-                      r126783
+                      r126785
+-08-27  Mike West  <mkwst@chromium.org>
+        'self' in a CSP directive should match blob: and filesystem: URLs.
+        https://bugs.webkit.org/show_bug.cgi?id=94918
+        Reviewed by Adam Barth.
+        'blob:' and 'filesystem:' URLs are same-origin with the page on which
+        they were created. Currently, we're using the wrong URL for comparison
+        when matching against CSP directive source lists. This patch adjusts the
+        matching logic to compare against the blob's inner URL, rather than
+        directly against the blob itself.
+        Tests: http/tests/security/contentSecurityPolicy/blob-urls-match-self.html
+               http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
+               http/tests/security/contentSecurityPolicy/source-list-parsing-08.html
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSourceList::matches):
+            If we should use the inner URL of a given resource, extract it into
+            a local variable, and pass that into CSPSource for comparison.
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::shouldUseInnerURL):
+        (WebCore::SecurityOrigin::extractInnerURL):
+            Move shouldUseInnerURL and extractInnerURL to SecurityOrigin's
+            public signature.
+        (WebCore::shouldTreatAsUniqueOrigin):
+        (WebCore::SecurityOrigin::create):
+        (WebCore::SecurityOrigin::isSecure):
+            shouldUseInnerURL and extractInnerURL are now static methods of
+            SecurityOrigin: updating calls to mathc.
+        * page/SecurityOrigin.h:
 -08-27  Kevin Funk  <kevin.funk@kdab.com>

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

-                      r126488
+                      r126785
         return true;
+    KURL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
     for (size_t i = 0; i < m_list.size(); ++i) {
         if (m_list[i].matches(url))
+        if (m_list[i].matches(effectiveURL))
             return true;
+    }

trunk/Source/WebCore/page/SecurityOrigin.cpp

-                      r126365
+                      r126785
+}
+// Some URL schemes use nested URLs for their security context. For example,
+// filesystem URLs look like the following:
+//
+//   filesystem:http://example.com/temporary/path/to/file.png
+//
+// We're supposed to use "http://example.com" as the origin.
+//
+// Generally, we add URL schemes to this list when WebKit support them. For
+// example, we don't include the "jar" scheme, even though Firefox understands
+// that jar uses an inner URL for it's security origin.
+//
+static bool shouldUseInnerURL(const KURL& url)
+bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
+{
 #if ENABLE(BLOB)
 …
 // that all the URL schemes we currently support that use inner URLs for their
 // security origin can be parsed using this algorithm.
 static KURL extractInnerURL(const KURL& url)
+KURL SecurityOrigin::extractInnerURL(const KURL& url)
+{
     if (url.innerURL())
 …
     // FIXME: Do we need to unwrap the URL further?
     KURL innerURL = shouldUseInnerURL(url) ? extractInnerURL(url) : url;
+    KURL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
     // FIXME: Check whether innerURL is valid.

trunk/Source/WebCore/page/SecurityOrigin.h

-                      r126365
+                      r126785
     static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
+    // Some URL schemes use nested URLs for their security context. For example,
+    // filesystem URLs look like the following:
+    //
+    //   filesystem:http://example.com/temporary/path/to/file.png
+    //
+    // We're supposed to use "http://example.com" as the origin.
+    //
+    // Generally, we add URL schemes to this list when WebKit support them. For
+    // example, we don't include the "jar" scheme, even though Firefox
+    // understands that "jar" uses an inner URL for it's security origin.
+    static bool shouldUseInnerURL(const KURL&);
+    static KURL extractInnerURL(const KURL&);
     // Create a deep copy of this SecurityOrigin. This method is useful
     // when marshalling a SecurityOrigin to another thread.

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 126785 in webkit

Legend:

Download in other formats: