Changeset 149326 in webkit


Timestamp:
Apr 29, 2013 3:44:35 PM (11 years ago)
Author:
jpfau@apple.com
Message:

Change approach to third-party blocking for LocalStorage
https://bugs.webkit.org/show_bug.cgi?id=115004

Reviewed by Maciej Stachowiak.

Source/WebCore:

Instead of outright blocking LocalStorage that's used in a third-party
context, silently partition it based on the origin of the top context.
These partitions are then discarded when the page group is unloaded.

No new tests; modified existing tests to account for changes.

  • page/DOMWindow.cpp:

(WebCore::DOMWindow::localStorage):

  • page/PageGroup.cpp:

(WebCore::PageGroup::localStorage):
(WebCore):
(WebCore::PageGroup::transientLocalStorage):

  • page/PageGroup.h:

(PageGroup):

  • page/SecurityOrigin.cpp:

(WebCore::SecurityOrigin::canAccessStorage):

LayoutTests:

  • http/tests/security/cross-origin-local-storage-allowed-expected.txt:
  • http/tests/security/cross-origin-local-storage-allowed.html:
  • http/tests/security/cross-origin-local-storage-expected.txt:
  • http/tests/security/cross-origin-local-storage-wk1.html:
  • http/tests/security/cross-origin-local-storage-wk1-expected.txt:
  • http/tests/security/cross-origin-local-storage.html:
  • http/tests/security/resources/cross-origin-iframe-for-local-storage.html:
  • http/tests/security/resources/load-local-storage.html: Added.
  • platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
  • platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
Location:
trunk
Files:
1 added
15 edited

  • trunk/LayoutTests/ChangeLog

    r149322 r149326  
     12013-04-22  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Change approach to third-party blocking for LocalStorage
     4        https://bugs.webkit.org/show_bug.cgi?id=115004
     5
     6        Reviewed by Maciej Stachowiak.
     7
     8        * http/tests/security/cross-origin-local-storage-allowed-expected.txt:
     9        * http/tests/security/cross-origin-local-storage-allowed.html:
     10        * http/tests/security/cross-origin-local-storage-expected.txt:
     11        * http/tests/security/cross-origin-local-storage-wk1.html:
     12        * http/tests/security/cross-origin-local-storage-wk1-expected.txt:
     13        * http/tests/security/cross-origin-local-storage.html:
     14        * http/tests/security/resources/cross-origin-iframe-for-local-storage.html:
     15        * http/tests/security/resources/load-local-storage.html: Added.
     16        * platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
     17        * platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
     18
    1192013-04-29  Yi Shen  <max.hong.shen@gmail.com>
    220
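Review bot: The new entry is dated 2013-04-22 but is placed above the 2013-04-29 entry in a changeset timestamped Apr 29, 2013, so the ChangeLog is no longer in date order. Update the entry date to the landing date.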
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed-expected.txt

    r125335 r149326  
    1 This iframe should not return any errors:
    2 
    3 
    4 This iframe should not return any errors:
    5 
    6 
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame0-->-->'
    10 --------
    11 No exception
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame1-->-->'
    15 --------
    16 No exception
     1Got value: value
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed.html

    r125335 r149326  
    44if (window.testRunner) {
    55        testRunner.dumpAsText();
    6         testRunner.dumpChildFramesAsText();
     6        testRunner.waitUntilDone();
     7        internals.settings.setStorageBlockingPolicy('AllowAll');
     8}
     9
     10function continueTest() {
     11        window.location.href = 'http://localhost:8000/security/resources/load-local-storage.html';
    712}
    813</script>
    914</head>
    1015<body>
    11 <p>This iframe should not return any errors:</p>
    12 <iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html"></iframe>
    13 <p>This iframe should not return any errors:</p>
    14 <iframe src="http://127.0.0.1:8000/security/resources/cross-origin-iframe-for-local-storage.html"></iframe>
     16<iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="continueTest()"></iframe>
    1517</body>
    1618</html>
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage-expected.txt

    r135162 r149326  
    1 This iframe should return a security error:
    2 
    3 
    4 This iframe should not return any errors:
    5 
    6 
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame0-->-->'
    10 --------
    11 SecurityError
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame1-->-->'
    15 --------
    16 No exception
     1No value
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1-expected.txt

    r129567 r149326  
    1 This iframe should return a security error:
    2 
    3 
    4 This iframe should not return any errors:
    5 
    6 
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame0-->-->'
    10 --------
    11 No exception
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame1-->-->'
    15 --------
    16 No exception
     1Got value: value
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1.html

    r129567 r149326  
    22<head>
    33<script>
    4 var frames = 2;
    54if (window.testRunner) {
    65        testRunner.dumpAsText();
    7         testRunner.dumpChildFramesAsText();
     6        testRunner.waitUntilDone();
    87        testRunner.overridePreference('WebKitStorageBlockingPolicy', 1);
    98}
    109
    11 function decrement() {
    12         --frames;
    13         if (!frames && window.testRunner)
    14                 testRunner.overridePreference('WebKitStorageBlockingPolicy', 0);
     10function continueTest() {
     11        window.location.href = 'http://localhost:8000/security/resources/load-local-storage.html';
    1512}
    1613</script>
    1714</head>
    1815<body>
    19 <p>This iframe should return a security error:</p>
    20 <iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="decrement()"></iframe>
    21 <p>This iframe should not return any errors:</p>
    22 <iframe src="http://127.0.0.1:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="decrement()"></iframe>
     16<iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="continueTest()"></iframe>
    2317</body>
    2418</html>
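Review bot: With decrement() removed, nothing in this file sets 'WebKitStorageBlockingPolicy' back to 0 after `testRunner.overridePreference('WebKitStorageBlockingPolicy', 1)`. The test now finishes in load-local-storage.html after a top-level navigation, so either restore the preference there or add a comment stating that the harness resets it between tests; otherwise the blocking policy can leak into the next test.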
  • trunk/LayoutTests/http/tests/security/cross-origin-local-storage.html

    r127956 r149326  
    22<head>
    33<script>
    4 var frames = 2;
    54if (window.testRunner) {
    65        testRunner.dumpAsText();
    7         testRunner.dumpChildFramesAsText();
     6        testRunner.waitUntilDone();
    87        internals.settings.setStorageBlockingPolicy('BlockThirdParty');
    98}
    109
    11 function decrement() {
    12         --frames;
    13         if (!frames && window.testRunner)
    14                 internals.settings.setStorageBlockingPolicy('AllowAll');
     10function continueTest() {
     11        window.location.href = 'http://localhost:8000/security/resources/load-local-storage.html';
    1512}
    1613</script>
    1714</head>
    1815<body>
    19 <p>This iframe should return a security error:</p>
    20 <iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="decrement()"></iframe>
    21 <p>This iframe should not return any errors:</p>
    22 <iframe src="http://127.0.0.1:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="decrement()"></iframe>
     16<iframe src="http://localhost:8000/security/resources/cross-origin-iframe-for-local-storage.html" onload="continueTest()"></iframe>
    2317</body>
    2418</html>
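Review bot: Dropping the 127.0.0.1 iframe removes the only case in this test that was expected to succeed under 'BlockThirdParty', so only the third-party path (localhost framed, then loaded as the top-level document) is exercised. Keep a first-party assertion as well, so that a regression which routes first-party access into the transient partition would be caught.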
  • trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-local-storage.html

    r125335 r149326  
    44try {
    55        var c = window.localStorage;
     6        c['test'] = 'value';
    67        document.write('No exception');
    78} catch (exception) {
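Review bot: `c['test'] = 'value';` writes a key that this file never removes. In the 'AllowAll' variant the write goes to the regular area for localhost:8000, so unless the harness clears storage between tests a leftover value can make the 'BlockThirdParty' variant read 'Got value: value', or let the 'AllowAll' variant pass without this run's write being visible. Clear the key before the write, or after load-local-storage.html has read it.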
  • trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt

    r143779 r149326  
    1 This iframe should return a security error:
    2 
    3 
    4 This iframe should not return any errors:
    5 
    6 
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame0-->-->'
    10 --------
    11 No exception
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame1-->-->'
    15 --------
    16 No exception
     1Got value: value
  • trunk/LayoutTests/platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt

    r135162 r149326  
    1 This iframe should return a security error:
    2 
    3 
    4 This iframe should not return any errors:
    5 
    6 
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame0-->-->'
    10 --------
    11 SecurityError
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame1-->-->'
    15 --------
    16 No exception
     1No value
  • trunk/Source/WebCore/ChangeLog

    r149322 r149326  
     12013-04-22  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Change approach to third-party blocking for LocalStorage
     4        https://bugs.webkit.org/show_bug.cgi?id=115004
     5
     6        Reviewed by Maciej Stachowiak.
     7
     8        Instead of outright blocking LocalStorage that's used in a third-party
     9        context, silently partition it based on the origin of the top context.
     10        These partitions are then discarded when the page group is unloaded.
     11
     12        No new tests; modified existing tests to account for changes.
     13
     14        * page/DOMWindow.cpp:
     15        (WebCore::DOMWindow::localStorage):
     16        * page/PageGroup.cpp:
     17        (WebCore::PageGroup::localStorage):
     18        (WebCore):
     19        (WebCore::PageGroup::transientLocalStorage):
     20        * page/PageGroup.h:
     21        (PageGroup):
     22        * page/SecurityOrigin.cpp:
     23        (WebCore::SecurityOrigin::canAccessStorage):
     24
    1252013-04-29  Yi Shen  <max.hong.shen@gmail.com>
    226
  • trunk/Source/WebCore/page/DOMWindow.cpp

    r148545 r149326  
    792792        return 0;
    793793
    794     if (!document->securityOrigin()->canAccessLocalStorage(document->topOrigin())) {
     794    if (!document->securityOrigin()->canAccessLocalStorage(0)) {
    795795        ec = SECURITY_ERR;
    796796        return 0;
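Review bot: `canAccessLocalStorage(0)` on new line 794 passes a bare null for the top origin, which hides that this call is now only meant to ask whether the frame's own origin blocks all storage. Use a named predicate, or at least a comment at the call site saying that the top origin is deliberately ignored here and is evaluated again before the storage area is chosen.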
     
    812812        return 0;
    813813
    814     RefPtr<StorageArea> storageArea = page->group().localStorage()->storageArea(document->securityOrigin());
     814    RefPtr<StorageArea> storageArea;
     815    if (!document->securityOrigin()->canAccessLocalStorage(document->topOrigin()))
     816        storageArea = page->group().transientLocalStorage(document->topOrigin())->storageArea(document->securityOrigin());
     817    else
     818        storageArea = page->group().localStorage()->storageArea(document->securityOrigin());
     819
    815820    if (!storageArea->canAccessStorage(m_frame)) {
    816821        ec = SECURITY_ERR;
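Review bot: The `!canAccessLocalStorage(document->topOrigin())` test on new line 815 is used to mean "this is a third-party context", but the SecurityOrigin.cpp part of this change still returns false when `topOrigin->m_storageBlockingPolicy == BlockAllStorage`. If canAccessLocalStorage forwards to canAccessStorage, a frame under a top origin that blocks all storage now gets a transient area where it previously got SECURITY_ERR. Check the block-all case explicitly before selecting the transient namespace, or confirm that the two origins can never carry different policies and assert it.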
  • trunk/Source/WebCore/page/PageGroup.cpp

    r148683 r149326  
    264264}
    265265
     266StorageNamespace* PageGroup::transientLocalStorage(const SecurityOrigin* topOrigin)
     267{
     268    String topOriginString = topOrigin->toString();
     269    if (!m_transientLocalStorage.get(topOriginString))
     270        m_transientLocalStorage.set(topOriginString, StorageNamespace::sessionStorageNamespace(*this->pages().begin()));
     271
     272    return m_transientLocalStorage.get(topOriginString).get();
     273}
     274
    266275void PageGroup::addUserScriptToWorld(DOMWrapperWorld* world, const String& source, const KURL& url,
    267276                                     const Vector<String>& whitelist, const Vector<String>& blacklist,
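Review bot: `*this->pages().begin()` on new line 270 is dereferenced with no check that the group still has a page. Add an ASSERT that pages() is not empty, or take the Page from the caller, which already holds one in DOMWindow::localStorage. The get/set/get sequence also hashes topOriginString three times; a single lookup that fills the slot when it is new would do.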
  • trunk/Source/WebCore/page/PageGroup.h

    r145826 r149326  
    8888        bool hasLocalStorage() { return m_localStorage; }
    8989
     90        StorageNamespace* transientLocalStorage(const SecurityOrigin* topOrigin);
     91
    9092        void addUserScriptToWorld(DOMWrapperWorld*, const String& source, const KURL&,
    9193                                  const Vector<String>& whitelist, const Vector<String>& blacklist,
     
    129131        unsigned m_identifier;
    130132        RefPtr<StorageNamespace> m_localStorage;
     133        HashMap<String, RefPtr<StorageNamespace> > m_transientLocalStorage;
    131134
    132135        OwnPtr<UserScriptMap> m_userScripts;
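Review bot: `m_transientLocalStorage` on new line 133 needs a comment saying that it is keyed by the top origin's toString() and that entries live until the PageGroup goes away. Nothing in this change removes an entry, so a long-lived group accumulates one namespace per top origin under which third-party storage was requested. Say whether that is intended, or drop the entry when the last page for that top origin is gone.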
  • trunk/Source/WebCore/page/SecurityOrigin.cpp

    r147671 r149326  
    389389        return false;
    390390
     391    if (m_storageBlockingPolicy == BlockAllStorage)
     392        return false;
     393
    391394    // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null.
    392395    if (!topOrigin)
    393396        return true;
    394397
    395     if (m_storageBlockingPolicy == BlockAllStorage || topOrigin->m_storageBlockingPolicy == BlockAllStorage)
     398    if (topOrigin->m_storageBlockingPolicy == BlockAllStorage)
    396399        return false;
    397400
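Review bot: The FIXME kept above `if (!topOrigin)` says the null check should become an ASSERT, but DOMWindow.cpp in this same change now calls canAccessLocalStorage(0) on purpose, so following the FIXME would break that caller. Update or remove the comment and state that a null topOrigin means "check only this origin's policy".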