Changeset 194209 in webkit

Timestamp:

Dec 16, 2015 9:53:40 PM (8 years ago)

Author:

aestes@apple.com

Message:

[iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox
​https://bugs.webkit.org/show_bug.cgi?id=152375
<rdar://problem/22020902>

Reviewed by Darin Adler.

Source/WebCore:

Tests: http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html

http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::canRequest): Moved handling of CachedResource::MainResource to canRequestInContentDispositionAttachmentSandbox().
(WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox): In addition to handling CachedResource::MainResource,
added handling for CachedResource::CSSStyleSheet. Added a FIXME asking whether we should handle other types of resources, too.

• loader/cache/CachedResourceLoader.h:

LayoutTests:

• http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt: Added.
• http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html: Added.
• http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt:
• http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt: Added.
• http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html: Added.
• http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php: Added.
• http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php: Added.
• http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php: Added.
• http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt: Added.
• http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt (added)
• LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-16  Andy Estes  <aestes@apple.com>
+
+        [iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=152375
+        <rdar://problem/22020902>
+
+        Reviewed by Darin Adler.
+
+        * http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt:
+        * http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php: Added.
+        * http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt: Added.
+        * http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html: Added.
+
 2015-12-16  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL data:text/html,FAIL from document with Content-Disposition: attachment at URL http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php.
 This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-12-16  Andy Estes  <aestes@apple.com>
+
+        [iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=152375
+        <rdar://problem/22020902>
+
+        Reviewed by Darin Adler.
+
+        Tests: http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html
+               http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
+               http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest): Moved handling of CachedResource::MainResource to canRequestInContentDispositionAttachmentSandbox().
+        (WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox): In addition to handling CachedResource::MainResource,
+        added handling for CachedResource::CSSStyleSheet. Added a FIXME asking whether we should handle other types of resources, too.
+        * loader/cache/CachedResourceLoader.h:
+
 2015-12-16  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -375 +375 @@
     switch (type) {
     case CachedResource::MainResource:
-        if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
-            if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
-                printAccessDeniedMessage(url);
-                return false;
-            }
-        }
-        FALLTHROUGH;
     case CachedResource::ImageResource:
     case CachedResource::CSSStyleSheet:
@@ -464 +457 @@
     }
 
+    if (!canRequestInContentDispositionAttachmentSandbox(type, url))
+        return false;
+
     // Last of all, check for insecure content. We do this last so that when
     // folks block insecure content with a CSP policy, they don't get a warning.
@@ -473 +469 @@
 
     return true;
+}
+
+bool CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox(CachedResource::Type type, const URL& url) const
+{
+    Document* document;
+    
+    // FIXME: Do we want to expand this to all resource types that the mixed content checker would consider active content?
+    switch (type) {
+    case CachedResource::MainResource:
+        if (auto ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+            document = &ownerElement->document();
+            break;
+        }
+        return true;
+    case CachedResource::CSSStyleSheet:
+        document = m_document;
+        break;
+    default:
+        return true;
+    }
+
+    if (!document->shouldEnforceContentDispositionAttachmentSandbox() || document->securityOrigin()->canRequest(url))
+        return true;
+
+    String message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + " from document with Content-Disposition: attachment at URL " + document->url().stringCenterEllipsizedToLength() + ".";
+    document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
+    return false;
 }
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.h

@@ -158 +158 @@
     bool clientDefersImage(const URL&) const;
     void reloadImagesIfNotDeferred();
+
+    bool canRequestInContentDispositionAttachmentSandbox(CachedResource::Type, const URL&) const;
     
     HashSet<String> m_validatedURLs;