Changeset 198395 in webkit

Timestamp:

Mar 18, 2016 4:17:09 AM (8 years ago)

Author:

youenn.fablet@crf.canon.fr

Message:

crossorigin element resource loading should check HTTP redirection
​https://bugs.webkit.org/show_bug.cgi?id=130578

Reviewed by Daniel Bates and Brent Fulgham.

Source/WebCore:

Moved part of DocumentThreadableLoader redirection cross origin control code
into functions in CrossOriginAccessControl.cpp. Added cross origin control for
redirections in SubResourceLoader when policy is set to PotentiallyCrossOriginEnabled
using CrossOriginAccessControl.cpp new functions. Added a new test that checks that
cross-origin redirections are checked against CORS.

Test: http/tests/security/shape-image-cors-redirect.html

• loader/CrossOriginAccessControl.cpp:

(WebCore::isValidCrossOriginRedirectionURL): Returns true if the redirected URL is a valid URL for cross-origin requests.
(WebCore::cleanRedirectedRequestForAccessControl): Removes all headers added by the network backend that may cause the response CORS validation to fail.

• loader/CrossOriginAccessControl.h: Added above function prototypes.
• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::redirectReceived): Used new CORS redirection methods of CrossOriginAccessControl.cpp.

• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::init): Initialize the SecurityOrigin to be used for loading the resource.
(WebCore::SubresourceLoader::willSendRequest): Added cross-origin redirection response check.
(WebCore::SubresourceLoader::checkCrossOriginAccessControl): Checks CORS and update request if needed. Returns true if control checks passed.

• loader/SubresourceLoader.h: Added checkCrossOriginAccessControl declaration and m_origin declaration.

LayoutTests:

shape-image-cors-redirect.html checks that cross-origin redirections are checked against CORS.
It also checks that same-origin redirections are not checked against CORS.

• http/tests/security/resources/redirect-allow-star.php: Added.
• http/tests/security/shape-image-cors-redirect-expected.html: Added.
• http/tests/security/shape-image-cors-redirect.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/http/tests/security/resources/redirect-allow-star.php (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html (added)
• LayoutTests/http/tests/security/shape-image-cors-redirect.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (2 diffs)
• Source/WebCore/loader/CrossOriginAccessControl.h (modified) (2 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (4 diffs)
• Source/WebCore/loader/SubresourceLoader.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-03-18  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        crossorigin element resource loading should check HTTP redirection
+        https://bugs.webkit.org/show_bug.cgi?id=130578
+
+        Reviewed by Daniel Bates and Brent Fulgham.
+
+        shape-image-cors-redirect.html checks that cross-origin redirections are checked against CORS.
+        It also checks that same-origin redirections are not checked against CORS.
+
+        * http/tests/security/resources/redirect-allow-star.php: Added.
+        * http/tests/security/shape-image-cors-redirect-expected.html: Added.
+        * http/tests/security/shape-image-cors-redirect.html: Added.
+
 2016-03-18  Youenn Fablet  <youenn.fablet@crf.canon.fr>
 

trunk/LayoutTests/TestExpectations

@@ -806 +806 @@
 webkit.org/b/52185 fast/css/vertical-align-baseline-rowspan-010.html [ ImageOnlyFailure ]
 
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-1.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-2.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-3.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-4.html [ Pass Failure ]
+
 # Content Security Policy failures
 webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-03-18  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        crossorigin element resource loading should check HTTP redirection
+        https://bugs.webkit.org/show_bug.cgi?id=130578
+
+        Reviewed by Daniel Bates and Brent Fulgham.
+
+        Moved part of DocumentThreadableLoader redirection cross origin control code
+        into functions in CrossOriginAccessControl.cpp. Added cross origin control for
+        redirections in SubResourceLoader when policy is set to PotentiallyCrossOriginEnabled 
+        using CrossOriginAccessControl.cpp new functions. Added a new test that checks that 
+        cross-origin redirections are checked against CORS.
+
+        Test: http/tests/security/shape-image-cors-redirect.html
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::isValidCrossOriginRedirectionURL): Returns true if the redirected URL is a valid URL for cross-origin requests.
+        (WebCore::cleanRedirectedRequestForAccessControl): Removes all headers added by the network backend that may cause the response CORS validation to fail.
+        * loader/CrossOriginAccessControl.h: Added above function prototypes.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Used new CORS redirection methods of CrossOriginAccessControl.cpp.
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::init): Initialize the SecurityOrigin to be used for loading the resource.
+        (WebCore::SubresourceLoader::willSendRequest): Added cross-origin redirection response check.
+        (WebCore::SubresourceLoader::checkCrossOriginAccessControl): Checks CORS and update request if needed. Returns true if control checks passed.
+        * loader/SubresourceLoader.h: Added checkCrossOriginAccessControl declaration and m_origin declaration.
+
 2016-03-18  Darin Adler  <darin@apple.com>
 

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -32 +32 @@
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
+#include "SchemeRegistry.h"
 #include "SecurityOrigin.h"
 #include <mutex>
@@ -134 +135 @@
 }
 
+bool isValidCrossOriginRedirectionURL(const URL& redirectURL)
+{
+    return SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(redirectURL.protocol())
+        && redirectURL.user().isEmpty()
+        && redirectURL.pass().isEmpty();
+}
+
+void cleanRedirectedRequestForAccessControl(ResourceRequest& request)
+{
+    // Remove headers that may have been added by the network layer that cause access control to fail.
+    request.clearHTTPContentType();
+    request.clearHTTPReferrer();
+    request.clearHTTPOrigin();
+    request.clearHTTPUserAgent();
+    request.clearHTTPAccept();
+    request.clearHTTPAcceptEncoding();
+}
+
 bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
 {

trunk/Source/WebCore/loader/CrossOriginAccessControl.h

@@ -42 +42 @@
 class ResourceResponse;
 class SecurityOrigin;
+class URL;
 
 bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
@@ -51 +52 @@
 ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*);
 
+bool isValidCrossOriginRedirectionURL(const URL&);
+void cleanRedirectedRequestForAccessControl(ResourceRequest&);
+
 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
 void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -209 +209 @@
         if (m_simpleRequest) {
             String accessControlErrorDescription;
-            allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
-                            && request.url().user().isEmpty()
-                            && request.url().pass().isEmpty()
+            allowRedirect = isValidCrossOriginRedirectionURL(request.url())
                             && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription));
         }
@@ -234 +232 @@
                 m_options.setAllowCredentials(DoNotAllowStoredCredentials);
 
-            // Remove any headers that may have been added by the network layer that cause access control to fail.
-            request.clearHTTPContentType();
-            request.clearHTTPReferrer();
-            request.clearHTTPOrigin();
-            request.clearHTTPUserAgent();
-            request.clearHTTPAccept();
-            request.clearHTTPAcceptEncoding();
+            cleanRedirectedRequestForAccessControl(request);
+
             makeCrossOriginAccessRequest(request);
             return;

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -31 +31 @@
 
 #include "CachedResourceLoader.h"
+#include "CrossOriginAccessControl.h"
 #include "DiagnosticLoggingClient.h"
 #include "DiagnosticLoggingKeys.h"
@@ -147 +148 @@
     m_state = Initialized;
     m_documentLoader->addSubresourceLoader(this);
+
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=155633.
+    // SubresourceLoader could use the document origin as a default and set PotentiallyCrossOriginEnabled requests accordingly.
+    // This would simplify resource loader users as they would only need to set the policy to PotentiallyCrossOriginEnabled.
+    if (options().requestOriginPolicy() == PotentiallyCrossOriginEnabled)
+        m_origin = SecurityOrigin::createFromString(request.httpOrigin());
+
     return true;
 }
@@ -183 +191 @@
             return;
         }
+
+        if (options().requestOriginPolicy() == PotentiallyCrossOriginEnabled && !checkCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
+            cancel();
+            return;
+        }
+
         if (m_resource->isImage() && m_documentLoader->cachedResourceLoader().shouldDeferImageLoad(newRequest.url())) {
             cancel();
@@ -371 +385 @@
 }
 
+bool SubresourceLoader::checkCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
+{
+    if (m_origin->canRequest(newRequest.url()))
+        return true;
+
+    String errorDescription;
+    bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
+        || passesAccessControlCheck(redirectResponse, options().allowCredentials(), m_origin.get(), errorDescription);
+    if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
+        if (m_frame && m_frame->document()) {
+            String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
+                (!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials.");
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
+        }
+        return false;
+    }
+
+    // If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
+    m_origin = SecurityOrigin::createUnique();
+    cleanRedirectedRequestForAccessControl(newRequest);
+    updateRequestForAccessControl(newRequest, m_origin.get(), options().allowCredentials());
+
+    return true;
+}
+
 void SubresourceLoader::didFinishLoading(double finishTime)
 {

trunk/Source/WebCore/loader/SubresourceLoader.h

@@ -41 +41 @@
 class Document;
 class ResourceRequest;
+class SecurityOrigin;
 
 class SubresourceLoader final : public ResourceLoader {
@@ -92 +93 @@
 
     bool checkForHTTPStatusCodeError();
+    bool checkCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
 
     void didReceiveDataOrBuffer(const char*, int, PassRefPtr<SharedBuffer>, long long encodedDataLength, DataPayloadType);
@@ -125 +127 @@
     SubresourceLoaderState m_state;
     std::unique_ptr<RequestCountTracker> m_requestCountTracker;
+    RefPtr<SecurityOrigin> m_origin;
 };