Changeset 199221 in webkit

Timestamp:

Apr 8, 2016 12:17:50 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

CSP: Block XHR when calling XMLHttpRequest.send() and throw network error.
​https://bugs.webkit.org/show_bug.cgi?id=153598
<rdar://problem/24391483>

Patch by John Wilander <​wilander@apple.com> on 2016-04-08
Reviewed by Darin Adler.

Source/WebCore:

No new tests. Changes to existing tests are sufficient.

• xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::open):
(WebCore::XMLHttpRequest::initSend):

Moved the CSP check from XMLHttpRequest::open() to XMLHttpRequest::initSend().
Changed the thrown error type from Security to Network for synchronous requests.
Changed from throwing an error to firing an error event for asynchronous requests.
These changes are in conformance with connect-src of Content Security Policy Level 2.
​https://www.w3.org/TR/CSP2/#directive-connect-src (W3C Candidate Recommendation, 21 July 2015)

LayoutTests:

• fast/workers/resources/worker-inherits-csp-blocks-xhr.js:

(catch):

• fast/workers/worker-inherits-csp-blocks-xhr-expected.txt:

Changed expected error from DOMException.SECURITY_ERR to DOMException.NETWORK_ERR.

• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:

Now tests that XMLHttpRequest.send() is blocked if the URL voilates the connect-src directive in CSP.

• http/tests/security/contentSecurityPolicy/resources/worker.php:

Added two additional calls to XMLHttpRequest.send() and switched to receiving an error event to make
existing tests work with code changes.

• http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:

Added an additional call to XMLHttpRequest.send() and switched to receiving an error event to make
existing test work with code changes.

• http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt:
• http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html:

Added an additional call to XMLHttpRequest.send() and switched to receiving an error event to make
existing tests work with code changes.
Refactored test mechnism with additional parameters to cover synchronous/asynchronous as well as
same-origin/cross-origin in isolated worlds.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js (modified) (1 diff)
• LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.php (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html (modified) (1 diff)
• LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-04-08  John Wilander  <wilander@apple.com>
+
+        CSP: Block XHR when calling XMLHttpRequest.send() and throw network error.
+        https://bugs.webkit.org/show_bug.cgi?id=153598
+        <rdar://problem/24391483>
+
+        Reviewed by Darin Adler.
+
+        * fast/workers/resources/worker-inherits-csp-blocks-xhr.js:
+        (catch):
+        * fast/workers/worker-inherits-csp-blocks-xhr-expected.txt:
+            Changed expected error from DOMException.SECURITY_ERR to DOMException.NETWORK_ERR.
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
+            Now tests that XMLHttpRequest.send() is blocked if the URL voilates the connect-src directive in CSP.
+        * http/tests/security/contentSecurityPolicy/resources/worker.php:
+            Added two additional calls to XMLHttpRequest.send() and switched to receiving an error event to make
+            existing tests work with code changes.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
+            Added an additional call to XMLHttpRequest.send() and switched to receiving an error event to make 
+            existing test work with code changes.
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt:
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html:
+            Added an additional call to XMLHttpRequest.send() and switched to receiving an error event to make 
+            existing tests work with code changes.
+            Refactored test mechnism with additional parameters to cover synchronous/asynchronous as well as 
+            same-origin/cross-origin in isolated worlds.
+
 2016-04-07  Darin Adler  <darin@apple.com>
 

trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js

@@ -8 +8 @@
     exception = e;
 }
-// FIXME: We should be throwing a DOMException.NETWORK_ERR. See <https://bugs.webkit.org/show_bug.cgi?id=153598>.
-var expectedExceptionCode = 18; // DOMException.SECURITY_ERR
+
+var expectedExceptionCode = 19; // DOMException.NETWORK_ERR
 if (!exception)
     self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");

trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt

@@ -2 +2 @@
 This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from making an XHR request because the parent's CSP contains "connect-src 'none'"
 
-PASS threw exception Error: SecurityError: DOM Exception 18.
+PASS threw exception Error: NetworkError: DOM Exception 19.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Refused to connect to http://localhost:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
-Pass
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/xmlhttprequest/resources/get.txt because it does not appear in the connect-src directive of the Content Security Policy.
+This tests that a Content Security Policy violation for an XHR is triggered when calling XMLHttpRequest.send().
 
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS xhrSync.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", false) did not throw exception.
+PASS xhrSync.send() threw exception Error: NetworkError: DOM Exception 19.
+PASS xhrAsync.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true) did not throw exception.
+PASS xhrAsync.send() did not throw exception.
+PASS xhrAsyncAbort.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true) did not throw exception.
+PASS xhrAsyncAbort.send();xhrAsyncAbort.abort();  did not throw exception.
+PASS An error event was received for the asynchronous call.
+PASS An error event was received for the aborted asynchronous call.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html

@@ -3 +3 @@
 <head>
 <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
-<script>
-if (window.testRunner)
-    testRunner.dumpAsText();
-</script>
+<script src="../../../resources/js-test-pre.js"></script>
 </head>
 <body>
-<pre id="console"></pre>
 <script>
-function log(msg)
-{
-    document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
-}
+description("This tests that a Content Security Policy violation for an XHR is triggered when calling XMLHttpRequest.send().");
 
-try {
-    var xhr = new XMLHttpRequest;
-    xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true); 
-    log("Fail");
-} catch(e) {
-    log("Pass");
-}
+jsTestIsAsync = true;
+
+var xhrSync = new XMLHttpRequest;
+xhrSync.addEventListener("error", function () {
+    debug("FAIL An error event should not have been received.");
+});
+
+var xhrAsync = new XMLHttpRequest;
+xhrAsync.addEventListener("error", function () {
+    debug("PASS An error event was received for the asynchronous call.");
+});
+
+var xhrAsyncAbort = new XMLHttpRequest;
+xhrAsyncAbort.addEventListener("error", function () {
+    debug("PASS An error event was received for the aborted asynchronous call.");
+    finishJSTest();
+});
+
+shouldNotThrow('xhrSync.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", false)'); // Synchronous request
+shouldThrow("xhrSync.send()", "'Error: NetworkError: DOM Exception 19'");
+
+shouldNotThrow('xhrAsync.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true)'); // Asynchronous request
+shouldNotThrow("xhrAsync.send()");
+
+shouldNotThrow('xhrAsyncAbort.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true)'); // Asynchronous request
+shouldNotThrow("xhrAsyncAbort.send();xhrAsyncAbort.abort(); ");
 
 </script>
+<script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker.php

@@ -59 +59 @@
 ?>
 
-try {
-    var xhr = new XMLHttpRequest;
-    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+var xhr = new XMLHttpRequest;
+xhr.addEventListener("load", function () {
     postMessage("xhr allowed");
-} catch(e) {
+});
+xhr.addEventListener("error", function () {
     postMessage("xhr blocked");
-}
+});
+xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+xhr.send();
 
 <?php
@@ -116 +118 @@
 ?>
 
-try {
-    var xhr = new XMLHttpRequest;
-    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+var xhr = new XMLHttpRequest;
+xhr.addEventListener("load", function () {
     postMessage("xhr allowed");
-} catch(e) {
+});
+xhr.addEventListener("error", function () {
     postMessage("xhr blocked");
-}
+});
+xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+xhr.send();
 
 var id = 0;

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html

@@ -18 +18 @@
 try {
     var xhr = new XMLHttpRequest;
-    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true); 
+    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", false);
+    xhr.send();
     log("Fail");
 } catch(e) {

trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to connect to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi because it does not appear in the connect-src directive of the Content Security Policy.
 Tests that isolated worlds can have XHRs that the page's CSP wouldn't allow.
 
@@ -5 +6 @@
 
 
-XHR from main world
-PASS: XHR.open threw an exception.
-XHR from isolated world
-PASS: XHR.open did not throw an exception.
+Synchronous XHR same-origin from main world
+PASS: XHR.send threw an exception.
+Asynchronous XHR same-origin from main world
+PASS: XHR.send did not throw an exception.
+PASS: XHR.send received an error event.
+Synchronous XHR same-origin from isolated world
+PASS: XHR.send did not throw an exception.
+Asynchronous XHR same-origin from isolated world
+PASS: XHR.send did not throw an exception.
+PASS: XHR.send received a load event.
+Synchronous XHR cross-origin from isolated world
+PASS: XHR.send did not throw an exception.
+Asynchronous XHR cross-origin from isolated world
+PASS: XHR.send did not throw an exception.
+PASS: XHR.send received a load event.
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html

@@ -1 +1 @@
 <!DOCTYPE html>
 <html>
+<head>
     <script src="../../js-test-resources/js-test-pre.js"></script>
     <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
+</head>
 <body>
 <p id="description"></p>
@@ -12 +14 @@
 jsTestIsAsync = true;
 
+const SameOrigin = true;
+const CrossOrigin = false;
+const Asynchronous = true;
+const Synchronous = false;
+const ShouldBlock = true;
+const ShouldNotBlock = false;
+
 var tests = [
     function() {
-        debug('XHR from main world');
-        xhr(true);
+        debug('Synchronous XHR same-origin from main world');
+        xhr({sameOrigin : true}, Synchronous, ShouldBlock);
     },
     function() {
-        debug('XHR from isolated world');
-        runTestInWorld(1, 'xhr', 'false');
+        debug('Asynchronous XHR same-origin from main world');
+        xhr({sameOrigin : true}, Asynchronous, ShouldBlock);
     },
+    function() {
+        debug('Synchronous XHR same-origin from isolated world');
+        invokeInWorld(1, xhr, SameOrigin, Synchronous, ShouldNotBlock);
+    },
+    function() {
+        debug('Asynchronous XHR same-origin from isolated world');
+        invokeInWorld(2, xhr, SameOrigin, Asynchronous, ShouldNotBlock);
+    },
+    function() {
+        debug('Synchronous XHR cross-origin from isolated world');
+        invokeInWorld(3, xhr, CrossOrigin, Synchronous, ShouldNotBlock);
+    },
+    function() {
+        debug('Asynchronous XHR cross-origin from isolated world');
+        invokeInWorld(4, xhr, CrossOrigin, Asynchronous, ShouldNotBlock);
+    }
 ];
 var currentTest = 0;
@@ -53 +78 @@
 }
 
-function runTestInWorld(worldId, funcName, param)
-{
-    testRunner.evaluateScriptInIsolatedWorld(
-        worldId, String(eval(funcName)) + "\n" + funcName + "(" + param + ");");
+// This function will only successfully pass on JSON-stringifieable arguments such as numbers and strings to aNamedFunction
+function invokeInWorld(worldId, aNamedFunction) {
+    console.assert(aNamedFunction.name);
+    var argumentsToPass = Array.prototype.slice.call(arguments, 2);
+    var script = aNamedFunction.toString() + '; ' + aNamedFunction.name + '(' + argumentsToPass.map(JSON.stringify).join(', ') + ');';
+    testRunner.evaluateScriptInIsolatedWorld(worldId, script);
 }
 
-function xhr(shouldBlock)
-{
+function xhr(isSameOrigin, isAsync, shouldBlock) {
     function debug(message) {
         window.postMessage(JSON.stringify({
@@ -69 +95 @@
     }
 
+    var url = (isSameOrigin ? 'http://127.0.0.1:8000/' : 'http://localhost:8000/') + 'xmlhttprequest/resources/access-control-basic-allow.cgi';
     var xhr = new XMLHttpRequest();
+    var asyncCallDone = false;
+    var finallyClauseDone = false;
+
+    xhr.open('GET', url, isAsync);
+
+    if (isAsync) {
+        xhr.addEventListener('load', function() {
+            if (shouldBlock)
+                debug('FAIL: XHR.send should not have received a load event.');
+            else
+                debug('PASS: XHR.send received a load event.');
+
+            if (finallyClauseDone)
+                window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
+            else
+                asyncCallDone = true;
+        });
+
+        xhr.addEventListener('error', function() {
+            if (shouldBlock)
+                debug('PASS: XHR.send received an error event.');
+            else
+                debug('FAIL: XHR.send should not have received an error event.');
+
+            if (finallyClauseDone)
+                window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
+            else
+                asyncCallDone = true;
+        });
+    }
+
     try {
-        xhr.open('GET', 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt', true);
-        if (shouldBlock)
-            debug('FAIL: XHR.open should have thrown an exception.');
+        xhr.send();
+        if (shouldBlock && !isAsync)
+            debug('FAIL: XHR.send should have thrown an exception.');
         else
-            debug('PASS: XHR.open did not throw an exception.');
+            debug('PASS: XHR.send did not throw an exception.');
     } catch (e) {
-        if (shouldBlock)
-            debug('PASS: XHR.open threw an exception.');
+        if (shouldBlock && !isAsync)
+            debug('PASS: XHR.send threw an exception.');
         else
-            debug('FAIL: XHR.open should not have thrown an exception.');
+            debug('FAIL: XHR.send should not have thrown an exception.');
     } finally {
-        window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
+        if (!isAsync || asyncCallDone)
+            window.postMessage(JSON.stringify({'type': 'test-done'}), '*');
+        else
+            finallyClauseDone = true;
     }
 }
-
 </script>
-
 <script src="../../js-test-resources/js-test-post.js"></script>
 </body>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-04-08  John Wilander  <wilander@apple.com>
+
+        CSP: Block XHR when calling XMLHttpRequest.send() and throw network error.
+        https://bugs.webkit.org/show_bug.cgi?id=153598
+        <rdar://problem/24391483>
+
+        Reviewed by Darin Adler.
+
+        No new tests. Changes to existing tests are sufficient.
+
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::open):
+        (WebCore::XMLHttpRequest::initSend):
+            Moved the CSP check from XMLHttpRequest::open() to XMLHttpRequest::initSend().
+            Changed the thrown error type from Security to Network for synchronous requests.
+            Changed from throwing an error to firing an error event for asynchronous requests.
+            These changes are in conformance with connect-src of Content Security Policy Level 2.
+            https://www.w3.org/TR/CSP2/#directive-connect-src (W3C Candidate Recommendation, 21 July 2015)
+
 2016-04-07  Darin Adler  <darin@apple.com>
 

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -498 +498 @@
     }
 
-    // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
-    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
-        // FIXME: Should this be throwing an exception?
-        ec = SECURITY_ERR;
-        return;
-    }
-
     if (!async && scriptExecutionContext()->isDocument()) {
         if (document()->settings() && !document()->settings()->syncXHRInDocumentsEnabled()) {
@@ -573 +566 @@
     }
     ASSERT(!m_loader);
+
+    // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
+    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
+        if (m_async) {
+            setPendingActivity(this);
+            m_timeoutTimer.stop();
+            m_networkErrorTimer.startOneShot(0);
+        } else
+            ec = NETWORK_ERR;
+        return false;
+    }
 
     m_error = false;