Changeset 199795 in webkit

Timestamp:

Apr 20, 2016 3:56:40 PM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18
Source/WebKit2:

Patch by Dustin Falgout <​dustin@falgout.us> on 2016-04-20
Reviewed by Michael Catanzaro.

As of r197858 JavaScript loaded in the context of a file scheme url cannot access local storage. That is a major
breaking change as many applications that serve files locally rely on having access to local storage. The point
of that security fix is to avoid cases of downloaded HTML content (such as e-mail attachments or JS injected
into local contexts) from having access to your local file system and arbitrary local storage. If you are serving
local files in your applications, you can use the WebKitAllowUniversalAccessFromFileURLs preference key to tell
Webkit that you are approve of these kinds of interactions.

​https://bugs.webkit.org/show_bug.cgi?id=156651

• UIProcess/API/gtk/WebKitSettings.cpp:

(webKitSettingsSetProperty):
(webKitSettingsGetProperty):
(webkit_settings_class_init):
(webkit_settings_get_allow_universal_access_from_file_urls):
(webkit_settings_set_allow_universal_access_from_file_urls):

• UIProcess/API/gtk/WebKitSettings.h:
• UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt:

Tools:

​https://bugs.webkit.org/show_bug.cgi?id=156651

Patch by Dustin Falgout <​dustin@falgout.us> on 2016-04-20
Reviewed by Michael Catanzaro.

• TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitSettings.cpp:

(testWebKitSettings):

Location:

trunk

Files:

• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp (modified) (5 diffs)
• Source/WebKit2/UIProcess/API/gtk/WebKitSettings.h (modified) (1 diff)
• Source/WebKit2/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitSettings.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2016-04-20  Dustin Falgout  <dustin@falgout.us>
+
+        [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18
+        
+        Reviewed by Michael Catanzaro.
+                
+        As of r197858 JavaScript loaded in the context of a file scheme url cannot access local storage. That is a major 
+        breaking change as many applications that serve files locally rely on having access to local storage. The point  
+        of that security fix is to avoid cases of downloaded HTML content (such as e-mail attachments or JS injected
+        into local contexts) from having access to your local file system and arbitrary local storage. If you are serving 
+        local files in your applications, you can use the WebKitAllowUniversalAccessFromFileURLs preference key to tell 
+        Webkit that you are approve of these kinds of interactions.
+                                              
+        https://bugs.webkit.org/show_bug.cgi?id=156651
+
+        * UIProcess/API/gtk/WebKitSettings.cpp:
+        (webKitSettingsSetProperty):
+        (webKitSettingsGetProperty):
+        (webkit_settings_class_init):
+        (webkit_settings_get_allow_universal_access_from_file_urls):
+        (webkit_settings_set_allow_universal_access_from_file_urls):
+        * UIProcess/API/gtk/WebKitSettings.h:
+        * UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt:
+
 2016-04-20  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp

@@ -145 +145 @@
     PROP_ENABLE_SPATIAL_NAVIGATION,
     PROP_ENABLE_MEDIASOURCE,
-    PROP_ALLOW_FILE_ACCESS_FROM_FILE_URLS
+    PROP_ALLOW_FILE_ACCESS_FROM_FILE_URLS,
+    PROP_ALLOW_UNIVERSAL_ACCESS_FROM_FILE_URLS
 };
 
@@ -314 +315 @@
         webkit_settings_set_allow_file_access_from_file_urls(settings, g_value_get_boolean(value));
         break;
+    case PROP_ALLOW_UNIVERSAL_ACCESS_FROM_FILE_URLS:
+        webkit_settings_set_allow_universal_access_from_file_urls(settings, g_value_get_boolean(value));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
@@ -471 +475 @@
     case PROP_ALLOW_FILE_ACCESS_FROM_FILE_URLS:
         g_value_set_boolean(value, webkit_settings_get_allow_file_access_from_file_urls(settings));
+        break;
+    case PROP_ALLOW_UNIVERSAL_ACCESS_FROM_FILE_URLS:
+        g_value_set_boolean(value, webkit_settings_get_allow_universal_access_from_file_urls(settings));
         break;
     default:
@@ -1243 +1250 @@
             FALSE,
             readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:allow-universal-access-from-file-urls:
+     *
+     * Whether or not JavaScript running in the context of a file scheme URL
+     * should be allowed to access content from any origin.  By default, when
+     * something is loaded in a #WebKitWebView using a file scheme URL,
+     * access to the local file system and arbitrary local storage is not
+     * allowed. This setting allows you to change that behaviour, so that
+     * it would be possible to use local storage, for example.
+     *
+     * Since: 2.14
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_ALLOW_UNIVERSAL_ACCESS_FROM_FILE_URLS,
+        g_param_spec_boolean("allow-universal-access-from-file-urls",
+            _("Allow universal access from the context of file scheme URLs"),
+            _("Whether or not universal access is allowed from the context of file scheme URLs"),
+            FALSE,
+            readWriteConstructParamFlags));
 }
 
@@ -3063 +3090 @@
     g_object_notify(G_OBJECT(settings), "allow-file-access-from-file-urls");
 }
+
+/**
+ * webkit_settings_get_allow_universal_access_from_file_urls:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:allow-universal-access-from-file-urls property.
+ *
+ * Returns: %TRUE If universal access from file URLs is allowed or %FALSE otherwise.
+ *
+ * Since: 2.14
+ */
+gboolean webkit_settings_get_allow_universal_access_from_file_urls(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->allowUniversalAccessFromFileURLs();
+}
+
+/**
+ * webkit_settings_set_allow_universal_access_from_file_urls:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:allow-universal-access-from-file-urls property.
+ *
+ * Since: 2.14
+ */
+void webkit_settings_set_allow_universal_access_from_file_urls(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->allowUniversalAccessFromFileURLs() == allowed)
+        return;
+
+    priv->preferences->setAllowUniversalAccessFromFileURLs(allowed);
+    g_object_notify(G_OBJECT(settings), "allow-universal-access-from-file-urls");
+}

trunk/Source/WebKit2/UIProcess/API/gtk/WebKitSettings.h

@@ -422 +422 @@
                                                                 gboolean        allowed);
 
+WEBKIT_API gboolean
+webkit_settings_get_allow_universal_access_from_file_urls      (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_allow_universal_access_from_file_urls      (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
 G_END_DECLS
 

trunk/Source/WebKit2/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt

@@ -454 +454 @@
 webkit_settings_get_allow_file_access_from_file_urls
 webkit_settings_set_allow_file_access_from_file_urls
+webkit_settings_get_allow_universal_access_from_file_urls
+webkit_settings_set_allow_universal_access_from_file_urls
 
 <SUBSECTION Standard>

trunk/Tools/ChangeLog

@@ +1 @@
+2016-04-20  Dustin Falgout  <dustin@falgout.us>
+
+        [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18
+        https://bugs.webkit.org/show_bug.cgi?id=156651
+
+        Reviewed by Michael Catanzaro.
+
+        * TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitSettings.cpp:
+        (testWebKitSettings):
+
 2016-04-20  Brady Eidson  <beidson@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestWebKitSettings.cpp

@@ -279 +279 @@
     g_assert(webkit_settings_get_allow_file_access_from_file_urls(settings));
 
+    // Universal access from file URLs is not allowed by default.
+    g_assert(!webkit_settings_get_allow_universal_access_from_file_urls(settings));
+    webkit_settings_set_allow_universal_access_from_file_urls(settings, TRUE);
+    g_assert(webkit_settings_get_allow_universal_access_from_file_urls(settings));
+
     g_object_unref(G_OBJECT(settings));
 }