Changeset 201895 in webkit

Timestamp:

Jun 9, 2016 5:21:16 PM (8 years ago)

Author:

Brent Fulgham

Message:

Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol
​https://bugs.webkit.org/show_bug.cgi?id=158589
<rdar://problem/25757454>

Patch by John Wilander <​wilander@apple.com> on 2016-06-09
Reviewed by Brent Fulgham.

No new tests. Our layout test environment does not allow for headerless responses
nor does it allow you to set an explicit HTTP/0.9 status header in PHP. I have
manually tested this change with a Python socket setup doing both headerless and
HTTP/0.9 header tests for positive and negative cases.

• loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::responseReceived):

Cancel loads if the request was made to a non-default port.

• loader/ResourceLoader.cpp:

(WebCore::ResourceLoader::didReceiveResponse):

Cancel loads if the request was made to a non-default port or if the document
was loaded with another protocol. Cancelation is handled as a fail so as to
fire the onerror event and allow sites to handle it gracefully.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/DocumentLoader.cpp (modified) (3 diffs)
• loader/ResourceLoader.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-06-09  John Wilander  <wilander@apple.com>
+
+        Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol
+        https://bugs.webkit.org/show_bug.cgi?id=158589
+        <rdar://problem/25757454>
+
+        Reviewed by Brent Fulgham.
+
+        No new tests. Our layout test environment does not allow for headerless responses
+        nor does it allow you to set an explicit HTTP/0.9 status header in PHP. I have
+        manually tested this change with a Python socket setup doing both headerless and
+        HTTP/0.9 header tests for positive and negative cases.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+            Cancel loads if the request was made to a non-default port.
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::didReceiveResponse):
+            Cancel loads if the request was made to a non-default port or if the document
+            was loaded with another protocol. Cancelation is handled as a fail so as to
+            fire the onerror event and allow sites to handle it gracefully.
+
 2016-06-09  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/loader/DocumentLoader.cpp

@@ -652 +652 @@
     unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();
     ASSERT(identifier);
-
-    ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(response.url()), m_frame);
+    
+    auto url = response.url();
+
+    ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(url), m_frame);
     contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
-    if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, response.url())) {
+    if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, url)) {
         stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
         return;
@@ -664 +666 @@
     if (it != commonHeaders.end()) {
         String content = it->value;
-        if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), identifier)) {
-            String message = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
+        if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, url, identifier)) {
+            String message = "Refused to display '" + url.stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
             m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
             stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
@@ -714 +716 @@
 
     if (m_response.isHttpVersion0_9()) {
+        // Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data
+        // from non-HTTP services. Therefore cancel if the request was to a non-default port.
+        if (!isDefaultPortForProtocol(url.port(), url.protocol())) {
+            String message = "Stopped document load from '" + url.string() + "' because it is using HTTP/0.9 on a non-default port.";
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
+            stopLoading();
+            return;
+        }
+
         ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource);
         unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();
-        String message = "Sandboxing '" + response.url().string() + "' because it is using HTTP/0.9.";
+        String message = "Sandboxing '" + url.string() + "' because it is using HTTP/0.9.";
         m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
         frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins);

trunk/Source/WebCore/loader/ResourceLoader.cpp

@@ -433 +433 @@
 
     if (m_response.isHttpVersion0_9()) {
+        auto url = m_response.url();
+        // Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data
+        // from non-HTTP services. Therefore cancel if the document was loaded with different
+        // HTTP version or if the resource request was to a non-default port.
+        if (!m_documentLoader->response().isHttpVersion0_9()) {
+            String message = "Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 and the document was loaded with a different HTTP version.";
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
+            ResourceError error("", 0, url, message);
+            didFail(error);
+            return;
+        }
+        if (!isDefaultPortForProtocol(url.port(), url.protocol())) {
+            String message = "Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 on a non-default port.";
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
+            ResourceError error("", 0, url, message);
+            didFail(error);
+            return;
+        }
+            
         String message = "Sandboxing '" + m_response.url().string() + "' because it is using HTTP/0.9.";
         m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, m_identifier);