Changeset 201895 in webkit
- Timestamp:
- Jun 9, 2016 5:21:16 PM (8 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 3 edited
trunk/Source/WebCore/ChangeLog
r201894 r201895 1 2016-06-09 John Wilander <wilander@apple.com> 2 3 Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol 4 https://bugs.webkit.org/show_bug.cgi?id=158589 5 <rdar://problem/25757454> 6 7 Reviewed by Brent Fulgham. 8 9 No new tests. Our layout test environment does not allow for headerless responses 10 nor does it allow you to set an explicit HTTP/0.9 status header in PHP. I have 11 manually tested this change with a Python socket setup doing both headerless and 12 HTTP/0.9 header tests for positive and negative cases. 13 14 * loader/DocumentLoader.cpp: 15 (WebCore::DocumentLoader::responseReceived): 16 Cancel loads if the request was made to a non-default port. 17 * loader/ResourceLoader.cpp: 18 (WebCore::ResourceLoader::didReceiveResponse): 19 Cancel loads if the request was made to a non-default port or if the document 20 was loaded with another protocol. Cancelation is handled as a fail so as to 21 fire the onerror event and allow sites to handle it gracefully. 22 1 23 2016-06-09 Alex Christensen <achristensen@webkit.org> 2 24 -
trunk/Source/WebCore/loader/DocumentLoader.cpp
r201856 r201895 652 652 unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier(); 653 653 ASSERT(identifier); 654 655 ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(response.url()), m_frame); 654 655 auto url = response.url(); 656 657 ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(url), m_frame); 656 658 contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); 657 if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, response.url())) {659 if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, url)) { 658 660 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response); 659 661 return; … … 664 666 if (it != commonHeaders.end()) { 665 667 String content = it->value; 666 if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), identifier)) {667 String message = "Refused to display '" + response.url().stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";668 if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, url, identifier)) { 669 String message = "Refused to display '" + url.stringCenterEllipsizedToLength() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; 668 670 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier); 669 671 stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response); … … 714 716 715 717 if (m_response.isHttpVersion0_9()) { 718 // Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data 719 // from non-HTTP services. Therefore cancel if the request was to a non-default port. 
720 if (!isDefaultPortForProtocol(url.port(), url.protocol())) { 721 String message = "Stopped document load from '" + url.string() + "' because it is using HTTP/0.9 on a non-default port."; 722 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier); 723 stopLoading(); 724 return; 725 } 726 716 727 ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource); 717 728 unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier(); 718 String message = "Sandboxing '" + response.url().string() + "' because it is using HTTP/0.9.";729 String message = "Sandboxing '" + url.string() + "' because it is using HTTP/0.9."; 719 730 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier); 720 731 frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins); -
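Review bot: The `identifier` passed to addConsoleMessage on new line 722 resolves to the `identifier` declared at line 652, yet the pre-existing `unsigned long identifier = ...` at line 728 re-declares the same name inside the same `if (m_response.isHttpVersion0_9())` block only a few lines later; now that the new check relies on the outer name, the inner ASSERT/redeclaration at lines 727-728 reads as a leftover, and dropping it would remove the shadowing — assuming both hunks are in `responseReceived`, as the ChangeLog states. Separately, the cancellation at line 720 depends on how `URL::port()` reports an absent port: if it yields 0 for a URL with no explicit port, `isDefaultPortForProtocol(0, url.protocol())` must treat that as the default port, otherwise every HTTP/0.9 response without an explicit port would be stopped; worth confirming, and the same applies to the identical check at ResourceLoader.cpp line 446. `auto url = response.url();` at line 655 takes a copy of the URL; `const auto& url = response.url();` would bind to the reference if `url()` returns one. responseReceived starts and ends outside the hunk.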
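--- a/trunk/Source/WebCore/loader/ResourceLoader.cpp
+++ b/trunk/Source/WebCore/loader/ResourceLoader.cpp
@@ -433,4 +433,23 @@
 
     if (m_response.isHttpVersion0_9()) {
+        auto url = m_response.url();
+        // Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data
+        // from non-HTTP services. Therefore cancel if the document was loaded with different
+        // HTTP version or if the resource request was to a non-default port.
+        if (!m_documentLoader->response().isHttpVersion0_9()) {
+            String message = "Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 and the document was loaded with a different HTTP version.";
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
+            ResourceError error("", 0, url, message);
+            didFail(error);
+            return;
+        }
+        if (!isDefaultPortForProtocol(url.port(), url.protocol())) {
+            String message = "Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 on a non-default port.";
+            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
+            ResourceError error("", 0, url, message);
+            didFail(error);
+            return;
+        }
+
         String message = "Sandboxing '" + m_response.url().string() + "' because it is using HTTP/0.9.";
         m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, m_identifier);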
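Review bot: The two cancellation branches at lines 439-452 repeat the same message/console/ResourceError/didFail/return sequence and differ only in the message text; a small local closure taking the message would keep the cancel path in one place and make any later change to it (error domain, code, logging) a single edit. The new lines also pass `identifier()` to addConsoleMessage while the existing line 455 passes `m_identifier`; pick one for consistency (presumably they are the same value, but the hunk does not show it). `m_documentLoader` is dereferenced at line 439 without a null check, which is fine only if didReceiveResponse already guarantees a document loader at this point — not visible here. didReceiveResponse starts and ends outside the hunk.
```cpp
    if (m_response.isHttpVersion0_9()) {
        auto url = m_response.url();
        // … unchanged: explanatory comment …
        auto cancelWithMessage = [&](const String& message) {
            m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
            didFail(ResourceError("", 0, url, message));
        };
        if (!m_documentLoader->response().isHttpVersion0_9()) {
            cancelWithMessage("Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 and the document was loaded with a different HTTP version.");
            return;
        }
        if (!isDefaultPortForProtocol(url.port(), url.protocol())) {
            cancelWithMessage("Cancelled resource load from '" + url.string() + "' because it is using HTTP/0.9 on a non-default port.");
            return;
        }
        // … unchanged: sandboxing message and flags …
```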