Context Navigation

← Previous Changeset
Next Changeset →

Changeset 211758 in webkit

Timestamp:

Feb 6, 2017 4:25:00 PM (7 years ago)

Author:

commit-queue@webkit.org

Message:

Allow some schemes to opt-out of CORS
https://bugs.webkit.org/show_bug.cgi?id=167795

Patch by Youenn Fablet <youennf@gmail.com> on 2017-02-06
Reviewed by Alex Christensen.

Source/WebCore:

Test: http/tests/security/bypassing-cors-checks-for-extension-urls.html

Adding the possibility to opt out of CORS for DocumentThreadableLoader clients (fetch and XHR).
This is made specific to the case of user extension URLs for pages running user scripts.
Introducing a boolean flag in Page for that purpose.
Introducing a helper routine in SchemeRegistry to centralize the various user script extension schemes.

loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::DocumentThreadableLoader):

page/Frame.cpp:

(WebCore::Frame::injectUserScripts):

page/Page.h:

(WebCore::Page::setAsRunningUserScripts):
(WebCore::Page::isRunningUserScripts):

platform/SchemeRegistry.cpp:

(WebCore::SchemeRegistry::isUserExtensionScheme):

platform/SchemeRegistry.h:
testing/Internals.cpp:

(WebCore::Internals::setAsRunningUserScripts):

testing/Internals.h:
testing/Internals.idl:

LayoutTests:

http/tests/security/bypassing-cors-checks-for-extension-urls-expected.txt: Added.
http/tests/security/bypassing-cors-checks-for-extension-urls.html: Added.

Location:

trunk

Files:

: 2 added
: 10 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/bypassing-cors-checks-for-extension-urls-expected.txt (added)
LayoutTests/http/tests/security/bypassing-cors-checks-for-extension-urls.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (1 diff)
Source/WebCore/page/Frame.cpp (modified) (1 diff)
Source/WebCore/page/Page.h (modified) (2 diffs)
Source/WebCore/platform/SchemeRegistry.cpp (modified) (1 diff)
Source/WebCore/platform/SchemeRegistry.h (modified) (1 diff)
Source/WebCore/testing/Internals.cpp (modified) (1 diff)
Source/WebCore/testing/Internals.h (modified) (1 diff)
Source/WebCore/testing/Internals.idl (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r211756
+                      r211758
+-02-06  Youenn Fablet  <youennf@gmail.com>
+        Allow some schemes to opt-out of CORS
+        https://bugs.webkit.org/show_bug.cgi?id=167795
+        Reviewed by Alex Christensen.
+        * http/tests/security/bypassing-cors-checks-for-extension-urls-expected.txt: Added.
+        * http/tests/security/bypassing-cors-checks-for-extension-urls.html: Added.
 -02-06  Chris Dumez  <cdumez@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r211756
+                      r211758
+-02-06  Youenn Fablet  <youennf@gmail.com>
+        Allow some schemes to opt-out of CORS
+        https://bugs.webkit.org/show_bug.cgi?id=167795
+        Reviewed by Alex Christensen.
+        Test: http/tests/security/bypassing-cors-checks-for-extension-urls.html
+        Adding the possibility to opt out of CORS for DocumentThreadableLoader clients (fetch and XHR).
+        This is made specific to the case of user extension URLs for pages running user scripts.
+        Introducing a boolean flag in Page for that purpose.
+        Introducing a helper routine in SchemeRegistry to centralize the various user script extension schemes.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
+        * page/Frame.cpp:
+        (WebCore::Frame::injectUserScripts):
+        * page/Page.h:
+        (WebCore::Page::setAsRunningUserScripts):
+        (WebCore::Page::isRunningUserScripts):
+        * platform/SchemeRegistry.cpp:
+        (WebCore::SchemeRegistry::isUserExtensionScheme):
+        * platform/SchemeRegistry.h:
+        * testing/Internals.cpp:
+        (WebCore::Internals::setAsRunningUserScripts):
+        * testing/Internals.h:
+        * testing/Internals.idl:
 -02-06  Chris Dumez  <cdumez@apple.com>

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

-                      r210859
+                      r211758
         m_originalHeaders = request.httpHeaderFields();
+    if (document.page() && document.page()->isRunningUserScripts() && SchemeRegistry::isUserExtensionScheme(request.url().protocol().toStringWithoutCopying())) {
+        m_options.mode = FetchOptions::Mode::NoCors;
+        m_options.filteringPolicy = ResponseFilteringPolicy::Disable;
+    }
     // As per step 11 of https://fetch.spec.whatwg.org/#main-fetch, data scheme (if same-origin data-URL flag is set) and about scheme are considered same-origin.
     if (request.url().protocolIsData())

trunk/Source/WebCore/page/Frame.cpp

-                      r211741
+                      r211758
             return;
+        if (script.injectionTime() == injectionTime && UserContentURLPattern::matchesPatterns(document->url(), script.whitelist(), script.blacklist()))
+        if (script.injectionTime() == injectionTime && UserContentURLPattern::matchesPatterns(document->url(), script.whitelist(), script.blacklist())) {
+            m_page->setAsRunningUserScripts();
             m_script->evaluateInWorld(ScriptSourceCode(script.source(), script.url()), world);
+        }
     });
+}

trunk/Source/WebCore/page/Page.h

-                      r211254
+                      r211758
 #endif
+    void setAsRunningUserScripts() { m_isRunningUserScripts = true; }
+    bool isRunningUserScripts() const { return m_isRunningUserScripts; }
     void setDebugger(JSC::Debugger*);
     JSC::Debugger* debugger() const { return m_debugger; }
 …
     std::unique_ptr<PerformanceMonitor> m_performanceMonitor;
+    bool m_isRunningUserScripts { false };
 };

trunk/Source/WebCore/platform/SchemeRegistry.cpp

-                      r209641
+                      r211758
 #endif
+bool SchemeRegistry::isUserExtensionScheme(const String& scheme)
+{
+    UNUSED_PARAM(scheme);
+#if PLATFORM(MAC)
+    if (scheme == "safari-extension")
+        return true;
+#endif
+    return false;
+}
 } // namespace WebCore

trunk/Source/WebCore/platform/SchemeRegistry.h

r207769	r211758
100	100	static bool shouldPartitionCacheForURLScheme(const String& scheme);
101	101	#endif
	102
	103	static bool isUserExtensionScheme(const String& scheme);
102	104	};
103	105

trunk/Source/WebCore/testing/Internals.cpp

-                      r211741
+                      r211758
 #endif
+void Internals::setAsRunningUserScripts(Document& document)
+{
+    if (document.page())
+        document.page()->setAsRunningUserScripts();
+}
 } // namespace WebCore

trunk/Source/WebCore/testing/Internals.h

r211683	r211758
527	527	#endif
528	528
	529	void setAsRunningUserScripts(Document&);
	530
529	531	private:
530	532	explicit Internals(Document&);

trunk/Source/WebCore/testing/Internals.idl

r211683	r211758
500	500	void setQuickLookPassword(DOMString password);
501	501	#endif
502		};
	502
	503	[CallWith=Document] void setAsRunningUserScripts();
	504	};

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 211758 in webkit

Legend:

Download in other formats: