Changeset 219797 in webkit

Timestamp:

Jul 24, 2017 1:33:11 AM (7 years ago)

Author:

fred.wang@free.fr

Message:

Add attribute allow-top-navigation-by-user-activation to iframe sandbox
​https://bugs.webkit.org/show_bug.cgi?id=171327

Patch by Frederic Wang <​fwang@igalia.com> on 2017-07-11
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

This commit updates the expectation for the test verifying that a sandboxed iframe without
the allow-top-navigation-by-user-activation flag set can not perform top navigation if it is
not triggered by a user gesture. The navigation is still prohibited but the parsing of the
allow-top-navigation-by-user-activation flag should not raised any error message.
A similar update is done for the test verifying that the combination of the flags
allow-top-navigation-by-user-activation and allow-top-navigation.

• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt: Remove the error message.
• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt: Ditto.

Source/WebCore:

Tests: http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1.html

http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2.html
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt

• dom/Document.cpp:

(WebCore::Document::canNavigate): Case 2 of conformance verification is refined to match the
current specification: Top navigation is allowed when it is triggered by user activation and
when allow-top-navigation-by-user-activation is set. Because we have additional "security
origin" rules with respect to the specification we also add some early return to ensure that
navigation is really allowed for this new case.

• dom/SecurityContext.cpp:

(WebCore::SecurityContext::isSupportedSandboxPolicy): Add allow-top-navigation-by-user-activation flag.
(WebCore::SecurityContext::parseSandboxPolicy): Parse the new flag to allow top user
navigation by user activation. Also, make sure that allow-top-navigation allows such
navigation as defined by the specification.

• dom/SecurityContext.h: Declare new sandboxing flag.

LayoutTests:

This patch adds tests to verify that a sandboxed iframe with the flag
'allow-top-navigation-by-user-activation' or 'allow-top-navigation' can navigate the top
level page, if navigation is triggered by a user gesture. This is based on a test from the
Chromium repository.
It also verifies that navigation fails when 'allow-top-navigation-by-user-activation' is
absent, even when it is triggered by a user gesture.

• http/tests/security/frameNavigation/resources/iframe-that-performs-parent-navigation-with-user-activation.html: Added. This is similar to iframe-that-performs-parent-navigation.html but it

performs navigation of its parent using user activation.

• http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1.html: Added.

Test top navigation for a sandboxed frame with 'allow-top-navigation-by-user-activation'

• http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1-expected.txt: Added.

Add PASS expectation.

• http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2.html: Added.

Test top navigation for a sandboxed frame with 'allow-top-navigation'.

• http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2-expected.txt: Added.

Add PASS expectation.

• http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture.html: Added.

Test user-triggered navigation for a sandboxed frame without 'allow-top-navigation-by-user-activation'.

• http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture-expected.txt: Added.

Add reference with navigation failure.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/frameNavigation/resources/iframe-that-performs-parent-navigation-with-user-activation.html (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1-expected.txt (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1.html (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2-expected.txt (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2.html (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture-expected.txt (added)
• LayoutTests/http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture.html (added)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (4 diffs)
• Source/WebCore/dom/SecurityContext.cpp (modified) (3 diffs)
• Source/WebCore/dom/SecurityContext.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-07-11  Frederic Wang  <fwang@igalia.com>
+
+        Add attribute allow-top-navigation-by-user-activation to iframe sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=171327
+
+        Reviewed by Chris Dumez.
+
+        This patch adds tests to verify that a sandboxed iframe with the flag
+        'allow-top-navigation-by-user-activation' or 'allow-top-navigation' can navigate the top
+        level page, if navigation is triggered by a user gesture. This is based on a test from the
+        Chromium repository.
+        It also verifies that navigation fails when 'allow-top-navigation-by-user-activation' is
+        absent, even when it is triggered by a user gesture.
+
+        * http/tests/security/frameNavigation/resources/iframe-that-performs-parent-navigation-with-user-activation.html: Added. This is similar to iframe-that-performs-parent-navigation.html but it
+        performs navigation of its parent using user activation.
+        * http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1.html: Added.
+        Test top navigation for a sandboxed frame with 'allow-top-navigation-by-user-activation'
+        * http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1-expected.txt: Added.
+        Add PASS expectation.
+        * http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2.html: Added.
+        Test top navigation for a sandboxed frame with 'allow-top-navigation'.
+        * http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2-expected.txt: Added.
+        Add PASS expectation.
+        * http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture.html: Added.
+        Test user-triggered navigation for a sandboxed frame without 'allow-top-navigation-by-user-activation'.
+        * http/tests/security/frameNavigation/sandbox-DENIED-top-navigation-with-user-gesture-expected.txt: Added.
+        Add reference with navigation failure.
+
 2017-07-22  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2017-07-11  Frederic Wang  <fwang@igalia.com>
+
+        Add attribute allow-top-navigation-by-user-activation to iframe sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=171327
+
+        Reviewed by Chris Dumez.
+
+        This commit updates the expectation for the test verifying that a sandboxed iframe without
+        the allow-top-navigation-by-user-activation flag set can not perform top navigation if it is
+        not triggered by a user gesture. The navigation is still prohibited but the parsing of the
+        allow-top-navigation-by-user-activation flag should not raised any error message.
+        A similar update is done for the test verifying that the combination of the flags
+        allow-top-navigation-by-user-activation and allow-top-navigation.
+
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt: Remove the error message.
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt: Ditto.
+
 2017-07-22  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 15: Error while parsing the 'sandbox' attribute: 'allow-top-navigation-by-user-activation' is an invalid sandbox flag.
-CONSOLE MESSAGE: line 15: Error while parsing the 'sandbox' attribute: 'allow-top-navigation-by-user-activation' is an invalid sandbox flag.
 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 17: Error while parsing the 'sandbox' attribute: 'allow-top-navigation-by-user-activation' is an invalid sandbox flag.
 CONSOLE MESSAGE: line 8: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture.html' from frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/support/iframe-that-performs-top-navigation-without-user-gesture-failed.html'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-07-11  Frederic Wang  <fwang@igalia.com>
+
+        Add attribute allow-top-navigation-by-user-activation to iframe sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=171327
+
+        Reviewed by Chris Dumez.
+
+        Tests: http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-1.html
+               http/tests/security/frameNavigation/sandbox-ALLOWED-top-navigation-with-user-gesture-2.html
+               imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt
+               imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-3-expected.txt
+
+        * dom/Document.cpp:
+        (WebCore::Document::canNavigate): Case 2 of conformance verification is refined to match the
+        current specification: Top navigation is allowed when it is triggered by user activation and
+        when allow-top-navigation-by-user-activation is set. Because we have additional "security
+        origin" rules with respect to the specification we also add some early return to ensure that
+        navigation is really allowed for this new case.
+        * dom/SecurityContext.cpp:
+        (WebCore::SecurityContext::isSupportedSandboxPolicy): Add allow-top-navigation-by-user-activation flag.
+        (WebCore::SecurityContext::parseSandboxPolicy): Parse the new flag to allow top user
+        navigation by user activation. Also, make sure that allow-top-navigation allows such
+        navigation as defined by the specification.
+        * dom/SecurityContext.h: Declare new sandboxing flag.
+
 2017-07-23  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -187 +187 @@
 #include "TransformSource.h"
 #include "TreeWalker.h"
+#include "UserGestureIndicator.h"
 #include "ValidationMessageClient.h"
 #include "VisibilityChangeClient.h"
@@ -3094 +3095 @@
         return true;
 
-    // Cases (i) and (ii) pass the tests from the specifications but might not pass the "security origin" tests.
-    // Hence they are kept for backward compatibility.
+    // Cases (i), (ii) and (iii) pass the tests from the specifications but might not pass the "security origin" tests.
 
     // i. A frame can navigate its top ancestor when its 'allow-top-navigation' flag is set (sometimes known as 'frame-busting').
@@ -3101 +3101 @@
         return true;
 
-    // ii. A sandboxed frame can always navigate its descendants.
+    // ii. A frame can navigate its top ancestor when its 'allow-top-navigation-by-user-activation' flag is set and navigation is triggered by user activation.
+    if (!isSandboxed(SandboxTopNavigationByUserActivation) && UserGestureIndicator::processingUserGesture() && targetFrame == &m_frame->tree().top())
+        return true;
+
+    // iii. A sandboxed frame can always navigate its descendants.
     if (isSandboxed(SandboxNavigation) && targetFrame->tree().isDescendantOf(m_frame))
         return true;
@@ -3113 +3117 @@
     }
 
-    // 2. Otherwise, if B is a top-level browsing context, and is one of the ancestor browsing contexts of A, and A's active document's active sandboxing flag set has its sandboxed
-    // top-level navigation browsing context flag set, then abort these steps negatively.
-    if (m_frame != targetFrame && targetFrame == &m_frame->tree().top() && isSandboxed(SandboxTopNavigation)) {
-        printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set."));
-        return false;
+    // 2. Otherwise, if B is a top-level browsing context, and is one of the ancestor browsing contexts of A, then:
+    if (m_frame != targetFrame && targetFrame == &m_frame->tree().top()) {
+        bool triggeredByUserActivation = UserGestureIndicator::processingUserGesture();
+        // 1. If this algorithm is triggered by user activation and A's active document's active sandboxing flag set has its sandboxed top-level navigation with user activation browsing context flag set, then abort these steps negatively.
+        if (triggeredByUserActivation && isSandboxed(SandboxTopNavigationByUserActivation)) {
+            printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation-by-user-activation' flag is not set and navigation is not triggered by user activation."));
+            return false;
+        }
+        // 2. Otherwise, If this algorithm is not triggered by user activation and A's active document's active sandboxing flag set has its sandboxed top-level navigation without user activation browsing context flag set, then abort these steps negatively.
+        if (!triggeredByUserActivation && isSandboxed(SandboxTopNavigation)) {
+            printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set."));
+            return false;
+        }
     }
 

trunk/Source/WebCore/dom/SecurityContext.cpp

@@ -86 +86 @@
 {
     static const char* const supportedPolicies[] = {
-        "allow-forms", "allow-same-origin", "allow-scripts", "allow-top-navigation", "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox"
+        "allow-forms", "allow-same-origin", "allow-scripts", "allow-top-navigation", "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox", "allow-top-navigation-by-user-activation"
     };
 
@@ -124 +124 @@
             flags &= ~SandboxScripts;
             flags &= ~SandboxAutomaticFeatures;
-        } else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-top-navigation"))
+        } else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-top-navigation")) {
             flags &= ~SandboxTopNavigation;
-        else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-popups"))
+            flags &= ~SandboxTopNavigationByUserActivation;
+        } else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-popups"))
             flags &= ~SandboxPopups;
         else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-pointer-lock"))
@@ -132 +133 @@
         else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-popups-to-escape-sandbox"))
             flags &= ~SandboxPropagatesToAuxiliaryBrowsingContexts;
+        else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-top-navigation-by-user-activation"))
+            flags &= ~SandboxTopNavigationByUserActivation;
         else {
             if (numberOfTokenErrors)

trunk/Source/WebCore/dom/SecurityContext.h

@@ -51 +51 @@
     SandboxPointerLock          = 1 << 8,
     SandboxPropagatesToAuxiliaryBrowsingContexts = 1 << 9,
+    SandboxTopNavigationByUserActivation = 1 << 10,
     SandboxAll                  = -1 // Mask with all bits set to 1.
 };