Changeset 221193 in webkit


Timestamp: Aug 25, 2017 10:28:53 AM
Author: fred.wang@free.fr
Message:

Add flag allow-modals to iframe sandbox
https://bugs.webkit.org/show_bug.cgi?id=171321

Source/WebCore:

This patch implements the "allow-modals" value for the iframe sandbox attribute. It changes
the behavior for sandboxed documents so that alert, confirm, prompt, print as well as dialogs
generated from a beforeunload event are blocked when allow-modals is not set, as defined in
the specification. For consistency, we do the same for document.execCommand('print', ...).
Users should use the allow-modals flag in order to explicitly allow modal dialogs.

See https://html.spec.whatwg.org/multipage/origin.html#sandboxed-modals-flag

Patch by Frederic Wang <fwang@igalia.com> on 2017-07-25
Reviewed by Brent Fulgham.

Tests: http/tests/security/sandboxed-iframe-ALLOWED-modals.html
       http/tests/security/sandboxed-iframe-DENIED-modals.html

  • dom/SecurityContext.cpp: Implement parsing for allow-modals
    (WebCore::SecurityContext::isSupportedSandboxPolicy):
    (WebCore::SecurityContext::parseSandboxPolicy):
  • dom/SecurityContext.h: Introduce flag for allow-modals
  • loader/FrameLoader.cpp:
    (WebCore::shouldAskForNavigationConfirmation): Prevent confirm dialog from beforeunload when allow-modals is not set.
  • page/Chrome.h: Change the signature of print, so it may return a failure when the allow-modals flag is not set.
  • page/Chrome.cpp:
    (WebCore::Chrome::print): Returns false and prints an error message when the allow-modals flag on the frame's document is not set. Otherwise, executes the command and returns true.
  • editing/EditorCommand.cpp:
    (WebCore::executePrint): Ensure that document.execCommand for 'print' returns false when the allow-modals flag is not set.
  • page/DOMWindow.cpp: Add early exit for alert, confirm or prompt when the allow-modals flag for that document is not set. Note that print is handled in Chrome.cpp.
    (WebCore::DOMWindow::alert): Add early exit.
    (WebCore::DOMWindow::confirm): Add early exit with the return value indicated in the spec.
    (WebCore::DOMWindow::prompt): Ditto.

LayoutTests:

Patch by Frederic Wang <fwang@igalia.com> on 2017-07-25
Reviewed by Brent Fulgham.

The allow-modals flag is added to tests trying to open modal dialogs in sandboxed frames, now
that the default behavior has changed. New tests are also added to verify that the dialogs
are allowed or blocked according to the value of the allow-modals flag.

  • fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html: Add allow-modals.
  • fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html: Ditto.
  • fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Ditto.
  • fast/frames/sandboxed-iframe-navigation-top-by-name-denied.html: Ditto.
  • fast/frames/sandboxed-iframe-parsing-space-characters.html: Ditto.
  • fast/frames/sandboxed-iframe-scripting-02.html: Ditto.
  • http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: Ditto.
  • http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control.html: Ditto.
  • http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html: Ditto.
  • http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php: Ditto.
  • http/tests/security/drag-drop-same-unique-origin.html: Ditto.
  • http/tests/security/no-indexeddb-from-sandbox.html: Ditto.
  • http/tests/security/no-popup-from-sandbox-top.html: Ditto.
  • http/tests/security/no-popup-from-sandbox.html: Ditto.
  • http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control.html: Ditto.
  • http/tests/security/popup-allowed-by-sandbox-when-allowed.html: Ditto.
  • http/tests/security/xss-DENIED-window-name-alert.html: Ditto.
  • http/tests/security/sandboxed-iframe-ALLOWED-modals.html: Added. Verify that alert, confirm, prompt and print dialogs are allowed when the allow-modals flag is set.
  • http/tests/security/sandboxed-iframe-ALLOWED-modals-expected.txt: Added.
  • http/tests/security/sandboxed-iframe-DENIED-modals.html: Added. Verify that alert, confirm, prompt and print dialogs are denied when the allow-modals flag is not set. The returned values are also verified.
  • http/tests/security/sandboxed-iframe-DENIED-modals-expected.txt: Added.
  • http/tests/misc/iframe-beforeunload-dialog-allow-modals.html: Added. Verify that the confirm dialog for beforeunload is displayed when allow-modals is set.
  • http/tests/misc/iframe-beforeunload-dialog-allow-modals-expected.txt: Added.
  • http/tests/misc/iframe-beforeunload-dialog-block-modals.html: Added. Verify that the confirm dialog for beforeunload is not displayed when allow-modals is unset.
  • http/tests/misc/iframe-beforeunload-dialog-block-modals-expected.txt: Added.
Location: trunk
Files: 8 added, 26 edited

  • trunk/LayoutTests/ChangeLog

    r221188 r221193  
     12017-07-25  Frederic Wang  <fwang@igalia.com>
     2
     3        Add flag allow-modals to iframe sandbox
     4        https://bugs.webkit.org/show_bug.cgi?id=171321
     5
     6        Reviewed by Brent Fulgham.
     7
     8        The allow-modals flag is added to tests trying to open modal dialogs in sandboxed frames, now
     9        that the default behavior has changed. New tests are also added to verify that the dialogs
     10        are allowed or blocked according to the value of the allow-modals flag.
     11
     12        * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html: Add allow-modals.
     13        * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html: Ditto.
     14        * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Ditto.
     15        * fast/frames/sandboxed-iframe-navigation-top-by-name-denied.html: Ditto.
     16        * fast/frames/sandboxed-iframe-parsing-space-characters.html: Ditto.
     17        * fast/frames/sandboxed-iframe-scripting-02.html: Ditto.
     18        * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: Ditto.
     19        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control.html: Ditto.
     20        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html: Ditto.
     21        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php: Ditto.
     22        * http/tests/security/drag-drop-same-unique-origin.html: Ditto.
     23        * http/tests/security/no-indexeddb-from-sandbox.html: Ditto.
     24        * http/tests/security/no-popup-from-sandbox-top.html: Ditto.
     25        * http/tests/security/no-popup-from-sandbox.html: Ditto.
     26        * http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control.html: Ditto.
     27        * http/tests/security/popup-allowed-by-sandbox-when-allowed.html: Ditto.
     28        * http/tests/security/xss-DENIED-window-name-alert.html: Ditto.
     29        * http/tests/security/sandboxed-iframe-ALLOWED-modals.html: Added. Verify that alert,
     30        confirm, prompt and print dialogs are allowed when the allow-modals flag is set.
     31        * http/tests/security/sandboxed-iframe-ALLOWED-modals-expected.txt: Added.
     32        * http/tests/security/sandboxed-iframe-DENIED-modals.html: Added. Verify that alert,
     33        confirm, prompt and print dialogs are denied when the allow-modals flag not set. The returned
     34        values are also verified.
     35        * http/tests/security/sandboxed-iframe-DENIED-modals-expected.txt: Added.
     36        * http/tests/misc/iframe-beforeunload-dialog-allow-modals.html: Added. Verify that the
     37        confirm dialog for beforeunload is displayed when allow-modals is set.
     38        * http/tests/misc/iframe-beforeunload-dialog-allow-modals-expected.txt: Added.
     39        * http/tests/misc/iframe-beforeunload-dialog-block-modals.html: Added. Verify that the
     40        confirm dialog for beforeunload is not displayed when allow-modals is unset.
     41        * http/tests/misc/iframe-beforeunload-dialog-block-modals-expected.txt: Added.
     42
    1432017-08-25  Jonathan Bedard  <jbedard@apple.com>
    244
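Review bot: The entry header at new line 1 is dated 2017-07-25, yet it is inserted above the 2017-08-25 entry from Jonathan Bedard and the changeset itself is timestamped Aug 25, 2017. Update the date to the landing date so the ChangeLog stays in chronological order. At new line 33, "when the allow-modals flag not set" is also missing "is".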
  • trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html

    r210112 r221193  
    1313<body>
    1414<iframe name="A"></iframe>
    15 <iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
     15<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups allow-modals"></iframe>
    1616<script>
    1717document.getElementById("B").contentWindow.eval('alert(window.open("about:blank", "A") ? "FAIL" : "PASS");');
  • trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html

    r210112 r221193  
    1313<body>
    1414<iframe name="A"></iframe>
    15 <iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
     15<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups allow-modals"></iframe>
    1616<script>
    1717document.getElementById("B").contentWindow.eval('alert(window.open.call(window.top, "about:blank", "A") ? "FAIL" : "PASS");');
  • trunk/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html

    r176294 r221193  
    55This test passes if the activeElement is the input element rather than the body
    66(which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set).
    7 <iframe sandbox="allow-scripts"
     7<iframe sandbox="allow-scripts allow-modals"
    88    src="data:text/html,<input autofocus onfocus><script>window.onload = function() { alert(document.activeElement.tagName) }</script>"></iframe>
  • trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied.html

    r121008 r221193  
    1111frame without allow-top-navigation.  This test passes if the navigation does
    1212not occur.</p>
    13 <iframe sandbox="allow-scripts"
     13<iframe sandbox="allow-scripts allow-modals"
    1414        src="resources/navigate-top-by-name-to-fail.html">
    1515</body>
  • trunk/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html

    r121008 r221193  
    2323
    2424function testCharacter(possibleDelimiter, message) {
    25     var policy = "allow-scripts" + possibleDelimiter + "allow-forms";
     25    var policy = "allow-modals allow-scripts" + possibleDelimiter + "allow-forms";
    2626    var iframe = document.createElement('iframe');
    2727    iframe.sandbox = policy;
  • trunk/LayoutTests/fast/frames/sandboxed-iframe-scripting-02.html

    r155268 r221193  
    2424</head>
    2525<body>
    26     <iframe sandbox="allow-same-origin allow-scripts"
     26    <iframe sandbox="allow-same-origin allow-scripts allow-modals"
    2727            src="data:text/html,<script>alert('PASS: Executed script in data URL');window.parent.postMessage({'pass': true}, '*');</script>">
    2828    </iframe>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php

    r133095 r221193  
    11<?php
    2 header("Content-Security-Policy: sandbox allow-scripts");
     2header("Content-Security-Policy: sandbox allow-scripts allow-modals");
    33?>
    44<script>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control.html

    r120174 r221193  
    11<!DOCTYPE html>
    2 <iframe src="resources/sandbox.php?sandbox=allow-scripts%20allow-same-origin"></iframe>
     2<iframe src="resources/sandbox.php?sandbox=allow-scripts%20allow-modals%20allow-same-origin"></iframe>
    33<script>
    44if (window.testRunner)
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html

    r205136 r221193  
    11<!DOCTYPE html>
    2 <iframe src="resources/sandbox.php?sandbox=allow-scripts"></iframe>
     2<iframe src="resources/sandbox.php?sandbox=allow-scripts%20allow-modals"></iframe>
    33<script>
    44if (window.testRunner)
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php

    r196874 r221193  
    11<?php
    2     header("Content-Security-Policy: sandbox allow-scripts");
     2    header("Content-Security-Policy: sandbox allow-scripts allow-modals");
    33?>
    44<!DOCTYPE html>
  • trunk/LayoutTests/http/tests/security/drag-drop-same-unique-origin.html

    r120174 r221193  
    99</head>
    1010<body>
    11 <iframe src="http://127.0.0.1:8000/security/resources/drag-drop-allowed.html" sandbox="allow-scripts"></iframe>
     11<iframe src="http://127.0.0.1:8000/security/resources/drag-drop-allowed.html" sandbox="allow-scripts allow-modals"></iframe>
    1212</body>
    1313</html>
  • trunk/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html

    r141621 r221193  
    33    testRunner.dumpAsText();
    44</script>
    5 <iframe sandbox="allow-scripts"
     5<iframe sandbox="allow-scripts allow-modals"
    66    src="data:text/html,
    77         <script>
  • trunk/LayoutTests/http/tests/security/no-popup-from-sandbox-top.html

    r120174 r221193  
    66</script>
    77<p>To run this test outside of DumpRenderTree, please disable your popup blocker!</p>
    8 <iframe sandbox="allow-scripts"
     8<iframe sandbox="allow-scripts allow-modals"
    99  src="data:text/html,
    1010       <script>
  • trunk/LayoutTests/http/tests/security/no-popup-from-sandbox.html

    r120174 r221193  
    66</script>
    77<p>To run this test outside of DumpRenderTree, please disable your popup blocker!</p>
    8 <iframe sandbox="allow-scripts"
     8<iframe sandbox="allow-scripts allow-modals"
    99  src="data:text/html,
    1010       <script>
  • trunk/LayoutTests/http/tests/security/popup-allowed-by-sandbox-is-sandboxed-control.html

    r120174 r221193  
    99<p>To run this test outside of DumpRenderTree, please disable your popup blocker!</p>
    1010<p>If you change this test, please be sure to change popup-allowed-by-sandbox-is-sandboxed.html as well!</p>
    11 <iframe sandbox="allow-scripts allow-popups allow-forms"
     11<iframe sandbox="allow-scripts allow-modals allow-popups allow-forms"
    1212  src="data:text/html,
    1313       <script>
  • trunk/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html

    r120174 r221193  
    88</script>
    99<p>To run this test outside of DumpRenderTree, please disable your popup blocker!</p>
    10 <iframe sandbox="allow-scripts allow-popups"
     10<iframe sandbox="allow-scripts allow-modals allow-popups"
    1111  src="data:text/html,
    1212       <script>
  • trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html

    r168902 r221193  
    33    testRunner.dumpAsText();
    44</script>
    5 <iframe sandbox="allow-scripts"
     5<iframe sandbox="allow-scripts allow-modals"
    66        src="data:text/html,<script>
    77            window.name='alert2';
  • trunk/Source/WebCore/ChangeLog

    r221189 r221193  
     12017-07-25  Frederic Wang  <fwang@igalia.com>
     2
     3        Add flag allow-modals to iframe sandbox
     4        https://bugs.webkit.org/show_bug.cgi?id=171321
     5
     6        This patch implements the "allow-modals" value for the iframe sandbox attribute. It changes
     7        the behavior for sandboxed document so that alert, confirm, prompt, print as well as dialogs
     8        generated from a beforeunload event are blocked when allow-modals is not set, as defined in
     9        the specification. For consistency, we do the same for document.execCommand('print', ...).
     10        Users should use the allow-modals flag in order to explictly allow modal dialogs.
     11
     12        See https://html.spec.whatwg.org/multipage/origin.html#sandboxed-modals-flag
     13
     14        Reviewed by Brent Fulgham.
     15
     16        Tests: http/tests/security/sandboxed-iframe-ALLOWED-modals.html
     17               http/tests/security/sandboxed-iframe-DENIED-modals.html
     18
     19        * dom/SecurityContext.cpp: Implement parsing for allow-modals
     20        (WebCore::SecurityContext::isSupportedSandboxPolicy):
     21        (WebCore::SecurityContext::parseSandboxPolicy):
     22        * dom/SecurityContext.h: Introduce flag for allow-modals
     23        * loader/FrameLoader.cpp:
     24        (WebCore::shouldAskForNavigationConfirmation): Prevent confirm dialog from beforeunload when
     25        allow-modals is not set.
     26        * page/Chrome.h: Change the signature of print, so it may return a failure when the
     27        allow-modals flag is not set.
     28        * page/Chrome.cpp:
     29        (WebCore::Chrome::print): Returns false and print a message error when the allow-modals flag
     30        on the frame's document is not set. Otherwise, execute the command and returns true.
     31        * editing/EditorCommand.cpp:
     32        (WebCore::executePrint): Ensure that document.execCommand for 'print' returns false when the
     33        allow-modals flag is not set.
     34        * page/DOMWindow.cpp: Add early exit when alert, confirm or prompt when the allow-modals flag
     35        for that document is not set. Note that print is handled in Chrome.cpp.
     36        (WebCore::DOMWindow::alert): Add early exit.
     37        (WebCore::DOMWindow::confirm): Add early exit with the return value indicated in the spec.
     38        (WebCore::DOMWindow::prompt): Ditto.
     39
    1402017-08-25  Brady Eidson  <beidson@apple.com>
    241
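Review bot: Wording nits in the entry text: "explictly" at new line 10 should be "explicitly", "print a message error" at new line 29 should read "prints an error message", and "Add early exit when alert, confirm or prompt when" at new line 34 has a doubled "when". The 2017-07-25 date at new line 1 also predates the 2017-08-25 entry it is placed above.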
  • trunk/Source/WebCore/dom/SecurityContext.cpp

    r219797 r221193  
    8686{
    8787    static const char* const supportedPolicies[] = {
    88         "allow-forms", "allow-same-origin", "allow-scripts", "allow-top-navigation", "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox", "allow-top-navigation-by-user-activation"
     88        "allow-forms", "allow-same-origin", "allow-scripts", "allow-top-navigation", "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox", "allow-top-navigation-by-user-activation", "allow-modals"
    8989    };
    9090
     
    135135        else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-top-navigation-by-user-activation"))
    136136            flags &= ~SandboxTopNavigationByUserActivation;
     137        else if (equalLettersIgnoringASCIICase(sandboxToken, "allow-modals"))
     138            flags &= ~SandboxModals;
    137139        else {
    138140            if (numberOfTokenErrors)
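Review bot: "allow-modals" is now spelled out twice in this file, once in the supportedPolicies array at new line 88 and once in the else-if chain at new line 137, and nothing visible here ties the two together. A token added to one list but not the other would be reported as supported yet still fall through to the error branch at line 139 (or the reverse). Consider a layout test that checks both the supports() answer and the resulting behavior for allow-modals, or driving both from one table.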
  • trunk/Source/WebCore/dom/SecurityContext.h

    r221017 r221193  
    5454    SandboxTopNavigationByUserActivation = 1 << 10,
    5555    SandboxDocumentDomain       = 1 << 11,
     56    SandboxModals               = 1 << 12,
    5657    SandboxAll                  = -1 // Mask with all bits set to 1.
    5758};
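Review bot: SandboxModals at new line 56 is added without a comment, and because SandboxAll is -1 the new bit is set for every sandboxed context unless the allow-modals token clears it. That makes this one-line enum change the actual default-deny switch for existing sandboxed content. A short comment pointing at the spec's "sandboxed modals flag" would make that intent clear to the next reader of this enum.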
  • trunk/Source/WebCore/editing/EditorCommand.cpp

    r219213 r221193  
    931931    if (!page)
    932932        return false;
    933     page->chrome().print(frame);
    934     return true;
     933    return page->chrome().print(frame);
    935934}
    936935
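Review bot: With the return value at new line 933 now propagated from Chrome::print, document.execCommand('print') returns false in a sandboxed frame without allow-modals, but the test descriptions in the ChangeLog only mention alert, confirm, prompt and print. If sandboxed-iframe-DENIED-modals.html does not already assert the execCommand return value, please add that case so this path is covered.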
  • trunk/Source/WebCore/loader/FrameLoader.cpp

    r221162 r221193  
    30433043static bool shouldAskForNavigationConfirmation(Document& document, const BeforeUnloadEvent& event)
    30443044{
     3045    // Confirmation dialog should not be displayed when the allow-modals flag is not set.
     3046    if (document.isSandboxed(SandboxModals))
     3047        return false;
     3048
    30453049    bool userDidInteractWithPage = document.topDocument().userDidInteractWithPage();
    30463050    // Web pages can request we ask for confirmation before navigating by:
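Review bot: The early return at new lines 3046-3047 suppresses the beforeunload confirmation silently, while the alert, confirm, prompt and print paths in this changeset all call printErrorMessage when they are blocked. Consider logging a console message here as well, so a developer whose beforeunload prompt stops appearing in a sandboxed frame can see that the missing allow-modals flag is the cause.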
  • trunk/Source/WebCore/page/Chrome.cpp

    r221028 r221193  
    2424
    2525#include "ChromeClient.h"
     26#include "DOMWindow.h"
    2627#include "Document.h"
    2728#include "DocumentType.h"
     
    396397}
    397398
    398 void Chrome::print(Frame& frame)
     399bool Chrome::print(Frame& frame)
    399400{
    400401    // FIXME: This should have PageGroupLoadDeferrer, like runModal() or runJavaScriptAlert(), because it's no different from those.
     402
     403    if (frame.document()->isSandboxed(SandboxModals)) {
     404        frame.document()->domWindow()->printErrorMessage("Use of window.print is not allowed in a sandboxed frame when the allow-modals flag is not set.");
     405        return false;
     406    }
     407
    401408    m_client.print(frame);
     409    return true;
    402410}
    403411
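Review bot: New lines 403-404 dereference frame.document() and then domWindow() with no null check, whereas the DOMWindow.cpp hunks only reach their sandbox check after testing m_frame. Please guard both pointers (or assert, if they are guaranteed non-null here) before calling isSandboxed and printErrorMessage. Separately, the message hard-codes "window.print", but executePrint in EditorCommand.cpp now reaches this function too, so a page calling document.execCommand('print') gets an error naming an API it did not use.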
  • trunk/Source/WebCore/page/Chrome.h

    r221028 r221193  
    145145    void setToolTip(const HitTestResult&);
    146146
    147     WEBCORE_EXPORT void print(Frame&);
     147    WEBCORE_EXPORT bool print(Frame&);
    148148
    149149    WEBCORE_EXPORT void enableSuddenTermination();
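Review bot: The new bool return at line 147 is undocumented on an exported (WEBCORE_EXPORT) method, so callers cannot tell from the header what false means. Add a one-line comment stating that it returns false when the frame's document is sandboxed without allow-modals, and check that existing callers which ignored the old void result are still correct.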
  • trunk/Source/WebCore/page/DOMWindow.cpp

    r220815 r221193  
    11281128        return;
    11291129
     1130    if (document()->isSandboxed(SandboxModals)) {
     1131        printErrorMessage("Use of window.alert is not allowed in a sandboxed frame when the allow-modals flag is not set.");
     1132        return;
     1133    }
     1134
    11301135    auto* page = m_frame->page();
    11311136    if (!page)
     
    11501155        return false;
    11511156   
     1157    if (document()->isSandboxed(SandboxModals)) {
     1158        printErrorMessage("Use of window.confirm is not allowed in a sandboxed frame when the allow-modals flag is not set.");
     1159        return false;
     1160    }
     1161
    11521162    auto* page = m_frame->page();
    11531163    if (!page)
     
    11711181    if (!m_frame)
    11721182        return String();
     1183
     1184    if (document()->isSandboxed(SandboxModals)) {
     1185        printErrorMessage("Use of window.prompt is not allowed in a sandboxed frame when the allow-modals flag is not set.");
     1186        return String();
     1187    }
    11731188
    11741189    auto* page = m_frame->page();
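Review bot: The blocks at new lines 1130-1133, 1157-1160 and 1184-1187 repeat the same check and the same message string with only the method name changed, and Chrome::print carries a fourth copy. A small helper that takes the API name, logs the message and returns whether modals are blocked would keep the wording in one place and make it harder for a future modal entry point to miss the check.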