Changeset 223195 in webkit

Timestamp:

Oct 11, 2017, 12:01:10 PM (8 years ago)

Author:

rniwa@webkit.org

Message:

Sanitize URL in pasteboard for other applications and cross origin content
​https://bugs.webkit.org/show_bug.cgi?id=178060
<rdar://problem/34874518>

Reviewed by Wenson Hsieh.

Source/WebCore:

This patch introduces the sanitization of URL when written from a web content to prevent web content from
exploiting the URL parser of other applications in the system particularly of those that actively monitor
system pasteboard (a.k.a. clipboard on non-Cocoa platforms) and decode or otherwise process URLs.

Because the Web compatibility requires that DataTransfer exposes the original URL to any document in the
same origin as the one which wrote the URL into the pasteboard, we store a string which uniquely identifies
the origin of an originating document into our custom pasteboard data. Note that we expose any URL which
didn't come from WebKit since we don't expect URLs to reveal privacy sensitive information. We use UUID for
the origin identifier of a null origin document.

An alternative approach is to store the pasteboard data from the same origin into the document and invalidate
it when the system pasteboard changes. However, Pasteboard object cannot know about Document (as Pasteboard
is a platform object and Document is a WebCore object), this turns out be quite tricky as there are multiple
places where we create Pasteboard objects, and they all need to be aware of this special same origin
Pasteboard object that hangs off of Document. Also, this approach would result in the same origin code paths
to diverge between null origin and non-null origin documents.

Tests: editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document.html

editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin.html
editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin.html
editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html
http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html
CopyURL.ValidURL
CopyURL.UnescapedURL
CopyURL.MalformedURL
DataInteractionTests.DataTransferSetDataValidURL
DataInteractionTests.DataTransferSetDataUnescapedURL
DataInteractionTests.DataTransferSetDataInvalidURL

• dom/DataTransfer.cpp:

(WebCore::originForDocument): Extracted from createForCopyAndPaste.
(WebCore::DataTransfer::createForCopyAndPaste):
(WebCore::DataTransfer::getDataForItem const): Read the URL from the custom data when the originating content
is of the same origin. When the originating content is cross origin, or there is no custom data (e.g. written
by another native application; or sanitization didn't result in any difference), then callback to native value.
(WebCore::DataTransfer::setDataFromItemList): Sanitize the URL before writing it to the native pasteboard.
Store the original value if the sanitization resulted in any difference.
(WebCore::DataTransfer::types const):
(WebCore::DataTransfer::commitToPasteboard): Moved the code to write custom data to Pasteboard since we need
to write the origin string with it.
(WebCore::DataTransfer::createForDragStartEvent): Added Document as an argument to compute the origin string.
(WebCore::DataTransfer::createForDrop): Ditto.
(WebCore::DataTransfer::createForUpdatingDropTarget):
(WebCore::DataTransfer::moveDragState):

• dom/DataTransfer.h:
• dom/Document.cpp:

(WebCore::Document::uniqueIdentifier): Added. See above.

• dom/Document.h:
• editing/Editor.cpp:

(WebCore::createDataTransferForClipboardEvent):
(WebCore::dispatchClipboardEvent):

• page/DragController.cpp:

(WebCore::DragController::dispatchTextInputEventFor):

• page/EventHandler.cpp:

(WebCore::EventHandler::performDragAndDrop):
(WebCore::EventHandler::handleDrag):

• platform/Pasteboard.h:
• platform/PasteboardStrategy.h:
• platform/PlatformPasteboard.h:
• platform/StaticPasteboard.cpp:

(WebCore::StaticPasteboard::takeCustomData): Moved the logic to write to native pasteboard to DataTransfer.

• platform/StaticPasteboard.h:
• platform/cocoa/PasteboardCocoa.mm:

(WebCore::Pasteboard::typesSafeForBindings):
(WebCore::Pasteboard::readStringInCustomData): Rewritten using readCustomData. See below.
(WebCore::Pasteboard::readOrigin): Added.
(WebCore::Pasteboard::readCustomData): Added. Populates the cache. Because a single Pasteboard object is never
allowed to read values once its content is updated by other applications, we can permanently cache the result.

• platform/gtk/PasteboardGtk.cpp:

(WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
(WebCore::Pasteboard::readOrigin): Added.

• platform/gtk/PlatformPasteboardGtk.cpp:

(WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Now takes the unused origin string.

• platform/ios/PlatformPasteboardIOS.mm:

(WebCore::originKeyKeyForTeamData): Added.
(WebCore::customTypesKeyForTeamData): Added. Replaces the use of PasteboardCustomData::cocoaType() in the team
data for clarity since the team data key isn't same as the pasteboard type. We don't have to worry about the
backwards compatibility since drag & drop session doesn't persist across iOS upgrades, and there is no publicly
released iOS with this team data support.
(WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Read the origin string and the custom data
off the team data. Don't expose custom types that are written by cross origin documents.
(WebCore::PlatformPasteboard::write): Add the orign string with custom pasteboard types in the team data.
(WebCore::PlatformPasteboard::readURL): Fixed a bug that this function was not reading NSURL when UIPasteboard
serializes NSURL as a plist. This code is exercised by CopyURL.ValidURL.

• platform/mac/PlatformPasteboardMac.mm:

(WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Don't add custom pasteboard types that are
added by cross origin documents.

• platform/win/PasteboardWin.cpp:

(WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
(WebCore::Pasteboard::readOrigin): Added.

• platform/wpe/PasteboardWPE.cpp:

(WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
(WebCore::Pasteboard::readOrigin): Added.

• platform/wpe/PlatformPasteboardWPE.cpp:

(WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Now takes the unused origin string.

Source/WebKit:

Plubmed the origin identifier through IPC from Pasteboard in WebContent process to PlatformPasteboard in UIProcess.

• UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:

(WebKit::WebPasteboardProxy::typesSafeForDOMToReadAndWrite):

• UIProcess/WebPasteboardProxy.cpp:

(WebKit::WebPasteboardProxy::typesSafeForDOMToReadAndWrite):

• UIProcess/WebPasteboardProxy.h:
• UIProcess/WebPasteboardProxy.messages.in:
• WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:

(WebKit::WebPlatformStrategies::typesSafeForDOMToReadAndWrite):

• WebProcess/WebCoreSupport/WebPlatformStrategies.h:

Source/WebKitLegacy/mac:

• WebCoreSupport/WebPlatformStrategies.h:
• WebCoreSupport/WebPlatformStrategies.mm:

(WebPlatformStrategies::typesSafeForDOMToReadAndWrite):

Tools:

Added API tests for sanitizing URLs copied from web content, and that the original URL is exposed to the web content.

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm: Added.

(readURLFromPasteboard): A helper function.

• TestWebKitAPI/Tests/WebKitCocoa/copy-url.html: Added.
• TestWebKitAPI/Tests/ios/DataInteractionTests.mm:

(DataInteractionTests.DataTransferGetDataWhenDroppingCustomData): Rebaselined. ​https://www.apple.com is no longer
normalized to ​https://www.apple.com/ by NSURL / UIPasteboard as expected.
(DataInteractionTests.DataTransferSetDataValidURL): Added.
(DataInteractionTests.DataTransferSetDataUnescapedURL): Added.
(DataInteractionTests.qDataTransferSetDataInvalidURL): Added.

LayoutTests:

Added tests for copying & pasting URLs. URLs should be %-escaped and any invalid URL should be stripped away and
invisible to a cross-origin content or a null origin document but the same origin content should have access to
its original form.

• TestExpectations:
• editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document-expected.txt: Added.
• editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document.html: Added.
• editing/pasteboard/data-transfer-get-data-on-drop-custom-expected.txt: Rebaselined. We no longer normalize

"​https://www.apple.com" into "​https://www.apple.com/" by NSURL / UIPasteboard within the same origin content.

• editing/pasteboard/data-transfer-get-data-on-paste-custom-expected.txt: Ditto.
• editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin.html: Added.
• editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin-expected.txt: Added.
• editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html: Added.
• editing/pasteboard/dataTransfer-setData-getData-expected.txt: Rebaselined. More test cases are passing.
• editing/pasteboard/dataTransfer-setData-getData.html: Updated expectations as the original URL is now preserved.
• http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url-expected.txt: Added.
• http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html: Added.
• http/tests/security/clipboard/resources/copy.html: Added.
• platform/mac-wk1/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document.html (added)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-drop-custom-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-custom-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin.html (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin.html (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin-expected.txt (added)
• LayoutTests/editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html (added)
• LayoutTests/editing/pasteboard/dataTransfer-setData-getData-expected.txt (modified) (1 diff)
• LayoutTests/editing/pasteboard/dataTransfer-setData-getData.html (modified) (4 diffs)
• LayoutTests/http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url-expected.txt (added)
• LayoutTests/http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html (added)
• LayoutTests/http/tests/security/clipboard/resources/copy.html (added)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/DataTransfer.cpp (modified) (10 diffs)
• Source/WebCore/dom/DataTransfer.h (modified) (3 diffs)
• Source/WebCore/dom/Document.cpp (modified) (2 diffs)
• Source/WebCore/dom/Document.h (modified) (2 diffs)
• Source/WebCore/editing/Editor.cpp (modified) (4 diffs)
• Source/WebCore/page/DragController.cpp (modified) (1 diff)
• Source/WebCore/page/EventHandler.cpp (modified) (3 diffs)
• Source/WebCore/platform/Pasteboard.h (modified) (5 diffs)
• Source/WebCore/platform/PasteboardStrategy.h (modified) (1 diff)
• Source/WebCore/platform/PlatformPasteboard.h (modified) (1 diff)
• Source/WebCore/platform/StaticPasteboard.cpp (modified) (2 diffs)
• Source/WebCore/platform/StaticPasteboard.h (modified) (2 diffs)
• Source/WebCore/platform/cocoa/PasteboardCocoa.mm (modified) (2 diffs)
• Source/WebCore/platform/gtk/PasteboardGtk.cpp (modified) (2 diffs)
• Source/WebCore/platform/gtk/PlatformPasteboardGtk.cpp (modified) (1 diff)
• Source/WebCore/platform/ios/PlatformPasteboardIOS.mm (modified) (6 diffs)
• Source/WebCore/platform/mac/PlatformPasteboardMac.mm (modified) (1 diff)
• Source/WebCore/platform/win/PasteboardWin.cpp (modified) (2 diffs)
• Source/WebCore/platform/wpe/PasteboardWPE.cpp (modified) (2 diffs)
• Source/WebCore/platform/wpe/PlatformPasteboardWPE.cpp (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm (modified) (1 diff)
• Source/WebKit/UIProcess/WebPasteboardProxy.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebPasteboardProxy.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebPasteboardProxy.messages.in (modified) (1 diff)
• Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp (modified) (1 diff)
• Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h (modified) (1 diff)
• Source/WebKitLegacy/mac/ChangeLog (modified) (1 diff)
• Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h (modified) (1 diff)
• Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (6 diffs)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm (added)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/copy-url.html (added)
• Tools/TestWebKitAPI/Tests/ios/DataInteractionTests.mm (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-10-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Sanitize URL in pasteboard for other applications and cross origin content
+        https://bugs.webkit.org/show_bug.cgi?id=178060
+        <rdar://problem/34874518>
+
+        Reviewed by Wenson Hsieh.
+
+        Added tests for copying & pasting URLs. URLs should be %-escaped and any invalid URL should be stripped away and
+        invisible to a cross-origin content or a null origin document but the same origin content should have access to
+        its original form.
+
+        * TestExpectations:
+        * editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document-expected.txt: Added.
+        * editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document.html: Added.
+        * editing/pasteboard/data-transfer-get-data-on-drop-custom-expected.txt: Rebaselined. We no longer normalize
+        "https://www.apple.com" into "https://www.apple.com/" by NSURL / UIPasteboard within the same origin content.
+        * editing/pasteboard/data-transfer-get-data-on-paste-custom-expected.txt: Ditto.
+        * editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin.html: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin-expected.txt: Added.
+        * editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html: Added.
+        * editing/pasteboard/dataTransfer-setData-getData-expected.txt: Rebaselined. More test cases are passing.
+        * editing/pasteboard/dataTransfer-setData-getData.html: Updated expectations as the original URL is now preserved.
+        * http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url-expected.txt: Added.
+        * http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html: Added.
+        * http/tests/security/clipboard/resources/copy.html: Added.
+        * platform/mac-wk1/TestExpectations:
+
 2017-10-11  Andy Estes  <aestes@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -75 +75 @@
 editing/pasteboard/data-transfer-get-data-on-drop-url.html [ Skip ]
 editing/pasteboard/data-transfer-is-unique-for-dragenter-and-dragleave.html [ Skip ]
+editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html [ Skip ]
 editing/pasteboard/drag-end-crash-accessing-item-list.html [ Skip ]
 editing/pasteboard/data-transfer-item-list-add-file-on-drag.html [ Skip ]

trunk/LayoutTests/editing/pasteboard/data-transfer-get-data-on-drop-custom-expected.txt

@@ -15 +15 @@
         "text/html": "<b>年年年</b>",
         "bar/מקור השם עברית": "<i>מקור השם עברית</i>",
-        "text/uri-list": "https://www.apple.com/",
+        "text/uri-list": "https://www.apple.com",
         "baz/年年年": "https://www.webkit.org",
         "text/rtf": "AAAAAAAAAAA"

trunk/LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-custom-expected.txt

@@ -6 +6 @@
         "text/html": "<b>年年年</b>",
         "bar/מקור השם עברית": "<i>מקור השם עברית</i>",
-        "text/uri-list": "https://www.apple.com/",
+        "text/uri-list": "https://www.apple.com",
         "baz/年年年": "https://www.webkit.org",
         "text/rtf": "AAAAAAAAAAA"

trunk/LayoutTests/editing/pasteboard/dataTransfer-setData-getData-expected.txt

@@ -6 +6 @@
 --- Test set/get 'URL':
 PASS getDataResultType is "string"
-PASS getDataResult is "http://test.com/"
+PASS getDataResult is "http://test.com"
 --- Test set/get 'URL' with multiple URLs:
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com/. Was .
+FAIL getDataResult should be http://test.com. Was http://test.com
+http://check.com.
 --- Test set/get 'text/uri-list':
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com
-http://check.com. Was .
+PASS getDataResult is "http://test.com\r\nhttp://check.com"
 --- Test set/get 'text/uri-list' using '\n':
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com
-http://check.com. Was .
+PASS getDataResult is "http://test.com\nhttp://check.com"
 --- Test set 'text/uri-list', get 'URL':
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com/. Was .
+FAIL getDataResult should be http://test.com. Was http://test.com
+http://check.com.
 --- Test set 'URL', get 'text/uri-list':
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com
-http://check.com. Was .
+PASS getDataResult is "http://test.com\r\nhttp://check.com"
 --- Test set 'text/uri-list', get 'URL', using only '\n':
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com/. Was .
+FAIL getDataResult should be http://test.com. Was http://test.com
+http://check.com.
 --- Test set/get 'text/uri-list' with comments:
 PASS getDataResultType is "string"
-FAIL getDataResult should be # comment
-http://test.com
-http://check.com. Was .
+PASS getDataResult is "# comment\r\nhttp://test.com\r\nhttp://check.com"
 --- Test set 'text/uri-list', get 'URL' with comments:
 PASS getDataResultType is "string"
-FAIL getDataResult should be http://test.com/. Was .
+FAIL getDataResult should be http://test.com. Was # comment
+http://test.com
+http://check.com.
 --- Test set 'text/uri-list', get 'URL' with only comments:
 PASS getDataResultType is "string"
-PASS getDataResult is ""
+FAIL getDataResult should be . Was # comment
+# comment 2
+# comment 3.
 --- Test set/get 'text/plain':
 PASS getDataResultType is "string"

trunk/LayoutTests/editing/pasteboard/dataTransfer-setData-getData.html

@@ -86 +86 @@
     debug("--- Test set/get 'URL':");
     test("URL", "http://test.com", 
-         "URL", "http://test.com/");
+         "URL", "http://test.com");
 
     debug("--- Test set/get 'URL' with multiple URLs:");
     test("URL", "http://test.com\r\nhttp://check.com", 
-         "URL", "http://test.com/");
+         "URL", "http://test.com");
 
     debug("--- Test set/get 'text/uri-list':");
@@ -102 +102 @@
     debug("--- Test set 'text/uri-list', get 'URL':");
     test("text/uri-list", "http://test.com\r\nhttp://check.com", 
-         "URL", "http://test.com/");
+         "URL", "http://test.com");
 
     debug("--- Test set 'URL', get 'text/uri-list':");
@@ -110 +110 @@
     debug("--- Test set 'text/uri-list', get 'URL', using only '\\n':");
     test("text/uri-list", "http://test.com\nhttp://check.com",
-         "URL", "http://test.com/");
+         "URL", "http://test.com");
 
     debug("--- Test set/get 'text/uri-list' with comments:");
@@ -118 +118 @@
     debug("--- Test set 'text/uri-list', get 'URL' with comments:");
     test("text/uri-list", "# comment\r\nhttp://test.com\r\nhttp://check.com", 
-         "URL", "http://test.com/");
+         "URL", "http://test.com");
 
     debug("--- Test set 'text/uri-list', get 'URL' with only comments:");

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -13 +13 @@
 editing/pasteboard/data-transfer-get-data-on-drop-url.html [ Pass ]
 editing/pasteboard/data-transfer-is-unique-for-dragenter-and-dragleave.html [ Pass ]
+editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html [ Pass ]
 editing/pasteboard/drag-end-crash-accessing-item-list.html [ Pass ]
 editing/pasteboard/data-transfer-item-list-add-file-on-drag.html [ Pass ]

trunk/LayoutTests/platform/win/TestExpectations

@@ -1133 +1133 @@
 [ Debug ] editing/selection/4983858.html [ Skip ] # Debug Assertion
 [ Debug ] editing/selection/4975120.html [ Skip ] # Debug Assertion
+
+# Custom pasteboard data is not supported on Windows.
+http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html
 
 webkit.org/b/140783 [ Release ] editing/pasteboard/copy-standalone-image.html [ Failure ImageOnlyFailure ]

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-10-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Sanitize URL in pasteboard for other applications and cross origin content
+        https://bugs.webkit.org/show_bug.cgi?id=178060
+        <rdar://problem/34874518>
+
+        Reviewed by Wenson Hsieh.
+
+        This patch introduces the sanitization of URL when written from a web content to prevent web content from
+        exploiting the URL parser of other applications in the system particularly of those that actively monitor
+        system pasteboard (a.k.a. clipboard on non-Cocoa platforms) and decode or otherwise process URLs.
+
+        Because the Web compatibility requires that DataTransfer exposes the original URL to any document in the
+        same origin as the one which wrote the URL into the pasteboard, we store a string which uniquely identifies
+        the origin of an originating document into our custom pasteboard data. Note that we expose any URL which
+        didn't come from WebKit since we don't expect URLs to reveal privacy sensitive information. We use UUID for
+        the origin identifier of a null origin document.
+
+        An alternative approach is to store the pasteboard data from the same origin into the document and invalidate
+        it when the system pasteboard changes. However, Pasteboard object cannot know about Document (as Pasteboard
+        is a platform object and Document is a WebCore object), this turns out be quite tricky as there are multiple
+        places where we create Pasteboard objects, and they all need to be aware of this special same origin
+        Pasteboard object that hangs off of Document. Also, this approach would result in the same origin code paths
+        to diverge between null origin and non-null origin documents.
+
+        Tests: editing/pasteboard/data-transfer-get-data-on-copying-pasting-malformed-url-in-same-document.html
+               editing/pasteboard/data-transfer-set-data-ignore-copied-walformed-url-in-null-origin.html
+               editing/pasteboard/data-transfer-set-data-sanitlize-url-when-copying-in-null-origin.html
+               editing/pasteboard/data-transfer-set-data-sanitlize-url-when-dragging-in-null-origin.html
+               http/tests/security/clipboard/copy-paste-url-across-origin-sanitizes-url.html
+               CopyURL.ValidURL
+               CopyURL.UnescapedURL
+               CopyURL.MalformedURL
+               DataInteractionTests.DataTransferSetDataValidURL
+               DataInteractionTests.DataTransferSetDataUnescapedURL
+               DataInteractionTests.DataTransferSetDataInvalidURL
+
+        * dom/DataTransfer.cpp:
+        (WebCore::originForDocument): Extracted from createForCopyAndPaste.
+        (WebCore::DataTransfer::createForCopyAndPaste):
+        (WebCore::DataTransfer::getDataForItem const): Read the URL from the custom data when the originating content
+        is of the same origin. When the originating content is cross origin, or there is no custom data (e.g. written
+        by another native application; or sanitization didn't result in any difference), then callback to native value.
+        (WebCore::DataTransfer::setDataFromItemList): Sanitize the URL before writing it to the native pasteboard.
+        Store the original value if the sanitization resulted in any difference.
+        (WebCore::DataTransfer::types const):
+        (WebCore::DataTransfer::commitToPasteboard): Moved the code to write custom data to Pasteboard since we need
+        to write the origin string with it.
+        (WebCore::DataTransfer::createForDragStartEvent): Added Document as an argument to compute the origin string.
+        (WebCore::DataTransfer::createForDrop): Ditto.
+        (WebCore::DataTransfer::createForUpdatingDropTarget):
+        (WebCore::DataTransfer::moveDragState):
+        * dom/DataTransfer.h:
+        * dom/Document.cpp:
+        (WebCore::Document::uniqueIdentifier): Added. See above.
+        * dom/Document.h:
+        * editing/Editor.cpp:
+        (WebCore::createDataTransferForClipboardEvent):
+        (WebCore::dispatchClipboardEvent):
+        * page/DragController.cpp:
+        (WebCore::DragController::dispatchTextInputEventFor):
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::performDragAndDrop):
+        (WebCore::EventHandler::handleDrag):
+        * platform/Pasteboard.h:
+        * platform/PasteboardStrategy.h:
+        * platform/PlatformPasteboard.h:
+        * platform/StaticPasteboard.cpp:
+        (WebCore::StaticPasteboard::takeCustomData): Moved the logic to write to native pasteboard to DataTransfer.
+        * platform/StaticPasteboard.h:
+        * platform/cocoa/PasteboardCocoa.mm:
+        (WebCore::Pasteboard::typesSafeForBindings):
+        (WebCore::Pasteboard::readStringInCustomData): Rewritten using readCustomData. See below.
+        (WebCore::Pasteboard::readOrigin): Added.
+        (WebCore::Pasteboard::readCustomData): Added. Populates the cache. Because a single Pasteboard object is never
+        allowed to read values once its content is updated by other applications, we can permanently cache the result.
+        * platform/gtk/PasteboardGtk.cpp:
+        (WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
+        (WebCore::Pasteboard::readOrigin): Added.
+        * platform/gtk/PlatformPasteboardGtk.cpp:
+        (WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Now takes the unused origin string.
+        * platform/ios/PlatformPasteboardIOS.mm:
+        (WebCore::originKeyKeyForTeamData): Added.
+        (WebCore::customTypesKeyForTeamData): Added. Replaces the use of PasteboardCustomData::cocoaType() in the team
+        data for clarity since the team data key isn't same as the pasteboard type. We don't have to worry about the
+        backwards compatibility since drag & drop session doesn't persist across iOS upgrades, and there is no publicly
+        released iOS with this team data support.
+        (WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Read the origin string and the custom data
+        off the team data. Don't expose custom types that are written by cross origin documents.
+        (WebCore::PlatformPasteboard::write): Add the orign string with custom pasteboard types in the team data.
+        (WebCore::PlatformPasteboard::readURL): Fixed a bug that this function was not reading NSURL when UIPasteboard
+        serializes NSURL as a plist. This code is exercised by CopyURL.ValidURL.
+        * platform/mac/PlatformPasteboardMac.mm:
+        (WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Don't add custom pasteboard types that are
+        added by cross origin documents.
+        * platform/win/PasteboardWin.cpp:
+        (WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
+        (WebCore::Pasteboard::readOrigin): Added.
+        * platform/wpe/PasteboardWPE.cpp:
+        (WebCore::Pasteboard::typesSafeForBindings): Now takes the unused origin string.
+        (WebCore::Pasteboard::readOrigin): Added.
+        * platform/wpe/PlatformPasteboardWPE.cpp:
+        (WebCore::PlatformPasteboard::typesSafeForDOMToReadAndWrite const): Now takes the unused origin string.
+
 2017-10-11  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/dom/DataTransfer.cpp

@@ -42 +42 @@
 #include "Settings.h"
 #include "StaticPasteboard.h"
+#include "URLParser.h"
 #include "WebCorePasteboardFileReader.h"
 
@@ -78 +79 @@
 }
 
-Ref<DataTransfer> DataTransfer::createForCopyAndPaste(StoreMode storeMode, std::unique_ptr<Pasteboard>&& pasteboard)
-{
-    return adoptRef(*new DataTransfer(storeMode, WTFMove(pasteboard)));
+static String originIdentifierForDocument(Document& document)
+{
+    auto origin = document.securityOrigin().toString();
+    if (origin == "null")
+        return document.uniqueIdentifier();
+    return origin;
+}
+
+Ref<DataTransfer> DataTransfer::createForCopyAndPaste(Document& document, StoreMode storeMode, std::unique_ptr<Pasteboard>&& pasteboard)
+{
+    auto dataTransfer = adoptRef(*new DataTransfer(storeMode, WTFMove(pasteboard)));
+    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    return dataTransfer;
 }
 
@@ -122 +133 @@
 }
 
-static bool shouldReadOrWriteTypeAsCustomData(const String& type)
-{
-    return Settings::customPasteboardDataEnabled() && !Pasteboard::isSafeTypeForDOMToReadAndWrite(type);
-}
-
 void DataTransfer::clearData(const String& type)
 {
@@ -150 +156 @@
 
     auto lowercaseType = stripLeadingAndTrailingHTMLSpaces(type).convertToASCIILowercase();
-    if (shouldReadOrWriteTypeAsCustomData(lowercaseType))
-        return m_pasteboard->readStringInCustomData(lowercaseType);
-    return m_pasteboard->readString(lowercaseType);
+    if (!Settings::customPasteboardDataEnabled())
+        return m_pasteboard->readString(lowercaseType);
+
+    bool isSameOrigin = false;
+    if (is<StaticPasteboard>(*m_pasteboard)) {
+        // StaticPasteboard is only used to stage data written by websites before being committed to the system pasteboard.
+        isSameOrigin = true;
+    } else if (!m_originIdentifier.isNull()) {
+        String originOfPasteboard = m_pasteboard->readOrigin();
+        isSameOrigin = m_originIdentifier == originOfPasteboard;
+    }
+
+    if (!isSameOrigin) {
+        if (!Pasteboard::isSafeTypeForDOMToReadAndWrite(lowercaseType))
+            return { };
+        return m_pasteboard->readString(lowercaseType);
+    }
+
+    String value = m_pasteboard->readStringInCustomData(lowercaseType);
+    if (value.isNull() && Pasteboard::isSafeTypeForDOMToReadAndWrite(lowercaseType))
+        value = m_pasteboard->readString(lowercaseType);
+    return value;
 }
 
@@ -179 +204 @@
     RELEASE_ASSERT(is<StaticPasteboard>(*m_pasteboard));
 
-    if (shouldReadOrWriteTypeAsCustomData(type))
+    if (!Settings::customPasteboardDataEnabled()) {
+        m_pasteboard->writeString(type, data);
+        return;
+    }
+
+    String sanitizedData;
+    if (type == "text/uri-list") {
+        auto url = URLParser(data).result();
+        if (url.isValid())
+            sanitizedData = url.string();
+    } else if (type == "text/plain")
+        sanitizedData = data; // Nothing to sanitize.
+
+    if (sanitizedData != data)
         downcast<StaticPasteboard>(*m_pasteboard).writeStringInCustomData(type, data);
-    else
-        m_pasteboard->writeString(type, data);
+
+    if (Pasteboard::isSafeTypeForDOMToReadAndWrite(type) && !sanitizedData.isNull())
+        m_pasteboard->writeString(type, sanitizedData);
 }
 
@@ -237 +276 @@
 
     if (m_pasteboard->containsFiles()) {
-        ASSERT(!m_pasteboard->typesSafeForBindings().contains("Files"));
+        ASSERT(!m_pasteboard->typesSafeForBindings(m_originIdentifier).contains("Files"));
         return addFilesType == AddFilesType::Yes ? Vector<String> { ASCIILiteral("Files") } : Vector<String> { };
     }
 
-    auto types = m_pasteboard->typesSafeForBindings();
+    auto types = m_pasteboard->typesSafeForBindings(m_originIdentifier);
     ASSERT(!types.contains("Files"));
     return types;
@@ -323 +362 @@
 }
 
+void DataTransfer::commitToPasteboard(Pasteboard& nativePasteboard)
+{
+    ASSERT(is<StaticPasteboard>(*m_pasteboard) && !is<StaticPasteboard>(nativePasteboard));
+    PasteboardCustomData customData = downcast<StaticPasteboard>(*m_pasteboard).takeCustomData();
+    if (Settings::customPasteboardDataEnabled()) {
+        customData.origin = m_originIdentifier;
+        nativePasteboard.writeCustomData(customData);
+        return;
+    }
+
+    for (auto& entry : customData.platformData)
+        nativePasteboard.writeString(entry.key, entry.value);
+    for (auto& entry : customData.sameOriginCustomData)
+        nativePasteboard.writeString(entry.key, entry.value);
+}
+
 #if !ENABLE(DRAG_SUPPORT)
 
@@ -354 +409 @@
 }
 
-Ref<DataTransfer> DataTransfer::createForDragStartEvent()
-{
-    return adoptRef(*new DataTransfer(StoreMode::ReadWrite, std::make_unique<StaticPasteboard>(), Type::DragAndDropData));
-}
-
-Ref<DataTransfer> DataTransfer::createForDrop(std::unique_ptr<Pasteboard>&& pasteboard, DragOperation sourceOperation, bool draggingFiles)
+Ref<DataTransfer> DataTransfer::createForDragStartEvent(Document& document)
+{
+    auto dataTransfer = adoptRef(*new DataTransfer(StoreMode::ReadWrite, std::make_unique<StaticPasteboard>(), Type::DragAndDropData));
+    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
+    return dataTransfer;
+}
+
+Ref<DataTransfer> DataTransfer::createForDrop(Document& document, std::unique_ptr<Pasteboard>&& pasteboard, DragOperation sourceOperation, bool draggingFiles)
 {
     auto dataTransfer = adoptRef(*new DataTransfer(DataTransfer::StoreMode::Readonly, WTFMove(pasteboard), draggingFiles ? Type::DragAndDropFiles : Type::DragAndDropData));
     dataTransfer->setSourceOperation(sourceOperation);
+    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
     return dataTransfer;
 }
@@ -377 +435 @@
     auto dataTransfer = adoptRef(*new DataTransfer(mode, WTFMove(pasteboard), draggingFiles ? Type::DragAndDropFiles : Type::DragAndDropData));
     dataTransfer->setSourceOperation(sourceOperation);
+    dataTransfer->m_originIdentifier = originIdentifierForDocument(document);
     return dataTransfer;
 }
@@ -590 +649 @@
     // contain data that was in the static pasteboard.
     m_pasteboard->clear();
-    downcast<StaticPasteboard>(other->pasteboard()).commitToPasteboard(*m_pasteboard);
+    other->commitToPasteboard(*m_pasteboard);
 
     m_dropEffect = other->m_dropEffect;

trunk/Source/WebCore/dom/DataTransfer.h

@@ -46 +46 @@
     enum class StoreMode { Invalid, ReadWrite, Readonly, Protected };
 
-    static Ref<DataTransfer> createForCopyAndPaste(StoreMode, std::unique_ptr<Pasteboard>&&);
+    static Ref<DataTransfer> createForCopyAndPaste(Document&, StoreMode, std::unique_ptr<Pasteboard>&&);
     static Ref<DataTransfer> createForInputEvent(const String& plainText, const String& htmlText);
 
@@ -83 +83 @@
 
     Pasteboard& pasteboard() { return *m_pasteboard; }
+    void commitToPasteboard(Pasteboard&);
 
 #if ENABLE(DRAG_SUPPORT)
     static Ref<DataTransfer> createForDrag();
-    static Ref<DataTransfer> createForDragStartEvent();
-    static Ref<DataTransfer> createForDrop(std::unique_ptr<Pasteboard>&&, DragOperation, bool draggingFiles);
+    static Ref<DataTransfer> createForDragStartEvent(Document&);
+    static Ref<DataTransfer> createForDrop(Document&, std::unique_ptr<Pasteboard>&&, DragOperation, bool draggingFiles);
     static Ref<DataTransfer> createForUpdatingDropTarget(Document&, std::unique_ptr<Pasteboard>&&, DragOperation, bool draggingFiles);
 
@@ -125 +126 @@
     Vector<Ref<File>> filesFromPasteboardAndItemList() const;
 
+    String m_originIdentifier;
     StoreMode m_storeMode;
     std::unique_ptr<Pasteboard> m_pasteboard;

trunk/Source/WebCore/dom/Document.cpp

@@ -214 +214 @@
 #include <wtf/SetForScope.h>
 #include <wtf/SystemTracing.h>
+#include <wtf/UUID.h>
 #include <wtf/text/StringBuffer.h>
 #include <yarr/RegularExpression.h>
@@ -5304 +5305 @@
 #endif
 
+String Document::uniqueIdentifier()
+{
+    if (!m_uniqueIdentifier)
+        m_uniqueIdentifier = "null:" + createCanonicalUUIDString();
+    return m_uniqueIdentifier;
+}
+
 ExceptionOr<Ref<XPathExpression>> Document::createExpression(const String& expression, RefPtr<XPathNSResolver>&& resolver)
 {

trunk/Source/WebCore/dom/Document.h

@@ -958 +958 @@
     uint64_t domTreeVersion() const { return m_domTreeVersion; }
 
+    String uniqueIdentifier();
+
     // XPathEvaluator methods
     WEBCORE_EXPORT ExceptionOr<Ref<XPathExpression>> createExpression(const String& expression, RefPtr<XPathNSResolver>&&);
@@ -1518 +1520 @@
     uint64_t m_domTreeVersion;
     static uint64_t s_globalTreeVersion;
-    
+
+    String m_uniqueIdentifier;
+
     HashSet<NodeIterator*> m_nodeIterators;
     HashSet<Range*> m_ranges;

trunk/Source/WebCore/editing/Editor.cpp

@@ -346 +346 @@
 }
 
-static Ref<DataTransfer> createDataTransferForClipboardEvent(ClipboardEventKind kind)
+static Ref<DataTransfer> createDataTransferForClipboardEvent(Document& document, ClipboardEventKind kind)
 {
     switch (kind) {
     case ClipboardEventKind::Copy:
     case ClipboardEventKind::Cut:
-        return DataTransfer::createForCopyAndPaste(DataTransfer::StoreMode::ReadWrite, std::make_unique<StaticPasteboard>());
+        return DataTransfer::createForCopyAndPaste(document, DataTransfer::StoreMode::ReadWrite, std::make_unique<StaticPasteboard>());
     case ClipboardEventKind::PasteAsPlainText:
         if (Settings::customPasteboardDataEnabled()) {
@@ -358 +358 @@
             auto pasteboard = std::make_unique<StaticPasteboard>();
             pasteboard->writeString(plainTextType, plainText);
-            return DataTransfer::createForCopyAndPaste(DataTransfer::StoreMode::Readonly, WTFMove(pasteboard));
+            return DataTransfer::createForCopyAndPaste(document, DataTransfer::StoreMode::Readonly, WTFMove(pasteboard));
         }
         FALLTHROUGH;
     case ClipboardEventKind::Paste:
-        return DataTransfer::createForCopyAndPaste(DataTransfer::StoreMode::Readonly, Pasteboard::createForCopyAndPaste());
+        return DataTransfer::createForCopyAndPaste(document, DataTransfer::StoreMode::Readonly, Pasteboard::createForCopyAndPaste());
     case ClipboardEventKind::BeforeCopy:
     case ClipboardEventKind::BeforeCut:
     case ClipboardEventKind::BeforePaste:
-        return DataTransfer::createForCopyAndPaste(DataTransfer::StoreMode::Invalid, std::make_unique<StaticPasteboard>());
+        return DataTransfer::createForCopyAndPaste(document, DataTransfer::StoreMode::Invalid, std::make_unique<StaticPasteboard>());
     }
     ASSERT_NOT_REACHED();
-    return DataTransfer::createForCopyAndPaste(DataTransfer::StoreMode::Invalid, std::make_unique<StaticPasteboard>());
+    return DataTransfer::createForCopyAndPaste(document, DataTransfer::StoreMode::Invalid, std::make_unique<StaticPasteboard>());
 }
 
@@ -381 +381 @@
         return true;
 
-    auto dataTransfer = createDataTransferForClipboardEvent(kind);
+    auto dataTransfer = createDataTransferForClipboardEvent(target->document(), kind);
 
     ClipboardEvent::Init init;
@@ -394 +394 @@
         auto pasteboard = Pasteboard::createForCopyAndPaste();
         pasteboard->clear();
-        downcast<StaticPasteboard>(dataTransfer->pasteboard()).commitToPasteboard(*pasteboard);
+        dataTransfer->commitToPasteboard(*pasteboard);
     }
 

trunk/Source/WebCore/page/DragController.cpp

@@ -507 +507 @@
     String text = m_page.dragCaretController().isContentRichlyEditable() ? emptyString() : dragData.asPlainText();
     Element* target = innerFrame->editor().findEventTargetFrom(m_page.dragCaretController().caretPosition());
+    // FIXME: What guarantees target is not null?
     return target->dispatchEvent(TextEvent::createForDrop(innerFrame->document()->domWindow(), text));
 }

trunk/Source/WebCore/page/EventHandler.cpp

@@ -2390 +2390 @@
             preventedDefault = targetFrame->eventHandler().performDragAndDrop(event, WTFMove(pasteboard), sourceOperation, draggingFiles);
     } else if (m_dragTarget) {
-        auto dataTransfer = DataTransfer::createForDrop(WTFMove(pasteboard), sourceOperation, draggingFiles);
+        auto dataTransfer = DataTransfer::createForDrop(m_dragTarget->document(), WTFMove(pasteboard), sourceOperation, draggingFiles);
         preventedDefault = dispatchDragEvent(eventNames().dropEvent, *m_dragTarget, event, dataTransfer);
         dataTransfer->makeInvalidForSecurity();
@@ -3641 +3641 @@
     if (!m_mouseDownMayStartDrag)
         return !mouseDownMayStartSelect() && !m_mouseDownMayStartAutoscroll;
-    
+    ASSERT(dragState().source);
+
     if (!ExactlyOneBitSet(dragState().type)) {
         ASSERT((dragState().type & DragSourceActionSelection));
@@ -3678 +3679 @@
     
     if (dragState().shouldDispatchEvents) {
-        auto dragStartDataTransfer = DataTransfer::createForDragStartEvent();
+        ASSERT(dragState().source);
+        auto dragStartDataTransfer = DataTransfer::createForDragStartEvent(dragState().source->document());
         m_mouseDownMayStartDrag = dispatchDragStartEventOnSourceElement(dragStartDataTransfer);
         hasNonDefaultPasteboardData = dragStartDataTransfer->pasteboard().hasData() ? HasNonDefaultPasteboardData::Yes : HasNonDefaultPasteboardData::No;

trunk/Source/WebCore/platform/Pasteboard.h

@@ -194 +194 @@
 
     virtual bool hasData();
-    virtual Vector<String> typesSafeForBindings();
+    virtual Vector<String> typesSafeForBindings(const String& origin);
     virtual Vector<String> typesForLegacyUnsafeBindings();
+    virtual String readOrigin();
     virtual String readString(const String& type);
     virtual String readStringInCustomData(const String& type);
@@ -212 +213 @@
     virtual void write(const PasteboardWebContent&);
 
+    virtual void writeCustomData(const PasteboardCustomData&);
+
     virtual bool containsFiles();
     virtual bool canSmartReplace();
@@ -251 +254 @@
     const String& name() const { return m_pasteboardName; }
     long changeCount() const;
+    const PasteboardCustomData& readCustomData();
 #endif
 
@@ -262 +266 @@
 #endif
 
-    void writeCustomData(const PasteboardCustomData&);
-
 private:
 #if PLATFORM(IOS)
@@ -296 +298 @@
     String m_pasteboardName;
     long m_changeCount;
+    std::optional<PasteboardCustomData> m_customDataCache;
 #endif
 

trunk/Source/WebCore/platform/PasteboardStrategy.h

@@ -73 +73 @@
 #endif
 
-    virtual Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName) = 0;
+    virtual Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin) = 0;
     virtual long writeCustomData(const PasteboardCustomData&, const String& pasteboardName) = 0;
 

trunk/Source/WebCore/platform/PlatformPasteboard.h

@@ -96 +96 @@
 
     WEBCORE_EXPORT long write(const PasteboardCustomData&);
-    WEBCORE_EXPORT Vector<String> typesSafeForDOMToReadAndWrite() const;
+    WEBCORE_EXPORT Vector<String> typesSafeForDOMToReadAndWrite(const String& origin) const;
 
 #if PLATFORM(GTK)

trunk/Source/WebCore/platform/StaticPasteboard.cpp

@@ -26 +26 @@
 #include "config.h"
 #include "StaticPasteboard.h"
-
-#include "Settings.h"
-#include "SharedBuffer.h"
 
 namespace WebCore {
@@ -86 +83 @@
 }
 
-void StaticPasteboard::commitToPasteboard(Pasteboard& pasteboard)
+PasteboardCustomData StaticPasteboard::takeCustomData()
 {
-    if (m_platformData.isEmpty() && m_customData.isEmpty())
-        return;
-
-    if (Settings::customPasteboardDataEnabled()) {
-        pasteboard.writeCustomData({ { }, WTFMove(m_types), WTFMove(m_platformData), WTFMove(m_customData) });
-        return;
-    }
-
-    for (auto& entry : m_platformData)
-        pasteboard.writeString(entry.key, entry.value);
-    for (auto& entry : m_customData)
-        pasteboard.writeString(entry.key, entry.value);
+    return { { }, WTFMove(m_types), WTFMove(m_platformData), WTFMove(m_customData) };
 }
 

trunk/Source/WebCore/platform/StaticPasteboard.h

@@ -37 +37 @@
     StaticPasteboard();
 
-    void commitToPasteboard(Pasteboard&);
+    PasteboardCustomData takeCustomData();
 
     bool isStatic() const final { return true; }
 
     bool hasData() final;
-    Vector<String> typesSafeForBindings() final { return m_types; }
+    Vector<String> typesSafeForBindings(const String&) final { return m_types; }
     Vector<String> typesForLegacyUnsafeBindings() final { return m_types; }
+    String readOrigin() final { return { }; }
     String readString(const String& type) final;
     String readStringInCustomData(const String& type) final;
@@ -58 +59 @@
     void write(const PasteboardImage&) final { }
     void write(const PasteboardWebContent&) final { }
+
+    void writeCustomData(const PasteboardCustomData&) final { }
 
     bool containsFiles() final { return false; }

trunk/Source/WebCore/platform/cocoa/PasteboardCocoa.mm

@@ -144 +144 @@
 }
 
-Vector<String> Pasteboard::typesSafeForBindings()
-{
-    Vector<String> types = platformStrategies()->pasteboardStrategy()->typesSafeForDOMToReadAndWrite(m_pasteboardName);
+Vector<String> Pasteboard::typesSafeForBindings(const String& origin)
+{
+    Vector<String> types = platformStrategies()->pasteboardStrategy()->typesSafeForDOMToReadAndWrite(m_pasteboardName, origin);
 
     // Enforce changeCount ourselves for security. We check after reading instead of before to be
@@ -217 +217 @@
 String Pasteboard::readStringInCustomData(const String& type)
 {
-    auto buffer = readBufferForTypeWithSecurityCheck(PasteboardCustomData::cocoaType());
-    if (!buffer)
-        return { };
-
-    // Enforce changeCount ourselves for security. We check after reading instead of before to be
-    // sure it doesn't change between our testing the change count and accessing the data.
-    if (m_changeCount != platformStrategies()->pasteboardStrategy()->changeCount(m_pasteboardName))
-        return { };
-
-    return PasteboardCustomData::fromSharedBuffer(*buffer).sameOriginCustomData.get(type);
+    return readCustomData().sameOriginCustomData.get(type);
+}
+
+String Pasteboard::readOrigin()
+{
+    return readCustomData().origin;
+}
+
+const PasteboardCustomData& Pasteboard::readCustomData()
+{
+    if (m_customDataCache)
+        return *m_customDataCache;
+
+    if (auto buffer = readBufferForTypeWithSecurityCheck(PasteboardCustomData::cocoaType()))
+        m_customDataCache = PasteboardCustomData::fromSharedBuffer(*buffer);
+    else
+        m_customDataCache = PasteboardCustomData { };
+    return *m_customDataCache; 
 }
 

trunk/Source/WebCore/platform/gtk/PasteboardGtk.cpp

@@ -256 +256 @@
 }
 
-Vector<String> Pasteboard::typesSafeForBindings()
+Vector<String> Pasteboard::typesSafeForBindings(const String&)
 {
     notImplemented(); // webkit.org/b/177633: [GTK] Move to new Pasteboard API
@@ -285 +285 @@
 
     return types;
+}
+
+String Pasteboard::readOrigin()
+{
+    notImplemented(); // webkit.org/b/177633: [GTK] Move to new Pasteboard API
+    return { };
 }
 

trunk/Source/WebCore/platform/gtk/PlatformPasteboardGtk.cpp

@@ -47 +47 @@
 }
 
-Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite() const
+Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite(const String&) const
 {
     return { };

trunk/Source/WebCore/platform/ios/PlatformPasteboardIOS.mm

@@ -344 +344 @@
 }
 
-Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite() const
+static const char originKeyForTeamData[] = "com.apple.WebKit.drag-and-drop-team-data.origin";
+static const char customTypesKeyForTeamData[] = "com.apple.WebKit.drag-and-drop-team-data.custom-types";
+
+Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite(const String& origin) const
 {
     ListHashSet<String> domPasteboardTypes;
@@ -355 +358 @@
             continue;
 
-        id customTypes = [(NSDictionary *)teamDataObject objectForKey:@(PasteboardCustomData::cocoaType())];
+        id originInTeamData = [(NSDictionary *)teamDataObject objectForKey:@(originKeyForTeamData)];
+        if (![originInTeamData isKindOfClass:[NSString class]])
+            continue;
+        if (String((NSString *)originInTeamData) != origin)
+            continue;
+
+        id customTypes = [(NSDictionary *)teamDataObject objectForKey:@(customTypesKeyForTeamData)];
         if (![customTypes isKindOfClass:[NSArray class]])
             continue;
@@ -364 +373 @@
 
     if (NSData *serializedCustomData = [m_pasteboard dataForPasteboardType:@(PasteboardCustomData::cocoaType())]) {
-        auto buffer = SharedBuffer::create(serializedCustomData);
-        for (auto& type : PasteboardCustomData::fromSharedBuffer(buffer.get()).orderedTypes)
-            domPasteboardTypes.add(type);
+        auto data = PasteboardCustomData::fromSharedBuffer(SharedBuffer::create(serializedCustomData).get());
+        if (data.origin == origin) {
+            for (auto& type : data.orderedTypes)
+                domPasteboardTypes.add(type);
+        }
     }
 
@@ -403 +414 @@
             for (auto& type : data.orderedTypes)
                 [typesAsNSArray addObject:type];
-            [representationsToRegister setTeamData:[NSKeyedArchiver archivedDataWithRootObject:@{ @(PasteboardCustomData::cocoaType()) : typesAsNSArray }]];
+            [representationsToRegister setTeamData:[NSKeyedArchiver archivedDataWithRootObject:@{
+                @(originKeyForTeamData) : data.origin, @(customTypesKeyForTeamData) : typesAsNSArray }]];
             [representationsToRegister addData:serializedSharedBuffer.get() forType:@(PasteboardCustomData::cocoaType())];
         }
@@ -449 +461 @@
 }
 
-Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite() const
+Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite(const String&) const
 {
     return { };
@@ -517 +529 @@
 {
     NSIndexSet *indexSet = [NSIndexSet indexSetWithIndex:index];
-
     RetainPtr<NSArray> pasteboardItem = [m_pasteboard valuesForPasteboardType:type inItemSet:indexSet];
 
     if (![pasteboardItem count])
-        return URL();
+        return { };
 
     id value = [pasteboardItem objectAtIndex:0];
-    ASSERT([value isKindOfClass:[NSURL class]]);
-    if (![value isKindOfClass:[NSURL class]])
-        return URL();
-
-    if (!allowReadingURLAtIndex((NSURL *)value, index))
+    NSURL *url = nil;
+    if ([value isKindOfClass:[NSData class]]) {
+        id plist = [NSPropertyListSerialization propertyListWithData:(NSData *)value options:NSPropertyListImmutable format:NULL error:NULL];
+        if (![plist isKindOfClass:[NSArray class]])
+            return { };
+        NSArray *plistArray = (NSArray *)plist;
+        if (plistArray.count < 2)
+            return { };
+        if (plistArray.count == 2)
+            url = [NSURL URLWithString:plistArray[0]];
+        else // The first string is the relative URL.
+            url = [NSURL URLWithString:plistArray[0] relativeToURL:[NSURL URLWithString:plistArray[1]]];
+    } else {
+        ASSERT([value isKindOfClass:[NSURL class]]);
+        if (![value isKindOfClass:[NSURL class]])
+            return { };
+        url = (NSURL *)value;
+    }
+
+    if (!allowReadingURLAtIndex(url, index))
         return { };
 
 #if PLATFORM(IOS) && !(PLATFORM(WATCHOS) || PLATFORM(APPLETV))
-    title = [value _title];
+    title = [url _title];
 #else
     UNUSED_PARAM(title);
 #endif
 
-    return (NSURL *)value;
+    return url;
 }
 

trunk/Source/WebCore/platform/mac/PlatformPasteboardMac.mm

@@ -108 +108 @@
 }
 
-Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite() const
+Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite(const String& origin) const
 {
     ListHashSet<String> domPasteboardTypes;
     if (NSData *serializedCustomData = [m_pasteboard dataForType:@(PasteboardCustomData::cocoaType())]) {
-        auto buffer = SharedBuffer::create(serializedCustomData);
-        for (auto& type : PasteboardCustomData::fromSharedBuffer(buffer.get()).orderedTypes)
-            domPasteboardTypes.add(type);
+        auto data = PasteboardCustomData::fromSharedBuffer(SharedBuffer::create(serializedCustomData).get());
+        if (data.origin == origin) {
+            for (auto& type : data.orderedTypes)
+                domPasteboardTypes.add(type);
+        }
     }
 

trunk/Source/WebCore/platform/win/PasteboardWin.cpp

@@ -238 +238 @@
 }
 
-Vector<String> Pasteboard::typesSafeForBindings()
+Vector<String> Pasteboard::typesSafeForBindings(const String&)
 {
     notImplemented();
@@ -276 +276 @@
     copyToVector(results, vector);
     return vector;
+}
+
+String Pasteboard::readOrigin()
+{
+    notImplemented();
+    return { };
 }
 

trunk/Source/WebCore/platform/wpe/PasteboardWPE.cpp

@@ -50 +50 @@
 }
 
-Vector<String> Pasteboard::typesSafeForBindings()
+Vector<String> Pasteboard::typesSafeForBindings(const String&)
 {
     notImplemented();
@@ -61 +61 @@
     platformStrategies()->pasteboardStrategy()->getTypes(types);
     return types;
+}
+
+String Pasteboard::readOrigin()
+{
+    notImplemented(); // webkit.org/b/177633: [GTK] Move to new Pasteboard API
+    return { };
 }
 

trunk/Source/WebCore/platform/wpe/PlatformPasteboardWPE.cpp

@@ -117 +117 @@
 }
 
-Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite() const
+Vector<String> PlatformPasteboard::typesSafeForDOMToReadAndWrite(const String&) const
 {
     return { };

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2017-10-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Sanitize URL in pasteboard for other applications and cross origin content
+        https://bugs.webkit.org/show_bug.cgi?id=178060
+        <rdar://problem/34874518>
+
+        Reviewed by Wenson Hsieh.
+
+        Plubmed the origin identifier through IPC from Pasteboard in WebContent process to PlatformPasteboard in UIProcess.
+
+        * UIProcess/Cocoa/WebPasteboardProxyCocoa.mm:
+        (WebKit::WebPasteboardProxy::typesSafeForDOMToReadAndWrite):
+        * UIProcess/WebPasteboardProxy.cpp:
+        (WebKit::WebPasteboardProxy::typesSafeForDOMToReadAndWrite):
+        * UIProcess/WebPasteboardProxy.h:
+        * UIProcess/WebPasteboardProxy.messages.in:
+        * WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
+        (WebKit::WebPlatformStrategies::typesSafeForDOMToReadAndWrite):
+        * WebProcess/WebCoreSupport/WebPlatformStrategies.h:
+
 2017-10-11  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/UIProcess/Cocoa/WebPasteboardProxyCocoa.mm

@@ -160 +160 @@
 }
 
-void WebPasteboardProxy::typesSafeForDOMToReadAndWrite(const String& pasteboardName, Vector<String>& types)
-{
-    types = PlatformPasteboard(pasteboardName).typesSafeForDOMToReadAndWrite();
+void WebPasteboardProxy::typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin, Vector<String>& types)
+{
+    types = PlatformPasteboard(pasteboardName).typesSafeForDOMToReadAndWrite(origin);
 }
 

trunk/Source/WebKit/UIProcess/WebPasteboardProxy.cpp

@@ -64 +64 @@
 #if !PLATFORM(COCOA)
 
-void WebPasteboardProxy::typesSafeForDOMToReadAndWrite(const String&, Vector<String>& types)
+void WebPasteboardProxy::typesSafeForDOMToReadAndWrite(const String&, const String&, Vector<String>& types)
 {
     types = { };

trunk/Source/WebKit/UIProcess/WebPasteboardProxy.h

@@ -100 +100 @@
 
     void writeCustomData(const WebCore::PasteboardCustomData&, const String& pasteboardName, uint64_t& newChangeCount);
-    void typesSafeForDOMToReadAndWrite(const String& pasteboardName, Vector<String>& types);
+    void typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin, Vector<String>& types);
 
 #if PLATFORM(GTK)

trunk/Source/WebKit/UIProcess/WebPasteboardProxy.messages.in

@@ -37 +37 @@
 
     WriteCustomData(struct WebCore::PasteboardCustomData data, String pasteboardName) -> (uint64_t changeCount)
-    TypesSafeForDOMToReadAndWrite(String pasteboardName) -> (Vector<String> types)
+    TypesSafeForDOMToReadAndWrite(String pasteboardName, String origin) -> (Vector<String> types)
 
 #if PLATFORM(COCOA)

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp

@@ -406 +406 @@
 #endif // PLATFORM(WPE)
 
-Vector<String> WebPlatformStrategies::typesSafeForDOMToReadAndWrite(const String& pasteboardName)
+Vector<String> WebPlatformStrategies::typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin)
 {
     Vector<String> types;
-    WebProcess::singleton().parentProcessConnection()->sendSync(Messages::WebPasteboardProxy::TypesSafeForDOMToReadAndWrite(pasteboardName), Messages::WebPasteboardProxy::TypesSafeForDOMToReadAndWrite::Reply(types), 0);
+    WebProcess::singleton().parentProcessConnection()->sendSync(Messages::WebPasteboardProxy::TypesSafeForDOMToReadAndWrite(pasteboardName, origin), Messages::WebPasteboardProxy::TypesSafeForDOMToReadAndWrite::Reply(types), 0);
     return types;
 }

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h

@@ -98 +98 @@
 #endif
 
-    Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName) override;
+    Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin) override;
     long writeCustomData(const WebCore::PasteboardCustomData&, const String&) override;
 };

trunk/Source/WebKitLegacy/mac/ChangeLog

@@ +1 @@
+2017-10-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Sanitize URL in pasteboard for other applications and cross origin content
+        https://bugs.webkit.org/show_bug.cgi?id=178060
+        <rdar://problem/34874518>
+
+        Reviewed by Wenson Hsieh.
+
+        * WebCoreSupport/WebPlatformStrategies.h:
+        * WebCoreSupport/WebPlatformStrategies.mm:
+        (WebPlatformStrategies::typesSafeForDOMToReadAndWrite):
+
 2017-10-11  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h

@@ -82 +82 @@
 
     long writeCustomData(const WebCore::PasteboardCustomData&, const String& pasteboardName) override;
-    Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName) override;
+    Vector<String> typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin) override;
 
     long addTypes(const Vector<String>& pasteboardTypes, const String& pasteboardName) override;

trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm

@@ -179 +179 @@
 }
 
-Vector<String> WebPlatformStrategies::typesSafeForDOMToReadAndWrite(const String& pasteboardName)
-{
-    return PlatformPasteboard(pasteboardName).typesSafeForDOMToReadAndWrite();
+Vector<String> WebPlatformStrategies::typesSafeForDOMToReadAndWrite(const String& pasteboardName, const String& origin)
+{
+    return PlatformPasteboard(pasteboardName).typesSafeForDOMToReadAndWrite(origin);
 }
 

trunk/Tools/ChangeLog

@@ +1 @@
+2017-10-11  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Sanitize URL in pasteboard for other applications and cross origin content
+        https://bugs.webkit.org/show_bug.cgi?id=178060
+        <rdar://problem/34874518>
+
+        Reviewed by Wenson Hsieh.
+
+        Added API tests for sanitizing URLs copied from web content, and that the original URL is exposed to the web content.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/CopyURL.mm: Added.
+        (readURLFromPasteboard): A helper function.
+        * TestWebKitAPI/Tests/WebKitCocoa/copy-url.html: Added.
+        * TestWebKitAPI/Tests/ios/DataInteractionTests.mm:
+        (DataInteractionTests.DataTransferGetDataWhenDroppingCustomData): Rebaselined. https://www.apple.com is no longer
+        normalized to https://www.apple.com/ by NSURL / UIPasteboard as expected.
+        (DataInteractionTests.DataTransferSetDataValidURL): Added.
+        (DataInteractionTests.DataTransferSetDataUnescapedURL): Added.
+        (DataInteractionTests.qDataTransferSetDataInvalidURL): Added.
+
 2017-10-11  Chris Dumez  <cdumez@apple.com>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -546 +546 @@
                 9B270FEE1DDC2C0B002D53F3 /* closed-shadow-tree-test.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B270FED1DDC25FD002D53F3 /* closed-shadow-tree-test.html */; };
                 9B4F8FA7159D52DD002D9F94 /* HTMLCollectionNamedItem.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B4F8FA6159D52CA002D9F94 /* HTMLCollectionNamedItem.html */; };
+                9B62630C1F8C25C8007EE29B /* copy-url.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B62630B1F8C2510007EE29B /* copy-url.html */; };
+                9B7A37C41F8AEBA5004AA228 /* CopyURL.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */; };
                 9B7D740F1F8378770006C432 /* paste-rtfd.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B7D740E1F8377E60006C432 /* paste-rtfd.html */; };
                 9BD4239A1E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */; };
@@ -842 +844 @@
                                 CD0BD0A81F79982D001AB2CF /* ContextMenuImgWithVideo.html in Copy Resources */,
                                 5C2936961D5C00ED00DEAB1E /* CookieMessage.html in Copy Resources */,
+                                9B62630C1F8C25C8007EE29B /* copy-url.html in Copy Resources */,
                                 7AEAD4811E20122700416EFE /* CrossPartitionFileSchemeAccess.html in Copy Resources */,
                                 F4AB578A1F65165400DB0DA1 /* custom-draggable-div.html in Copy Resources */,
@@ -1510 +1513 @@
                 9B4F8FA3159D52B1002D9F94 /* HTMLCollectionNamedItem.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = HTMLCollectionNamedItem.mm; sourceTree = "<group>"; };
                 9B4F8FA6159D52CA002D9F94 /* HTMLCollectionNamedItem.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = HTMLCollectionNamedItem.html; sourceTree = "<group>"; };
+                9B62630B1F8C2510007EE29B /* copy-url.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "copy-url.html"; sourceTree = "<group>"; };
                 9B79164F1BD89D0D00D50B8F /* FirstResponderScrollingPosition.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = FirstResponderScrollingPosition.mm; sourceTree = "<group>"; };
+                9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = CopyURL.mm; sourceTree = "<group>"; };
                 9B7D740E1F8377E60006C432 /* paste-rtfd.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "paste-rtfd.html"; sourceTree = "<group>"; };
                 9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AttributedSubstringForProposedRangeWithImage.mm; sourceTree = "<group>"; };
@@ -1983 +1988 @@
                                 5C2936911D5BF63E00DEAB1E /* CookieAcceptPolicy.mm */,
                                 9999108A1F393C8B008AD455 /* Copying.mm */,
+                                9B7A37C21F8AEBA5004AA228 /* CopyURL.mm */,
                                 2DC4CF761D2D9DD800ECCC94 /* DataDetection.mm */,
                                 CEC16EA41EE863BF00DE479A /* DecidePolicyForNavigationAction.mm */,
@@ -2231 +2237 @@
                                 A16F66B91C40EA2000BD4D24 /* ContentFiltering.html */,
                                 5C2936941D5BFD1900DEAB1E /* CookieMessage.html */,
+                                9B62630B1F8C2510007EE29B /* copy-url.html */,
                                 F4AB57891F65164B00DB0DA1 /* custom-draggable-div.html */,
                                 F486B1CF1F6794FF00F34BDD /* DataTransfer-setDragImage.html */,
@@ -3224 +3231 @@
                                 51D1249B1E785425002B2820 /* CookieManager.cpp in Sources */,
                                 9999108B1F393C96008AD455 /* Copying.mm in Sources */,
+                                9B7A37C41F8AEBA5004AA228 /* CopyURL.mm in Sources */,
                                 7CCE7EAC1A411A3400447C4C /* Counters.cpp in Sources */,
                                 7AEAD47F1E20116C00416EFE /* CrossPartitionFileSchemeAccess.mm in Sources */,

trunk/Tools/TestWebKitAPI/Tests/ios/DataInteractionTests.mm

@@ -1522 +1522 @@
             @"text/html" : @"<b>bold text</b>",
             @"bar/html" : @"<i>italic text</i>",
-            @"text/uri-list" : @"https://www.apple.com/",
+            @"text/uri-list" : @"https://www.apple.com",
             @"baz/uri-list" : @"https://www.webkit.org"
         }
@@ -1646 +1646 @@
 }
 
+TEST(DataInteractionTests, DataTransferSetDataValidURL)
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 320, 500)]);
+    [webView synchronouslyLoadTestPageNamed:@"dump-datatransfer-types"];
+    auto simulator = adoptNS([[DataInteractionSimulator alloc] initWithWebView:webView.get()]);
+
+    [webView stringByEvaluatingJavaScript:@"select(rich)"];
+    [webView stringByEvaluatingJavaScript:@"customData = { 'url' : 'https://webkit.org/b/123' }"];
+    [webView stringByEvaluatingJavaScript:@"writeCustomData = true"];
+
+    __block bool done = false;
+    [simulator.get() setOverridePerformDropBlock:^NSArray<UIDragItem *> *(id <UIDropSession> session)
+    {
+        EXPECT_EQ(1UL, session.items.count);
+        auto *item = session.items[0].itemProvider;
+        EXPECT_TRUE([item.registeredTypeIdentifiers containsObject:(NSString *)kUTTypeURL]);
+        EXPECT_TRUE([item canLoadObjectOfClass: [NSURL class]]);
+        [item loadObjectOfClass:[NSURL class] completionHandler:^(id<NSItemProviderReading> url, NSError *error) {
+            EXPECT_TRUE([url isKindOfClass: [NSURL class]]);
+            EXPECT_WK_STREQ([(NSURL *)url absoluteString], @"https://webkit.org/b/123");
+            done = true;
+        }];
+        return session.items;
+    }];
+    [simulator runFrom:CGPointMake(50, 225) to:CGPointMake(50, 375)];
+
+    checkJSONWithLogging([webView stringByEvaluatingJavaScript:@"output.value"], @{
+        @"dragover": @{
+            @"text/uri-list": @"",
+        },
+        @"drop": @{
+            @"text/uri-list": @"https://webkit.org/b/123",
+        }
+    });
+    TestWebKitAPI::Util::run(&done);
+}
+
+TEST(DataInteractionTests, DataTransferSetDataUnescapedURL)
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 320, 500)]);
+    [webView synchronouslyLoadTestPageNamed:@"dump-datatransfer-types"];
+    auto simulator = adoptNS([[DataInteractionSimulator alloc] initWithWebView:webView.get()]);
+
+    [webView stringByEvaluatingJavaScript:@"select(rich)"];
+    [webView stringByEvaluatingJavaScript:@"customData = { 'url' : 'http://webkit.org/b/\u4F60\u597D;?x=8 + 6' }"];
+    [webView stringByEvaluatingJavaScript:@"writeCustomData = true"];
+
+    __block bool done = false;
+    [simulator.get() setOverridePerformDropBlock:^NSArray<UIDragItem *> *(id <UIDropSession> session)
+    {
+        EXPECT_EQ(1UL, session.items.count);
+        auto *item = session.items[0].itemProvider;
+        EXPECT_TRUE([item.registeredTypeIdentifiers containsObject:(NSString *)kUTTypeURL]);
+        EXPECT_TRUE([item canLoadObjectOfClass: [NSURL class]]);
+        [item loadObjectOfClass:[NSURL class] completionHandler:^(id<NSItemProviderReading> url, NSError *error) {
+            EXPECT_TRUE([url isKindOfClass: [NSURL class]]);
+            EXPECT_WK_STREQ([(NSURL *)url absoluteString], @"http://webkit.org/b/%E4%BD%A0%E5%A5%BD;?x=8%20+%206");
+            done = true;
+        }];
+        return session.items;
+    }];
+    [simulator runFrom:CGPointMake(50, 225) to:CGPointMake(50, 375)];
+
+    checkJSONWithLogging([webView stringByEvaluatingJavaScript:@"output.value"], @{
+        @"dragover": @{
+            @"text/uri-list": @"",
+        },
+        @"drop": @{
+            @"text/uri-list": @"http://webkit.org/b/\u4F60\u597D;?x=8 + 6",
+        }
+    });
+    TestWebKitAPI::Util::run(&done);
+}
+
+TEST(DataInteractionTests, DataTransferSetDataInvalidURL)
+{
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 320, 500)]);
+    [webView synchronouslyLoadTestPageNamed:@"dump-datatransfer-types"];
+    auto simulator = adoptNS([[DataInteractionSimulator alloc] initWithWebView:webView.get()]);
+
+    [webView stringByEvaluatingJavaScript:@"select(rich)"];
+    [webView stringByEvaluatingJavaScript:@"customData = { 'url' : 'some random string' }"];
+    [webView stringByEvaluatingJavaScript:@"writeCustomData = true"];
+
+    [simulator runFrom:CGPointMake(50, 225) to:CGPointMake(50, 375)];
+    NSArray *registeredTypes = [simulator.get().sourceItemProviders.firstObject registeredTypeIdentifiers];
+    EXPECT_FALSE([registeredTypes containsObject:(NSString *)kUTTypeURL]);
+    checkJSONWithLogging([webView stringByEvaluatingJavaScript:@"output.value"], @{
+        @"dragover": @{
+            @"text/uri-list": @"",
+        },
+        @"drop": @{
+            @"text/uri-list": @"some random string",
+        }
+    });
+}
+
 #endif // __IPHONE_OS_VERSION_MIN_REQUIRED >= 110300