Changeset 229540 in webkit

Timestamp:

Mar 12, 2018 10:53:39 AM (6 years ago)

Author:

commit-queue@webkit.org

Message:

Add a query and fragment exception to history API's unique origin restriction.
​https://bugs.webkit.org/show_bug.cgi?id=183028

Patch by Danyao Wang <​danyao@chromium.org> on 2018-03-12
Reviewed by Brent Fulgham.

Tests: http/tests/navigation/pushstate-at-unique-origin-denied.php

Tools/TestWebKitAPI/Tests/WebCore/URL.cpp

• page/History.cpp:

(WebCore::History::stateObjectAdded):

Location:

trunk

Files:

• LayoutTests/http/tests/navigation/pushstate-at-unique-origin-denied-expected.txt (added)
• LayoutTests/http/tests/navigation/pushstate-at-unique-origin-denied.php (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/History.cpp (modified) (1 diff)
• Source/WebCore/platform/URL.cpp (modified) (1 diff)
• Source/WebCore/platform/URL.h (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebCore/URL.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-03-12  Danyao Wang  <danyao@chromium.org>
+
+        Add a query and fragment exception to history API's unique origin restriction.
+        https://bugs.webkit.org/show_bug.cgi?id=183028
+
+        Reviewed by Brent Fulgham.
+
+        Tests: http/tests/navigation/pushstate-at-unique-origin-denied.php
+               Tools/TestWebKitAPI/Tests/WebCore/URL.cpp
+
+        * page/History.cpp:
+        (WebCore::History::stateObjectAdded):
+
 2018-03-12  Antti Koivisto  <antti@apple.com>
 

trunk/Source/WebCore/page/History.cpp

@@ -193 +193 @@
     if (!protocolHostAndPortAreEqual(fullURL, documentURL) || fullURL.user() != documentURL.user() || fullURL.pass() != documentURL.pass())
         return createBlockedURLSecurityErrorWithMessageSuffix("Protocols, domains, ports, usernames, and passwords must match.");
-    if (!m_frame->document()->securityOrigin().canRequest(fullURL) && (fullURL.path() != documentURL.path() || fullURL.query() != documentURL.query()))
+
+    const auto& documentSecurityOrigin = m_frame->document()->securityOrigin();
+    // We allow sandboxed documents, 'data:'/'file:' URLs, etc. to use 'pushState'/'replaceState' to modify the URL query and fragments.
+    // See https://bugs.webkit.org/show_bug.cgi?id=183028 for the compatibility concerns.
+    bool allowSandboxException = (documentSecurityOrigin.isLocal() || documentSecurityOrigin.isUnique()) && equalIgnoringQueryAndFragment(documentURL, fullURL);
+
+    if (!allowSandboxException && !documentSecurityOrigin.canRequest(fullURL) && (fullURL.path() != documentURL.path() || fullURL.query() != documentURL.query()))
         return createBlockedURLSecurityErrorWithMessageSuffix("Paths and fragments must match for a sandboxed document.");
 

trunk/Source/WebCore/platform/URL.cpp

@@ -727 +727 @@
         if (a.string()[i] != b.string()[i])
             return false;
+    return true;
+}
+
+bool equalIgnoringQueryAndFragment(const URL& a, const URL& b)
+{
+    if (a.pathEnd() != b.pathEnd())
+        return false;
+    unsigned pathEnd = a.pathEnd();
+    for (unsigned i = 0; i < pathEnd; ++i) {
+        if (a.string()[i] != b.string()[i])
+            return false;
+    }
     return true;
 }

trunk/Source/WebCore/platform/URL.h

@@ -310 +310 @@
 
 WEBCORE_EXPORT bool equalIgnoringFragmentIdentifier(const URL&, const URL&);
+WEBCORE_EXPORT bool equalIgnoringQueryAndFragment(const URL&, const URL&);
 WEBCORE_EXPORT bool protocolHostAndPortAreEqual(const URL&, const URL&);
 WEBCORE_EXPORT bool hostsAreEqual(const URL&, const URL&);

trunk/Tools/TestWebKitAPI/Tests/WebCore/URL.cpp

@@ -214 +214 @@
 }
 
+TEST_F(URLTest, EqualIgnoringFragmentIdentifier)
+{
+    struct TestCase {
+        const char* url1;
+        const char* url2;
+        bool expected;
+    } cases[] = {
+        {"http://example.com/", "http://example.com/", true},
+        {"http://example.com/#hash", "http://example.com/", true},
+        {"http://example.com/path", "http://example.com/", false},
+        {"http://example.com/path", "http://example.com/path", true},
+        {"http://example.com/path#hash", "http://example.com/path", true},
+        {"http://example.com/path?query", "http://example.com/path", false},
+        {"http://example.com/path?query#hash", "http://example.com/path", false},
+        {"http://example.com/otherpath", "http://example.com/path", false},
+        {"http://example.com:80/", "http://example.com/", true},
+        {"http://example.com:80/#hash", "http://example.com/", true},
+        {"http://example.com:80/path", "http://example.com/", false},
+        {"http://example.com:80/path#hash", "http://example.com/path", true},
+        {"http://example.com:80/path?query", "http://example.com/path", false},
+        {"http://example.com:80/path?query#hash", "http://example.com/path", false},
+        {"http://example.com:80/otherpath", "http://example.com/path", false},
+        {"http://not-example.com:80/", "http://example.com/", false},
+        {"http://example.com:81/", "http://example.com/", false},
+        {"http://example.com:81/#hash", "http://example.com:81/", true},
+        {"http://example.com:81/path", "http://example.com:81", false},
+        {"http://example.com:81/path#hash", "http://example.com:81/path", true},
+        {"http://example.com:81/path?query", "http://example.com:81/path", false},
+        {"http://example.com:81/path?query#hash", "http://example.com:81/path", false},
+        {"http://example.com:81/otherpath", "http://example.com:81/path", false},
+        {"file:///path/to/file.html", "file:///path/to/file.html", true},
+        {"file:///path/to/file.html#hash", "file:///path/to/file.html", true},
+        {"file:///path/to/file.html?query", "file:///path/to/file.html", false},
+        {"file:///path/to/file.html?query#hash", "file:///path/to/file.html", false},
+        {"file:///path/to/other_file.html", "file:///path/to/file.html", false},
+        {"file:///path/to/other/file.html", "file:///path/to/file.html", false},
+        {"data:text/plain;charset=utf-8;base64,76O/76O/76O/", "data:text/plain;charset=utf-8;base64,760/760/760/", false},
+        {"http://example.com", "file://example.com", false},
+        {"http://example.com/#hash", "file://example.com", false},
+        {"http://example.com/?query", "file://example.com/", false},
+        {"http://example.com/?query#hash", "file://example.com/", false},
+    };
+
+    for (const auto& test : cases) {
+        URL url1 = createURL(test.url1);
+        URL url2 = createURL(test.url2);
+        EXPECT_EQ(test.expected, equalIgnoringFragmentIdentifier(url1, url2))
+            << "Test failed for " << test.url1 << " vs. " << test.url2;
+    }
+}
+
+TEST_F(URLTest, EqualIgnoringQueryAndFragment)
+{
+    struct TestCase {
+        const char* url1;
+        const char* url2;
+        bool expected;
+    } cases[] = {
+        {"http://example.com/", "http://example.com/", true},
+        {"http://example.com/#hash", "http://example.com/", true},
+        {"http://example.com/path", "http://example.com/", false},
+        {"http://example.com/path", "http://example.com/path", true},
+        {"http://example.com/path#hash", "http://example.com/path", true},
+        {"http://example.com/path?query", "http://example.com/path", true},
+        {"http://example.com/path?query#hash", "http://example.com/path", true},
+        {"http://example.com/otherpath", "http://example.com/path", false},
+        {"http://example.com:80/", "http://example.com/", true},
+        {"http://example.com:80/#hash", "http://example.com/", true},
+        {"http://example.com:80/path", "http://example.com/", false},
+        {"http://example.com:80/path#hash", "http://example.com/path", true},
+        {"http://example.com:80/path?query", "http://example.com/path", true},
+        {"http://example.com:80/path?query#hash", "http://example.com/path", true},
+        {"http://example.com:80/otherpath", "http://example.com/path", false},
+        {"http://not-example.com:80/", "http://example.com:80/", false},
+        {"http://example.com:81/", "http://example.com/", false},
+        {"http://example.com:81/#hash", "http://example.com:81/", true},
+        {"http://example.com:81/path", "http://example.com:81", false},
+        {"http://example.com:81/path#hash", "http://example.com:81/path", true},
+        {"http://example.com:81/path?query", "http://example.com:81/path", true},
+        {"http://example.com:81/path?query#hash", "http://example.com:81/path", true},
+        {"http://example.com:81/otherpath", "http://example.com:81/path", false},
+        {"file:///path/to/file.html", "file:///path/to/file.html", true},
+        {"file:///path/to/file.html#hash", "file:///path/to/file.html", true},
+        {"file:///path/to/file.html?query", "file:///path/to/file.html", true},
+        {"file:///path/to/file.html?query#hash", "file:///path/to/file.html", true},
+        {"file:///path/to/other_file.html", "file:///path/to/file.html", false},
+        {"file:///path/to/other/file.html", "file:///path/to/file.html", false},
+        {"data:text/plain;charset=utf-8;base64,76O/76O/76O/", "data:text/plain;charset=utf-8;base64,760/760/760/", false},
+        {"http://example.com", "file://example.com", false},
+        {"http://example.com/#hash", "file://example.com", false},
+        {"http://example.com/?query", "file://example.com/", false},
+        {"http://example.com/?query#hash", "file://example.com/", false},
+    };
+
+    for (const auto& test : cases) {
+        URL url1 = createURL(test.url1);
+        URL url2 = createURL(test.url2);
+        EXPECT_EQ(test.expected, equalIgnoringQueryAndFragment(url1, url2))
+            << "Test failed for " << test.url1 << " vs. " << test.url2;
+    }
+}
+
 TEST_F(URLTest, ProtocolIsInHTTPFamily)
 {