Changeset 255162 in webkit

Timestamp:

Jan 27, 2020 12:54:54 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Support 'allow="fullscreen"' feature policy
​https://bugs.webkit.org/show_bug.cgi?id=206806
<rdar://problem/55640448>

Patch by Jer Noble <​jer.noble@apple.com> on 2020-01-27
Reviewed by Youenn Fablet.

Source/WebCore:

Test: http/tests/fullscreen/fullscreen-feature-policy.html

The unprefixed version of the Fullscreen API has deprecated the 'allowfullscreen' iframe
attribute in favor of the 'allow="fullscreen"' style attribute used by Feature Policy.
Add support for such, including the specified handling for the legacy 'allowfullscreen'
attribute.

Note: this patch will (intentionally) change the default behavior of <iframe>s. Previously
any <iframe> without the "allowfullscreen" attribute would not be allowed to enter fullscreen
mode. After this patch, <iframes> without the legacy attribute or an explicit fullscreen
Feature Policy will be allowed to enter fullscreen so long as their origin is the same as
the top document (and that all parent iframes are also allowed to enter fullscreen).

• dom/FullscreenManager.cpp:

(WebCore::FullscreenManager::requestFullscreenForElement):
(WebCore::FullscreenManager::isFullscreenEnabled const):
(WebCore::isAttributeOnAllOwners): Deleted.
(WebCore::FullscreenManager::fullscreenIsAllowedForElement const): Deleted.

• dom/FullscreenManager.h:
• html/FeaturePolicy.cpp:

(WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
(WebCore::FeaturePolicy::parse):
(WebCore::FeaturePolicy::allows const):

• html/FeaturePolicy.h:
• html/HTMLIFrameElement.cpp:

(WebCore::HTMLIFrameElement::parseAttribute):
(WebCore::HTMLIFrameElement::featurePolicy const):

• xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::createRequest):
(WebCore::isSyncXHRAllowedByFeaturePolicy): Deleted.

LayoutTests:

• fullscreen/full-screen-enabled-prefixed.html:
• fullscreen/full-screen-enabled.html:
• fullscreen/full-screen-frameset-expected.txt: Removed.
• fullscreen/full-screen-frameset.html: Removed.
• fullscreen/full-screen-iframe-not-allowed.html:
• fullscreen/full-screen-restrictions.html:
• http/tests/fullscreen/fullscreen-feature-policy-expected.txt: Added.
• http/tests/fullscreen/fullscreen-feature-policy.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fullscreen/full-screen-enabled-prefixed.html (modified) (1 diff)
• LayoutTests/fullscreen/full-screen-enabled.html (modified) (1 diff)
• LayoutTests/fullscreen/full-screen-frameset-expected.txt (deleted)
• LayoutTests/fullscreen/full-screen-frameset.html (deleted)
• LayoutTests/fullscreen/full-screen-iframe-not-allowed.html (modified) (1 diff)
• LayoutTests/fullscreen/full-screen-restrictions.html (modified) (1 diff)
• LayoutTests/http/tests/fullscreen/fullscreen-feature-policy-expected.txt (added)
• LayoutTests/http/tests/fullscreen/fullscreen-feature-policy.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/FullscreenManager.cpp (modified) (5 diffs)
• Source/WebCore/dom/FullscreenManager.h (modified) (1 diff)
• Source/WebCore/html/FeaturePolicy.cpp (modified) (6 diffs)
• Source/WebCore/html/FeaturePolicy.h (modified) (2 diffs)
• Source/WebCore/html/HTMLIFrameElement.cpp (modified) (2 diffs)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-01-27  Jer Noble  <jer.noble@apple.com>
+
+        Support 'allow="fullscreen"' feature policy
+        https://bugs.webkit.org/show_bug.cgi?id=206806
+        <rdar://problem/55640448>
+
+        Reviewed by Youenn Fablet.
+
+        * fullscreen/full-screen-enabled-prefixed.html:
+        * fullscreen/full-screen-enabled.html:
+        * fullscreen/full-screen-frameset-expected.txt: Removed.
+        * fullscreen/full-screen-frameset.html: Removed.
+        * fullscreen/full-screen-iframe-not-allowed.html:
+        * fullscreen/full-screen-restrictions.html:
+        * http/tests/fullscreen/fullscreen-feature-policy-expected.txt: Added.
+        * http/tests/fullscreen/fullscreen-feature-policy.html: Added.
+
 2020-01-27  Said Abou-Hallawa  <sabouhallawa@apple.com>
 

trunk/LayoutTests/fullscreen/full-screen-enabled-prefixed.html

@@ -7 +7 @@
     iframe.setAttribute('webkitallowfullscreen', 'true');
     var iframe2 = document.documentElement.appendChild(document.createElement('iframe'));
+    iframe2.setAttribute('allow', "fullscreen 'none'");
     testExpected('iframe.contentDocument.webkitFullscreenEnabled', true);
     testExpected('iframe2.contentDocument.webkitFullscreenEnabled', false);

trunk/LayoutTests/fullscreen/full-screen-enabled.html

@@ -7 +7 @@
     iframe.setAttribute('allowfullscreen', 'true');
     var iframe2 = document.documentElement.appendChild(document.createElement('iframe'));
+    iframe2.setAttribute('allow', "fullscreen 'none'");
     testExpected('iframe.contentDocument.webkitFullscreenEnabled', true);
     testExpected('iframe2.contentDocument.webkitFullscreenEnabled', false);

trunk/LayoutTests/fullscreen/full-screen-iframe-not-allowed.html

@@ -21 +21 @@
 }
 </script>
-<iframe id="frame" src="resources/inner.html" onload="runTest()">
+<iframe id="frame" src="resources/inner.html" onload="runTest()" allow="fullscreen 'none'">
 </iframe>

trunk/LayoutTests/fullscreen/full-screen-restrictions.html

@@ -19 +19 @@
             consoleWrite('"The context object\'s node document, or an ancestor browsing context\'s document does not have the fullscreen enabled flag set."')
             var iframe = document.documentElement.appendChild(document.createElement('iframe'));
+            iframe.setAttribute('allow', "fullscreen 'none'");
             var div = iframe.contentDocument.documentElement.appendChild(iframe.contentDocument.createElement('div'));
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-01-27  Jer Noble  <jer.noble@apple.com>
+
+        Support 'allow="fullscreen"' feature policy
+        https://bugs.webkit.org/show_bug.cgi?id=206806
+        <rdar://problem/55640448>
+
+        Reviewed by Youenn Fablet.
+
+        Test: http/tests/fullscreen/fullscreen-feature-policy.html
+
+        The unprefixed version of the Fullscreen API has deprecated the 'allowfullscreen' iframe
+        attribute in favor of the 'allow="fullscreen"' style attribute used by Feature Policy.
+        Add support for such, including the specified handling for the legacy 'allowfullscreen'
+        attribute.
+
+        Note: this patch will (intentionally) change the default behavior of <iframe>s. Previously
+        any <iframe> without the "allowfullscreen" attribute would not be allowed to enter fullscreen
+        mode. After this patch, <iframes> without the legacy attribute or an explicit fullscreen
+        Feature Policy will be allowed to enter fullscreen so long as their origin is the same as
+        the top document (and that all parent iframes are also allowed to enter fullscreen).
+
+        * dom/FullscreenManager.cpp:
+        (WebCore::FullscreenManager::requestFullscreenForElement):
+        (WebCore::FullscreenManager::isFullscreenEnabled const):
+        (WebCore::isAttributeOnAllOwners): Deleted.
+        (WebCore::FullscreenManager::fullscreenIsAllowedForElement const): Deleted.
+        * dom/FullscreenManager.h:
+        * html/FeaturePolicy.cpp:
+        (WebCore::isFeaturePolicyAllowedByDocumentAndAllOwners):
+        (WebCore::FeaturePolicy::parse):
+        (WebCore::FeaturePolicy::allows const):
+        * html/FeaturePolicy.h:
+        * html/HTMLIFrameElement.cpp:
+        (WebCore::HTMLIFrameElement::parseAttribute):
+        (WebCore::HTMLIFrameElement::featurePolicy const):
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::createRequest):
+        (WebCore::isSyncXHRAllowedByFeaturePolicy): Deleted.
+
 2020-01-27  Peng Liu  <peng.liu6@apple.com>
 

trunk/Source/WebCore/dom/FullscreenManager.cpp

@@ -33 +33 @@
 #include "EventNames.h"
 #include "Frame.h"
-#include "HTMLFrameOwnerElement.h"
+#include "HTMLIFrameElement.h"
 #include "HTMLMediaElement.h"
 #include "Page.h"
@@ -45 +45 @@
 using namespace HTMLNames;
 
-static bool isAttributeOnAllOwners(const QualifiedName& attribute, const QualifiedName& prefixedAttribute, const HTMLFrameOwnerElement* owner)
-{
-    if (!owner)
-        return true;
-    do {
-        if (!(owner->hasAttribute(attribute) || owner->hasAttribute(prefixedAttribute)))
-            return false;
-    } while ((owner = owner->document().ownerElement()));
-    return true;
-}
-
 FullscreenManager::FullscreenManager(Document& document)
     : m_document { document }
@@ -62 +51 @@
 
 FullscreenManager::~FullscreenManager() = default;
-
-bool FullscreenManager::fullscreenIsAllowedForElement(Element& element) const
-{
-    return isAttributeOnAllOwners(allowfullscreenAttr, webkitallowfullscreenAttr, element.document().ownerElement());
-}
 
 void FullscreenManager::requestFullscreenForElement(Element* element, FullscreenCheckType checkType)
@@ -143 +127 @@
         // The context object's node document, or an ancestor browsing context's document does not have
         // the fullscreen enabled flag set.
-        if (checkType == EnforceIFrameAllowFullscreenRequirement && !fullscreenIsAllowedForElement(*element)) {
+        if (checkType == EnforceIFrameAllowFullscreenRequirement && !isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::Fullscreen, document())) {
             failedPreflights(WTFMove(element));
             return;
@@ -346 +330 @@
 
     // Top-level browsing contexts are implied to have their allowFullscreen attribute set.
-    return isAttributeOnAllOwners(allowfullscreenAttr, webkitallowfullscreenAttr, document().ownerElement());
+    return isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::Fullscreen, document());
 }
 

trunk/Source/WebCore/dom/FullscreenManager.h

@@ -84 +84 @@
 
     void dispatchFullscreenChangeEvents();
-    bool fullscreenIsAllowedForElement(Element&) const;
     void fullscreenElementRemoved();
 

trunk/Source/WebCore/html/FeaturePolicy.cpp

@@ -28 +28 @@
 
 #include "Document.h"
+#include "HTMLIFrameElement.h"
+#include "HTMLNames.h"
 #include "HTMLParserIdioms.h"
 #include "SecurityOrigin.h"
 
 namespace WebCore {
+
+using namespace HTMLNames;
+
+bool isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type type, const Document& document)
+{
+    auto& topDocument = document.topDocument();
+    auto ancestorDocument = &document;
+    while (ancestorDocument != &topDocument) {
+        if (!ancestorDocument)
+            return false;
+
+        auto ownerElement = ancestorDocument->ownerElement();
+        if (is<HTMLIFrameElement>(ownerElement)) {
+            auto featurePolicy = downcast<HTMLIFrameElement>(ownerElement)->featurePolicy();
+            if (!featurePolicy.allows(type, ancestorDocument->securityOrigin().data()))
+                return false;
+        }
+
+        ancestorDocument = ancestorDocument->parentDocument();
+    }
+
+    return true;
+}
 
 static bool isAllowedByFeaturePolicy(const FeaturePolicy::AllowRule& rule, const SecurityOriginData& origin)
@@ -95 +120 @@
 }
 
-FeaturePolicy FeaturePolicy::parse(Document& document, StringView allowAttributeValue)
+FeaturePolicy FeaturePolicy::parse(Document& document, const HTMLIFrameElement& iframe, StringView allowAttributeValue)
 {
     FeaturePolicy policy;
@@ -102 +127 @@
     bool isDisplayCaptureInitialized = false;
     bool isSyncXHRInitialized = false;
+    bool isFullscreenInitialized = false;
     for (auto allowItem : allowAttributeValue.split(';')) {
         auto item = allowItem.stripLeadingAndTrailingMatchedCharacters(isHTMLSpace<UChar>);
@@ -124 +150 @@
             continue;
         }
-    }
-
-    // By default, camera, microphone and display-capture policy is 'self'
+        if (item.startsWith("fullscreen")) {
+            isFullscreenInitialized = true;
+            updateList(document, policy.m_fullscreenRule, item.substring(11));
+            continue;
+        }
+    }
+
+    // By default, camera, microphone, display-capture, and fullscreen policy is 'self'
     if (!isCameraInitialized)
         policy.m_cameraRule.allowedList.add(document.securityOrigin().data());
@@ -133 +164 @@
     if (!isDisplayCaptureInitialized)
         policy.m_displayCaptureRule.allowedList.add(document.securityOrigin().data());
+
+    // https://w3c.github.io/webappsec-feature-policy/#process-feature-policy-attributes
+    // 9.5 Process Feature Policy Attributes
+    // 3.1 If element’s allowfullscreen attribute is specified, and container policy does
+    //     not contain an allowlist for fullscreen,
+    if (!isFullscreenInitialized) {
+        if (iframe.hasAttribute(allowfullscreenAttr) || iframe.hasAttribute(webkitallowfullscreenAttr)) {
+            // 3.1.1 Construct a new declaration for fullscreen, whose allowlist is the special value *.
+            policy.m_fullscreenRule.type = FeaturePolicy::AllowRule::Type::All;
+        } else {
+            // https://fullscreen.spec.whatwg.org/#feature-policy-integration
+            // The default allowlist is 'self'.
+            policy.m_fullscreenRule.allowedList.add(document.securityOrigin().data());
+        }
+    }
 
     if (!isSyncXHRInitialized)
@@ -151 +197 @@
     case Type::SyncXHR:
         return isAllowedByFeaturePolicy(m_syncXHRRule, origin);
+    case Type::Fullscreen:
+        return isAllowedByFeaturePolicy(m_fullscreenRule, origin);
     }
     ASSERT_NOT_REACHED();

trunk/Source/WebCore/html/FeaturePolicy.h

@@ -33 +33 @@
 
 class Document;
+class HTMLIFrameElement;
 
 class FeaturePolicy {
 public:
-    static FeaturePolicy parse(Document&, StringView);
+    static FeaturePolicy parse(Document&, const HTMLIFrameElement&, StringView);
 
-    enum class Type { Camera, Microphone, DisplayCapture, SyncXHR };
+    enum class Type { Camera, Microphone, DisplayCapture, SyncXHR, Fullscreen };
     bool allows(Type, const SecurityOriginData&) const;
 
@@ -52 +53 @@
     AllowRule m_displayCaptureRule;
     AllowRule m_syncXHRRule;
+    AllowRule m_fullscreenRule;
 };
 
+extern bool isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type, const Document&);
+
 } // namespace WebCore

trunk/Source/WebCore/html/HTMLIFrameElement.cpp

@@ -103 +103 @@
         if (!invalidTokens.isNull())
             document().addConsoleMessage(MessageSource::Other, MessageLevel::Error, "Error while parsing the 'sandbox' attribute: " + invalidTokens);
-    } else if (name == allowAttr)
+    } else if (name == allowAttr || name == allowfullscreenAttr || name == webkitallowfullscreenAttr)
         m_featurePolicy = WTF::nullopt;
     else
@@ -139 +139 @@
 {
     if (!m_featurePolicy)
-        m_featurePolicy = FeaturePolicy::parse(document(), attributeWithoutSynchronization(allowAttr));
+        m_featurePolicy = FeaturePolicy::parse(document(), *this, attributeWithoutSynchronization(allowAttr));
     return *m_featurePolicy;
 }

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -579 +579 @@
 }
 
-static inline bool isSyncXHRAllowedByFeaturePolicy(Document& document)
-{
-    auto& topDocument = document.topDocument();
-    if (&document != &topDocument) {
-        for (auto* ancestorDocument = &document; ancestorDocument != &topDocument; ancestorDocument = ancestorDocument->parentDocument()) {
-            auto* element = ancestorDocument->ownerElement();
-            ASSERT(element);
-            if (element && is<HTMLIFrameElement>(*element)) {
-                auto& featurePolicy = downcast<HTMLIFrameElement>(*element).featurePolicy();
-                if (!featurePolicy.allows(FeaturePolicy::Type::SyncXHR, ancestorDocument->securityOrigin().data()))
-                    return false;
-            }
-        }
-    }
-    return true;
-}
-
 ExceptionOr<void> XMLHttpRequest::createRequest()
 {
@@ -669 +652 @@
             setPendingActivity(*this);
     } else {
-        if (scriptExecutionContext()->isDocument() && !isSyncXHRAllowedByFeaturePolicy(*document()))
+        if (scriptExecutionContext()->isDocument() && !isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::SyncXHR, *document()))
             return Exception { NetworkError };