Changeset 264961 in webkit
- Timestamp:
- Jul 27, 2020 5:36:59 PM (4 years ago)
- Location:
- trunk/Source/WebKit
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebKit/ChangeLog
r264957 r264961 1 2020-07-27 Kate Cheney <katherine_cheney@apple.com> 2 3 Handle full browser apps that try to use prohibited Info.plist strings 4 https://bugs.webkit.org/show_bug.cgi?id=214852 5 <rdar://problem/66023860> 6 7 Reviewed by Brent Fulgham. 8 9 Full-web browsing applications which also use prohibited Info.plist 10 strings should be restricted from using certain powerful APIs like 11 JavaScript injection. These apps will have the equivalent privileges 12 of an app that opts into App-Bound Domains with an empty 13 WKAppBoundDomains key. 14 15 No new tests. Writing a test for this would require being able to 16 change TestWebKitAPI's Info.plist between tests, which we do not 17 support. I manually tested this by adding a prohibited 18 string to the TestWebKitAPI Info.plist then verified that restricted APIs, 19 like JS injection, were blocked. 20 21 * UIProcess/WebPageProxy.cpp: 22 (isFullWebBrowser): 23 (hasProhibitedUsageStrings): 24 (WebKit::WebPageProxy::loadData): 25 (WebKit::WebPageProxy::setIsNavigatingToAppBoundDomainAndCheckIfPermitted): 26 We do not need to set m_isNavigatingToAppBoundDomain in the case where 27 a full web browser does not use prohibited strings. In this case, we 28 want m_isNavigatingToAppBoundDomain to stay as WTF::nullopt so no API 29 restriction is enabled. 30 1 31 2020-07-27 David Kilzer <ddkilzer@apple.com> 2 32 -
trunk/Source/WebKit/UIProcess/WebPageProxy.cpp
r264810 r264961 292 292 #include <WebKitAdditions/WebPageProxyAdditions.h> 293 293 #else 294 #define WEB_PAGE_PROXY_ADDITIONS_SETISNAVIGATINGTOAPPBOUNDDOMAIN true 294 static bool isFullWebBrowser() { return true; } 295 #if PLATFORM(IOS_FAMILY) 296 static bool hasProhibitedUsageStrings() { return false; } 297 #endif 295 298 #endif 296 299 … … 1394 1397 RELEASE_LOG_IF_ALLOWED(Loading, "loadData:"); 1395 1398 1396 if (MIMEType == "text/html"_s && ! WEB_PAGE_PROXY_ADDITIONS_SETISNAVIGATINGTOAPPBOUNDDOMAIN)1399 if (MIMEType == "text/html"_s && !isFullWebBrowser()) 1397 1400 m_limitsNavigationsToAppBoundDomains = true; 1398 1401 … … 3135 3138 { 3136 3139 #if PLATFORM(IOS_FAMILY) 3137 if (WEB_PAGE_PROXY_ADDITIONS_SETISNAVIGATINGTOAPPBOUNDDOMAIN) 3140 if (isFullWebBrowser()) { 3141 if (hasProhibitedUsageStrings()) 3142 m_isNavigatingToAppBoundDomain = NavigatingToAppBoundDomain::No; 3138 3143 return true; 3144 } 3139 3145 if (!isNavigatingToAppBoundDomain) { 3140 3146 m_isNavigatingToAppBoundDomain = WTF::nullopt;
Note: See TracChangeset
for help on using the changeset viewer.