Context Navigation

← Previous Changeset
Next Changeset →

Changeset 37317 in webkit

Timestamp:

Oct 5, 2008 12:12:30 PM (16 years ago)

Author:

abarth@webkit.org

Message:

WebCore:

2008-10-04 Adam Barth <abarth@webkit.org>

Reviewed by Darin Alder.

Attach the Origin header to POST requests to help defend against
cross-site request forgery.

https://bugs.webkit.org/show_bug.cgi?id=20792

Collin Jackson <collinj@webkit.org> also contributed to this patch.

Tests: http/tests/security/originHeader/origin-header-for-data.html

http/tests/security/originHeader/origin-header-for-empty.html
http/tests/security/originHeader/origin-header-for-get.html
http/tests/security/originHeader/origin-header-for-https.html
http/tests/security/originHeader/origin-header-for-post.html

bindings/js/JSDOMWindowBase.cpp: (WebCore::createWindow):
loader/FrameLoader.cpp: (WebCore::FrameLoader::createWindow): (WebCore::FrameLoader::urlSelected): (WebCore::FrameLoader::submitForm): (WebCore::FrameLoader::outgoingOrigin): (WebCore::FrameLoader::loadURL): (WebCore::FrameLoader::addExtraFieldsToRequest): (WebCore::FrameLoader::loadPostRequest): (WebCore::FrameLoader::loadResourceSynchronously): (WebCore::FrameLoader::loadItem):
loader/FrameLoader.h:
loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::create):
loader/loader.cpp: (WebCore::Loader::Host::servePendingRequests):
platform/SecurityOrigin.cpp: (WebCore::SecurityOrigin::toHTTPOrigin):
platform/SecurityOrigin.h:
platform/network/ResourceRequestBase.h: (WebCore::ResourceRequestBase::httpOrigin): (WebCore::ResourceRequestBase::setHTTPOrigin): (WebCore::ResourceRequestBase::clearHTTPOrigin):
xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::makeSimpleCrossSiteAccessRequest): (WebCore::XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight): (WebCore::XMLHttpRequest::handleAsynchronousPreflightResult): (WebCore::XMLHttpRequest::didReceiveResponsePreflight):

LayoutTests:

2008-10-04 Adam Barth <abarth@webkit.org>

Reviewed by Darin Adler.

Tests for the new Origin header.

https://bugs.webkit.org/show_bug.cgi?id=20792

Collin Jackson <collinj@webkit.org> also contributed to this patch.

http/tests/security/originHeader: Added.
http/tests/security/originHeader/origin-header-for-data-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-data.html: Added.
http/tests/security/originHeader/origin-header-for-empty-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-empty.html: Added.
http/tests/security/originHeader/origin-header-for-get-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-get.html: Added.
http/tests/security/originHeader/origin-header-for-https-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-https.html: Added.
http/tests/security/originHeader/origin-header-for-post-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-post.html: Added.
http/tests/security/originHeader/origin-header-for-xmlhttprequest-expected.txt: Added.
http/tests/security/originHeader/origin-header-for-xmlhttprequest.html: Added.
http/tests/security/originHeader/resources: Added.
http/tests/security/originHeader/resources/origin-header-post-to-http.html: Added.
http/tests/security/originHeader/resources/print-origin.cgi: Added.

Location:

trunk

Files:

: 30 added
: 11 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r37315
+                      r37317
+-10-05  Adam Barth  <abarth@webkit.org>
+        Reviewed by Darin Adler.
+        Tests for the new Origin header.
+        https://bugs.webkit.org/show_bug.cgi?id=20792
+        Collin Jackson <collinj@webkit.org> also contributed to this patch.
+        * http/tests/security/originHeader: Added.
+        * http/tests/security/originHeader/origin-header-for-data-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-data.html: Added.
+        * http/tests/security/originHeader/origin-header-for-empty-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-empty.html: Added.
+        * http/tests/security/originHeader/origin-header-for-get-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-get.html: Added.
+        * http/tests/security/originHeader/origin-header-for-https-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-https.html: Added.
+        * http/tests/security/originHeader/origin-header-for-post-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-post.html: Added.
+        * http/tests/security/originHeader/origin-header-for-xmlhttprequest-expected.txt: Added.
+        * http/tests/security/originHeader/origin-header-for-xmlhttprequest.html: Added.
+        * http/tests/security/originHeader/resources: Added.
+        * http/tests/security/originHeader/resources/origin-header-post-to-http.html: Added.
+        * http/tests/security/originHeader/resources/print-origin.cgi: Added.
 -10-05  Oliver Hunt  <oliver@apple.com>

trunk/WebCore/ChangeLog

-                      r37315
+                      r37317
+-10-05  Adam Barth  <abarth@webkit.org>
+        Reviewed by Darin Alder.
+        Attach the Origin header to POST requests to help defend against
+        cross-site request forgery.
+        https://bugs.webkit.org/show_bug.cgi?id=20792
+        Collin Jackson <collinj@webkit.org> also contributed to this patch.
+        Tests: http/tests/security/originHeader/origin-header-for-data.html
+               http/tests/security/originHeader/origin-header-for-empty.html
+               http/tests/security/originHeader/origin-header-for-get.html
+               http/tests/security/originHeader/origin-header-for-https.html
+               http/tests/security/originHeader/origin-header-for-post.html
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::createWindow):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::createWindow):
+        (WebCore::FrameLoader::urlSelected):
+        (WebCore::FrameLoader::submitForm):
+        (WebCore::FrameLoader::outgoingOrigin):
+        (WebCore::FrameLoader::loadURL):
+        (WebCore::FrameLoader::addExtraFieldsToRequest):
+        (WebCore::FrameLoader::loadPostRequest):
+        (WebCore::FrameLoader::loadResourceSynchronously):
+        (WebCore::FrameLoader::loadItem):
+        * loader/FrameLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::create):
+        * loader/loader.cpp:
+        (WebCore::Loader::Host::servePendingRequests):
+        * platform/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::toHTTPOrigin):
+        * platform/SecurityOrigin.h:
+        * platform/network/ResourceRequestBase.h:
+        (WebCore::ResourceRequestBase::httpOrigin):
+        (WebCore::ResourceRequestBase::setHTTPOrigin):
+        (WebCore::ResourceRequestBase::clearHTTPOrigin):
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::makeSimpleCrossSiteAccessRequest):
+        (WebCore::XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight):
+        (WebCore::XMLHttpRequest::handleAsynchronousPreflightResult):
+        (WebCore::XMLHttpRequest::didReceiveResponsePreflight):
 -10-04  Oliver Hunt  <oliver@apple.com>

trunk/WebCore/bindings/js/JSDOMWindowBase.cpp

r37257	r37317
273	273
274	274	request.setHTTPReferrer(activeFrame->loader()->outgoingReferrer());
	275	FrameLoader::addHTTPOriginIfNeeded(request, activeFrame->loader()->outgoingOrigin());
275	276	FrameLoadRequest frameRequest(request, frameName);
276	277

trunk/WebCore/loader/FrameLoader.cpp

-                      r37112
+                      r37317
     FrameLoadRequest requestWithReferrer = request;
     requestWithReferrer.resourceRequest().setHTTPReferrer(m_outgoingReferrer);
+    addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), outgoingOrigin());
     Page* oldPage = m_frame->page();
 …
     if (copy.resourceRequest().httpReferrer().isEmpty())
         copy.resourceRequest().setHTTPReferrer(m_outgoingReferrer);
+    addHTTPOriginIfNeeded(copy.resourceRequest(), outgoingOrigin());
     loadFrameRequestWithFormAndValues(copy, lockHistory, event, 0, HashMap<String, String>());
 …
     frameRequest.resourceRequest().setURL(u);
+    addHTTPOriginIfNeeded(frameRequest.resourceRequest(), outgoingOrigin());
     submitForm(frameRequest, event);
 …
+{
     return m_outgoingReferrer;
+}
+String FrameLoader::outgoingOrigin() const
+{
+    if (m_frame->document())
+        return m_frame->document()->securityOrigin()->toHTTPOrigin();
+    return SecurityOrigin::createEmpty()->toHTTPOrigin();
+}
 …
     ResourceRequest request(newURL);
     if (!referrer.isEmpty())
+    if (!referrer.isEmpty()) {
         request.setHTTPReferrer(referrer);
+        RefPtr<SecurityOrigin> referrerOrigin = SecurityOrigin::createFromString(referrer);
+        addHTTPOriginIfNeeded(request, referrerOrigin->toHTTPOrigin());
+    }
     addExtraFieldsToRequest(request, true, event || isFormSubmission);
     if (newLoadType == FrameLoadTypeReload)
 …
     if (mainResource)
         request.setHTTPAccept("application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
+    // Make sure we send the Origin header.
+    addHTTPOriginIfNeeded(request, String());
+}
+void FrameLoader::addHTTPOriginIfNeeded(ResourceRequest& request, String origin)
+{
+    if (!request.httpOrigin().isEmpty())
+        return;  // Request already has an Origin header.
+    // Don't send an Origin header for GET or HEAD to avoid privacy issues.
+    // For example, if an intranet page has a hyperlink to an external web
+    // site, we don't want to include the Origin of the request because it
+    // will leak the internal host name. Similar privacy concerns have lead
+    // to the widespread suppression of the Referer header at the network
+    // layer.
+    if (request.httpMethod() == "GET" || request.httpMethod() == "HEAD")
+        return;
+    // For non-GET and non-HEAD methods, always send an Origin header so the
+    // server knows we support this feature.
+    if (origin.isEmpty()) {
+        // If we don't know what origin header to attach, we attach the value
+        // for an empty origin.
+        origin = SecurityOrigin::createEmpty()->toHTTPOrigin();
+    }
+    request.setHTTPOrigin(origin);
+}
 …
     RefPtr<FormData> formData = inRequest.httpBody();
     const String& contentType = inRequest.httpContentType();
+    String origin = inRequest.httpOrigin();
     ResourceRequest workingResourceRequest(url);
-    addExtraFieldsToRequest(workingResourceRequest, true, true);
     if (!referrer.isEmpty())
         workingResourceRequest.setHTTPReferrer(referrer);
+    workingResourceRequest.setHTTPOrigin(origin);
     workingResourceRequest.setHTTPMethod("POST");
     workingResourceRequest.setHTTPBody(formData);
     workingResourceRequest.setHTTPContentType(contentType);
+    addExtraFieldsToRequest(workingResourceRequest, true, true);
     NavigationAction action(url, FrameLoadTypeStandard, true, event);
 …
     if (!referrer.isEmpty())
         initialRequest.setHTTPReferrer(referrer);
+    addHTTPOriginIfNeeded(initialRequest, outgoingOrigin());
     if (Page* page = m_frame->page())
 …
             ResourceRequest request(itemURL);
-            addExtraFieldsToRequest(request, true, formData);
             // If this was a repost that failed the page cache, we might try to repost the form.
             NavigationAction action;
 …
                 request.setHTTPBody(formData);
                 request.setHTTPContentType(item->formContentType());
+                RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::createFromString(item->formReferrer());
+                addHTTPOriginIfNeeded(request, securityOrigin->toHTTPOrigin());
                 // FIXME: Slight hack to test if the NSURL cache contains the page we're going to.
 …
+            }
+            addExtraFieldsToRequest(request, true, formData);
             loadWithNavigationAction(request, action, loadType, 0);
+        }

trunk/WebCore/loader/FrameLoader.h

-                      r37112
+                      r37317
         String referrer() const;
         String outgoingReferrer() const;
+        String outgoingOrigin() const;
         void loadEmptyDocumentSynchronously();
 …
         void addExtraFieldsToRequest(ResourceRequest&, bool isMainResource, bool alwaysFromRequest);
+        static void addHTTPOriginIfNeeded(ResourceRequest&, String origin);
         FrameLoaderClient* client() const;

trunk/WebCore/loader/SubresourceLoader.cpp

r35435	r37317
94	94	else if (!request.httpReferrer())
95	95	newRequest.setHTTPReferrer(fl->outgoingReferrer());
	96	FrameLoader::addHTTPOriginIfNeeded(newRequest, fl->outgoingOrigin());
96	97
97	98	// Use the original request's cache policy for two reasons:

trunk/WebCore/loader/loader.cpp

-                      r36132
+                      r37317
 #include "ResourceRequest.h"
 #include "ResourceResponse.h"
+#include "SecurityOrigin.h"
 #include "SubresourceLoader.h"
 #include <wtf/Assertions.h>
 …
             referrer.setPath("/");
         resourceRequest.setHTTPReferrer(referrer.string());
+        FrameLoader::addHTTPOriginIfNeeded(resourceRequest, docLoader->doc()->securityOrigin()->toHTTPOrigin());
         if (resourceIsCacheValidator) {

trunk/WebCore/page/SecurityOrigin.cpp

-                      r37282
+                      r37317
+}
+String SecurityOrigin::toHTTPOrigin() const
+{
+    String origin = toString();
+    if (origin.isEmpty())
+        return "null";
+    return origin;
+}
 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
+{

trunk/WebCore/page/SecurityOrigin.h

-                      r37282
+                      r37317
         String toString() const;
+        // Convert this SecurityOrigin into a string for use in the HTTP Origin
+        // header. This is similar to toString(), except that the empty
+        // SecurityOrigin is represented as the string "null".
+        String toHTTPOrigin() const;
         // Serialize the security origin for storage in the database. This format is
         // deprecated and should be used only for compatibility with old databases;

trunk/WebCore/platform/network/ResourceRequestBase.h

-                      r36108
+                      r37317
         void clearHTTPReferrer() { m_httpHeaderFields.remove("Referer"); }
+        String httpOrigin() const { return httpHeaderField("Origin"); }
+        void setHTTPOrigin(const String& httpOrigin) { setHTTPHeaderField("Origin", httpOrigin); }
+        void clearHTTPOrigin() { m_httpHeaderFields.remove("Origin"); }
         String httpUserAgent() const { return httpHeaderField("User-Agent"); }
         void setHTTPUserAgent(const String& httpUserAgent) { setHTTPHeaderField("User-Agent", httpUserAgent); }

trunk/WebCore/xml/XMLHttpRequest.cpp

-                      r37190
+                      r37317
+}
-String XMLHttpRequest::accessControlOrigin() const
+{
-    String accessControlOrigin = m_doc->securityOrigin()->toString();
-    if (accessControlOrigin.isEmpty())
-        return "null";
-    return accessControlOrigin;
+}
 void XMLHttpRequest::makeSimpleCrossSiteAccessRequest(ExceptionCode& ec)
+{
 …
     request.setHTTPMethod(m_method);
     request.setAllowHTTPCookies(m_includeCredentials);
     request.setHTTPHeaderField("Origin", accessControlOrigin());
+    request.setHTTPOrigin(m_doc->securityOrigin()->toHTTPOrigin());
     if (m_requestHeaders.size() > 0)
 …
 void XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight(ExceptionCode& ec)
+{
     String origin = accessControlOrigin();
+    String origin = m_doc->securityOrigin()->toHTTPOrigin();
     KURL url = m_url;
     url.setUser(String());
 …
     request.setHTTPMethod(m_method);
     request.setAllowHTTPCookies(m_includeCredentials);
     request.setHTTPHeaderField("Origin", accessControlOrigin());
+    request.setHTTPOrigin(m_doc->securityOrigin()->toHTTPOrigin());
     if (m_requestHeaders.size() > 0)
 …
         expiryDelta = 5;
     appendPreflightResultCacheEntry(accessControlOrigin(), m_url, expiryDelta, m_includeCredentials, methods.release(), headers.release());
+    appendPreflightResultCacheEntry(m_doc->securityOrigin()->toHTTPOrigin(), m_url, expiryDelta, m_includeCredentials, methods.release(), headers.release());
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 37317 in webkit

Legend:

Download in other formats: