Diff
Modified: trunk/LayoutTests/ChangeLog (237143 => 237144)
--- trunk/LayoutTests/ChangeLog 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/ChangeLog 2018-10-15 21:21:07 UTC (rev 237144)
@@ -1,3 +1,19 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Experiment: target=_blank on anchors should imply rel=noopener
+ https://bugs.webkit.org/show_bug.cgi?id=190481
+
+ Reviewed by Alex Christensen.
+
+ Update existing tests to reflect behavior change.
+
+ * TestExpectations:
+ * http/tests/navigation/no-referrer-reset.html:
+ * http/tests/security/resources/referrer-policy-redirect-link.html:
+ * http/tests/security/xss-DENIED-script-inject-into-inactive-window2-pson.html:
+ * http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html:
+ * http/tests/security/xssAuditor/link-opens-new-window.html:
+
2018-10-15 Andy Estes <aes...@apple.com>
[Apple Pay] New shipping methods are ignored when updating after the shippingaddresschange event
Modified: trunk/LayoutTests/TestExpectations (237143 => 237144)
--- trunk/LayoutTests/TestExpectations 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/TestExpectations 2018-10-15 21:21:07 UTC (rev 237144)
@@ -2865,6 +2865,13 @@
# This newly imported test crashes in debug and flakily times out.
webkit.org/b/189917 imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/document-write/contentType.window.html [ Skip ]
+# These tests started to time out or fail because of our experiment to have target=_blank on anchors imply rel=noopener (https://bugs.webkit.org/show_bug.cgi?id=190481).
+imported/w3c/web-platform-tests/html/browsers/windows/auxiliary-browsing-contexts/opener-closed.html [ Skip ]
+imported/w3c/web-platform-tests/html/browsers/windows/browsing-context-names/002.html [ Failure ]
+imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-2.html [ Skip ]
+imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-2.html [ Skip ]
+imported/w3c/web-platform-tests/html/browsers/windows/browsing-context-names/choose-_blank-003.html [ Failure ]
+
fast/gradients/conic-repeating.html [ Skip ]
fast/gradients/conic.html [ Skip ]
fast/gradients/conic-off-center.html [ Skip ]
Added: trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener-expected.txt (0 => 237144)
--- trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener-expected.txt 2018-10-15 21:21:07 UTC (rev 237144)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 6: PASS: New window should not have an opener
+Tests that a new window opened via target=_blank does not have an opener
+
+
Added: trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener.html (0 => 237144)
--- trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener.html (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/anchor-blank-target-implies-rel-noopener.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests that a new window opened via target=_blank does not have an opener</p>
+<a id="testAnchor" href="" target="_blank"></a>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setCanOpenWindows();
+}
+
+_onload_ = function() {
+ setTimeout(() => {
+ testAnchor.click();
+ }, 0);
+}
+</script>
+</body>
+</html>
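Review bot: This test exercises only an anchor whose own target attribute is `_blank`, whereas the code added in HTMLAnchorElement::effectiveTarget() also takes the target from the document's base target and compares it with `equalIgnoringASCIICase`. Neither a `<base target="_blank">` page with a target-less anchor nor a mixed-case value such as `target="_BLANK"` is covered. There is also no case for an anchor carrying both `opener` and `noopener`. Sibling tests for those three inputs would pin the security-relevant behaviour, so a later refactor of the target lookup cannot quietly restore window.opener.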
Modified: trunk/LayoutTests/http/tests/navigation/no-referrer-reset.html (237143 => 237144)
--- trunk/LayoutTests/http/tests/navigation/no-referrer-reset.html 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/http/tests/navigation/no-referrer-reset.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -4,7 +4,7 @@
2. Click a rel="noreferrer" link: referrer is null, but window.opener remains set since the link was not opened with target="_blank".<br/>
3. Click a link without rel="noreferrer": referrer is sent, but window.opener is still set.
<br/>
-<a id="link" href="" target="_blank">Start reset test</a>
+<a id="link" href="" target="_blank" rel="opener">Start reset test</a>
<script>
window.name = "consoleWindow";
window.noreferrerStepDone = false;
Added: trunk/LayoutTests/http/tests/navigation/resources/anchor-blank-target-implies-rel-noopener-win.html (0 => 237144)
--- trunk/LayoutTests/http/tests/navigation/resources/anchor-blank-target-implies-rel-noopener-win.html (rev 0)
+++ trunk/LayoutTests/http/tests/navigation/resources/anchor-blank-target-implies-rel-noopener-win.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+ if (!window.opener)
+ console.log("PASS: New window should not have an opener");
+ else
+ console.log("FAIL: New window should not have an opener");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+</script>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/resources/referrer-policy-redirect-link.html (237143 => 237144)
--- trunk/LayoutTests/http/tests/security/resources/referrer-policy-redirect-link.html 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/http/tests/security/resources/referrer-policy-redirect-link.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -21,7 +21,7 @@
</script>
</head>
<body>
-<a id="link" target="_blank" href="" not running in DumpRenderTree, click this link</a>
+<a id="link" target="_blank" href="" rel="opener">If not running in DumpRenderTree, click this link</a>
<div id="log"></div>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2-pson.html (237143 => 237144)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2-pson.html 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2-pson.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -35,6 +35,7 @@
// Case: Initial load
var link = document.createElement("a");
link.target = "_blank";
+ link.rel = "opener";
link.href = ""
link.click(); // Open a new window.
}
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html (237143 => 237144)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -35,6 +35,7 @@
// Case: Initial load
var link = document.createElement("a");
link.target = "_blank";
+ link.rel = "opener";
link.href = ""
link.click(); // Open a new window.
}
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window.html (237143 => 237144)
--- trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window.html 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/link-opens-new-window.html 2018-10-15 21:21:07 UTC (rev 237144)
@@ -19,6 +19,6 @@
</script>
</head>
<body>
-<a id="anchorLink" href="" target="_blank">Click me</a>
+<a id="anchorLink" href="" target="_blank" rel="opener">Click me</a>
</body>
</html>
Modified: trunk/Source/WebCore/ChangeLog (237143 => 237144)
--- trunk/Source/WebCore/ChangeLog 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebCore/ChangeLog 2018-10-15 21:21:07 UTC (rev 237144)
@@ -1,3 +1,28 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Experiment: target=_blank on anchors should imply rel=noopener
+ https://bugs.webkit.org/show_bug.cgi?id=190481
+
+ Reviewed by Alex Christensen.
+
+ As an experiment, try and make it so that target=_blank on anchors implies `rel=noopener` for improved security.
+ WebContent can then request an opener relationship by using `rel=opener` instead.
+
+ This change was discussed at:
+ - https://github.com/whatwg/html/issues/4078
+
+ We want to attempt this change is STP to see if it is Web-compatible. Preliminary testing seems to indicate
+ that OAuth workflows still work.
+
+ * html/HTMLAnchorElement.cpp:
+ (WebCore::HTMLAnchorElement::parseAttribute):
+ (WebCore::HTMLAnchorElement::handleClick):
+ (WebCore::HTMLAnchorElement::effectiveTarget const):
+ * html/HTMLAnchorElement.h:
+ * page/RuntimeEnabledFeatures.h:
+ (WebCore::RuntimeEnabledFeatures::setBlankAnchorTargetImpliesNoOpenerEnabled):
+ (WebCore::RuntimeEnabledFeatures::blankAnchorTargetImpliesNoOpenerEnabled const):
+
2018-10-15 Andy Estes <aes...@apple.com>
[Apple Pay] New shipping methods are ignored when updating after the shippingaddresschange event
Modified: trunk/Source/WebCore/html/HTMLAnchorElement.cpp (237143 => 237144)
--- trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2018-10-15 21:21:07 UTC (rev 237144)
@@ -250,6 +250,7 @@
// Update HTMLAnchorElement::relList() if more rel attributes values are supported.
static NeverDestroyed<AtomicString> noReferrer("noreferrer", AtomicString::ConstructFromLiteral);
static NeverDestroyed<AtomicString> noOpener("noopener", AtomicString::ConstructFromLiteral);
+ static NeverDestroyed<AtomicString> opener("opener", AtomicString::ConstructFromLiteral);
const bool shouldFoldCase = true;
SpaceSplitString relValue(value, shouldFoldCase);
if (relValue.contains(noReferrer))
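Review bot: The context comment at the top of this hunk asks for HTMLAnchorElement::relList() to be updated whenever another rel value is supported, yet the WebCore ChangeLog for this revision lists only parseAttribute, handleClick and effectiveTarget as touched. If relList() was indeed left alone, `relList.supports("opener")` will presumably keep returning false, so pages cannot feature-detect the opt-out they now need to keep window.opener. Suggest adding the `opener` token to the supported list there in the same change. parseAttribute's body starts and ends outside this hunk, so this is inferred from the ChangeLog rather than from the function itself.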
@@ -256,6 +257,8 @@
m_linkRelations.add(Relation::NoReferrer);
if (relValue.contains(noOpener))
m_linkRelations.add(Relation::NoOpener);
+ if (relValue.contains(opener))
+ m_linkRelations.add(Relation::Opener);
if (m_relList)
m_relList->associatedAttributeValueChanged(value);
}
@@ -427,12 +430,28 @@
#endif
ShouldSendReferrer shouldSendReferrer = hasRel(Relation::NoReferrer) ? NeverSendReferrer : MaybeSendReferrer;
- auto newFrameOpenerPolicy = hasRel(Relation::NoOpener) ? std::make_optional(NewFrameOpenerPolicy::Suppress) : std::nullopt;
- frame->loader().urlSelected(completedURL, target(), &event, LockHistory::No, LockBackForwardList::No, shouldSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate(), newFrameOpenerPolicy, downloadAttribute, systemPreviewInfo);
+ auto effectiveTarget = this->effectiveTarget();
+ std::optional<NewFrameOpenerPolicy> newFrameOpenerPolicy;
+ if (hasRel(Relation::Opener))
+ newFrameOpenerPolicy = NewFrameOpenerPolicy::Allow;
+ else if (hasRel(Relation::NoOpener) || (RuntimeEnabledFeatures::sharedFeatures().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(effectiveTarget, "_blank")))
+ newFrameOpenerPolicy = NewFrameOpenerPolicy::Suppress;
+
+ frame->loader().urlSelected(completedURL, effectiveTarget, &event, LockHistory::No, LockBackForwardList::No, shouldSendReferrer, document().shouldOpenExternalURLsPolicyToPropagate(), newFrameOpenerPolicy, downloadAttribute, systemPreviewInfo);
+
sendPings(completedURL);
}
+// Falls back to using <base> element's target if the anchor does not have one.
+String HTMLAnchorElement::effectiveTarget() const
+{
+ auto effectiveTarget = target();
+ if (effectiveTarget.isEmpty())
+ effectiveTarget = document().baseTarget();
+ return effectiveTarget;
+}
+
HTMLAnchorElement::EventType HTMLAnchorElement::eventType(Event& event)
{
if (!is<MouseEvent>(event))
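Review bot: In the new opener-policy chain in handleClick, `hasRel(Relation::Opener)` is tested first, so an anchor carrying both tokens (`rel="opener noopener"`) gets NewFrameOpenerPolicy::Allow and the explicit noopener is ignored. For a hardening change the conflict should resolve to the restrictive side, so the NoOpener check should come first, with Opener only overriding the implicit `_blank` default. Whether `rel="opener noreferrer"` still drops the opener depends on how urlSelected treats an explicit Allow together with NeverSendReferrer, which is not visible here and deserves a test. handleClick's body starts outside this hunk.

```cpp
    std::optional<NewFrameOpenerPolicy> newFrameOpenerPolicy;
    if (hasRel(Relation::NoOpener)) {
        // An explicit noopener always wins, even when "opener" is also present.
        newFrameOpenerPolicy = NewFrameOpenerPolicy::Suppress;
    } else if (hasRel(Relation::Opener))
        newFrameOpenerPolicy = NewFrameOpenerPolicy::Allow;
    else if (RuntimeEnabledFeatures::sharedFeatures().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(effectiveTarget, "_blank"))
        newFrameOpenerPolicy = NewFrameOpenerPolicy::Suppress;
    // … unchanged: frame->loader().urlSelected(...) call and sendPings(completedURL) …
```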
Modified: trunk/Source/WebCore/html/HTMLAnchorElement.h (237143 => 237144)
--- trunk/Source/WebCore/html/HTMLAnchorElement.h 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebCore/html/HTMLAnchorElement.h 2018-10-15 21:21:07 UTC (rev 237144)
@@ -37,6 +37,7 @@
enum class Relation {
NoReferrer = 1 << 0,
NoOpener = 1 << 1,
+ Opener = 1 << 2,
};
class HTMLAnchorElement : public HTMLElement, public URLUtils<HTMLAnchorElement> {
@@ -90,6 +91,8 @@
int tabIndex() const final;
bool draggable() const final;
+ String effectiveTarget() const;
+
void sendPings(const URL& destinationURL);
void handleClick(Event&);
Modified: trunk/Source/WebCore/page/RuntimeEnabledFeatures.h (237143 => 237144)
--- trunk/Source/WebCore/page/RuntimeEnabledFeatures.h 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebCore/page/RuntimeEnabledFeatures.h 2018-10-15 21:21:07 UTC (rev 237144)
@@ -43,6 +43,9 @@
class RuntimeEnabledFeatures {
WTF_MAKE_NONCOPYABLE(RuntimeEnabledFeatures);
public:
+ void setBlankAnchorTargetImpliesNoOpenerEnabled(bool isEnabled) { m_blankAnchorTargetImpliesNoOpenerEnabled = isEnabled; }
+ bool blankAnchorTargetImpliesNoOpenerEnabled() const { return m_blankAnchorTargetImpliesNoOpenerEnabled; }
+
void setDisplayContentsEnabled(bool isEnabled) { m_isDisplayContentsEnabled = isEnabled; }
bool displayContentsEnabled() const { return m_isDisplayContentsEnabled; }
@@ -300,6 +303,7 @@
// Never instantiate.
RuntimeEnabledFeatures();
+ bool m_blankAnchorTargetImpliesNoOpenerEnabled { true };
bool m_areModernMediaControlsEnabled { false };
bool m_isLinkPreloadEnabled { true };
bool m_isLinkPrefetchEnabled { false };
Modified: trunk/Source/WebKit/ChangeLog (237143 => 237144)
--- trunk/Source/WebKit/ChangeLog 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebKit/ChangeLog 2018-10-15 21:21:07 UTC (rev 237144)
@@ -1,3 +1,12 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Experiment: target=_blank on anchors should imply rel=noopener
+ https://bugs.webkit.org/show_bug.cgi?id=190481
+
+ Reviewed by Alex Christensen.
+
+ * Shared/WebPreferences.yaml:
+
2018-10-15 Alex Christensen <achristen...@webkit.org>
Remove unused parameters from FrameLoaderClient::createFrame
Modified: trunk/Source/WebKit/Shared/WebPreferences.yaml (237143 => 237144)
--- trunk/Source/WebKit/Shared/WebPreferences.yaml 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Source/WebKit/Shared/WebPreferences.yaml 2018-10-15 21:21:07 UTC (rev 237144)
@@ -1,3 +1,11 @@
+BlankAnchorTargetImpliesNoOpenerEnabled:
+ type: bool
+ defaultValue: true
+ webcoreBinding: RuntimeEnabledFeatures
+ humanReadableName: "Blank anchor target implies rel=noopener"
+ humanReadableDescription: "target=_blank on anchor elements implies rel=noopener"
+ category: experimental
+
_javascript_Enabled:
type: bool
defaultValue: true
Modified: trunk/Tools/ChangeLog (237143 => 237144)
--- trunk/Tools/ChangeLog 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Tools/ChangeLog 2018-10-15 21:21:07 UTC (rev 237144)
@@ -1,3 +1,15 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Experiment: target=_blank on anchors should imply rel=noopener
+ https://bugs.webkit.org/show_bug.cgi?id=190481
+
+ Reviewed by Alex Christensen.
+
+ Add API test coverage to make sure we can now swap process when target=_blank
+ is specified on an anchor but rel=noopener is not.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:
+
2018-10-15 Wenson Hsieh <wenson_hs...@apple.com>
[iOS] Can't select text after dismissing the keyboard when changing focus
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm (237143 => 237144)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm 2018-10-15 21:14:52 UTC (rev 237143)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm 2018-10-15 21:21:07 UTC (rev 237144)
@@ -280,7 +280,16 @@
</script>
)PSONRESOURCE";
-static const char* targetBlankCrossSiteWithOpenerTestBytes = R"PSONRESOURCE(
+static const char* targetBlankCrossSiteWithExplicitOpenerTestBytes = R"PSONRESOURCE(
+<a id="testLink" target="_blank" href="" rel="opener">Link</a>
+<script>
+window._onload_ = function() {
+ testLink.click();
+}
+</script>
+)PSONRESOURCE";
+
+static const char* targetBlankCrossSiteWithImplicitNoOpenerTestBytes = R"PSONRESOURCE(
<a id="testLink" target="_blank" href=""
<script>
window._onload_ = function() {
@@ -693,7 +702,7 @@
auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
[webViewConfiguration setProcessPool:processPool.get()];
auto handler = adoptNS([[PSONScheme alloc] init]);
- [handler addMappingFromURLString:@"pson://www.webkit.org/main.html" toData:targetBlankCrossSiteWithOpenerTestBytes];
+ [handler addMappingFromURLString:@"pson://www.webkit.org/main.html" toData:targetBlankCrossSiteWithExplicitOpenerTestBytes];
[webViewConfiguration setURLSchemeHandler:handler.get() forURLScheme:@"PSON"];
auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration.get()]);
@@ -724,6 +733,46 @@
EXPECT_EQ(pid1, pid2);
}
+TEST(ProcessSwap, CrossSiteBlankTargetImplicitNoOpener)
+{
+ auto processPoolConfiguration = adoptNS([[_WKProcessPoolConfiguration alloc] init]);
+ processPoolConfiguration.get().processSwapsOnNavigation = YES;
+ auto processPool = adoptNS([[WKProcessPool alloc] _initWithConfiguration:processPoolConfiguration.get()]);
+
+ auto webViewConfiguration = adoptNS([[WKWebViewConfiguration alloc] init]);
+ [webViewConfiguration setProcessPool:processPool.get()];
+ auto handler = adoptNS([[PSONScheme alloc] init]);
+ [handler addMappingFromURLString:@"pson://www.webkit.org/main.html" toData:targetBlankCrossSiteWithImplicitNoOpenerTestBytes];
+ [webViewConfiguration setURLSchemeHandler:handler.get() forURLScheme:@"PSON"];
+
+ auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration.get()]);
+ auto navigationDelegate = adoptNS([[PSONNavigationDelegate alloc] init]);
+ [webView setNavigationDelegate:navigationDelegate.get()];
+ auto uiDelegate = adoptNS([[PSONUIDelegate alloc] initWithNavigationDelegate:navigationDelegate.get()]);
+ [webView setUIDelegate:uiDelegate.get()];
+
+ numberOfDecidePolicyCalls = 0;
+ NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:@"pson://www.webkit.org/main.html"]];
+ [webView loadRequest:request];
+
+ TestWebKitAPI::Util::run(&done);
+ done = false;
+
+ TestWebKitAPI::Util::run(&didCreateWebView);
+ didCreateWebView = false;
+
+ TestWebKitAPI::Util::run(&done);
+
+ EXPECT_EQ(3, numberOfDecidePolicyCalls);
+
+ auto pid1 = [webView _webProcessIdentifier];
+ EXPECT_TRUE(!!pid1);
+ auto pid2 = [createdWebView _webProcessIdentifier];
+ EXPECT_TRUE(!!pid2);
+
+ EXPECT_NE(pid1, pid2);
+}
+
TEST(ProcessSwap, CrossSiteBlankTargetNoOpener)
{
auto processPoolConfiguration = adoptNS([[_WKProcessPoolConfiguration alloc] init]);
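Review bot: CrossSiteBlankTargetImplicitNoOpener passes only while the BlankAnchorTargetImpliesNoOpenerEnabled preference keeps its default of true, because nothing in the test body turns the feature on. The preference is filed under `category: experimental`, so a later default flip would show up here as an unexplained `EXPECT_NE(pid1, pid2)` failure. Enable the feature explicitly on the web view configuration's preferences, or at least add a comment above the TEST such as `// Relies on BlankAnchorTargetImpliesNoOpenerEnabled defaulting to true.` The test also checks process identity only and does not assert that the created view has no opener.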