Title: [253654] trunk/Source/WebCore
Revision
253654
Author
rn...@webkit.org
Date
2019-12-17 15:35:18 -0800 (Tue, 17 Dec 2019)

Log Message

executeIfJavaScriptURL should check requester's security origin
https://bugs.webkit.org/show_bug.cgi?id=205324

Reviewed by Brent Fulgham.

Don't execute the JavaScript in ScriptController::executeIfJavaScriptURL if the security origin
of the current document is no longer accessible from the request originator's security origin.

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL): Added a check.
* bindings/js/ScriptController.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::urlSelected): Pass around the security origin of the requester.
(WebCore::FrameLoader::submitForm):

Modified: trunk/Source/WebCore/ChangeLog (253653 => 253654)


--- trunk/Source/WebCore/ChangeLog	2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/ChangeLog	2019-12-17 23:35:18 UTC (rev 253654)
@@ -1,3 +1,20 @@
+2019-12-17  Ryosuke Niwa  <rn...@webkit.org>
+
+        executeIfJavaScriptURL should check requester's security origin
+        https://bugs.webkit.org/show_bug.cgi?id=205324
+
+        Reviewed by Brent Fulgham.
+
+        Don't execute the _javascript_ in ScriptController::executeIfJavaScriptURL if the security origin
+        of the current document is no longer accessible from the request originator's security origin.
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL): Added a check.
+        * bindings/js/ScriptController.h:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::urlSelected): Pass around the security origin of the requester.
+        (WebCore::FrameLoader::submitForm):
+
 2019-12-16  Ryosuke Niwa  <rn...@webkit.org>
 
         Document::setFocusedElement should not set m_focusedElement to an element in another document

Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (253653 => 253654)


--- trunk/Source/WebCore/bindings/js/ScriptController.cpp	2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp	2019-12-17 23:35:18 UTC (rev 253654)
@@ -625,11 +625,14 @@
     return m_frame.loader().client().allowScript(m_frame.settings().isScriptEnabled());
 }
 
-bool ScriptController::executeIfJavaScriptURL(const URL& url, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL)
+bool ScriptController::executeIfJavaScriptURL(const URL& url, RefPtr<SecurityOrigin> requesterSecurityOrigin, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL)
 {
     if (!WTF::protocolIsJavaScript(url))
         return false;
 
+    if (requesterSecurityOrigin && !requesterSecurityOrigin->canAccess(m_frame.document()->securityOrigin()))
+        return true;
+
     if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url(), eventHandlerPosition().m_line))
         return true;
 
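Review bot: The new guard `if (requesterSecurityOrigin && !requesterSecurityOrigin->canAccess(m_frame.document()->securityOrigin()))` is skipped entirely when the origin is null, which is also the header's default argument, so any call site not updated by this patch keeps the pre-patch behaviour with no signal that the check was bypassed. Spell the contract out above the guard: `// A null requester origin means "no requester check" (legacy call sites); callers that know the initiating document should always pass its origin.` When the check refuses to run the script it returns `true`, which callers cannot distinguish from a successful execution; consider reporting the refusal to the console the way the CSP check on the following line presumably does, so a dropped cross-origin javascript: navigation is visible to page authors. The rest of executeIfJavaScriptURL's body continues past the hunk.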

Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (253653 => 253654)


--- trunk/Source/WebCore/bindings/js/ScriptController.h	2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h	2019-12-17 23:35:18 UTC (rev 253654)
@@ -27,6 +27,7 @@
 #include <_javascript_Core/JSBase.h>
 #include <_javascript_Core/Strong.h>
 #include <wtf/Forward.h>
+#include <wtf/Optional.h>
 #include <wtf/RefPtr.h>
 #include <wtf/WeakPtr.h>
 #include <wtf/text/TextPosition.h>
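Review bot: `#include <wtf/Optional.h>` is added but nothing in this patch uses Optional; the new parameter is a `RefPtr<SecurityOrigin>`, which the existing `#include <wtf/RefPtr.h>` already covers. An unused include only adds compile time and suggests an earlier design that was abandoned, so drop it unless a follow-up actually needs it.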
@@ -99,7 +100,7 @@
     bool shouldAllowUserAgentScripts(Document&) const;
 
     // Returns true if argument is a _javascript_ URL.
-    bool executeIfJavaScriptURL(const URL&, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL = ReplaceDocumentIfJavaScriptURL);
+    bool executeIfJavaScriptURL(const URL&, RefPtr<SecurityOrigin> = nullptr, ShouldReplaceDocumentIfJavaScriptURL = ReplaceDocumentIfJavaScriptURL);
 
     // This function must be called from the main thread. It is safe to call it repeatedly.
     // Darwin is an exception to this rule: it is OK to call this function from any thread, even reentrantly.
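Review bot: The comment `// Returns true if argument is a _javascript_ URL.` no longer describes the function: a javascript: URL now yields `true` whether the script ran, was refused by CSP, or was refused because the requester origin cannot access this frame's document, and the new parameter and its null default are undocumented. Replace it with `// Returns true if the URL is a javascript: URL, whether or not the script was executed. requesterSecurityOrigin is the origin of the document that initiated the navigation; when non-null, execution is refused if it cannot access this frame's document. nullptr skips that check.` Separately, taking `RefPtr<SecurityOrigin>` by value costs a refcount increment and decrement per call although the callee only reads the origin; `const SecurityOrigin*` (or `SecurityOrigin*`) would express the non-owning read and avoid that.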

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (253653 => 253654)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2019-12-17 23:35:18 UTC (rev 253654)
@@ -424,7 +424,7 @@
 
     Ref<Frame> protect(m_frame);
 
-    if (m_frame.script().executeIfJavaScriptURL(frameRequest.resourceRequest().url(), frameRequest.shouldReplaceDocumentIfJavaScriptURL())) {
+    if (m_frame.script().executeIfJavaScriptURL(frameRequest.resourceRequest().url(), &frameRequest.requester().securityOrigin(), frameRequest.shouldReplaceDocumentIfJavaScriptURL())) {
         m_quickRedirectComing = false;
         return;
     }
@@ -462,7 +462,7 @@
             return;
         m_isExecutingJavaScriptFormAction = true;
         Ref<Frame> protect(m_frame);
-        m_frame.script().executeIfJavaScriptURL(submission->action(), DoNotReplaceDocumentIfJavaScriptURL);
+        m_frame.script().executeIfJavaScriptURL(submission->action(), nullptr, DoNotReplaceDocumentIfJavaScriptURL);
         m_isExecutingJavaScriptFormAction = false;
         return;
     }
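Review bot: The form-submission path passes `nullptr` as the requester origin, so a javascript: form action is still executed without the new same-origin check, even though the ChangeLog lists submitForm under "Pass around the security origin of the requester". If `submission` carries the submitting document or its origin (FormSubmission may, but that is not visible in this hunk), pass it the same way urlSelected does; otherwise leave a comment at the call stating why the check is intentionally skipped, e.g. `// FIXME: pass the submitting document's origin so cross-origin javascript: form actions are refused like navigations.` submitForm's body begins outside the hunk.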