Title: [253654] trunk/Source/WebCore
- Revision
- 253654
- Author
- rn...@webkit.org
- Date
- 2019-12-17 15:35:18 -0800 (Tue, 17 Dec 2019)
Log Message
executeIfJavaScriptURL should check requester's security origin
https://bugs.webkit.org/show_bug.cgi?id=205324
Reviewed by Brent Fulgham.
Don't execute the JavaScript in ScriptController::executeIfJavaScriptURL if the security origin
of the current document is no longer accessible from the request originator's security origin.
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL): Added a check.
* bindings/js/ScriptController.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::urlSelected): Pass around the security origin of the requester.
(WebCore::FrameLoader::submitForm):
Modified: trunk/Source/WebCore/ChangeLog (253653 => 253654)
--- trunk/Source/WebCore/ChangeLog 2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/ChangeLog 2019-12-17 23:35:18 UTC (rev 253654)
@@ -1,3 +1,20 @@
+2019-12-17 Ryosuke Niwa <rn...@webkit.org>
+
+ executeIfJavaScriptURL should check requester's security origin
+ https://bugs.webkit.org/show_bug.cgi?id=205324
+
+ Reviewed by Brent Fulgham.
+
+ Don't execute the _javascript_ in ScriptController::executeIfJavaScriptURL if the security origin
+ of the current document is no longer accessible from the request originator's security origin.
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::executeIfJavaScriptURL): Added a check.
+ * bindings/js/ScriptController.h:
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::urlSelected): Pass around the security origin of the requester.
+ (WebCore::FrameLoader::submitForm):
+
2019-12-16 Ryosuke Niwa <rn...@webkit.org>
Document::setFocusedElement should not set m_focusedElement to an element in another document
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (253653 => 253654)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2019-12-17 23:35:18 UTC (rev 253654)
@@ -625,11 +625,14 @@
return m_frame.loader().client().allowScript(m_frame.settings().isScriptEnabled());
}
-bool ScriptController::executeIfJavaScriptURL(const URL& url, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL)
+bool ScriptController::executeIfJavaScriptURL(const URL& url, RefPtr<SecurityOrigin> requesterSecurityOrigin, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL)
{
if (!WTF::protocolIsJavaScript(url))
return false;
+ if (requesterSecurityOrigin && !requesterSecurityOrigin->canAccess(m_frame.document()->securityOrigin()))
+ return true;
+
if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url(), eventHandlerPosition().m_line))
return true;
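Review bot: The new guard `if (requesterSecurityOrigin && !requesterSecurityOrigin->canAccess(...))` is skipped entirely when the requester is null, and FrameLoader::submitForm in this same commit passes `nullptr`, so a form whose action is a javascript: URL still runs with only the CSP check below as a gate. If that is deliberate (the form path is vetted by its caller), it should be stated next to the check, e.g. `// A null requester means the caller vouches for the request (form submission); only the CSP check below applies.` — and if it is not, submitForm should pass the submitting document's origin. Returning true without running the script does correctly tell the caller the URL was consumed, so the frame neither executes nor navigates — the fail-closed outcome wanted here. The body of executeIfJavaScriptURL continues past the end of this hunk.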
Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (253653 => 253654)
--- trunk/Source/WebCore/bindings/js/ScriptController.h 2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h 2019-12-17 23:35:18 UTC (rev 253654)
@@ -27,6 +27,7 @@
#include <_javascript_Core/JSBase.h>
#include <_javascript_Core/Strong.h>
#include <wtf/Forward.h>
+#include <wtf/Optional.h>
#include <wtf/RefPtr.h>
#include <wtf/WeakPtr.h>
#include <wtf/text/TextPosition.h>
@@ -99,7 +100,7 @@
bool shouldAllowUserAgentScripts(Document&) const;
// Returns true if argument is a _javascript_ URL.
- bool executeIfJavaScriptURL(const URL&, ShouldReplaceDocumentIfJavaScriptURL shouldReplaceDocumentIfJavaScriptURL = ReplaceDocumentIfJavaScriptURL);
+ bool executeIfJavaScriptURL(const URL&, RefPtr<SecurityOrigin> = nullptr, ShouldReplaceDocumentIfJavaScriptURL = ReplaceDocumentIfJavaScriptURL);
// This function must be called from the main thread. It is safe to call it repeatedly.
// Darwin is an exception to this rule: it is OK to call this function from any thread, even reentrantly.
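Review bot: The new `RefPtr<SecurityOrigin> = nullptr` default on `executeIfJavaScriptURL` means any call site this commit did not update silently keeps the old behaviour with no requester check; dropping the default, `bool executeIfJavaScriptURL(const URL&, RefPtr<SecurityOrigin>, ShouldReplaceDocumentIfJavaScriptURL = ReplaceDocumentIfJavaScriptURL);`, would make every caller state its requester explicitly and let the compiler find the ones that were missed. The comment above the declaration should also mention the new parameter, e.g. `// Returns true if argument is a JavaScript URL. The script is not run when requester cannot access this frame's document origin.` The first hunk adds `#include <wtf/Optional.h>`, but nothing visible in these hunks uses Optional — the parameter is a RefPtr — so the include looks unneeded unless something outside the shown lines relies on it.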
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (253653 => 253654)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2019-12-17 23:30:03 UTC (rev 253653)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2019-12-17 23:35:18 UTC (rev 253654)
@@ -424,7 +424,7 @@
Ref<Frame> protect(m_frame);
- if (m_frame.script().executeIfJavaScriptURL(frameRequest.resourceRequest().url(), frameRequest.shouldReplaceDocumentIfJavaScriptURL())) {
+ if (m_frame.script().executeIfJavaScriptURL(frameRequest.resourceRequest().url(), &frameRequest.requester().securityOrigin(), frameRequest.shouldReplaceDocumentIfJavaScriptURL())) {
m_quickRedirectComing = false;
return;
}
@@ -462,7 +462,7 @@
return;
m_isExecutingJavaScriptFormAction = true;
Ref<Frame> protect(m_frame);
- m_frame.script().executeIfJavaScriptURL(submission->action(), DoNotReplaceDocumentIfJavaScriptURL);
+ m_frame.script().executeIfJavaScriptURL(submission->action(), nullptr, DoNotReplaceDocumentIfJavaScriptURL);
m_isExecutingJavaScriptFormAction = false;
return;
}