Modified: trunk/LayoutTests/ChangeLog (96609 => 96610)
--- trunk/LayoutTests/ChangeLog 2011-10-04 17:49:46 UTC (rev 96609)
+++ trunk/LayoutTests/ChangeLog 2011-10-04 18:00:32 UTC (rev 96610)
@@ -1,3 +1,16 @@
+2011-10-03 Ken Buchanan <ke...@chromium.org>
+
+ Resource loader should block HTTP redirects to local resources
+ https://bugs.webkit.org/show_bug.cgi?id=68706
+
+ Reviewed by Adam Barth.
+
+ Adding a test to attempt an HTTP redirect to a file: URL.
+
+ * http/tests/security/redirect-BLOCKED-to-localURL.html: Added.
+ * http/tests/security/redirect-BLOCKED-to-localURL-expected.txt: Added.
+ * http/tests/security/resources/file-redirect-target.html: Added.
+
2011-10-04 Adam Barth <aba...@webkit.org>
Restore Linux baseline for this test. The Linux baseline got clobbered
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt (0 => 96610)
--- trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt 2011-10-04 18:00:32 UTC (rev 96610)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 0: Not allowed to load local resource: file-redirect-target.html
+
+This attempts to open a redirect link to a file URL, which should be blocked.
Property changes on: trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL.html (0 => 96610)
--- trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL.html 2011-10-04 18:00:32 UTC (rev 96610)
@@ -0,0 +1,11 @@
+<html>
+<body>
+<iframe src=""
+<script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ }
+</script>
+<p>This attempts to open a redirect link to a file URL, which should be blocked.</p>
+</body>
+</html>
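Review bot: The `<iframe src=""` line is incomplete as shown here — the tag is never closed and no `</iframe>` follows, so the redirecting URL this test depends on is not visible. Presumably the page rendering truncated the attribute rather than the committed file, but if the file really reads this way the iframe would issue no request and the console message in the expected file could not be produced. Either way the test would be easier to read with the mechanism stated, e.g. a comment such as `<!-- The iframe loads an HTTP resource that redirects to a file: URL; the redirect must be blocked and reported on the console. -->` next to the iframe.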
Property changes on: trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL.html
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/http/tests/security/resources/file-redirect-target.html (0 => 96610)
--- trunk/LayoutTests/http/tests/security/resources/file-redirect-target.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/file-redirect-target.html 2011-10-04 18:00:32 UTC (rev 96610)
@@ -0,0 +1,3 @@
+<html>
+FAIL: This page shouldn't load via HTTP redirect to file:
+</html>
Property changes on: trunk/LayoutTests/http/tests/security/resources/file-redirect-target.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (96609 => 96610)
--- trunk/Source/WebCore/ChangeLog 2011-10-04 17:49:46 UTC (rev 96609)
+++ trunk/Source/WebCore/ChangeLog 2011-10-04 18:00:32 UTC (rev 96610)
@@ -1,3 +1,23 @@
+2011-10-03 Ken Buchanan <ke...@chromium.org>
+
+ Resource loader should block HTTP redirects to local resources
+ https://bugs.webkit.org/show_bug.cgi?id=68706
+
+ Reviewed by Adam Barth.
+
+ Modified MainResourceLoader to add an extra security check on
+ HTTP redirects. Also, moved isFeedWithNestedProtocolInHTTPFamily
+ to SecurityOrigin.cpp.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::isFeedWithNestedProtocolInHTTPFamily):
+ (WebCore::FrameLoader::loadFrameRequest):
+ * loader/MainResourceLoader.cpp:
+ (WebCore::MainResourceLoader::willSendRequest):
+ * page/SecurityOrigin.cpp:
+ (WebCore::isFeedWithNestedProtocolInHTTPFamily):
+ (WebCore::SecurityOrigin::canDisplay):
+
2011-10-04 Cary Clark <carycl...@google.com>
Apply color profile found to decoded bitmap (Skia on Mac)
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (96609 => 96610)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2011-10-04 17:49:46 UTC (rev 96609)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2011-10-04 18:00:32 UTC (rev 96610)
@@ -1125,21 +1125,6 @@
detachChildren();
}
-// This is a hack to allow keep navigation to http/https feeds working. To remove this
-// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
-// protocols navigation policy.
-static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
-{
- const String& urlString = url.string();
- if (!urlString.startsWith("feed", false))
- return false;
-
- return urlString.startsWith("feed://", false)
- || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false)
- || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false)
- || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false);
-}
-
void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, bool lockHistory, bool lockBackForwardList,
PassRefPtr<Event> event, PassRefPtr<FormState> formState, ReferrerPolicy referrerPolicy)
{
@@ -1149,8 +1134,7 @@
KURL url = ""
ASSERT(m_frame->document());
- // FIXME: Should we move the isFeedWithNestedProtocolInHTTPFamily logic inside SecurityOrigin::canDisplay?
- if (!isFeedWithNestedProtocolInHTTPFamily(url) && !request.requester()->canDisplay(url)) {
+ if (!request.requester()->canDisplay(url)) {
reportLocalLoadFailed(m_frame, url.string());
return;
}
Modified: trunk/Source/WebCore/loader/MainResourceLoader.cpp (96609 => 96610)
--- trunk/Source/WebCore/loader/MainResourceLoader.cpp 2011-10-04 17:49:46 UTC (rev 96609)
+++ trunk/Source/WebCore/loader/MainResourceLoader.cpp 2011-10-04 18:00:32 UTC (rev 96610)
@@ -182,6 +182,15 @@
ASSERT(documentLoader()->timing()->fetchStart);
if (!redirectResponse.isNull()) {
+ // If the redirecting url is not allowed to display content from the target origin,
+ // then block the redirect.
+ RefPtr<SecurityOrigin> redirectingOrigin = SecurityOrigin::create(redirectResponse.url());
+ if (!redirectingOrigin->canDisplay(newRequest.url())) {
+ FrameLoader::reportLocalLoadFailed(m_frame.get(), newRequest.url().string());
+ cancel();
+ return;
+ }
+
DocumentLoadTiming* documentLoadTiming = documentLoader()->timing();
// Check if the redirected url is allowed to access the redirecting url's timing information.
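Review bot: The new `FrameLoader::reportLocalLoadFailed` call reports every `canDisplay` failure as a local-resource failure, but `canDisplay` (visible further down in this diff) returns `canRequest(url)` for schemes registered as canDisplayOnlyIfCanRequest, so a redirect blocked for that reason would log "Not allowed to load local resource" for a non-local target; consider reporting only when `SchemeRegistry::shouldTreatURLSchemeAsLocal(newRequest.url().protocol())` holds, or adding a comment that the message is approximate. A second, hedged point: `redirectingOrigin` is freshly created from `redirectResponse.url()`, so any per-instance grant held by the redirecting document's actual origin (e.g. via `grantLoadLocalResources`) is not consulted, which makes this check stricter than the requester-based check in `FrameLoader::loadFrameRequest` — fine if intended, but worth one comment line so the difference is not mistaken for an oversight. `willSendRequest` begins and ends outside this hunk, and the hunk's trailing context lines appear cut off on this page, so whether a guard against `cancel()` releasing the loader is in scope cannot be confirmed from here.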
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (96609 => 96610)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2011-10-04 17:49:46 UTC (rev 96609)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2011-10-04 18:00:32 UTC (rev 96610)
@@ -332,10 +332,33 @@
return isAccessWhiteListed(targetOrigin.get());
}
+// This is a hack to allow keep navigation to http/https feeds working. To remove this
+// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
+// protocols navigation policy.
+// feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be
+// local or remote depending on what is nested. Currently we just check if we are nesting
+// http or https, otherwise we ignore the nesting for the purpose of a security check. We need
+// a facility for registering nesting schemes, and some generalized logic for them.
+// This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196
+static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
+{
+ const String& urlString = url.string();
+ if (!urlString.startsWith("feed", false))
+ return false;
+
+ return urlString.startsWith("feed://", false)
+ || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false)
+ || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false)
+ || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false);
+}
+
bool SecurityOrigin::canDisplay(const KURL& url) const
{
String protocol = url.protocol().lower();
+ if (isFeedWithNestedProtocolInHTTPFamily(url))
+ return true;
+
if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
return canRequest(url);