[webkit-changes] [WebKit/WebKit] 40274a: [cocoa] Block response from localhost for mixed co...

Wed, 01 May 2024 10:26:27 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 40274a8fb39df8ee3974a16846a5bb00780253c8
      
https://github.com/WebKit/WebKit/commit/40274a8fb39df8ee3974a16846a5bb00780253c8
  Author: Matthew Finkel <sys...@apple.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M Source/WebCore/platform/network/DNS.cpp
    M Source/WebCore/platform/network/DNS.h
    M Source/WebKit/NetworkProcess/NetworkDataTask.cpp
    M Source/WebKit/NetworkProcess/NetworkDataTask.h
    M Source/WebKit/NetworkProcess/NetworkDataTaskBlob.cpp
    M Source/WebKit/NetworkProcess/NetworkDataTaskDataURL.cpp
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp
    M Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp

  Log Message:
  -----------
  [cocoa] Block response from localhost for mixed content if not loopback
https://bugs.webkit.org/show_bug.cgi?id=272955
rdar://126729658

Reviewed by Brent Fulgham.

In general, localhost could resolve to any IP address, but the expectation is
that it resolves to either 127.0.0.1 as an IPv4 and [::1] as IPv6. This change
looks at the resolved IP address and blocks the response if we are loading a
subresource from localhost over plaintext HTTP and the main document was loaded
with HTTPS (and it wasn't from localhost).

* Source/WebCore/platform/network/DNS.cpp:
(WebCore::IPAddress::isLoopback const):
* Source/WebCore/platform/network/DNS.h:
* Source/WebKit/NetworkProcess/NetworkDataTask.cpp:
(WebKit::NetworkDataTask::didReceiveResponse):
* Source/WebKit/NetworkProcess/NetworkDataTask.h:
* Source/WebKit/NetworkProcess/NetworkDataTaskBlob.cpp:
(WebKit::NetworkDataTaskBlob::dispatchDidReceiveResponse):
* Source/WebKit/NetworkProcess/NetworkDataTaskDataURL.cpp:
(WebKit::NetworkDataTaskDataURL::didDecodeDataURL):
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::didReceiveResponse):
* Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp:
(WebKit::NetworkDataTaskCurl::invokeDidReceiveResponse):
* Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::dispatchDidReceiveResponse):

Canonical link: https://commits.webkit.org/278214@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to