Revision: 93734
Author: [email protected]
Date: 2011-08-24 14:06:43 -0700 (Wed, 24 Aug 2011)
Log Message
Source/WebCore: chromium WebFrameImpl - don't load javascript URLs against chrome internal
pages. Adds a mechanism for registering sensitive schemes which should
not be subject to manipulation by javascript URLs typed into a location bar
or, more importantly, their bookmarklet equivalents.
https://bugs.webkit.org/show_bug.cgi?id=66720
Patch by Tom Sepez <[email protected]> on 2011-08-24
Reviewed by Adam Barth.
Test: Chromium WebKit API unit test in chromium specific directory.
* platform/SchemeRegistry.cpp:
(WebCore::notAllowingJavascriptURLsSchemes):
(WebCore::SchemeRegistry::registerURLSchemeAsNotAllowingJavascriptURLs):
(WebCore::SchemeRegistry::shouldTreatURLSchemeAsNotAllowingJavascriptURLs):
* platform/SchemeRegistry.h:
Source/WebKit/chromium: chromium WebFrameImpl - don't load javascript URLs against chrome internal pages.
https://bugs.webkit.org/show_bug.cgi?id=66720
Patch by Tom Sepez <[email protected]> on 2011-08-24
Reviewed by Adam Barth.
* public/WebSecurityPolicy.h:
* src/WebFrameImpl.cpp:
(WebKit::WebFrameImpl::loadJavaScriptURL):
* src/WebSecurityPolicy.cpp:
(WebKit::WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs):
* tests/WebFrameTest.cpp:
(WebKit::WebFrameTest::WebFrameTest):
(WebKit::WebFrameTest::registerMockedHttpURLLoad):
(WebKit::WebFrameTest::registerMockedChromeURLLoad):
(WebKit::WebFrameTest::serveRequests):
(WebKit::WebFrameTest::loadHttpFrame):
(WebKit::WebFrameTest::loadChromeFrame):
(WebKit::WebFrameTest::registerMockedURLLoad):
(WebKit::WebFrameTest::loadFrame):
(WebKit::TEST_F):
* tests/data/history.html: Added.
Diff
Modified: trunk/Source/WebCore/ChangeLog (93733 => 93734)
--- trunk/Source/WebCore/ChangeLog 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebCore/ChangeLog 2011-08-24 21:06:43 UTC (rev 93734)
@@ -1,3 +1,21 @@
+2011-08-24 Tom Sepez <[email protected]>
+
+ chromium WebFrameImpl - don't load _javascript_ URLs against chrome internal
+ pages. Adds a mechanism for registering sensitive schemes which should
+ not be subject to manipulation by _javascript_ urls typed into a location bar
+ or, more importantly, their bookmarklet equivalents.
+ https://bugs.webkit.org/show_bug.cgi?id=66720
+
+ Reviewed by Adam Barth.
+
+ Test: Chromium WebKit API unit test in chromium specific directory.
+
+ * platform/SchemeRegistry.cpp:
+ (WebCore::notAllowingJavascriptURLsSchemes):
+ (WebCore::SchemeRegistry::registerURLSchemeAsNotAllowingJavascriptURLs):
+ (WebCore::SchemeRegistry::shouldTreatURLSchemeAsNotAllowingJavascriptURLs):
+ * platform/SchemeRegistry.h:
+
2011-08-24 Alexandru Chiculita <[email protected]>
[CSSRegions] Fix Element::getBoundingClientRect and Element::getClientRects for content flow
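Review bot: the "Test:" line in the ChangeLog entry should name the test rather than describe its location; "Test: Chromium WebKit API unit test in chromium specific directory" leaves a reader to hunt through WebFrameTest.cpp. Writing "Test: WebFrameTest.ChromePageNoJavascript (Source/WebKit/chromium/tests/WebFrameTest.cpp)" points directly at the test that exercises the new SchemeRegistry entries.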
Modified: trunk/Source/WebCore/platform/SchemeRegistry.cpp (93733 => 93734)
--- trunk/Source/WebCore/platform/SchemeRegistry.cpp 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebCore/platform/SchemeRegistry.cpp 2011-08-24 21:06:43 UTC (rev 93734)
@@ -104,6 +104,12 @@
return canDisplayOnlyIfCanRequestSchemes;
}
+static URLSchemesMap& notAllowingJavascriptURLsSchemes()
+{
+ DEFINE_STATIC_LOCAL(URLSchemesMap, notAllowingJavascriptURLsSchemes, ());
+ return notAllowingJavascriptURLsSchemes;
+}
+
void SchemeRegistry::registerURLSchemeAsLocal(const String& scheme)
{
localURLSchemes().add(scheme);
@@ -192,4 +198,16 @@
canDisplayOnlyIfCanRequestSchemes().add(scheme);
}
+void SchemeRegistry::registerURLSchemeAsNotAllowingJavascriptURLs(const String& scheme)
+{
+ notAllowingJavascriptURLsSchemes().add(scheme);
+}
+
+bool SchemeRegistry::shouldTreatURLSchemeAsNotAllowingJavascriptURLs(const String& scheme)
+{
+ if (scheme.isEmpty())
+ return false;
+ return notAllowingJavascriptURLsSchemes().contains(scheme);
+}
+
} // namespace WebCore
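Review bot: registerURLSchemeAsNotAllowingJavascriptURLs accepts an empty scheme while shouldTreatURLSchemeAsNotAllowingJavascriptURLs rejects one, so the two halves disagree and the asymmetry is harmless only because the query side short-circuits on scheme.isEmpty(). Either assert !scheme.isEmpty() in the register function or drop the empty check, so both ends follow the same rule. It would also help to state in a comment whether the lookup is case-insensitive: the caller hands in document()->url().protocol(), and whether "chrome" and "Chrome" match depends on the hash used by URLSchemesMap, which this hunk does not show.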
Modified: trunk/Source/WebCore/platform/SchemeRegistry.h (93733 => 93734)
--- trunk/Source/WebCore/platform/SchemeRegistry.h 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebCore/platform/SchemeRegistry.h 2011-08-24 21:06:43 UTC (rev 93734)
@@ -63,6 +63,11 @@
// passed to SecurityOrigin::canDisplay.
static bool canDisplayOnlyIfCanRequest(const String& scheme);
static void registerAsCanDisplayOnlyIfCanRequest(const String& scheme);
+
+ // Schemes against which _javascript_: URLs should not be allowed to run (stop
+ // bookmarklets from running on sensitive pages).
+ static void registerURLSchemeAsNotAllowingJavascriptURLs(const String& scheme);
+ static bool shouldTreatURLSchemeAsNotAllowingJavascriptURLs(const String& scheme);
};
} // namespace WebCore
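Review bot: the header comment promises more than this revision enforces. The only caller of shouldTreatURLSchemeAsNotAllowingJavascriptURLs added here is the Chromium WebFrameImpl::loadJavaScriptURL path, so javascript: navigations initiated by page content (anchors, location assignments) are not consulted by this check. Either narrow the comment to "javascript: URLs entered through the embedder (location bar, bookmarklets)" or add the check where WebCore itself executes javascript: URLs, so a reader of the header does not assume the latter is covered.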
Modified: trunk/Source/WebKit/chromium/ChangeLog (93733 => 93734)
--- trunk/Source/WebKit/chromium/ChangeLog 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebKit/chromium/ChangeLog 2011-08-24 21:06:43 UTC (rev 93734)
@@ -1,3 +1,27 @@
+2011-08-24 Tom Sepez <[email protected]>
+
+ chromium WebFrameImpl - don't load _javascript_ URLs against chrome internal pages.
+ https://bugs.webkit.org/show_bug.cgi?id=66720
+
+ Reviewed by Adam Barth.
+
+ * public/WebSecurityPolicy.h:
+ * src/WebFrameImpl.cpp:
+ (WebKit::WebFrameImpl::loadJavaScriptURL):
+ * src/WebSecurityPolicy.cpp:
+ (WebKit::WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs):
+ * tests/WebFrameTest.cpp:
+ (WebKit::WebFrameTest::WebFrameTest):
+ (WebKit::WebFrameTest::registerMockedHttpURLLoad):
+ (WebKit::WebFrameTest::registerMockedChromeURLLoad):
+ (WebKit::WebFrameTest::serveRequests):
+ (WebKit::WebFrameTest::loadHttpFrame):
+ (WebKit::WebFrameTest::loadChromeFrame):
+ (WebKit::WebFrameTest::registerMockedURLLoad):
+ (WebKit::WebFrameTest::loadFrame):
+ (WebKit::TEST_F):
+ * tests/data/history.html: Added.
+
2011-08-24 Jeremy Apthorp <[email protected]>
Expose fullscreen API on WebElement/WebDocument
Modified: trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h (93733 => 93734)
--- trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebKit/chromium/public/WebSecurityPolicy.h 2011-08-24 21:06:43 UTC (rev 93734)
@@ -73,6 +73,10 @@
// based on their respective protocols.
WEBKIT_EXPORT static bool shouldHideReferrer(const WebURL& url, const WebString& referrer);
+ // Registers an URL scheme to not allow manipulation of the loaded page
+ // by bookmarklets or _javascript_: URLs typed in the omnibox.
+ WEBKIT_EXPORT static void registerURLSchemeAsNotAllowingJavascriptURLs(const WebString&);
+
private:
WebSecurityPolicy();
};
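Review bot: two small points on the new declaration. "Registers an URL scheme" should read "Registers a URL scheme", and the parameter is unnamed while the neighbouring shouldHideReferrer(const WebURL& url, const WebString& referrer) names its arguments; declare it as `registerURLSchemeAsNotAllowingJavascriptURLs(const WebString& scheme)` so the public header says what is expected.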
Modified: trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp (93733 => 93734)
--- trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp 2011-08-24 21:06:43 UTC (rev 93734)
@@ -122,6 +122,7 @@
#include "ResourceRequest.h"
#include "SVGDocumentExtensions.h"
#include "SVGSMILElement.h"
+#include "SchemeRegistry.h"
#include "ScriptController.h"
#include "ScriptSourceCode.h"
#include "ScriptValue.h"
@@ -2295,6 +2296,10 @@
if (!m_frame->document() || !m_frame->page())
return;
+ // Protect privileged pages against bookmarklets and other _javascript_ manipulations.
+ if (SchemeRegistry::shouldTreatURLSchemeAsNotAllowingJavascriptURLs(m_frame->document()->url().protocol()))
+ return;
+
String script = decodeURLEscapeSequences(url.string().substring(strlen("_javascript_:")));
ScriptValue result = m_frame->script()->executeScript(script, true);
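Review bot: the guard keys on m_frame->document()->url().protocol(), so a frame whose document URL is about:blank but whose security origin was inherited from a privileged parent passes the check with an unregistered "about" scheme; since loadJavaScriptURL is a per-frame entry point, consider testing m_frame->document()->securityOrigin()->protocol() as well. The placement itself is right: the early return happens before the URL is decoded and before executeScript runs, so nothing is evaluated for a registered scheme. The return is silent, though, so the embedder gets no signal that the URL was dropped; a short comment saying that is intentional would save the next reader a debugging session.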
Modified: trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp (93733 => 93734)
--- trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebKit/chromium/src/WebSecurityPolicy.cpp 2011-08-24 21:06:43 UTC (rev 93734)
@@ -94,4 +94,9 @@
return SecurityOrigin::shouldHideReferrer(url, referrer);
}
+void WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(const WebString& scheme)
+{
+ SchemeRegistry::registerURLSchemeAsNotAllowingJavascriptURLs(scheme);
+}
+
} // namespace WebKit
Modified: trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp (93733 => 93734)
--- trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp 2011-08-24 20:39:20 UTC (rev 93733)
+++ trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp 2011-08-24 21:06:43 UTC (rev 93734)
@@ -35,6 +35,7 @@
#include "WebFrame.h"
#include "WebFrameClient.h"
#include "WebSearchableFormData.h"
+#include "WebSecurityPolicy.h"
#include "WebSettings.h"
#include "WebString.h"
#include "WebURL.h"
@@ -53,7 +54,8 @@
class WebFrameTest : public testing::Test {
public:
WebFrameTest()
- : baseURL("http://www.test.com/")
+ : baseURL("http://www.test.com/"),
+ chromeURL("chrome://")
{
}
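Review bot: style nit in the initializer list: WebKit style puts the comma at the start of the continuation line (`: baseURL("http://www.test.com/")` followed by `, chromeURL("chrome://")`) rather than trailing after baseURL. Also, with a base of "chrome://" the test URL becomes chrome://history.html, where history.html is the host rather than a path; that is fine for exercising the scheme check but deserves a comment so nobody reads it as a real chrome://history URL.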
@@ -62,8 +64,33 @@
webkit_support::UnregisterAllMockedURLs();
}
- void registerMockedURLLoad(const std::string& fileName)
+ void registerMockedHttpURLLoad(const std::string& fileName)
{
+ registerMockedURLLoad(baseURL, fileName);
+ }
+
+ void registerMockedChromeURLLoad(const std::string& fileName)
+ {
+ registerMockedURLLoad(chromeURL, fileName);
+ }
+
+ void serveRequests()
+ {
+ webkit_support::ServeAsynchronousMockedRequests();
+ }
+
+ void loadHttpFrame(WebFrame* frame, const std::string& fileName)
+ {
+ loadFrame(frame, baseURL, fileName);
+ }
+
+ void loadChromeFrame(WebFrame* frame, const std::string& fileName)
+ {
+ loadFrame(frame, chromeURL, fileName);
+ }
+
+ void registerMockedURLLoad(const std::string& base, const std::string& fileName)
+ {
WebURLResponse response;
response.initialize();
response.setMIMEType("text/html");
@@ -72,24 +99,20 @@
filePath += "/Source/WebKit/chromium/tests/data/";
filePath += fileName;
- webkit_support::RegisterMockedURL(WebURL(GURL(baseURL + fileName)), response, WebString::fromUTF8(filePath));
+ webkit_support::RegisterMockedURL(WebURL(GURL(base + fileName)), response, WebString::fromUTF8(filePath));
}
- void serveRequests()
+ void loadFrame(WebFrame* frame, const std::string& base, const std::string& fileName)
{
- webkit_support::ServeAsynchronousMockedRequests();
- }
-
- void loadFrame(WebFrame* frame, const std::string& fileName)
- {
WebURLRequest urlRequest;
urlRequest.initialize();
- urlRequest.setURL(WebURL(GURL(baseURL + fileName)));
+ urlRequest.setURL(WebURL(GURL(base + fileName)));
frame->loadRequest(urlRequest);
}
protected:
std::string baseURL;
+ std::string chromeURL;
};
class TestWebFrameClient : public WebFrameClient {
@@ -97,17 +120,17 @@
TEST_F(WebFrameTest, ContentText)
{
- registerMockedURLLoad("iframes_test.html");
- registerMockedURLLoad("visible_iframe.html");
- registerMockedURLLoad("invisible_iframe.html");
- registerMockedURLLoad("zero_sized_iframe.html");
+ registerMockedHttpURLLoad("iframes_test.html");
+ registerMockedHttpURLLoad("visible_iframe.html");
+ registerMockedHttpURLLoad("invisible_iframe.html");
+ registerMockedHttpURLLoad("zero_sized_iframe.html");
// Create and initialize the WebView.
TestWebFrameClient webFrameClient;
WebView* webView = WebView::create(0);
webView->initializeMainFrame(&webFrameClient);
- loadFrame(webView->mainFrame(), "iframes_test.html");
+ loadHttpFrame(webView->mainFrame(), "iframes_test.html");
serveRequests();
// Now retrieve the frames text and test it only includes visible elements.
@@ -123,18 +146,18 @@
TEST_F(WebFrameTest, FrameForEnteredContext)
{
- registerMockedURLLoad("iframes_test.html");
- registerMockedURLLoad("visible_iframe.html");
- registerMockedURLLoad("invisible_iframe.html");
- registerMockedURLLoad("zero_sized_iframe.html");
+ registerMockedHttpURLLoad("iframes_test.html");
+ registerMockedHttpURLLoad("visible_iframe.html");
+ registerMockedHttpURLLoad("invisible_iframe.html");
+ registerMockedHttpURLLoad("zero_sized_iframe.html");
// Create and initialize the WebView.
- TestWebFrameClient webFrameClient;
+ TestWebFrameClient webFrameClient;
WebView* webView = WebView::create(0);
webView->settings()->setJavaScriptEnabled(true);
webView->initializeMainFrame(&webFrameClient);
- loadFrame(webView->mainFrame(), "iframes_test.html");
+ loadHttpFrame(webView->mainFrame(), "iframes_test.html");
serveRequests();
v8::HandleScope scope;
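Review bot: the `TestWebFrameClient webFrameClient;` line in FrameForEnteredContext is a whitespace-only change unrelated to the patch; harmless, but either drop it or mention it in the ChangeLog so it does not look like a behavioural edit.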
@@ -150,13 +173,13 @@
TEST_F(WebFrameTest, FormWithNullFrame)
{
- registerMockedURLLoad("form.html");
+ registerMockedHttpURLLoad("form.html");
TestWebFrameClient webFrameClient;
WebView* webView = WebView::create(0);
webView->initializeMainFrame(&webFrameClient);
- loadFrame(webView->mainFrame(), "form.html");
+ loadHttpFrame(webView->mainFrame(), "form.html");
serveRequests();
WebVector<WebFormElement> forms;
@@ -169,4 +192,27 @@
WebSearchableFormData searchableDataForm(forms[0]);
}
+TEST_F(WebFrameTest, ChromePageNoJavascript)
+{
+ registerMockedChromeURLLoad("history.html");
+
+ // Create and initialize the WebView.
+ TestWebFrameClient webFrameClient;
+ WebView* webView = WebView::create(0);
+ webView->settings()->setJavaScriptEnabled(true);
+ webView->initializeMainFrame(&webFrameClient);
+
+ loadChromeFrame(webView->mainFrame(), "history.html");
+ serveRequests();
+
+ // Try to run JS against the chrome-style URL.
+ WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs("chrome");
+ loadFrame(webView->mainFrame(), "_javascript_:", "document.body.appendChild(document.createTextNode('Clobbered'))");
+
+ // Now retrieve the frames text and see if it was clobbered.
+ std::string content = webView->mainFrame()->contentAsText(1024).utf8();
+ EXPECT_NE(std::string::npos, content.find("Simulated Chromium History Page"));
+ EXPECT_EQ(std::string::npos, content.find("Clobbered"));
}
+
+} // namespace
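Review bot: the test has no positive control, so it would also pass if the javascript: URL were never executed at all. Add a companion load of the same `javascript:` URL against the http frame (or against the chrome frame before registerURLSchemeAsNotAllowingJavascriptURLs("chrome") is called) with EXPECT_NE(std::string::npos, content.find("Clobbered")); that also confirms that loadRequest actually routes javascript: URLs through WebFrameImpl::loadJavaScriptURL, which the test silently relies on. Second, the registration is process-global and SchemeRegistry offers no unregister, so "chrome" stays registered for every later test in the binary; either note that in the test or move the registration into the fixture so the outcome does not depend on test order. Minor: the comment "Try to run JS against the chrome-style URL" sits above the register call, which is setup rather than the attempt; move the register call above the comment.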
Added: trunk/Source/WebKit/chromium/tests/data/history.html (0 => 93734)
--- trunk/Source/WebKit/chromium/tests/data/history.html (rev 0)
+++ trunk/Source/WebKit/chromium/tests/data/history.html 2011-08-24 21:06:43 UTC (rev 93734)
@@ -0,0 +1,3 @@
+<body>
+Simulated Chromium History Page
+</body>