Title: [203258] trunk
Revision: 203258
Author: [email protected]
Date: 2016-07-14 17:10:45 -0700 (Thu, 14 Jul 2016)

Log Message

Remove credentials in URL when accessed through location.href
https://bugs.webkit.org/show_bug.cgi?id=139562
<rdar://problem/27331164>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: http/tests/security/location-href-clears-username-password.html

The reason for this change is to not allow scripts on the page to
exfiltrate username and password from the URL.

* page/Location.cpp:
(WebCore::Location::href):
    Now checks if there is a username or password in the URL. If so,
    it copies the URL and removes the username and password.

LayoutTests:

The reason for this change is to not allow scripts on the page to
exfiltrate username and password from the URL.

* http/tests/security/location-href-clears-username-password-expected.txt: Added.
* http/tests/security/location-href-clears-username-password.html: Added.
    Test case adapted from https://src.chromium.org/viewvc/blink?revision=189367&view=revision.

Diff

Modified: trunk/LayoutTests/ChangeLog (203257 => 203258)


--- trunk/LayoutTests/ChangeLog	2016-07-15 00:00:36 UTC (rev 203257)
+++ trunk/LayoutTests/ChangeLog	2016-07-15 00:10:45 UTC (rev 203258)
@@ -1,3 +1,18 @@
+2016-07-14  John Wilander  <[email protected]>
+
+        Remove credentials in URL when accessed through location.href
+        https://bugs.webkit.org/show_bug.cgi?id=139562
+        <rdar://problem/27331164>
+
+        Reviewed by Brent Fulgham.
+
+        The reason for this change is to not allow scripts on the page to
+        exfiltrate username and password from the URL.
+
+        * http/tests/security/location-href-clears-username-password-expected.txt: Added.
+        * http/tests/security/location-href-clears-username-password.html: Added.
+            Test case adapted from https://src.chromium.org/viewvc/blink?revision=189367&view=revision.
+
 2016-07-14  Brent Fulgham  <[email protected]>
 
         Merge Blink test case

Added: trunk/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt (0 => 203258)


--- trunk/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt	2016-07-15 00:10:45 UTC (rev 203258)
@@ -0,0 +1,10 @@
+Tests that URL-based username and password are not revealed in location.href.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS No username or password in location.href.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/location-href-clears-username-password.html (0 => 203258)


--- trunk/LayoutTests/http/tests/security/location-href-clears-username-password.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-href-clears-username-password.html	2016-07-15 00:10:45 UTC (rev 203258)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+    description("Tests that URL-based username and password are not revealed in location.href.");
+
+    window.jsTestIsAsync = true;
+
+    var frame = document.createElement('iframe');
+    frame.setAttribute('src', 'http://_username:_password@' 
+        + location.host + '/security/resources/blank.html');
+
+    document.body.appendChild(frame);
+
+    frame._onload_ = function() {
+        var href = ""
+        if (href.indexOf('_username') === -1 &&
+            href.indexOf('_password') === -1) {
+            testPassed("No username or password in location.href.");
+        } else {
+            testFailed("Either username, password, or both were found in location.href");
+        }
+        
+        finishJSTest();
+    };
+</script>
+<script src=""
+</body>
+</html>
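
Review bot: The onload check in location-href-clears-username-password.html only asserts that the substrings '_username' and '_password' are absent from href, so a result that is empty or otherwise wrong would still report PASS. Compare href against the expected credential-free URL ('http://' + location.host + '/security/resources/blank.html') instead. The test also covers only a URL that carries both fields; since Location::href() tests hasUsername() and hasPassword() separately, add username-only and password-only cases and extend the expected.txt to match.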

Modified: trunk/Source/WebCore/ChangeLog (203257 => 203258)


--- trunk/Source/WebCore/ChangeLog	2016-07-15 00:00:36 UTC (rev 203257)
+++ trunk/Source/WebCore/ChangeLog	2016-07-15 00:10:45 UTC (rev 203258)
@@ -1,3 +1,21 @@
+2016-07-14  John Wilander  <[email protected]>
+
+        Remove credentials in URL when accessed through location.href
+        https://bugs.webkit.org/show_bug.cgi?id=139562
+        <rdar://problem/27331164>
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/location-href-clears-username-password.html
+
+        The reason for this change is to not allow scripts on the page to
+        exfiltrate username and password from the URL.
+
+        * page/Location.cpp:
+        (WebCore::Location::href):
+            Now checks if there is a username or password in the URL. If so,
+            it copies the URL and removes the username and password.
+
 2016-07-14  Javier Fernandez  <[email protected]>
 
         [css-grid] Handle min-content/max-content with orthogonal flows

Modified: trunk/Source/WebCore/page/Location.cpp (203257 => 203258)


--- trunk/Source/WebCore/page/Location.cpp	2016-07-15 00:00:36 UTC (rev 203257)
+++ trunk/Source/WebCore/page/Location.cpp	2016-07-15 00:10:45 UTC (rev 203258)
@@ -60,7 +60,15 @@
     if (!m_frame)
         return String();
 
-    return url().string();
+    auto& url = ""
+
+    if (!url.hasUsername() && !url.hasPassword())
+        return url.string();
+
+    URL urlWithoutCredentials(url);
+    urlWithoutCredentials.setUser(WTF::emptyString());
+    urlWithoutCredentials.setPass(WTF::emptyString());
+    return urlWithoutCredentials.string();
 }
 
 String Location::protocol() const
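
Review bot: The new block in Location::href() carries no comment saying why the user and password are cleared, so a later cleanup could fold it back to `return url().string();`. Add a one-line comment that states the reason and points at bug 139562. This patch changes only href(), so please confirm whether the other Location getters and any other script-visible copy of the document URL already omit credentials, or say in the ChangeLog that they are out of scope.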