Title: [203300] trunk
Revision
203300
Author
[email protected]
Date
2016-07-15 14:18:33 -0700 (Fri, 15 Jul 2016)

Log Message

Block insecure script running in a data: frame when the top-level page is HTTPS
https://bugs.webkit.org/show_bug.cgi?id=125806
<rdar://problem/27331825>

Reviewed by Brady Eidson.

Fix based on a Blink change (patch by <[email protected]>):
<https://chromium.googlesource.com/chromium/blink/+/33e553bd96e040151c1472289a0d80803bfca3a5>

Source/WebCore:

Test: http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent): Check the top-level frame's security state
before allowing insecure scripts to be used.

LayoutTests:

* http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt: Added.
* http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html: Added.
* http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (203299 => 203300)


--- trunk/LayoutTests/ChangeLog	2016-07-15 21:17:01 UTC (rev 203299)
+++ trunk/LayoutTests/ChangeLog	2016-07-15 21:18:33 UTC (rev 203300)
@@ -1,3 +1,18 @@
+2016-07-15  Brent Fulgham  <[email protected]>
+
+        Block insecure script running in a data: frame when the top-level page is HTTPS
+        https://bugs.webkit.org/show_bug.cgi?id=125806
+        <rdar://problem/27331825>
+
+        Reviewed by Brady Eidson.
+
+        Fix based on a Blink change (patch by <[email protected]>):
+        <https://chromium.googlesource.com/chromium/blink/+/33e553bd96e040151c1472289a0d80803bfca3a5>
+
+        * http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt: Added.
+        * http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html: Added.
+        * http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html: Added.
+
 2016-07-15  Ryan Haddad  <[email protected]>
 
         Skipping test from r203288 on ios-simulator due to reliance upon mouse events.

Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt (0 => 203300)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt	2016-07-15 21:18:33 UTC (rev 203300)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-script.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js.
+
+This test opens a window that loads a data: iframe that loads an insecure script, and that the script is still blocked. Although the data: frame has a separate origin, the script can still navigate top.
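Review bot: The description sentence in the expected output is missing its verb ("...loads an insecure script, and that the script is still blocked"); because this file is compared byte-for-byte against the test page's `<p>` text, change both together, e.g. "...loads an insecure script, and verifies that the script is still blocked." Note also that the blocked-content message names the HTTPS opener document (`frame-with-data-url-frame-with-script.html`) rather than the data: frame itself, so this expectation is tied to the check being evaluated against the top-level document; if the message is ever reported from the child frame, this file will need updating.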

Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html (0 => 203300)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html	2016-07-15 21:18:33 UTC (rev 203300)
@@ -0,0 +1,24 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.overridePreference("WebKitAllowRunningInsecureContent", false);
+}
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+      testRunner.notifyDone();
+}, false);
+</script>
+<p>This test opens a window that loads a data: iframe that loads an
+insecure script, and that the script is still blocked. Although the
+data: frame has a separate origin, the script can still navigate top.
+</p>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-script.html");
+</script>
+</body>
+</html>
\ No newline at end of file
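Review bot: The `message` listener calls `testRunner.notifyDone()` for any message from any origin without looking at `e.data` or `e.origin`; the fixture posts the string `'done'` from `https://127.0.0.1:8443`, so guard on at least `e.data === "done"` so that an unrelated message cannot end the test before the frame has loaded. The `<p>` text carries the same missing verb as the expected file ("and that the script is still blocked") and must be corrected in step with it. Minor: the file has no trailing newline.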

Added: trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html (0 => 203300)


--- trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-data-url-frame-with-script.html	2016-07-15 21:18:33 UTC (rev 203300)
@@ -0,0 +1,7 @@
+<script>
+function frameLoaded() {
+  if (window.opener)
+    window.opener.postMessage('done', '*');
+}
+</script>
+<iframe _onload_="frameLoaded()" src="" src=''></script></html>"></iframe>
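Review bot: The `<iframe>` line is mangled as rendered here (`_onload_` instead of `onload`, two `src` attributes, a stray `</script></html>"` fragment), so the data: URL that should embed the reference to `http://127.0.0.1:8080/security/mixedContent/resources/script.js` named in the expected output cannot be checked from this listing; please confirm the committed file carries an intact `src="data:text/html,..."` value and a plain `onload` attribute. Also, `script.js` is not among the files added by this commit, so the test depends on it already existing under `resources/`.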

Modified: trunk/Source/WebCore/ChangeLog (203299 => 203300)


--- trunk/Source/WebCore/ChangeLog	2016-07-15 21:17:01 UTC (rev 203299)
+++ trunk/Source/WebCore/ChangeLog	2016-07-15 21:18:33 UTC (rev 203300)
@@ -1,3 +1,20 @@
+2016-07-15  Brent Fulgham  <[email protected]>
+
+        Block insecure script running in a data: frame when the top-level page is HTTPS
+        https://bugs.webkit.org/show_bug.cgi?id=125806
+        <rdar://problem/27331825>
+
+        Reviewed by Brady Eidson.
+
+        Fix based on a Blink change (patch by <[email protected]>):
+        <https://chromium.googlesource.com/chromium/blink/+/33e553bd96e040151c1472289a0d80803bfca3a5>
+
+        Test: http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked.html
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::checkInsecureContent): Check the top-level frame's security state
+        before allowing insecure scripts to be used.        
+
 2016-07-15  Chris Dumez  <[email protected]>
 
         Let the compiler generate QualifiedName copy constructor and assignment operator
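Review bot: Trailing whitespace after "before allowing insecure scripts to be used." in the new ChangeLog entry; strip it before landing.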

Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (203299 => 203300)


--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2016-07-15 21:17:01 UTC (rev 203299)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2016-07-15 21:18:33 UTC (rev 203300)
@@ -343,9 +343,13 @@
     case CachedResource::CSSStyleSheet:
         // These resource can inject script into the current document (Script,
         // XSL) or exfiltrate the content of the current document (CSS).
-        if (Frame* f = frame())
+        if (Frame* f = frame()) {
             if (!f->loader().mixedContentChecker().canRunInsecureContent(m_document->securityOrigin(), url))
                 return false;
+            Frame& top = f->tree().top();
+            if (&top != f && !top.loader().mixedContentChecker().canRunInsecureContent(top.document()->securityOrigin(), url))
+                return false;
+        }
         break;
 #if ENABLE(VIDEO_TRACK)
     case CachedResource::TextTrackResource:
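Review bot: The new ancestor check dereferences `top.document()` without a null check (`top.document()->securityOrigin()`), whereas the existing branch uses the loader's own `m_document`; unless `Frame::document()` is guaranteed non-null at every point `checkInsecureContent` can run, guard it, e.g. `if (&top != f && top.document() && !top.loader().mixedContentChecker().canRunInsecureContent(top.document()->securityOrigin(), url))`, or bail out of the extra check when there is no top document. Note also that only the top frame is consulted, not each intermediate ancestor; that matches the ChangeLog's stated scope (the top-level frame's security state), but it means a frame nested two or more levels deep is protected only by its own check and the top document's, not by any frame in between.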
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
