Title: [204796] releases/WebKitGTK/webkit-2.12
- Revision: 204796
- Author: [email protected]
- Date: 2016-08-23 03:39:11 -0700 (Tue, 23 Aug 2016)
Log Message
Merge r203258 - Remove credentials in URL when accessed through location.href
https://bugs.webkit.org/show_bug.cgi?id=139562
<rdar://problem/27331164>
Reviewed by Brent Fulgham.
Source/WebCore:
Test: http/tests/security/location-href-clears-username-password.html
The reason for this change is to not allow scripts on the page to
exfiltrate username and password from the URL.
* page/Location.cpp:
(WebCore::Location::href):
Now checks if there is a username or password in the URL. If so,
it copies the URL and removes the username and password.
LayoutTests:
The reason for this change is to not allow scripts on the page to
exfiltrate username and password from the URL.
* http/tests/security/location-href-clears-username-password-expected.txt: Added.
* http/tests/security/location-href-clears-username-password.html: Added.
Test case adapted from https://src.chromium.org/viewvc/blink?revision=189367&view=revision.
Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (204795 => 204796)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-08-23 10:18:38 UTC (rev 204795)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-08-23 10:39:11 UTC (rev 204796)
@@ -1,3 +1,18 @@
+2016-07-14 John Wilander <[email protected]>
+
+ Remove credentials in URL when accessed through location.href
+ https://bugs.webkit.org/show_bug.cgi?id=139562
+ <rdar://problem/27331164>
+
+ Reviewed by Brent Fulgham.
+
+ The reason for this change is to not allow scripts on the page to
+ exfiltrate username and password from the URL.
+
+ * http/tests/security/location-href-clears-username-password-expected.txt: Added.
+ * http/tests/security/location-href-clears-username-password.html: Added.
+ Test case adapted from https://src.chromium.org/viewvc/blink?revision=189367&view=revision.
+
2016-07-24 Wenson Hsieh <[email protected]>
The web process hangs when computing elements-based snap points for a container with large max scroll offset
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt (0 => 204796)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password-expected.txt 2016-08-23 10:39:11 UTC (rev 204796)
@@ -0,0 +1,10 @@
+Tests that URL-based username and password are not revealed in location.href.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS No username or password in location.href.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password.html (0 => 204796)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/location-href-clears-username-password.html 2016-08-23 10:39:11 UTC (rev 204796)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+ description("Tests that URL-based username and password are not revealed in location.href.");
+
+ window.jsTestIsAsync = true;
+
+ var frame = document.createElement('iframe');
+ frame.setAttribute('src', 'http://_username:_password@'
+ + location.host + '/security/resources/blank.html');
+
+ document.body.appendChild(frame);
+
+ frame._onload_ = function() {
+ var href = ""
+ if (href.indexOf('_username') === -1 &&
+ href.indexOf('_password') === -1) {
+ testPassed("No username or password in location.href.");
+ } else {
+ testFailed("Either username, password, or both were found in location.href");
+ }
+
+ finishJSTest();
+ };
+</script>
+<script src=""
+</body>
+</html>
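Review bot: In the load handler, `var href = ""` assigns an empty string as shown here, so both `indexOf` checks return -1 and the test passes without ever reading the iframe's location. Take the value from the loaded frame's `location.href` and add a positive assertion that it equals the credential-free URL (`'http://' + location.host + '/security/resources/blank.html'`), so that an empty or truncated return value fails as well. The handler should also be attached before `document.body.appendChild(frame)`, and it is written to `frame._onload_` in this text, a property that no load event would invoke.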
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (204795 => 204796)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-08-23 10:18:38 UTC (rev 204795)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-08-23 10:39:11 UTC (rev 204796)
@@ -1,3 +1,21 @@
+2016-07-14 John Wilander <[email protected]>
+
+ Remove credentials in URL when accessed through location.href
+ https://bugs.webkit.org/show_bug.cgi?id=139562
+ <rdar://problem/27331164>
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/location-href-clears-username-password.html
+
+ The reason for this change is to not allow scripts on the page to
+ exfiltrate username and password from the URL.
+
+ * page/Location.cpp:
+ (WebCore::Location::href):
+ Now checks if there is a username or password in the URL. If so,
+ it copies the URL and removes the username and password.
+
2016-07-24 Wenson Hsieh <[email protected]>
The web process hangs when computing elements-based snap points for a container with large max scroll offset
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/Location.cpp (204795 => 204796)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/Location.cpp 2016-08-23 10:18:38 UTC (rev 204795)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/Location.cpp 2016-08-23 10:39:11 UTC (rev 204796)
@@ -60,7 +60,15 @@
if (!m_frame)
return String();
- return url().string();
+ auto& url = ""
+
+ if (!url.hasUsername() && !url.hasPassword())
+ return url.string();
+
+ URL urlWithoutCredentials(url);
+ urlWithoutCredentials.setUser(WTF::emptyString());
+ urlWithoutCredentials.setPass(WTF::emptyString());
+ return urlWithoutCredentials.string();
}
String Location::protocol() const
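Review bot: The new local `auto& url` shadows the `url()` accessor that the removed line `return url().string();` called, and as shown it is initialised from an empty string literal rather than from the document URL; bind it to the accessor's result under a distinct name such as `currentURL`. The stripping path has no comment saying why credentials are removed, so that rationale lives only in the ChangeLog; a one-line comment above the `hasUsername()`/`hasPassword()` check would keep it next to the code. This diff changes only `Location::href`, so confirm that any other Location accessor returning the full serialized URL goes through the same stripping.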
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/platform/URL.h (204795 => 204796)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/platform/URL.h 2016-08-23 10:18:38 UTC (rev 204795)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/platform/URL.h 2016-08-23 10:39:11 UTC (rev 204796)
@@ -114,6 +114,9 @@
WEBCORE_EXPORT String fragmentIdentifier() const;
WEBCORE_EXPORT bool hasFragmentIdentifier() const;
+ bool hasUsername() const;
+ bool hasPassword() const;
+
// Unlike user() and pass(), these functions don't decode escape sequences.
// This is necessary for accurate round-tripping, because encoding doesn't encode '%' characters.
String encodedUser() const;
@@ -343,6 +346,16 @@
return m_hostEnd < m_portEnd;
}
+inline bool URL::hasUsername() const
+{
+ return m_userEnd > m_userStart;
+}
+
+inline bool URL::hasPassword() const
+{
+ return m_passwordEnd > (m_userEnd + 1);
+}
+
inline bool URL::protocolIsInHTTPFamily() const
{
return m_protocolIsInHTTPFamily;
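Review bot: `hasPassword()` returns `m_passwordEnd > (m_userEnd + 1)` with an unexplained `+ 1`; add a comment stating what the offset accounts for (presumably the ':' between user and password), because the check is only correct if the parsed offsets always follow that layout. The layout test in this change exercises only a URL with both components (`_username:_password@`), so unit tests for the one-sided forms `user@host`, `user:@host` and `:pass@host` would pin down how `hasUsername()` and `hasPassword()` behave when one component is absent or empty.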
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes