Title: [222788] trunk
- Revision: 222788
- Author: [email protected]
- Date: 2017-10-03 11:03:02 -0700 (Tue, 03 Oct 2017)
Log Message
[CSP] Check policy before opening a new window to a JavaScript URL
https://bugs.webkit.org/show_bug.cgi?id=176815
<rdar://problem/34400057>
Reviewed by Brent Fulgham.
Source/WebCore:
Ensure that the Content Security Policy of the page allows navigation to a JavaScript URL
before opening a new window to it.
Test: http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html
* loader/FrameLoader.cpp:
(WebCore::createWindow):
LayoutTests:
* http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js: Added.
* http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (222787 => 222788)
--- trunk/LayoutTests/ChangeLog 2017-10-03 17:56:50 UTC (rev 222787)
+++ trunk/LayoutTests/ChangeLog 2017-10-03 18:03:02 UTC (rev 222788)
@@ -1,3 +1,15 @@
+2017-10-03 Daniel Bates <[email protected]>
+
+ [CSP] Check policy before opening a new window to a _javascript_ URL
+ https://bugs.webkit.org/show_bug.cgi?id=176815
+ <rdar://problem/34400057>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-blocked.js: Added.
+ * http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked.html: Added.
+
2017-10-03 Joanmarie Diggs <[email protected]>
AX: [ATK] ARIA drag-and-drop attribute values should be exposed via AtkObject attributes
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-blocked.js (0 => 222788)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-blocked.js (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-blocked.js 2017-10-03 18:03:02 UTC (rev 222788)
@@ -0,0 +1,7 @@
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.open("_javascript_:alert('FAIL')");
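Review bot: The window.open() call on the last line discards its return value, so the test passes only on the absence of the alert and the presence of the console message. Capture the result and print PASS or FAIL depending on whether a window object came back, so that a regression where the window is still created but the script happens not to run is caught by the expected output.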
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked-expected.txt (0 => 222788)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked-expected.txt 2017-10-03 18:03:02 UTC (rev 222788)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+
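Review bot: The expected console message pins "line 1", while the window.open() call is on line 7 of the resource script and the FrameLoader.cpp change passes an empty position with a FIXME about line numbers. Note in the test or the ChangeLog that this expectation reflects the missing position information and will need a rebaseline once that FIXME is resolved.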
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked.html (0 => 222788)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked.html 2017-10-03 18:03:02 UTC (rev 222788)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+</head>
+<body>
+<script src=""
+</body>
+</html>
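Review bot: Only the blocked case under a meta-delivered script-src 'self' is covered here. Add a companion test whose policy includes 'unsafe-inline' and expects the window to open, so the new early return in createWindow is also checked for over-blocking.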
Modified: trunk/Source/WebCore/ChangeLog (222787 => 222788)
--- trunk/Source/WebCore/ChangeLog 2017-10-03 17:56:50 UTC (rev 222787)
+++ trunk/Source/WebCore/ChangeLog 2017-10-03 18:03:02 UTC (rev 222788)
@@ -1,3 +1,19 @@
+2017-10-03 Daniel Bates <[email protected]>
+
+ [CSP] Check policy before opening a new window to a _javascript_ URL
+ https://bugs.webkit.org/show_bug.cgi?id=176815
+ <rdar://problem/34400057>
+
+ Reviewed by Brent Fulgham.
+
+ Ensure that the Content Security Policy of the page allows navigation to a _javascript_ URL
+ before opening a new window to it.
+
+ Test: http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-blocked.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::createWindow):
+
2017-10-03 Joanmarie Diggs <[email protected]>
AX: [ATK] ARIA drag-and-drop attribute values should be exposed via AtkObject attributes
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (222787 => 222788)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2017-10-03 17:56:50 UTC (rev 222787)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2017-10-03 18:03:02 UTC (rev 222788)
@@ -3721,6 +3721,10 @@
return nullptr;
}
+ // FIXME: Provide line number information with respect to the opener's document.
+ if (protocolIsJavaScript(request.resourceRequest().url()) && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url(), { }))
+ return nullptr;
+
// FIXME: Setting the referrer should be the caller's responsibility.
String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
if (!referrer.isEmpty())
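Review bot: In the added condition, openerFrame.document()->contentSecurityPolicy() is dereferenced without a null check or an assertion; if the policy object is guaranteed to exist at this point, add an ASSERT that says so, otherwise guard it. The condition also calls openerFrame.document() twice on one long line, so a local reference to the opener document would make the check easier to read, and the empty { } position argument means the violation is reported without a source location until the FIXME is addressed.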