Title: [224019] trunk
Revision
224019
Author
[email protected]
Date
2017-10-26 08:14:33 -0700 (Thu, 26 Oct 2017)

Log Message

XMLHttpRequest should not treat file URLs as same origin
https://bugs.webkit.org/show_bug.cgi?id=178565
<rdar://problem/11115901>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Do not treat file URLs as same-origin for XHR requests.

Test: fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Use new helper method.
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::requestIsSameOrigin): New method to recognize same-origin
requests, with special handling for XHR.
* page/SecurityOrigin.h:

LayoutTests:

* fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html: Added.
* fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaseline test now that we reject
  XHR to local file URLs.
* platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaselined.
* platform/wk2/TestExpectations: Skip test since 'beginDragWithFiles' is not supported in WKTR.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (224018 => 224019)


--- trunk/LayoutTests/ChangeLog	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/LayoutTests/ChangeLog	2017-10-26 15:14:33 UTC (rev 224019)
@@ -1,3 +1,21 @@
+2017-10-25  Brent Fulgham  <[email protected]>
+
+        XMLHttpRequest should not treat file URLs as same origin
+        https://bugs.webkit.org/show_bug.cgi?id=178565
+        <rdar://problem/11115901>
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html: Added.
+        * fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html: Added.
+        * fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt: Added.
+        * fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt: Added.
+        * fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html: Added.
+        * fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaseline test now that we reject
+          XHR to local file URLs.
+        * platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaselined.
+        * platform/wk2/TestExpectations: Skip test since 'beginDragWithFiles' is not supported in WKTR.
+
 2017-10-26  Carlos Garcia Campos  <[email protected]>
 
         REGRESSION(r222090): [HarfBuzz] Arabic shaping is broken except for first word in line

Added: trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-blob-real.html (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-blob-real.html	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-blob-real.html	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div id="console"/>
+<script>
+description("We're checking we can't read from a file-origin Blob.");
+
+window.addEventListener('message', function(event) {
+    testPassed('Got the BURL message data');
+    if ("BURL" in event.data)
+        runTest(event.data.BURL);
+});
+
+testPassed('Added a message handler.');
+
+function runTest(fileBlob) {
+    testPassed('Executing Blob URL test.');
+
+    var xhr = new XMLHttpRequest();
+    try {
+        xhr.open("GET", fileBlob, false);
+        xhr.send("");
+    } catch (e) {
+        testFailed("Exception: " + e.message);
+    }
+
+    debug("Response length: " + xhr.responseText.length);
+    if (xhr.responseText == "")
+        testPassed('Access was not permitted.');
+    else
+        testFailed('We should not have gotten a response.');
+
+    window.parent.postMessage('done', '*');
+}
+</script>
+<script src=""
+</body>
+</html>
\ No newline at end of file
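Review bot: The `catch` branch in `runTest` reports the exception with `testFailed("Exception: " + e.message)`, but a thrown network error is the outcome this test wants, and the checked-in baseline consequently contains a `FAIL Exception:` line in a passing run. That makes the expected file look like a failure to anyone triaging results or grepping for FAIL. Logging it neutrally, `debug("Exception: " + e.message);`, would match how the file-URL variant of this test logs the same event. Separately, `"BURL" in event.data` throws if a non-object message arrives, so a `typeof event.data === "object"` guard before it would make the handler sturdier.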

Added: trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+function log(message)
+{
+    var console = document.getElementById('console');
+    console.appendChild(document.createTextNode(message));
+    console.appendChild(document.createElement('br'));
+}
+
+function runTest() {
+    var xhr = new XMLHttpRequest();
+    try {
+        xhr.open("GET", "", false);
+        xhr.send("");
+    } catch (e) {
+        log("Exception: " + e.message);
+    }
+
+    log("Response length: " + xhr.responseText.length);
+    if (xhr.responseText == "")
+        log('PASSED: Access was not permitted.');
+    else
+        log('FAILED: We should not have gotten a response.');
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+    <p> We're checking we can't read the current file. </p>
+    <div id="console"/>
+</body>
+</html>
\ No newline at end of file

Added: trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,40 @@
+CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load [object%20File]. Cross origin requests are only supported for HTTP.
+
+Tests that you cannot XHR to the current file as a file-origin Blob.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Got files: resources/xmlhttprequest-access-self-as-blob-real.html
+PASS Moved to center of file input.
+PASS Drag event received.
+PASS Generated file-origin blob successfully.
+PASS Sent Blob URL to frame.
+PASS Recvied message
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+We're checking we can't read from a file-origin Blob.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
+PASS Added a message handler.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+PASS Got the BURL message data
+PASS Executing Blob URL test.
+FAIL Exception:  A network error occurred.
+Response length: 0
+PASS Access was not permitted.
+

Added: trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<input type="file" id="singleFile" name="upfile" _onchange_="onFileChanged()" />
+<div id="console"></div>
+<script>
+description("Tests that you cannot XHR to the current file as a file-origin Blob.");
+
+window.jsTestIsAsync = true;
+
+const sourcePath = "resources/xmlhttprequest-access-self-as-blob-real.html";
+var fileUrl;
+
+window.addEventListener('message', function(event) {
+    testPassed('Recvied message');
+    if (event.data ="" 'done')
+        finishJSTest();
+});
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.setAllowUniversalAccessFromFileURLs(false);
+
+    var singleFileInput = document.getElementById("singleFile");
+    dragFilesOntoInput(singleFileInput, [sourcePath]);
+}
+
+function onFileChanged() {
+    testPassed("Drag event received.");
+    var file = document.getElementById("singleFile").files[0];
+    testPassed("Generated file-origin blob successfully.");
+
+    var frameTarget = document.createElement('iframe');
+    frameTarget.src = ""
+    document.body.appendChild(frameTarget);
+
+    setTimeout(function() {
+        window.frames[0].postMessage( { BURL: file }, '*');
+        testPassed('Sent Blob URL to frame.');
+    }, 0);
+}
+
+function moveMouseToCenterOfElement(element)
+{
+    var centerX = element.offsetLeft + element.offsetWidth / 2;
+    var centerY = element.offsetTop + element.offsetHeight / 2;
+    eventSender.mouseMoveTo(centerX, centerY);
+    testPassed("Moved to center of file input.");
+}
+
+function dragFilesOntoInput(input, files) {
+    debug("Got files: " + files);
+    eventSender.beginDragWithFiles(files);
+    moveMouseToCenterOfElement(input);
+    eventSender.mouseUp();
+}
+</script>
+<script src=""
+</body>
+</html>
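Review bot: `onFileChanged` posts the `File` object itself (`postMessage( { BURL: file }, '*')`) and never creates a blob URL, so the child frame's `xhr.open("GET", fileBlob, false)` stringifies it; the baseline's console message confirms the request went to `[object%20File]`. The test therefore passes because a relative file URL is rejected, and the blob branch of `SecurityOrigin::requestIsSameOrigin` (the `getCachedOrigin` lookup) does not appear to be exercised at all. To cover the case the test name promises, create the URL first, `var blobURL = URL.createObjectURL(file);`, and post `{ BURL: blobURL }`. An empty `responseText` is also the result for any nonexistent target, so the pass criterion alone cannot distinguish "blocked by policy" from "nothing there"; checking for the expected console message or exception would tighten it.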

Added: trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,20 @@
+CONSOLE MESSAGE: line 19: XMLHttpRequest cannot load xmlhttprequest-access-self-as-file-real.html. Cross origin requests are only supported for HTTP.
+Tests that you cannot XHR to the current file URL.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+We're checking we can't read the current file.
+
+Exception: A network error occurred.
+Response length: 0
+PASSED: Access was not permitted.
+

Added: trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html (0 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html	                        (rev 0)
+++ trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html	2017-10-26 15:14:33 UTC (rev 224019)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+description("Tests that you cannot XHR to the current file URL.");
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.setAllowUniversalAccessFromFileURLs(false);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</body>
+</html>

Modified: trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt (224018 => 224019)


--- trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt	2017-10-26 15:14:33 UTC (rev 224019)
@@ -1,5 +1,5 @@
-CONSOLE MESSAGE: line 64: Not allowed to load local resource: nonexistent.html
-CONSOLE MESSAGE: line 64: XMLHttpRequest cannot load nonexistent.html. Not allowed to request resource
+CONSOLE MESSAGE: line 64: XMLHttpRequest cannot load nonexistent.html. Cross origin requests are only supported for HTTP.
+CONSOLE MESSAGE: line 42: XMLHttpRequest cannot load . Cross origin requests are only supported for HTTP.
 
 Bug 22475: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore
 
@@ -13,4 +13,5 @@
 Doing an XHR to a directory.
 ReadyState handler: readyState = 1
 ReadyState handler: readyState = 4
+Error handler: readyState = 4
 

Modified: trunk/LayoutTests/platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt (224018 => 224019)


--- trunk/LayoutTests/platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/LayoutTests/platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt	2017-10-26 15:14:33 UTC (rev 224019)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 64: XMLHttpRequest cannot load nonexistent.html. Cross origin requests are only supported for HTTP.
+CONSOLE MESSAGE: line 42: XMLHttpRequest cannot load . Cross origin requests are only supported for HTTP.
 
 Bug 22475: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore
 
@@ -11,4 +13,5 @@
 Doing an XHR to a directory.
 ReadyState handler: readyState = 1
 ReadyState handler: readyState = 4
+Error handler: readyState = 4
 

Modified: trunk/LayoutTests/platform/wk2/TestExpectations (224018 => 224019)


--- trunk/LayoutTests/platform/wk2/TestExpectations	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/LayoutTests/platform/wk2/TestExpectations	2017-10-26 15:14:33 UTC (rev 224019)
@@ -196,6 +196,7 @@
 fast/events/moving-text-should-fire-drop-and-dragend-events-2.html
 fast/events/ondrop-text-html.html
 editing/pasteboard/drag-drop-url-with-style.html
+fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html
 
 # WTR needs an implementation for eventSender.continuousMouseScrollBy
 # https://bugs.webkit.org/show_bug.cgi?id=69417

Modified: trunk/Source/WebCore/ChangeLog (224018 => 224019)


--- trunk/Source/WebCore/ChangeLog	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/Source/WebCore/ChangeLog	2017-10-26 15:14:33 UTC (rev 224019)
@@ -1,3 +1,22 @@
+2017-10-25  Brent Fulgham  <[email protected]>
+
+        XMLHttpRequest should not treat file URLs as same origin
+        https://bugs.webkit.org/show_bug.cgi?id=178565
+        <rdar://problem/11115901>
+
+        Reviewed by Ryosuke Niwa.
+
+        Do not treat file URLs as same-origin for XHR requests.
+
+        Test: fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Use new helper method.
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::requestIsSameOrigin): New method to recognize same-origin
+        requests, with special handling for XHR.
+        * page/SecurityOrigin.h:
+
 2017-10-26  Christopher Reid  <[email protected]>
 
         Remove scopeguard from platform

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (224018 => 224019)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2017-10-26 15:14:33 UTC (rev 224019)
@@ -94,7 +94,7 @@
     , m_options(options)
     , m_origin(WTFMove(origin))
     , m_referrer(WTFMove(referrer))
-    , m_sameOriginRequest(securityOrigin().canRequest(request.url()))
+    , m_sameOriginRequest(securityOrigin().requestIsSameOrigin(request))
     , m_simpleRequest(true)
     , m_async(blockingBehavior == LoadAsynchronously)
     , m_delayCallbacksForIntegrityCheck(!m_options.integrity.isEmpty())
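Review bot: Only this initializer is switched to `requestIsSameOrigin(request)`; any later recomputation of `m_sameOriginRequest` in this file that still goes through `canRequest()` (for example while following a redirect, which is outside this hunk) would keep the old rule that treats file URLs as same-origin for XHR. It is worth checking those sites and routing them through the same helper, or at least documenting the invariant next to the member with something like `// For XHR, same-origin status must come from requestIsSameOrigin(), not canRequest().`. The constructor's initializer list begins and ends outside the hunk, so this cannot be confirmed from the lines shown.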

Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (224018 => 224019)


--- trunk/Source/WebCore/page/SecurityOrigin.cpp	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp	2017-10-26 15:14:33 UTC (rev 224019)
@@ -31,6 +31,7 @@
 
 #include "BlobURL.h"
 #include "FileSystem.h"
+#include "ResourceRequest.h"
 #include "URL.h"
 #include "SchemeRegistry.h"
 #include "SecurityPolicy.h"
@@ -316,6 +317,27 @@
     return false;
 }
 
+bool SecurityOrigin::requestIsSameOrigin(const ResourceRequest& request)
+{
+    if (m_universalAccess)
+        return true;
+
+    if (!canRequest(request.url()))
+        return false;
+
+    if (request.requester() != ResourceRequest::Requester::XHR)
+        return true;
+
+    // XHR to a file URL should never be treated as same-origin.
+    if (request.url().protocolIs("file"))
+        return false;
+
+    if (auto blobOrigin = getCachedOrigin(request.url()))
+        return blobOrigin->protocol() != "file";
+
+    return true;
+}
+
 bool SecurityOrigin::canReceiveDragData(const SecurityOrigin& dragInitiator) const
 {
     if (this == &dragInitiator)
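Review bot: The XHR restriction in `requestIsSameOrigin` is keyed on the literal scheme `"file"`, both in `protocolIs("file")` and in the cached blob origin's `protocol() != "file"`, so as far as this hunk shows any other scheme registered as local would still fall through to `return true`. If the intent is that XHR never treats local content as same-origin, the check should consult the scheme registry (SchemeRegistry.h is already included in this file) rather than compare against one string. If only `file:` is intended, record that, e.g. `// Deliberately limited to file:; other locally-registered schemes remain same-origin for XHR.` The `m_universalAccess` early return bypasses the whole restriction and deserves a one-line comment saying that this is by design. `canReceiveDragData` at the end of the hunk continues outside it.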

Modified: trunk/Source/WebCore/page/SecurityOrigin.h (224018 => 224019)


--- trunk/Source/WebCore/page/SecurityOrigin.h	2017-10-26 14:06:26 UTC (rev 224018)
+++ trunk/Source/WebCore/page/SecurityOrigin.h	2017-10-26 15:14:33 UTC (rev 224019)
@@ -33,6 +33,7 @@
 
 namespace WebCore {
 
+class ResourceRequest;
 class URL;
 
 class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
@@ -149,6 +150,8 @@
     bool canRequestGeolocation() const { return !isUnique(); }
     Policy canShowNotifications() const;
 
+    bool requestIsSameOrigin(const ResourceRequest&);
+
     // The local SecurityOrigin is the most privileged SecurityOrigin.
     // The local SecurityOrigin can script any document, navigate to local
     // resources, and can set arbitrary headers on XMLHttpRequests.
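Review bot: `requestIsSameOrigin` is declared non-const and without a comment, unlike the neighbouring `canRequestGeolocation() const`. Nothing in the body added to SecurityOrigin.cpp appears to modify the origin. Declaring it `bool requestIsSameOrigin(const ResourceRequest&) const;` would let callers holding a `const SecurityOrigin&` use it and signal that it is a pure policy query. Since it differs from `canRequest()` in a security-relevant way, a short comment belongs above it, for example `// Like canRequest(), but XHR requests to file URLs or file-origin blobs are never same-origin.`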