Title: [227567] trunk
Revision: 227567
Author: dba...@webkit.org
Date: 2018-01-24 14:11:19 -0800 (Wed, 24 Jan 2018)

Log Message

[CSP] Check policy for targeted windows when navigating to a JavaScript URL
https://bugs.webkit.org/show_bug.cgi?id=182018
<rdar://problem/36795781>

Reviewed by Brent Fulgham.

Source/WebCore:

Move the CSP check to be earlier in the function.

Test: http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html

* loader/FrameLoader.cpp:
(WebCore::createWindow):

LayoutTests:

* http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.js: Added.
(done):
* http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (227566 => 227567)


--- trunk/LayoutTests/ChangeLog	2018-01-24 22:00:33 UTC (rev 227566)
+++ trunk/LayoutTests/ChangeLog	2018-01-24 22:11:19 UTC (rev 227567)
@@ -1,3 +1,17 @@
+2018-01-24  Daniel Bates  <daba...@apple.com>
+
+        [CSP] Check policy for targeted windows when navigating to a _javascript_ URL
+        https://bugs.webkit.org/show_bug.cgi?id=182018
+        <rdar://problem/36795781>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.js: Added.
+        (done):
+        * http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html: Added.
+
 2018-01-24  Chris Dumez  <cdu...@apple.com>
 
         Add a IPC::SendSyncOption indicating we should not process incoming IPC while waiting for the sync reply

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.html (0 => 227567)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.html	2018-01-24 22:11:19 UTC (rev 227567)
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+<script src=""
+</head>
+</html>
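Review bot: the `<script src=""` line in this hunk is incomplete as shown: the src value, the closing `>` and the `</script>` end tag are all missing, so as rendered this resource page loads no script and the test would never reach `window.open`. It presumably should reference the companion window-open-_javascript_-url-with-target-blocked.js in the same resources directory; the `script-src 'self'` policy above it permits that same-origin file while containing no source expression that would allow a javascript: URL, which is exactly the refusal the test expects.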

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.js (0 => 227567)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.js	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-_javascript_-url-with-target-blocked.js	2018-01-24 22:11:19 UTC (rev 227567)
@@ -0,0 +1,8 @@
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.open("_javascript_:window.opener.document.writeln('FAIL')", "child");
+window.setTimeout(done, 0);
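Review bot: this test has no positive assertion: `done()` only calls `testRunner.notifyDone()`, so the expected output is just the console refusal message, and a change that broke `window.open` before the policy check ran would still pass vacuously. Consider having `done()` emit a PASS line into the dumped text so the expectation records that the navigation was attempted and refused, not merely that `FAIL` was never written. Note also why the payload targets `window.opener.document`: the policy being enforced is the opener's, and if the javascript: URL did run in the targeted `child` window its output would land in the opener's document and show up in the dump.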

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked-expected.txt (0 => 227567)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked-expected.txt	2018-01-24 22:11:19 UTC (rev 227567)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+
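Review bot: the `line 1` in this expectation is an artifact of the check passing an empty position (`{ }`) to `allowJavaScriptURLs` rather than the position of the `window.open` call, which is on line 7 of the .js file; the FIXME in FrameLoader.cpp covers this, but this expectation will need updating once real line numbers are reported.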

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html (0 => 227567)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html	2018-01-24 22:11:19 UTC (rev 227567)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+var child = window.open("about:blank", "child");
+child.name = "child";
+child.location.href = ""
+location.replace("resources/window-open-_javascript_-url-with-target-blocked.html");
+</script>
+</head>
+</html>
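Review bot: `child.location.href = ""` assigns an empty string, which is unlikely to be intended; please confirm the URL that belongs here. `child.name = "child"` is also redundant with the name already passed to `window.open`. The ordering that matters is right, though: the named window `child` exists before `location.replace` swaps this document for the CSP-bearing resource page, so the resource's `window.open(..., "child")` resolves to an existing named window rather than a fresh `_blank` one, which is the targeted case this patch fixes.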

Modified: trunk/Source/WebCore/ChangeLog (227566 => 227567)


--- trunk/Source/WebCore/ChangeLog	2018-01-24 22:00:33 UTC (rev 227566)
+++ trunk/Source/WebCore/ChangeLog	2018-01-24 22:11:19 UTC (rev 227567)
@@ -1,3 +1,18 @@
+2018-01-24  Daniel Bates  <daba...@apple.com>
+
+        [CSP] Check policy for targeted windows when navigating to a _javascript_ URL
+        https://bugs.webkit.org/show_bug.cgi?id=182018
+        <rdar://problem/36795781>
+
+        Reviewed by Brent Fulgham.
+
+        Move the CSP check to be earlier in the function.
+
+        Test: http/tests/security/contentSecurityPolicy/window-open-_javascript_-url-with-target-blocked.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::createWindow):
+
 2018-01-24  Chris Dumez  <cdu...@apple.com>
 
         Add a IPC::SendSyncOption indicating we should not process incoming IPC while waiting for the sync reply

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (227566 => 227567)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2018-01-24 22:00:33 UTC (rev 227566)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2018-01-24 22:11:19 UTC (rev 227567)
@@ -3743,6 +3743,10 @@
 
     created = false;
 
+    // FIXME: Provide line number information with respect to the opener's document.
+    if (protocolIsJavaScript(request.resourceRequest().url()) && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url(), { }))
+        return nullptr;
+
     if (!request.frameName().isEmpty() && !equalIgnoringASCIICase(request.frameName(), "_blank")) {
         if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
             if (!equalIgnoringASCIICase(request.frameName(), "_self")) {
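Review bot: placing the check before the named-target lookup is the right fix: the branch that begins here resolves `frameName` to an existing frame via `findFrameForNavigation` and can return from the function before the point where the check used to sit (see the removal hunk below), which is how a javascript: URL opened into a named window escaped the opener's policy. Two things to confirm: the check is keyed on `openerFrame.document()`'s policy and URL, which is correct since the opener initiates the navigation; and the carried-over FIXME means console reports will still show no meaningful line number.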
@@ -3760,10 +3764,6 @@
         return nullptr;
     }
 
-    // FIXME: Provide line number information with respect to the opener's document.
-    if (protocolIsJavaScript(request.resourceRequest().url()) && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url(), { }))
-        return nullptr;
-
     // FIXME: Setting the referrer should be the caller's responsibility.
     String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
     if (!referrer.isEmpty())
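Review bot: with this block removed, the only CSP gate for javascript: URLs in `createWindow` is the one now placed before the named-target lookup, so every early return between the two locations (the `return nullptr;` just above this hunk and any return inside the named-frame branch) is now preceded by the check. The moved block is byte-identical to the one added above, so this is a pure reordering with no behaviour change for the `_blank` path.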
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
