Modified: branches/safari-606-branch/LayoutTests/ChangeLog (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/ChangeLog 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/ChangeLog 2018-12-05 23:51:12 UTC (rev 238916)
@@ -1,3 +1,28 @@
+2018-12-05 Alan Coon <[email protected]>
+
+ Apply patch. rdar://problem/45997392
+
+ 2018-12-05 Jiewen Tan <[email protected]>
+
+ Disallow loading webarchives as iframes
+ https://bugs.webkit.org/show_bug.cgi?id=191728
+ <rdar://problem/45524528>
+
+ Reviewed by Youenn Fablet.
+
+ * platform/mac-wk1/webarchive/loading/test-loading-archive-subresource-expected.txt: Added.
+ * platform/mac/fast/loader/webarchive-encoding-respected.html:
+ * webarchive/loading/cache-expired-subresource.html:
+ * webarchive/loading/mainresource-null-mimetype-crash.html:
+ * webarchive/loading/missing-data.html:
+ * webarchive/loading/resources/test-loading-archive-main.webarchive: Copied from LayoutTests/webarchive/loading/test-loading-archive.html.
+ * webarchive/loading/test-loading-archive-subresource-expected.txt: Added.
+ * webarchive/loading/test-loading-archive-subresource-null-mimetype.html:
+ * webarchive/loading/test-loading-archive-subresource.html: Copied from LayoutTests/webarchive/loading/test-loading-archive.html.
+ * webarchive/loading/test-loading-archive.html:
+ * webarchive/loading/test-loading-top-archive-expected.txt: Added.
+ * webarchive/loading/test-loading-top-archive.html: Added.
+
2018-11-16 Alan Coon <[email protected]>
Cherry-pick r238222. rdar://problem/45997333
Modified: branches/safari-606-branch/LayoutTests/platform/mac/fast/loader/webarchive-encoding-respected.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/platform/mac/fast/loader/webarchive-encoding-respected.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/platform/mac/fast/loader/webarchive-encoding-respected.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -3,6 +3,8 @@
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
}
+if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
</script>
The webarchive in this iframe is utf-8 encoded and will only display properly if the webarchive's encoding is respected.<br>
<iframe src=""
Added: branches/safari-606-branch/LayoutTests/platform/mac-wk1/webarchive/loading/test-loading-archive-subresource-expected.txt (0 => 238916)
--- branches/safari-606-branch/LayoutTests/platform/mac-wk1/webarchive/loading/test-loading-archive-subresource-expected.txt (rev 0)
+++ branches/safari-606-branch/LayoutTests/platform/mac-wk1/webarchive/loading/test-loading-archive-subresource-expected.txt 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,8 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+frame "<!--frame1-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--frame1-->" - didFailProvisionalLoadWithError
+main frame - didFinishLoadForFrame
+ This test assumes the webarchive is not loaded.
Modified: branches/safari-606-branch/LayoutTests/webarchive/loading/cache-expired-subresource.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/cache-expired-subresource.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/cache-expired-subresource.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -4,6 +4,8 @@
testRunner.dumpResourceLoadCallbacks();
testRunner.waitUntilDone();
}
+ if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
function frameLoaded() {
if (window.testRunner)
Modified: branches/safari-606-branch/LayoutTests/webarchive/loading/mainresource-null-mimetype-crash.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/mainresource-null-mimetype-crash.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/mainresource-null-mimetype-crash.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -4,6 +4,8 @@
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
+ if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
_onload_ = function() {
frame = document.createElement("iframe");
frame.src = ""
Modified: branches/safari-606-branch/LayoutTests/webarchive/loading/missing-data.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/missing-data.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/missing-data.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -3,7 +3,8 @@
testRunner.waitUntilDone();
testRunner.dumpAsText();
}
-
+ if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
_onload_ = function() {
frame = document.createElement("iframe");
frame.src = ""
Added: branches/safari-606-branch/LayoutTests/webarchive/loading/resources/top.webarchive (0 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/resources/top.webarchive (rev 0)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/resources/top.webarchive 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,11 @@
+bplist00\xD1_WebMainResource\xD5
+^WebResourceURL_WebResourceFrameName_WebResourceData_WebResourceMIMEType_WebResourceTextEncodingName_Wfile:///Users/jwtan/Documents/Source/OpenSource/LayoutTests/webarchive/loading/top.htmlPO\xAD<html><head><script>
+ _onload_ = function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+</script>
+</head><body>hello, world.
+
+</body></html>Ytext/htmlUUTF-8��������(��7��N��`��v��\x94��\xEE��\xEF\x9F\xA9��������������������������+����������������������������\xAF
\ No newline at end of file
Added: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-expected.txt (0 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-expected.txt (rev 0)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-expected.txt 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,8 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--frame1-->" - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--frame1-->" - didFailProvisionalLoadWithError
+main frame - didFinishLoadForFrame
+ This test assumes the webarchive is not loaded.
Modified: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-null-mimetype.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-null-mimetype.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource-null-mimetype.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -5,7 +5,8 @@
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
-
+ if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
function frameLoaded() {
if (window.testRunner)
testRunner.notifyDone();
Copied: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource.html (from rev 238915, branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive.html) (0 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource.html (rev 0)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive-subresource.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,18 @@
+<html>
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function frameLoaded() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ setTimeout(frameLoaded, 10);
+</script>
+<body>
+ <iframe _onload_="frameLoaded();" src=""
+ This test assumes the webarchive is not loaded.
+</body>
+</html>
Modified: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive.html (238915 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive.html 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-archive.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -5,7 +5,8 @@
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
-
+ if (window.internals)
+ internals.setAlwaysAllowLocalWebarchive();
function frameLoaded() {
if (window.testRunner)
testRunner.notifyDone();
Added: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive-expected.txt (0 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive-expected.txt (rev 0)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive-expected.txt 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,12 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - willPerformClientRedirectToURL: resources/top.webarchive
+main frame - didFinishDocumentLoadForFrame
+main frame - didFinishLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didCancelClientRedirectForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+hello, world.
Added: branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive.html (0 => 238916)
--- branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive.html (rev 0)
+++ branches/safari-606-branch/LayoutTests/webarchive/loading/test-loading-top-archive.html 2018-12-05 23:51:12 UTC (rev 238916)
@@ -0,0 +1,9 @@
+<html>
+<script>
+ if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ }
+ window.location="resources/top.webarchive";
+</script>
+</html>
Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-05 23:51:12 UTC (rev 238916)
@@ -1,3 +1,37 @@
+2018-12-05 Alan Coon <[email protected]>
+
+ Apply patch. rdar://problem/45997392
+
+ 2018-12-05 Jiewen Tan <[email protected]>
+
+ Disallow loading webarchives as iframes
+ https://bugs.webkit.org/show_bug.cgi?id=191728
+ <rdar://problem/45524528>
+
+ Reviewed by Youenn Fablet.
+
+ Disallow loading webarchives as iframes. We don't allow loading remote webarchives.
+ Now, this policy is hardened to disallow loading webarchives as iframes for local
+ documents as well.
+
+ To allow old tests still be able to run, a flag is added to always allow loading local
+ webarchives in document. The flag can be set via window.internals.
+
+ Tests: webarchive/loading/test-loading-archive-subresource.html
+ webarchive/loading/test-loading-top-archive.html
+
+ * dom/Document.h:
+ (WebCore::Document::setAlwaysAllowLocalWebarchive):
+ (WebCore::Document::alwaysAllowLocalWebarchive):
+ * loader/DocumentLoader.cpp:
+ (WebCore::disallowWebArchive):
+ (WebCore::DocumentLoader::continueAfterContentPolicy):
+ (WebCore::isRemoteWebArchive): Deleted.
+ * testing/Internals.cpp:
+ (WebCore::Internals::setAlwaysAllowLocalWebarchive const):
+ * testing/Internals.h:
+ * testing/Internals.idl:
+
2018-11-16 Alan Coon <[email protected]>
Cherry-pick r238222. rdar://problem/45997333
Modified: branches/safari-606-branch/Source/WebCore/dom/Document.h (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/dom/Document.h 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/dom/Document.h 2018-12-05 23:51:12 UTC (rev 238916)
@@ -1467,6 +1467,10 @@
void updateMainArticleElementAfterLayout();
bool hasMainArticleElement() const { return !!m_mainArticleElement; }
+ // Used in webarchive loading tests.
+ void setAlwaysAllowLocalWebarchive() { m_alwaysAllowLocalWebarchive = true; }
+ bool alwaysAllowLocalWebarchive() const { return m_alwaysAllowLocalWebarchive; }
+
protected:
enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
Document(Frame*, const URL&, unsigned = DefaultDocumentClass, unsigned constructionFlags = 0);
@@ -1971,6 +1975,8 @@
#endif
std::unique_ptr<UserGestureIndicator> m_temporaryUserGesture;
+
+ bool m_alwaysAllowLocalWebarchive { false };
};
Element* eventTargetElementForDocument(Document*);
Modified: branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.cpp (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.cpp 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.cpp 2018-12-05 23:51:12 UTC (rev 238916)
@@ -841,7 +841,9 @@
});
}
-static bool isRemoteWebArchive(const DocumentLoader& documentLoader)
+// Prevent web archives from loading if it is remote or it is not the main frame because they
+// can claim to be from any domain and thus avoid cross-domain security checks (4120255, 45524528).
+bool DocumentLoader::disallowWebArchive() const
{
using MIMETypeHashSet = HashSet<String, ASCIICaseInsensitiveHash>;
static NeverDestroyed<MIMETypeHashSet> webArchiveMIMETypes {
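Review bot: The new header comment on `disallowWebArchive()` reads "if it is remote or it is not the main frame", where "it" has no clear referent and the main-frame clause describes the frame rather than the archive; the rest of the body, including the subframe and test-flag checks it alludes to, is in the next hunk. A tighter version would be `// Refuse to load a web archive that is remote, or that is the resource of a subframe: archives can claim to be from any origin and would bypass cross-origin checks (4120255, 45524528).` The function's body continues past this hunk.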
@@ -855,17 +857,28 @@
}
};
- const ResourceResponse& response = documentLoader.response();
- String mimeType = response.mimeType();
+ String mimeType = m_response.mimeType();
if (mimeType.isNull() || !webArchiveMIMETypes.get().contains(mimeType))
return false;
#if USE(QUICK_LOOK)
- if (isQuickLookPreviewURL(response.url()))
+ if (isQuickLookPreviewURL(m_response.url()))
return false;
#endif
- return !documentLoader.substituteData().isValid() && !SchemeRegistry::shouldTreatURLSchemeAsLocal(documentLoader.request().url().protocol().toStringWithoutCopying());
+ if (m_substituteData.isValid())
+ return false;
+
+ if (!SchemeRegistry::shouldTreatURLSchemeAsLocal(m_request.url().protocol().toStringWithoutCopying()))
+ return true;
+
+ if (!frame() || frame()->isMainFrame())
+ return false;
+
+ // On purpose of maintaining existing tests.
+ if (!frame()->document() || frame()->document()->topDocument().alwaysAllowLocalWebarchive())
+ return false;
+ return true;
}
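Review bot: The two null guards at `if (!frame() || frame()->isMainFrame())` and `if (!frame()->document() || ...)` fail open: a loader with no frame, or a frame with no document, returns false and the archive is allowed, which is the opposite default from the hardening this patch adds for subframes. If those states are unreachable from continueAfterContentPolicy(), an `ASSERT(frame())` / `ASSERT(frame()->document())` would document that; if they are reachable, `return true;` (disallow) is the safer answer, since nothing here establishes that a frameless loader is a trusted context. The comment `// On purpose of maintaining existing tests.` should also say what the escape hatch is, e.g. `// Test-only override: window.internals.setAlwaysAllowLocalWebarchive() on the top document re-enables local subframe archives for legacy tests.` The function's opening brace and the MIME-type table are in the previous hunk.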
void DocumentLoader::continueAfterContentPolicy(PolicyAction policy)
@@ -877,8 +890,7 @@
switch (policy) {
case PolicyAction::Use: {
- // Prevent remote web archives from loading because they can claim to be from any domain and thus avoid cross-domain security checks (4120255).
- if (!frameLoader()->client().canShowMIMEType(m_response.mimeType()) || isRemoteWebArchive(*this)) {
+ if (!frameLoader()->client().canShowMIMEType(m_response.mimeType()) || disallowWebArchive()) {
frameLoader()->policyChecker().cannotShowMIMEType(m_response);
// Check reachedTerminalState since the load may have already been canceled inside of _handleUnimplementablePolicyWithErrorCode::.
stopLoadingForPolicyChange();
Modified: branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.h (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.h 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/loader/DocumentLoader.h 2018-12-05 23:51:12 UTC (rev 238916)
@@ -414,6 +414,8 @@
WEBCORE_EXPORT void sendCSPViolationReport(URL&&, Ref<FormData>&&) final;
WEBCORE_EXPORT void enqueueSecurityPolicyViolationEvent(SecurityPolicyViolationEvent::Init&&) final;
+ bool disallowWebArchive() const;
+
Ref<CachedResourceLoader> m_cachedResourceLoader;
CachedResourceHandle<CachedRawResource> m_mainResource;
Modified: branches/safari-606-branch/Source/WebCore/testing/Internals.cpp (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/testing/Internals.cpp 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/testing/Internals.cpp 2018-12-05 23:51:12 UTC (rev 238916)
@@ -4689,4 +4689,12 @@
ResourceLoadObserver::shared().notifyObserver();
}
+void Internals::setAlwaysAllowLocalWebarchive() const
+{
+ auto* document = contextDocument();
+ if (!document)
+ return;
+ document->setAlwaysAllowLocalWebarchive();
+}
+
} // namespace WebCore
Modified: branches/safari-606-branch/Source/WebCore/testing/Internals.h (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/testing/Internals.h 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/testing/Internals.h 2018-12-05 23:51:12 UTC (rev 238916)
@@ -725,6 +725,8 @@
void notifyResourceLoadObserver();
+ void setAlwaysAllowLocalWebarchive() const;
+
private:
explicit Internals(Document&);
Document* contextDocument() const;
Modified: branches/safari-606-branch/Source/WebCore/testing/Internals.idl (238915 => 238916)
--- branches/safari-606-branch/Source/WebCore/testing/Internals.idl 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebCore/testing/Internals.idl 2018-12-05 23:51:12 UTC (rev 238916)
@@ -664,4 +664,6 @@
unsigned long pluginCount();
void notifyResourceLoadObserver();
+
+ void setAlwaysAllowLocalWebarchive();
};
Modified: branches/safari-606-branch/Source/WebKit/ChangeLog (238915 => 238916)
--- branches/safari-606-branch/Source/WebKit/ChangeLog 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebKit/ChangeLog 2018-12-05 23:51:12 UTC (rev 238916)
@@ -1,3 +1,19 @@
+2018-12-05 Alan Coon <[email protected]>
+
+ Apply patch. rdar://problem/45997392
+
+ 2018-12-05 Jiewen Tan <[email protected]>
+
+ Disallow loading webarchives as iframes
+ https://bugs.webkit.org/show_bug.cgi?id=191728
+ <rdar://problem/45524528>
+
+ Reviewed by Youenn Fablet.
+
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::unableToImplementPolicy):
+ Add a check to prevent null pointer dereference.
+
2018-12-04 Alan Coon <[email protected]>
Cherry-pick r238799. rdar://problem/46432866
Modified: branches/safari-606-branch/Source/WebKit/UIProcess/WebPageProxy.cpp (238915 => 238916)
--- branches/safari-606-branch/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-12-05 23:51:02 UTC (rev 238915)
+++ branches/safari-606-branch/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-12-05 23:51:12 UTC (rev 238916)
@@ -4157,6 +4157,8 @@
WebFrameProxy* frame = m_process->webFrame(frameID);
MESSAGE_CHECK(frame);
+ if (!m_policyClient)
+ return;
m_policyClient->unableToImplementPolicy(*this, *frame, error, m_process->transformHandlesToObjects(userData.object()).get());
}
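Review bot: The early return at `if (!m_policyClient) return;` silently drops the unableToImplementPolicy notification for this frame, and nothing in the hunk says when a null client is expected, so a reader cannot tell whether a policy failure is being lost. A one-line comment such as `// No policy client (presumably cleared during page teardown) — nothing to notify.` would record the intent; the "presumably" reflects that the hunk itself does not show how m_policyClient becomes null. The enclosing function begins before the hunk.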