Modified: trunk/Source/WebCore/ChangeLog (261401 => 261402)
--- trunk/Source/WebCore/ChangeLog 2020-05-08 19:11:06 UTC (rev 261401)
+++ trunk/Source/WebCore/ChangeLog 2020-05-08 19:39:43 UTC (rev 261402)
@@ -1,3 +1,20 @@
+2020-05-08 Alex Christensen <[email protected]>
+
+ Limit HTTP referer to 4kb
+ https://bugs.webkit.org/show_bug.cgi?id=211603
+ <rdar://problem/56768823>
+
+ Reviewed by Chris Dumez.
+
+ Use the origin if it's longer, unless the origin is too long.
+ This matches the behavior of other browsers.
+ See https://bugzilla.mozilla.org/show_bug.cgi?id=1557346
+
+ Tested by API tests.
+
+ * platform/network/ResourceRequestBase.cpp:
+ (WebCore::ResourceRequestBase::setHTTPReferrer):
+
2020-05-08 Pinki Gyanchandani <[email protected]>
SIGILL @ WebCore::Shape::createRasterShape -- DOS ASAN
Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp (261401 => 261402)
--- trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2020-05-08 19:11:06 UTC (rev 261401)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2020-05-08 19:39:43 UTC (rev 261402)
@@ -27,9 +27,11 @@
#include "ResourceRequestBase.h"
#include "HTTPHeaderNames.h"
+#include "Logging.h"
#include "PublicSuffix.h"
#include "ResourceRequest.h"
#include "ResourceResponse.h"
+#include "SecurityOrigin.h"
#include "SecurityPolicy.h"
#include <wtf/PointerComparison.h>
@@ -376,7 +378,14 @@
void ResourceRequestBase::setHTTPReferrer(const String& httpReferrer)
{
- setHTTPHeaderField(HTTPHeaderName::Referer, httpReferrer);
+ const size_t maxLength = 4096;
+ if (httpReferrer.length() > maxLength) {
+ RELEASE_LOG(Loading, "Truncating HTTP referer");
+ String origin = SecurityOrigin::create(URL(URL(), httpReferrer))->toString();
+ if (origin.length() <= maxLength)
+ setHTTPHeaderField(HTTPHeaderName::Referer, origin);
+ } else
+ setHTTPHeaderField(HTTPHeaderName::Referer, httpReferrer);
}
void ResourceRequestBase::setExistingHTTPReferrerToOriginString()
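Review bot: When the referrer exceeds `maxLength` and the origin is also too long, `setHTTPReferrer` returns without touching the header, so a Referer value already present on the request would stay in place instead of being dropped. If the intent is to send no Referer in that case, clear it explicitly, for example by adding `else clearHTTPReferrer();` to the inner `if` (or removing the field from the header map directly). Separately, an over-long string that does not parse as a URL presumably yields an opaque origin whose `toString()` is `null`, which would pass the length check and go out as `Referer: null`; that case deserves a guard or a test. The `RELEASE_LOG` text says "Truncating" for both outcomes, so the log cannot distinguish a shortened header from an omitted one.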
Modified: trunk/Tools/ChangeLog (261401 => 261402)
--- trunk/Tools/ChangeLog 2020-05-08 19:11:06 UTC (rev 261401)
+++ trunk/Tools/ChangeLog 2020-05-08 19:39:43 UTC (rev 261402)
@@ -1,3 +1,14 @@
+2020-05-08 Alex Christensen <[email protected]>
+
+ Limit HTTP referer to 4kb
+ https://bugs.webkit.org/show_bug.cgi?id=211603
+ <rdar://problem/56768823>
+
+ Reviewed by Chris Dumez.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm:
+ (TEST):
+
2020-05-08 Dean Jackson <[email protected]>
Allow run-safari to launch an iPad simulator
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm (261401 => 261402)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm 2020-05-08 19:11:06 UTC (rev 261401)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/NetworkProcess.mm 2020-05-08 19:39:43 UTC (rev 261402)
@@ -25,8 +25,11 @@
#import "config.h"
+#import "HTTPServer.h"
#import "TestWKWebView.h"
+#import "Utilities.h"
#import <WebKit/WKProcessPoolPrivate.h>
+#import <wtf/BlockPtr.h>
#import <wtf/RetainPtr.h>
TEST(WebKit, NetworkProcessEntitlements)
@@ -42,3 +45,37 @@
#endif
EXPECT_FALSE([pool _networkProcessHasEntitlementForTesting:@"test failure case"]);
}
+
+TEST(WebKit, HTTPReferer)
+{
+ auto checkReferer = [] (NSURL *baseURL, const char* expectedReferer) {
+ using namespace TestWebKitAPI;
+ bool done = false;
+ HTTPServer server([done = &done, expectedReferer] (nw_connection_t connection) {
+ nw_connection_receive(connection, 1, std::numeric_limits<uint32_t>::max(), makeBlockPtr([connection = retainPtr(connection), done, expectedReferer](dispatch_data_t content, nw_content_context_t, bool, nw_error_t) {
+ EXPECT_TRUE(content);
+ auto request = nullTerminatedRequest(content);
+ if (expectedReferer) {
+ auto expectedHeaderField = makeString("Referer: ", expectedReferer, "\r\n");
+ EXPECT_TRUE(strstr(request.data(), expectedHeaderField.utf8().data()));
+ } else
+ EXPECT_FALSE(strstr(request.data(), "Referer:"));
+ *done = true;
+ }).get());
+ });
+ auto webView = adoptNS([WKWebView new]);
+ [webView loadHTMLString:[NSString stringWithFormat:@"<body _onload_='document.getElementById(\"formID\").submit()'><form id='formID' method='post' action=''></form></body>", server.port()] baseURL:baseURL];
+ Util::run(&done);
+ };
+
+ Vector<char> a5k(5000, 'a');
+ Vector<char> a3k(3000, 'a');
+ NSString *longPath = [NSString stringWithFormat:@"http://webkit.org/%s?asdf", a5k.data()];
+ NSString *shorterPath = [NSString stringWithFormat:@"http://webkit.org/%s?asdf", a3k.data()];
+ NSString *longHost = [NSString stringWithFormat:@"http://webkit.org%s/path", a5k.data()];
+ NSString *shorterHost = [NSString stringWithFormat:@"http://webkit.org%s/path", a3k.data()];
+ checkReferer([NSURL URLWithString:longPath], "http://webkit.org");
+ checkReferer([NSURL URLWithString:shorterPath], shorterPath.UTF8String);
+ checkReferer([NSURL URLWithString:longHost], nullptr);
+ checkReferer([NSURL URLWithString:shorterHost], shorterHost.UTF8String);
+}
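Review bot: `a5k` and `a3k` are constructed as `Vector<char>(5000, 'a')` and `(3000, 'a')` with no terminating NUL, yet `.data()` is passed to `%s` in the four `stringWithFormat:` calls, so formatting reads past the end of each buffer until it happens to reach a zero byte. Append a terminator before use, e.g. `a5k.append('\0'); a3k.append('\0');`, or build the strings with a length-bounded API. The HTML `stringWithFormat:` call also passes `server.port()` although the format string as shown has no conversion specifier, so the port appears unused; confirm the form's `action` really targets the local `HTTPServer`, otherwise `Util::run(&done)` would wait on a request that never arrives.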