Title: [280237] releases/WebKitGTK/webkit-2.32
Revision
280237
Author
[email protected]
Date
2021-07-23 03:11:19 -0700 (Fri, 23 Jul 2021)

Log Message

Merge r276012 - REGRESSION(Safari 14): iframe with blob url does not work with sandboxing
https://bugs.webkit.org/show_bug.cgi?id=222312
<rdar://problem/74927624>

Reviewed by Chris Dumez.

Source/WebCore:

In https://trac.webkit.org/r275884, we correctly compute whether a blob is to be considered secure or not.
For that, we need to have the blob URL registered with its document origin.
Update PolicyChecker to properly register the temporary blob URL with its document origin.

Test: http/tests/security/sandbox-iframe-and-blob.https.html

* loader/PolicyChecker.cpp:
(WebCore::FrameLoader::PolicyChecker::extendBlobURLLifetimeIfNecessary const):

LayoutTests:

* http/tests/security/resources/sandbox-iframe-and-blob-frame.html: Added.
* http/tests/security/sandbox-iframe-and-blob.https-expected.txt: Added.
* http/tests/security/sandbox-iframe-and-blob.https.html: Added.
* platform/win/TestExpectations:

Diff

Modified: releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog (280236 => 280237)


--- releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog	2021-07-23 10:11:10 UTC (rev 280236)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog	2021-07-23 10:11:19 UTC (rev 280237)
@@ -1,3 +1,16 @@
+2021-04-15  Youenn Fablet  <[email protected]>
+
+        REGRESSION(Safari 14): iframe with blob url does not work with sandboxing
+        https://bugs.webkit.org/show_bug.cgi?id=222312
+        <rdar://problem/74927624>
+
+        Reviewed by Chris Dumez.
+
+        * http/tests/security/resources/sandbox-iframe-and-blob-frame.html: Added.
+        * http/tests/security/sandbox-iframe-and-blob.https-expected.txt: Added.
+        * http/tests/security/sandbox-iframe-and-blob.https.html: Added.
+        * platform/win/TestExpectations:
+
 2021-04-18  Youenn Fablet  <[email protected]>
 
         Blob URLs should use for their owner origin for CSP checks

Added: releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/resources/sandbox-iframe-and-blob-frame.html (0 => 280237)


--- releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/resources/sandbox-iframe-and-blob-frame.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/resources/sandbox-iframe-and-blob-frame.html	2021-07-23 10:11:19 UTC (rev 280237)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <iframe id="myFrame"></iframe>
+    <script>
+const html = "<body" + ">PASS<script" + ">parent.postMessage('loaded', '*')</"+ "script></" + "body>";
+var blob = new Blob([html], {type: 'text/html'});
+var url = ""
+myFrame.src = ""
+window._onmessage_ = (event) => {
+    parent.postMessage(event.data, '*');
+};
+    </script>
+</body>
+</html>
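Review bot: as rendered, the frame never receives a URL to load: `var url = ""` is unused and `myFrame.src = ""` assigns an empty string, so the blob built on the line above is never loaded and `parent.postMessage('loaded', '*')` cannot fire; the object URL for `blob` (from `URL.createObjectURL(blob)`) should be what is assigned to `myFrame.src`. Also, `window._onmessage_` is not the message-event handler property, so the relay to the parent would not run as written; use `window.onmessage = ...` or `window.addEventListener('message', ...)`.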

Added: releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https-expected.txt (0 => 280237)


--- releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https-expected.txt	2021-07-23 10:11:19 UTC (rev 280237)
@@ -0,0 +1,4 @@
+
+
+PASS Verify blob URLs are loaded with sandbox iframes
+

Added: releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https.html (0 => 280237)


--- releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/http/tests/security/sandbox-iframe-and-blob.https.html	2021-07-23 10:11:19 UTC (rev 280237)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <script src=""
+    <script src=""
+</head>
+<body>
+    <iframe id="myFrame" sandbox="allow-scripts"></iframe>
+    <script>
+promise_test(async () => {
+    myFrame.src = ""
+    const result = await new Promise((resolve, reject) => {
+        window._onmessage_ = (event) => {
+            resolve(event.data);
+        };
+        setTimeout(() => reject("iframe load timed out"), 5000);
+    });
+    assert_equals(result, 'loaded');
+}, "Verify blob URLs are loaded with sandbox iframes");
+    </script>
+</body>
+</html>
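Review bot: the two `<script src=""` lines in `<head>` are unterminated (no closing `>` and no `</script>`) and carry empty `src` values, yet `promise_test` and `assert_equals` below depend on the test harness those tags are meant to load; as written the harness is not included and the test cannot run. The same `window._onmessage_` and `myFrame.src = ""` problems as in the frame file apply here. Since the fix changes which origin the temporary blob URL is registered under, a second assertion that the frame loaded with `sandbox="allow-scripts"` (no `allow-same-origin`) still cannot reach the parent's DOM would document that sandboxing is preserved, not just that the load succeeds.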

Modified: releases/WebKitGTK/webkit-2.32/LayoutTests/platform/win/TestExpectations (280236 => 280237)


--- releases/WebKitGTK/webkit-2.32/LayoutTests/platform/win/TestExpectations	2021-07-23 10:11:10 UTC (rev 280236)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/platform/win/TestExpectations	2021-07-23 10:11:19 UTC (rev 280237)
@@ -2330,6 +2330,7 @@
 http/tests/security/contentSecurityPolicy/navigate-self-to-blob.html [ Skip ]
 http/tests/security/contentSecurityPolicy/report-document-uri-blob.html [ Skip ]
 fast/frames/restoring-page-cache-should-not-run-scripts-via-style-update.html [ Skip ]
+http/tests/security/sandbox-iframe-and-blob.https.html [ Skip ]
 
 # Clear Key not implemented
 http/tests/media/clearkey/clear-key-hls-aes128.html [ Skip ] # Timeout
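Review bot: the new `[ Skip ]` entry for the Windows port records no reason and no tracking bug, unlike the `# Clear Key not implemented` section immediately below; add a comment or bug link so the reason for skipping is recorded and the entry can be revisited instead of silently hiding a failure on that port.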

Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog (280236 => 280237)


--- releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog	2021-07-23 10:11:10 UTC (rev 280236)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog	2021-07-23 10:11:19 UTC (rev 280237)
@@ -1,3 +1,20 @@
+2021-04-15  Youenn Fablet  <[email protected]>
+
+        REGRESSION(Safari 14): iframe with blob url does not work with sandboxing
+        https://bugs.webkit.org/show_bug.cgi?id=222312
+        <rdar://problem/74927624>
+
+        Reviewed by Chris Dumez.
+
+        In https://trac.webkit.org/r275884, we correctly compute whether a blob is to be considered secure or not.
+        For that, we need to have the blob URL registered with its document origin.
+        Update PolicyChecker to properly register the temporoary blob URL with its document origin.
+
+        Test: http/tests/security/sandbox-iframe-and-blob.https.html
+
+        * loader/PolicyChecker.cpp:
+        (WebCore::FrameLoader::PolicyChecker::extendBlobURLLifetimeIfNecessary const):
+
 2021-04-18  Youenn Fablet  <[email protected]>
 
         Blob URLs should use for their owner origin for CSP checks
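Review bot: typo in the description, `temporoary` should be `temporary`. The entry could also state what went wrong before the change (the temporary blob URL created in `extendBlobURLLifetimeIfNecessary` was registered through `blobRegistry()` without its owner origin); it currently describes only the fix.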

Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/loader/PolicyChecker.cpp (280236 => 280237)


--- releases/WebKitGTK/webkit-2.32/Source/WebCore/loader/PolicyChecker.cpp	2021-07-23 10:11:10 UTC (rev 280236)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/loader/PolicyChecker.cpp	2021-07-23 10:11:19 UTC (rev 280237)
@@ -47,6 +47,7 @@
 #include "HTMLFrameOwnerElement.h"
 #include "HTMLPlugInElement.h"
 #include "Logging.h"
+#include "ThreadableBlobRegistry.h"
 #include <wtf/CompletionHandler.h>
 
 #if USE(QUICK_LOOK)
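Review bot: the new include is needed for the `ThreadableBlobRegistry::` static calls in the next hunk; since both `blobRegistry()` uses in this file are replaced there, check whether the header that declared `blobRegistry()` is still required by this file or can be dropped.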
@@ -111,12 +112,12 @@
 
     // Create a new temporary blobURL in case this one gets revoked during the asynchronous navigation policy decision.
     URL temporaryBlobURL = BlobURL::createPublicURL(&m_frame.document()->securityOrigin());
-    blobRegistry().registerBlobURL(temporaryBlobURL, request.url());
+    ThreadableBlobRegistry::registerBlobURL(&m_frame.document()->securityOrigin(), temporaryBlobURL, request.url());
     request.setURL(temporaryBlobURL);
     if (loader)
         loader->request().setURL(temporaryBlobURL);
     return CompletionHandler<void()>([temporaryBlobURL = WTFMove(temporaryBlobURL)] {
-        blobRegistry().unregisterBlobURL(temporaryBlobURL);
+        ThreadableBlobRegistry::unregisterBlobURL(temporaryBlobURL);
     });
 }
 
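Review bot: registration and unregistration are now asymmetric: `registerBlobURL` receives the document's security origin but `unregisterBlobURL(temporaryBlobURL)` is called with the URL alone, so confirm that `ThreadableBlobRegistry` drops the origin association on unregister as well as the blob mapping, otherwise the temporary URL's origin entry outlives the navigation it was created for. `m_frame.document()->securityOrigin()` is also dereferenced on two consecutive lines; hoisting it into a local (`auto& origin = m_frame.document()->securityOrigin();`) avoids the repeat and keeps the non-null precondition on `document()` in one place. The comment above the `createPublicURL` call could note that the URL is now registered under the document's origin so the secure-context computation works for sandboxed frames.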