Log Message
Webpages can trigger loads with invalid URLs https://bugs.webkit.org/show_bug.cgi?id=132224 rdar://problem/16697142
Reviewed by Alexey Proskuryakov. Invalid URLs can be a way to trick the user about what website they are looking at. Still trying to figure out a good way to regression-test this. * dom/Document.cpp: (WebCore::Document::processHttpEquiv): Pass a URL rather than a String to the navigation scheduler. * loader/FrameLoader.cpp: (WebCore::FrameLoader::receivedFirstData): Ditto. * loader/NavigationScheduler.cpp: (WebCore::ScheduledURLNavigation::ScheduledURLNavigation): Take a URL rather than a string. (WebCore::ScheduledURLNavigation::url): Ditto. (WebCore::ScheduledRedirect::ScheduledRedirect): Ditto. (WebCore::ScheduledLocationChange::ScheduledLocationChange): Ditto. (WebCore::ScheduledRefresh::ScheduledRefresh): Ditto. (WebCore::NavigationScheduler::shouldScheduleNavigation): Added a check that prevents navigation to any URL that is invalid, except for _javascript_ URLs, which need not be valid. (WebCore::NavigationScheduler::scheduleRedirect): Use URL instead of String. (WebCore::NavigationScheduler::scheduleLocationChange): Use URL instead of String. Also got rid of empty string check since empty URLs are also invalid, and so shouldScheduleNavigation will take care of it. (WebCore::NavigationScheduler::scheduleRefresh): Use URL instead of String. * loader/NavigationScheduler.h: Take URL instead of String. Also removed some unneeded incldues and uses of WTF_MAKE_NONCOPYABLE. NavigationScheduler is already noncopyable because it has a reference for a data member, and the disabler doesn't have any real reason to be noncopyable. * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadOrRedirectSubframe): Pass a URL rather than a String to the NavigationScheduler. * page/DOMWindow.cpp: (WebCore::DOMWindow::createWindow): Ditto. * page/SecurityOrigin.cpp: (WebCore::SecurityOrigin::urlWithUniqueSecurityOrigin): Return a URL instead of a String. * page/SecurityOrigin.h: Updated for above change.
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/dom/Document.cpp
- trunk/Source/WebCore/loader/FrameLoader.cpp
- trunk/Source/WebCore/loader/NavigationScheduler.cpp
- trunk/Source/WebCore/loader/NavigationScheduler.h
- trunk/Source/WebCore/loader/SubframeLoader.cpp
- trunk/Source/WebCore/page/DOMWindow.cpp
- trunk/Source/WebCore/page/SecurityOrigin.cpp
- trunk/Source/WebCore/page/SecurityOrigin.h
Diff
Modified: trunk/Source/WebCore/ChangeLog (167855 => 167856)
--- trunk/Source/WebCore/ChangeLog 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/ChangeLog 2014-04-27 16:06:27 UTC (rev 167856)
@@ -1,3 +1,52 @@
+2014-04-27 Darin Adler <[email protected]>
+
+ Webpages can trigger loads with invalid URLs
+ https://bugs.webkit.org/show_bug.cgi?id=132224
+ rdar://problem/16697142
+
+ Reviewed by Alexey Proskuryakov.
+
+ Invalid URLs can be a way to trick the user about what website they
+ are looking at. Still trying to figure out a good way to regression-test this.
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Pass a URL rather than a String to
+ the navigation scheduler.
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::receivedFirstData): Ditto.
+
+ * loader/NavigationScheduler.cpp:
+ (WebCore::ScheduledURLNavigation::ScheduledURLNavigation): Take a URL rather
+ than a string.
+ (WebCore::ScheduledURLNavigation::url): Ditto.
+ (WebCore::ScheduledRedirect::ScheduledRedirect): Ditto.
+ (WebCore::ScheduledLocationChange::ScheduledLocationChange): Ditto.
+ (WebCore::ScheduledRefresh::ScheduledRefresh): Ditto.
+ (WebCore::NavigationScheduler::shouldScheduleNavigation): Added a check that
+ prevents navigation to any URL that is invalid, except for _javascript_ URLs,
+ which need not be valid.
+ (WebCore::NavigationScheduler::scheduleRedirect): Use URL instead of String.
+ (WebCore::NavigationScheduler::scheduleLocationChange): Use URL instead of
+ String. Also got rid of empty string check since empty URLs are also invalid,
+ and so shouldScheduleNavigation will take care of it.
+ (WebCore::NavigationScheduler::scheduleRefresh): Use URL instead of String.
+
+ * loader/NavigationScheduler.h: Take URL instead of String. Also removed some
+ unneeded incldues and uses of WTF_MAKE_NONCOPYABLE. NavigationScheduler is
+ already noncopyable because it has a reference for a data member, and the
+ disabler doesn't have any real reason to be noncopyable.
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::loadOrRedirectSubframe): Pass a URL rather than a
+ String to the NavigationScheduler.
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::createWindow): Ditto.
+
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::urlWithUniqueSecurityOrigin): Return a URL instead
+ of a String.
+ * page/SecurityOrigin.h: Updated for above change.
+
2014-04-27 Zan Dobersek <[email protected]>
ScriptExecutionContext::Task should work well with C++11 lambdas
Modified: trunk/Source/WebCore/dom/Document.cpp (167855 => 167856)
--- trunk/Source/WebCore/dom/Document.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/dom/Document.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -2824,14 +2824,15 @@
styleResolverChanged(DeferRecalcStyle);
} else if (equalIgnoringCase(equiv, "refresh")) {
double delay;
- String url;
- if (frame && parseHTTPRefresh(content, true, delay, url)) {
- if (url.isEmpty())
- url = ""
+ String urlString;
+ if (frame && parseHTTPRefresh(content, true, delay, urlString)) {
+ URL completedURL;
+ if (urlString.isEmpty())
+ completedURL = m_url;
else
- url = ""
- if (!protocolIsJavaScript(url))
- frame->navigationScheduler().scheduleRedirect(delay, url);
+ completedURL = completeURL(urlString);
+ if (!protocolIsJavaScript(completedURL))
+ frame->navigationScheduler().scheduleRedirect(delay, completedURL);
else {
String message = "Refused to refresh " + m_url.stringCenterEllipsizedToLength() + " to a _javascript_: URL";
addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (167855 => 167856)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -666,16 +666,17 @@
return;
double delay;
- String url;
- if (!parseHTTPRefresh(m_documentLoader->response().httpHeaderField("Refresh"), false, delay, url))
+ String urlString;
+ if (!parseHTTPRefresh(m_documentLoader->response().httpHeaderField("Refresh"), false, delay, urlString))
return;
- if (url.isEmpty())
- url = ""
+ URL completedURL;
+ if (urlString.isEmpty())
+ completedURL = m_frame.document()->url();
else
- url = ""
+ completedURL = m_frame.document()->completeURL(urlString);
- if (!protocolIsJavaScript(url))
- m_frame.navigationScheduler().scheduleRedirect(delay, url);
+ if (!protocolIsJavaScript(completedURL))
+ m_frame.navigationScheduler().scheduleRedirect(delay, completedURL);
else {
String message = "Refused to refresh " + m_frame.document()->url().stringCenterEllipsizedToLength() + " to a _javascript_: URL";
m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
Modified: trunk/Source/WebCore/loader/NavigationScheduler.cpp (167855 => 167856)
--- trunk/Source/WebCore/loader/NavigationScheduler.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/loader/NavigationScheduler.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -97,7 +97,7 @@
class ScheduledURLNavigation : public ScheduledNavigation {
protected:
- ScheduledURLNavigation(double delay, SecurityOrigin* securityOrigin, const String& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, bool isLocationChange)
+ ScheduledURLNavigation(double delay, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, bool isLocationChange)
: ScheduledNavigation(delay, lockHistory, lockBackForwardList, duringLoad, isLocationChange)
, m_securityOrigin(securityOrigin)
, m_url(url)
@@ -109,7 +109,7 @@
virtual void fire(Frame& frame) override
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
- frame.loader().changeLocation(m_securityOrigin.get(), URL(ParsedURLString, m_url), m_referrer, lockHistory(), lockBackForwardList(), false);
+ frame.loader().changeLocation(m_securityOrigin.get(), m_url, m_referrer, lockHistory(), lockBackForwardList(), false);
}
virtual void didStartTimer(Frame& frame, Timer<NavigationScheduler>& timer) override
@@ -119,7 +119,7 @@
m_haveToldClient = true;
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
- frame.loader().clientRedirected(URL(ParsedURLString, m_url), delay(), currentTime() + timer.nextFireInterval(), lockBackForwardList());
+ frame.loader().clientRedirected(m_url, delay(), currentTime() + timer.nextFireInterval(), lockBackForwardList());
}
virtual void didStopTimer(Frame& frame, bool newLoadInProgress) override
@@ -137,19 +137,19 @@
}
SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
- String url() const { return m_url; }
+ const URL& url() const { return m_url; }
String referrer() const { return m_referrer; }
private:
RefPtr<SecurityOrigin> m_securityOrigin;
- String m_url;
+ URL m_url;
String m_referrer;
bool m_haveToldClient;
};
class ScheduledRedirect : public ScheduledURLNavigation {
public:
- ScheduledRedirect(double delay, SecurityOrigin* securityOrigin, const String& url, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+ ScheduledRedirect(double delay, SecurityOrigin* securityOrigin, const URL& url, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
: ScheduledURLNavigation(delay, securityOrigin, url, String(), lockHistory, lockBackForwardList, false, false)
{
clearUserGesture();
@@ -163,20 +163,20 @@
virtual void fire(Frame& frame) override
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
- bool refresh = equalIgnoringFragmentIdentifier(frame.document()->url(), URL(ParsedURLString, url()));
- frame.loader().changeLocation(securityOrigin(), URL(ParsedURLString, url()), referrer(), lockHistory(), lockBackForwardList(), refresh);
+ bool refresh = equalIgnoringFragmentIdentifier(frame.document()->url(), url());
+ frame.loader().changeLocation(securityOrigin(), url(), referrer(), lockHistory(), lockBackForwardList(), refresh);
}
};
class ScheduledLocationChange : public ScheduledURLNavigation {
public:
- ScheduledLocationChange(SecurityOrigin* securityOrigin, const String& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad)
+ ScheduledLocationChange(SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad)
: ScheduledURLNavigation(0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { }
};
class ScheduledRefresh : public ScheduledURLNavigation {
public:
- ScheduledRefresh(SecurityOrigin* securityOrigin, const String& url, const String& referrer)
+ ScheduledRefresh(SecurityOrigin* securityOrigin, const URL& url, const String& referrer)
: ScheduledURLNavigation(0.0, securityOrigin, url, referrer, LockHistory::Yes, LockBackForwardList::Yes, false, true)
{
}
@@ -184,7 +184,7 @@
virtual void fire(Frame& frame) override
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingUserGesture : DefinitelyNotProcessingUserGesture);
- frame.loader().changeLocation(securityOrigin(), URL(ParsedURLString, url()), referrer(), lockHistory(), lockBackForwardList(), true);
+ frame.loader().changeLocation(securityOrigin(), url(), referrer(), lockHistory(), lockBackForwardList(), true);
}
};
@@ -304,12 +304,18 @@
return m_frame.page();
}
-inline bool NavigationScheduler::shouldScheduleNavigation(const String& url) const
+inline bool NavigationScheduler::shouldScheduleNavigation(const URL& url) const
{
- return shouldScheduleNavigation() && (protocolIsJavaScript(url) || NavigationDisablerForBeforeUnload::isNavigationAllowed());
+ if (!shouldScheduleNavigation())
+ return false;
+ if (protocolIsJavaScript(url))
+ return true;
+ if (!url.isValid())
+ return false;
+ return NavigationDisablerForBeforeUnload::isNavigationAllowed();
}
-void NavigationScheduler::scheduleRedirect(double delay, const String& url)
+void NavigationScheduler::scheduleRedirect(double delay, const URL& url)
{
if (!shouldScheduleNavigation(url))
return;
@@ -343,12 +349,10 @@
return LockBackForwardList::No;
}
-void NavigationScheduler::scheduleLocationChange(SecurityOrigin* securityOrigin, const String& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+void NavigationScheduler::scheduleLocationChange(SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
{
if (!shouldScheduleNavigation(url))
return;
- if (url.isEmpty())
- return;
if (lockBackForwardList == LockBackForwardList::No)
lockBackForwardList = mustLockBackForwardList(m_frame);
@@ -401,7 +405,7 @@
if (url.isEmpty())
return;
- schedule(std::make_unique<ScheduledRefresh>(m_frame.document()->securityOrigin(), url.string(), m_frame.loader().outgoingReferrer()));
+ schedule(std::make_unique<ScheduledRefresh>(m_frame.document()->securityOrigin(), url, m_frame.loader().outgoingReferrer()));
}
void NavigationScheduler::scheduleHistoryNavigation(int steps)
Modified: trunk/Source/WebCore/loader/NavigationScheduler.h (167855 => 167856)
--- trunk/Source/WebCore/loader/NavigationScheduler.h 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/loader/NavigationScheduler.h 2014-04-27 16:06:27 UTC (rev 167856)
@@ -34,8 +34,6 @@
#include "FrameLoaderTypes.h"
#include "Timer.h"
#include <wtf/Forward.h>
-#include <wtf/Noncopyable.h>
-#include <wtf/PassRefPtr.h>
namespace WebCore {
@@ -43,10 +41,9 @@
class Frame;
class ScheduledNavigation;
class SecurityOrigin;
+class URL;
class NavigationDisablerForBeforeUnload {
- WTF_MAKE_NONCOPYABLE(NavigationDisablerForBeforeUnload);
-
public:
NavigationDisablerForBeforeUnload()
{
@@ -64,8 +61,6 @@
};
class NavigationScheduler {
- WTF_MAKE_NONCOPYABLE(NavigationScheduler);
-
public:
explicit NavigationScheduler(Frame&);
~NavigationScheduler();
@@ -73,9 +68,8 @@
bool redirectScheduledDuringLoad();
bool locationChangePending();
- void scheduleRedirect(double delay, const String& url);
- void scheduleLocationChange(SecurityOrigin*, const String& url, const String& referrer, LockHistory = LockHistory::Yes,
- LockBackForwardList = LockBackForwardList::Yes);
+ void scheduleRedirect(double delay, const URL&);
+ void scheduleLocationChange(SecurityOrigin*, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes);
void scheduleFormSubmission(PassRefPtr<FormSubmission>);
void scheduleRefresh();
void scheduleHistoryNavigation(int steps);
@@ -87,7 +81,7 @@
private:
bool shouldScheduleNavigation() const;
- bool shouldScheduleNavigation(const String& url) const;
+ bool shouldScheduleNavigation(const URL&) const;
void timerFired(Timer<NavigationScheduler>&);
void schedule(std::unique_ptr<ScheduledNavigation>);
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (167855 => 167856)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -324,7 +324,7 @@
{
Frame* frame = ownerElement.contentFrame();
if (frame)
- frame->navigationScheduler().scheduleLocationChange(m_frame.document()->securityOrigin(), url.string(), m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList);
+ frame->navigationScheduler().scheduleLocationChange(m_frame.document()->securityOrigin(), url, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList);
else
frame = loadSubframe(ownerElement, url, frameName, m_frame.loader().outgoingReferrer());
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (167855 => 167856)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -2018,7 +2018,7 @@
newFrame->loader().changeLocation(activeWindow.document()->securityOrigin(), completedURL, referrer, LockHistory::No, LockBackForwardList::No);
else if (!urlString.isEmpty()) {
LockHistory lockHistory = ScriptController::processingUserGesture() ? LockHistory::No : LockHistory::Yes;
- newFrame->navigationScheduler().scheduleLocationChange(activeWindow.document()->securityOrigin(), completedURL.string(), referrer, lockHistory, LockBackForwardList::No);
+ newFrame->navigationScheduler().scheduleLocationChange(activeWindow.document()->securityOrigin(), completedURL, referrer, lockHistory, LockBackForwardList::No);
}
// Navigating the new frame could result in it being detached from its page by a navigation policy delegate.
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (167855 => 167856)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2014-04-27 16:06:27 UTC (rev 167856)
@@ -36,6 +36,7 @@
#include "SecurityPolicy.h"
#include "ThreadableBlobRegistry.h"
#include <wtf/MainThread.h>
+#include <wtf/NeverDestroyed.h>
#include <wtf/StdLibExtras.h>
#include <wtf/text/StringBuilder.h>
@@ -597,10 +598,10 @@
return true;
}
-String SecurityOrigin::urlWithUniqueSecurityOrigin()
+URL SecurityOrigin::urlWithUniqueSecurityOrigin()
{
ASSERT(isMainThread());
- DEPRECATED_DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, (ASCIILiteral("data:,")));
+ static NeverDestroyed<URL> uniqueSecurityOriginURL(ParsedURLString, ASCIILiteral("data:,"));
return uniqueSecurityOriginURL;
}
Modified: trunk/Source/WebCore/page/SecurityOrigin.h (167855 => 167856)
--- trunk/Source/WebCore/page/SecurityOrigin.h 2014-04-27 14:07:03 UTC (rev 167855)
+++ trunk/Source/WebCore/page/SecurityOrigin.h 2014-04-27 16:06:27 UTC (rev 167856)
@@ -205,7 +205,7 @@
// (and whether it was set) but considering the host. It is used for postMessage.
bool isSameSchemeHostPort(const SecurityOrigin*) const;
- static String urlWithUniqueSecurityOrigin();
+ static URL urlWithUniqueSecurityOrigin();
private:
SecurityOrigin();
_______________________________________________ webkit-changes mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-changes
