Log Message
Merged r167856. <rdar://problem/16975541>
Modified Paths
- branches/safari-537.77-branch/Source/WebCore/ChangeLog
- branches/safari-537.77-branch/Source/WebCore/dom/Document.cpp
- branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp
- branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.cpp
- branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.h
- branches/safari-537.77-branch/Source/WebCore/loader/SubframeLoader.cpp
- branches/safari-537.77-branch/Source/WebCore/page/DOMWindow.cpp
- branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.cpp
- branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.h
Diff
Modified: branches/safari-537.77-branch/Source/WebCore/ChangeLog (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/ChangeLog 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/ChangeLog 2014-05-22 23:43:01 UTC (rev 169227)
@@ -1,3 +1,56 @@
+2014-05-22 Dana Burkart <[email protected]>
+
+ Merge r167856
+
+ 2014-04-27 Darin Adler <[email protected]>
+
+ Webpages can trigger loads with invalid URLs
+ https://bugs.webkit.org/show_bug.cgi?id=132224
+ rdar://problem/16697142
+
+ Reviewed by Alexey Proskuryakov.
+
+ Invalid URLs can be a way to trick the user about what website they
+ are looking at. Still trying to figure out a good way to regression-test this.
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Pass a URL rather than a String to
+ the navigation scheduler.
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::receivedFirstData): Ditto.
+
+ * loader/NavigationScheduler.cpp:
+ (WebCore::ScheduledURLNavigation::ScheduledURLNavigation): Take a URL rather
+ than a string.
+ (WebCore::ScheduledURLNavigation::url): Ditto.
+ (WebCore::ScheduledRedirect::ScheduledRedirect): Ditto.
+ (WebCore::ScheduledLocationChange::ScheduledLocationChange): Ditto.
+ (WebCore::ScheduledRefresh::ScheduledRefresh): Ditto.
+ (WebCore::NavigationScheduler::shouldScheduleNavigation): Added a check that
+ prevents navigation to any URL that is invalid, except for _javascript_ URLs,
+ which need not be valid.
+ (WebCore::NavigationScheduler::scheduleRedirect): Use URL instead of String.
+ (WebCore::NavigationScheduler::scheduleLocationChange): Use URL instead of
+ String. Also got rid of empty string check since empty URLs are also invalid,
+ and so shouldScheduleNavigation will take care of it.
+ (WebCore::NavigationScheduler::scheduleRefresh): Use URL instead of String.
+
+ * loader/NavigationScheduler.h: Take URL instead of String. Also removed some
+ unneeded incldues and uses of WTF_MAKE_NONCOPYABLE. NavigationScheduler is
+ already noncopyable because it has a reference for a data member, and the
+ disabler doesn't have any real reason to be noncopyable.
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::loadOrRedirectSubframe): Pass a URL rather than a
+ String to the NavigationScheduler.
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::createWindow): Ditto.
+
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::urlWithUniqueSecurityOrigin): Return a URL instead
+ of a String.
+ * page/SecurityOrigin.h: Updated for above change.
+
2014-05-22 Lucas Forschler <[email protected]>
Merge r168636
Modified: branches/safari-537.77-branch/Source/WebCore/dom/Document.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/dom/Document.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/dom/Document.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -2833,13 +2833,19 @@
styleResolverChanged(DeferRecalcStyle);
} else if (equalIgnoringCase(equiv, "refresh")) {
double delay;
- String url;
- if (frame && parseHTTPRefresh(content, true, delay, url)) {
- if (url.isEmpty())
- url = ""
+ String urlString;
+ if (frame && parseHTTPRefresh(content, true, delay, urlString)) {
+ KURL completedURL;
+ if (urlString.isEmpty())
+ completedURL = m_url;
else
- url = ""
- frame->navigationScheduler()->scheduleRedirect(delay, url);
+ completedURL = completeURL(urlString);
+ if (!protocolIsJavaScript(completedURL))
+ frame->navigationScheduler()->scheduleRedirect(delay, completedURL);
+ else {
+ String message = "Refused to refresh " + m_url.stringCenterEllipsizedToLength() + " to a _javascript_: URL";
+ addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message);
+ }
}
} else if (equalIgnoringCase(equiv, "set-cookie")) {
// FIXME: make setCookie work on XML documents too; e.g. in case of <html:meta .....>
Modified: branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -630,15 +630,21 @@
return;
double delay;
- String url;
- if (!parseHTTPRefresh(m_documentLoader->response().httpHeaderField("Refresh"), false, delay, url))
+ String urlString;
+ if (!parseHTTPRefresh(m_documentLoader->response().httpHeaderField("Refresh"), false, delay, urlString))
return;
- if (url.isEmpty())
- url = ""
+ KURL completedURL;
+ if (urlString.isEmpty())
+ completedURL = m_frame->document()->url();
else
- url = ""
+ completedURL = m_frame->document()->completeURL(urlString);
- m_frame->navigationScheduler()->scheduleRedirect(delay, url);
+ if (!protocolIsJavaScript(completedURL))
+ m_frame->navigationScheduler()->scheduleRedirect(delay, completedURL);
+ else {
+ String message = "Refused to refresh " + m_frame->document()->url().stringCenterEllipsizedToLength() + " to a _javascript_: URL";
+ m_frame->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message);
+ }
}
void FrameLoader::setOutgoingReferrer(const KURL& url)
Modified: branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -96,7 +96,7 @@
class ScheduledURLNavigation : public ScheduledNavigation {
protected:
- ScheduledURLNavigation(double delay, SecurityOrigin* securityOrigin, const String& url, const String& referrer, bool lockHistory, bool lockBackForwardList, bool duringLoad, bool isLocationChange)
+ ScheduledURLNavigation(double delay, SecurityOrigin* securityOrigin, const KURL& url, const String& referrer, bool lockHistory, bool lockBackForwardList, bool duringLoad, bool isLocationChange)
: ScheduledNavigation(delay, lockHistory, lockBackForwardList, duringLoad, isLocationChange)
, m_securityOrigin(securityOrigin)
, m_url(url)
@@ -108,7 +108,7 @@
virtual void fire(Frame* frame)
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingNewUserGesture : DefinitelyNotProcessingUserGesture);
- frame->loader()->changeLocation(m_securityOrigin.get(), KURL(ParsedURLString, m_url), m_referrer, lockHistory(), lockBackForwardList(), false);
+ frame->loader()->changeLocation(m_securityOrigin.get(), m_url, m_referrer, lockHistory(), lockBackForwardList(), false);
}
virtual void didStartTimer(Frame* frame, Timer<NavigationScheduler>* timer)
@@ -118,7 +118,7 @@
m_haveToldClient = true;
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingNewUserGesture : DefinitelyNotProcessingUserGesture);
- frame->loader()->clientRedirected(KURL(ParsedURLString, m_url), delay(), currentTime() + timer->nextFireInterval(), lockBackForwardList());
+ frame->loader()->clientRedirected(m_url, delay(), currentTime() + timer->nextFireInterval(), lockBackForwardList());
}
virtual void didStopTimer(Frame* frame, bool newLoadInProgress)
@@ -136,19 +136,19 @@
}
SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
- String url() const { return m_url; }
+ const KURL& url() const { return m_url; }
String referrer() const { return m_referrer; }
private:
RefPtr<SecurityOrigin> m_securityOrigin;
- String m_url;
+ KURL m_url;
String m_referrer;
bool m_haveToldClient;
};
class ScheduledRedirect : public ScheduledURLNavigation {
public:
- ScheduledRedirect(double delay, SecurityOrigin* securityOrigin, const String& url, bool lockHistory, bool lockBackForwardList)
+ ScheduledRedirect(double delay, SecurityOrigin* securityOrigin, const KURL& url, bool lockHistory, bool lockBackForwardList)
: ScheduledURLNavigation(delay, securityOrigin, url, String(), lockHistory, lockBackForwardList, false, false)
{
clearUserGesture();
@@ -159,20 +159,20 @@
virtual void fire(Frame* frame)
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingNewUserGesture : DefinitelyNotProcessingUserGesture);
- bool refresh = equalIgnoringFragmentIdentifier(frame->document()->url(), KURL(ParsedURLString, url()));
- frame->loader()->changeLocation(securityOrigin(), KURL(ParsedURLString, url()), referrer(), lockHistory(), lockBackForwardList(), refresh);
+ bool refresh = equalIgnoringFragmentIdentifier(frame->document()->url(), url());
+ frame->loader()->changeLocation(securityOrigin(), url(), referrer(), lockHistory(), lockBackForwardList(), refresh);
}
};
class ScheduledLocationChange : public ScheduledURLNavigation {
public:
- ScheduledLocationChange(SecurityOrigin* securityOrigin, const String& url, const String& referrer, bool lockHistory, bool lockBackForwardList, bool duringLoad)
+ ScheduledLocationChange(SecurityOrigin* securityOrigin, const KURL& url, const String& referrer, bool lockHistory, bool lockBackForwardList, bool duringLoad)
: ScheduledURLNavigation(0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { }
};
class ScheduledRefresh : public ScheduledURLNavigation {
public:
- ScheduledRefresh(SecurityOrigin* securityOrigin, const String& url, const String& referrer)
+ ScheduledRefresh(SecurityOrigin* securityOrigin, const KURL& url, const String& referrer)
: ScheduledURLNavigation(0.0, securityOrigin, url, referrer, true, true, false, true)
{
}
@@ -180,7 +180,7 @@
virtual void fire(Frame* frame)
{
UserGestureIndicator gestureIndicator(wasUserGesture() ? DefinitelyProcessingNewUserGesture : DefinitelyNotProcessingUserGesture);
- frame->loader()->changeLocation(securityOrigin(), KURL(ParsedURLString, url()), referrer(), lockHistory(), lockBackForwardList(), true);
+ frame->loader()->changeLocation(securityOrigin(), url(), referrer(), lockHistory(), lockBackForwardList(), true);
}
};
@@ -299,12 +299,18 @@
return m_frame->page();
}
-inline bool NavigationScheduler::shouldScheduleNavigation(const String& url) const
+inline bool NavigationScheduler::shouldScheduleNavigation(const KURL& url) const
{
- return shouldScheduleNavigation() && (protocolIsJavaScript(url) || NavigationDisablerForBeforeUnload::isNavigationAllowed());
+ if (!shouldScheduleNavigation())
+ return false;
+ if (protocolIsJavaScript(url))
+ return true;
+ if (!url.isValid())
+ return false;
+ return NavigationDisablerForBeforeUnload::isNavigationAllowed();
}
-void NavigationScheduler::scheduleRedirect(double delay, const String& url)
+void NavigationScheduler::scheduleRedirect(double delay, const KURL& url)
{
if (!shouldScheduleNavigation(url))
return;
@@ -336,12 +342,10 @@
return false;
}
-void NavigationScheduler::scheduleLocationChange(SecurityOrigin* securityOrigin, const String& url, const String& referrer, bool lockHistory, bool lockBackForwardList)
+void NavigationScheduler::scheduleLocationChange(SecurityOrigin* securityOrigin, const KURL& url, const String& referrer, bool lockHistory, bool lockBackForwardList)
{
if (!shouldScheduleNavigation(url))
return;
- if (url.isEmpty())
- return;
lockBackForwardList = lockBackForwardList || mustLockBackForwardList(m_frame);
@@ -366,7 +370,7 @@
{
ASSERT(m_frame->page());
- // FIXME: Do we need special handling for form submissions where the URL is the same
+ // FIXME: Do we need special handling for form submissions where the KURL is the same
// as the current one except for the fragment part? See scheduleLocationChange above.
// Handle a location change of a page with no document as a special case.
@@ -391,7 +395,7 @@
if (url.isEmpty())
return;
- schedule(adoptPtr(new ScheduledRefresh(m_frame->document()->securityOrigin(), url.string(), m_frame->loader()->outgoingReferrer())));
+ schedule(adoptPtr(new ScheduledRefresh(m_frame->document()->securityOrigin(), url, m_frame->loader()->outgoingReferrer())));
}
void NavigationScheduler::scheduleHistoryNavigation(int steps)
Modified: branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.h (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.h 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/loader/NavigationScheduler.h 2014-05-22 23:43:01 UTC (rev 169227)
@@ -33,10 +33,7 @@
#include "Timer.h"
#include <wtf/Forward.h>
-#include <wtf/Noncopyable.h>
#include <wtf/OwnPtr.h>
-#include <wtf/PassOwnPtr.h>
-#include <wtf/PassRefPtr.h>
namespace WebCore {
@@ -44,10 +41,9 @@
class Frame;
class ScheduledNavigation;
class SecurityOrigin;
+class KURL;
class NavigationDisablerForBeforeUnload {
- WTF_MAKE_NONCOPYABLE(NavigationDisablerForBeforeUnload);
-
public:
NavigationDisablerForBeforeUnload()
{
@@ -65,8 +61,6 @@
};
class NavigationScheduler {
- WTF_MAKE_NONCOPYABLE(NavigationScheduler);
-
public:
explicit NavigationScheduler(Frame*);
~NavigationScheduler();
@@ -74,8 +68,8 @@
bool redirectScheduledDuringLoad();
bool locationChangePending();
- void scheduleRedirect(double delay, const String& url);
- void scheduleLocationChange(SecurityOrigin*, const String& url, const String& referrer, bool lockHistory = true, bool lockBackForwardList = true);
+ void scheduleRedirect(double delay, const KURL& url);
+ void scheduleLocationChange(SecurityOrigin*, const KURL& url, const String& referrer, bool lockHistory = true, bool lockBackForwardList = true);
void scheduleFormSubmission(PassRefPtr<FormSubmission>);
void scheduleRefresh();
void scheduleHistoryNavigation(int steps);
@@ -87,7 +81,7 @@
private:
bool shouldScheduleNavigation() const;
- bool shouldScheduleNavigation(const String& url) const;
+ bool shouldScheduleNavigation(const KURL&) const;
void timerFired(Timer<NavigationScheduler>*);
void schedule(PassOwnPtr<ScheduledNavigation>);
Modified: branches/safari-537.77-branch/Source/WebCore/loader/SubframeLoader.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/loader/SubframeLoader.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/loader/SubframeLoader.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -337,7 +337,7 @@
{
Frame* frame = ownerElement->contentFrame();
if (frame)
- frame->navigationScheduler()->scheduleLocationChange(m_frame->document()->securityOrigin(), url.string(), m_frame->loader()->outgoingReferrer(), lockHistory, lockBackForwardList);
+ frame->navigationScheduler()->scheduleLocationChange(m_frame->document()->securityOrigin(), url, m_frame->loader()->outgoingReferrer(), lockHistory, lockBackForwardList);
else
frame = loadSubframe(ownerElement, url, frameName, m_frame->loader()->outgoingReferrer());
Modified: branches/safari-537.77-branch/Source/WebCore/page/DOMWindow.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/page/DOMWindow.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/page/DOMWindow.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -1934,7 +1934,7 @@
newFrame->loader()->changeLocation(activeWindow->document()->securityOrigin(), completedURL, referrer, false, false);
else if (!urlString.isEmpty()) {
bool lockHistory = !ScriptController::processingUserGesture();
- newFrame->navigationScheduler()->scheduleLocationChange(activeWindow->document()->securityOrigin(), completedURL.string(), referrer, lockHistory, false);
+ newFrame->navigationScheduler()->scheduleLocationChange(activeWindow->document()->securityOrigin(), completedURL, referrer, lockHistory, false);
}
// Navigating the new frame could result in it being detached from its page by a navigation policy delegate.
Modified: branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.cpp (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.cpp 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.cpp 2014-05-22 23:43:01 UTC (rev 169227)
@@ -36,6 +36,7 @@
#include "SecurityPolicy.h"
#include "ThreadableBlobRegistry.h"
#include <wtf/MainThread.h>
+#include <wtf/NeverDestroyed.h>
#include <wtf/StdLibExtras.h>
#include <wtf/text/StringBuilder.h>
@@ -598,10 +599,10 @@
return true;
}
-String SecurityOrigin::urlWithUniqueSecurityOrigin()
+KURL SecurityOrigin::urlWithUniqueSecurityOrigin()
{
ASSERT(isMainThread());
- DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, (ASCIILiteral("data:,")));
+ static NeverDestroyed<KURL> uniqueSecurityOriginURL(ParsedURLString, ASCIILiteral("data:,"));
return uniqueSecurityOriginURL;
}
Modified: branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.h (169226 => 169227)
--- branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.h 2014-05-22 23:34:16 UTC (rev 169226)
+++ branches/safari-537.77-branch/Source/WebCore/page/SecurityOrigin.h 2014-05-22 23:43:01 UTC (rev 169227)
@@ -205,7 +205,7 @@
// (and whether it was set) but considering the host. It is used for postMessage.
bool isSameSchemeHostPort(const SecurityOrigin*) const;
- static String urlWithUniqueSecurityOrigin();
+ static KURL urlWithUniqueSecurityOrigin();
private:
SecurityOrigin();
_______________________________________________ webkit-changes mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-changes
