Diff
Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (194214 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2015-12-17 08:15:53 UTC (rev 194214)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2015-12-17 08:31:56 UTC (rev 194215)
@@ -1,3 +1,26 @@
+2015-12-17 Babak Shafiei <[email protected]>
+
+ Merge r194209.
+
+ 2015-12-16 Andy Estes <[email protected]>
+
+ [iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=152375
+ <rdar://problem/22020902>
+
+ Reviewed by Darin Adler.
+
+ * http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt:
+ * http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html: Added.
+
2015-12-15 Matthew Hanson <[email protected]>
Merge r192959. rdar://problem/23903291
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled-expected.txt 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 4: Unsafe attempt to load URL data:text/css,body::after { content: 'FAIL'; } from document with Content-Disposition: attachment at URL http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php.
+This test verifies that @imported stylesheets are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that @imported stylesheets are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
Modified: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (194214 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt 2015-12-17 08:15:53 UTC (rev 194214)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt 2015-12-17 08:31:56 UTC (rev 194215)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL data:text/html,FAIL from document with Content-Disposition: attachment at URL http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php.
This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled-expected.txt 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL data:text/css,body::after { content: 'FAIL'; } from document with Content-Disposition: attachment at URL http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php.
+This test verifies that external stylesheets are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that external stylesheets are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/at-import-stylesheets-frame.php 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,8 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+@import url("data:text/css,body::after { content: 'FAIL'; }");
+</style>
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/external-stylesheets-frame.php 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,6 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<link rel="stylesheet" href="" { content: 'FAIL'; }">
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,9 @@
+<?php
+header("Content-Disposition: attachment; filename=test.xhtml");
+header("Content-Type: application/xhtml+xml");
+echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n";
+echo "<?xml-stylesheet href="" { content: 'FAIL'; }\" ?>\n";
+echo "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n";
+echo "<body></body>\n";
+echo "</html>\n";
+?>
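Review bot: Coverage in this frame resource stops at an xml-stylesheet processing instruction that references CSS; the matching expected output names a `data:text/css` URL, so only the `CachedResource::CSSStyleSheet` path is pinned. A processing instruction that references an XSLT stylesheet is presumably requested under a different resource type, which the `default:` branch of canRequestInContentDispositionAttachmentSandbox() allows, so that case is neither blocked nor tested. I would either add a companion test that records the current behaviour, or state the scope in the resource with a comment such as `// Covers text/css xml-stylesheet PIs only; XSLT PIs are not checked by the attachment sandbox yet.`.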
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled-expected.txt 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL data:text/css,body::after { content: 'FAIL'; } from document with Content-Disposition: attachment at URL http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/xml-stylesheet-processing-instructions-frame.php.
+This test verifies that xml-stylesheet processing instructions are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html (from rev 194209, trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html) (0 => 194215)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html 2015-12-17 08:31:56 UTC (rev 194215)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that xml-stylesheet processing instructions are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (194214 => 194215)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2015-12-17 08:15:53 UTC (rev 194214)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2015-12-17 08:31:56 UTC (rev 194215)
@@ -1,3 +1,25 @@
+2015-12-17 Babak Shafiei <[email protected]>
+
+ Merge r194209.
+
+ 2015-12-16 Andy Estes <[email protected]>
+
+ [iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox
+ https://bugs.webkit.org/show_bug.cgi?id=152375
+ <rdar://problem/22020902>
+
+ Reviewed by Darin Adler.
+
+ Tests: http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html
+ http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
+ http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest): Moved handling of CachedResource::MainResource to canRequestInContentDispositionAttachmentSandbox().
+ (WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox): In addition to handling CachedResource::MainResource,
+ added handling for CachedResource::CSSStyleSheet. Added a FIXME asking whether we should handle other types of resources, too.
+ * loader/cache/CachedResourceLoader.h:
+
2015-12-14 Matthew Hanson <[email protected]>
Merge r194001. rdar://problem/23814327
Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (194214 => 194215)
--- branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-12-17 08:15:53 UTC (rev 194214)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-12-17 08:31:56 UTC (rev 194215)
@@ -374,13 +374,6 @@
// any URL.
switch (type) {
case CachedResource::MainResource:
- if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
- if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
- printAccessDeniedMessage(url);
- return false;
- }
- }
- FALLTHROUGH;
case CachedResource::ImageResource:
case CachedResource::CSSStyleSheet:
case CachedResource::Script:
@@ -463,6 +456,9 @@
return false;
}
+ if (!canRequestInContentDispositionAttachmentSandbox(type, url))
+ return false;
+
// Last of all, check for insecure content. We do this last so that when
// folks block insecure content with a CSP policy, they don't get a warning.
// They'll still get a warning in the console about CSP blocking the load.
@@ -474,6 +470,33 @@
return true;
}
+bool CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox(CachedResource::Type type, const URL& url) const
+{
+ Document* document;
+
+ // FIXME: Do we want to expand this to all resource types that the mixed content checker would consider active content?
+ switch (type) {
+ case CachedResource::MainResource:
+ if (auto ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+ document = &ownerElement->document();
+ break;
+ }
+ return true;
+ case CachedResource::CSSStyleSheet:
+ document = m_document;
+ break;
+ default:
+ return true;
+ }
+
+ if (!document->shouldEnforceContentDispositionAttachmentSandbox() || document->securityOrigin()->canRequest(url))
+ return true;
+
+ String message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + " from document with Content-Disposition: attachment at URL " + document->url().stringCenterEllipsizedToLength() + ".";
+ document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
+ return false;
+}
+
bool CachedResourceLoader::shouldContinueAfterNotifyingLoadedFromMemoryCache(const CachedResourceRequest& request, CachedResource* resource)
{
if (!resource || !frame() || resource->status() != CachedResource::Cached)
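Review bot: In canRequestInContentDispositionAttachmentSandbox(), the `CachedResource::CSSStyleSheet` case assigns `document = m_document;`, and the code after the switch dereferences it unconditionally in `document->shouldEnforceContentDispositionAttachmentSandbox()`. Whether m_document can be null here is not visible in the hunk, but if the loader can be detached from its document, this is a null dereference on a load path that page content can trigger. I would declare `Document* document = nullptr;` and add `if (!document) return true;` after the switch (or `return false;` if failing closed is preferred), with a comment recording which was chosen and why. Separately, the `default:` branch allows every other resource type, so the FIXME is the only record that types such as scripts are not covered; a bug link next to it would keep that gap trackable.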
Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.h (194214 => 194215)
--- branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.h 2015-12-17 08:15:53 UTC (rev 194214)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/cache/CachedResourceLoader.h 2015-12-17 08:31:56 UTC (rev 194215)
@@ -158,6 +158,8 @@
bool clientDefersImage(const URL&) const;
void reloadImagesIfNotDeferred();
+
+ bool canRequestInContentDispositionAttachmentSandbox(CachedResource::Type, const URL&) const;
HashSet<String> m_validatedURLs;
mutable DocumentResourceMap m_documentResources;