Title: [195571] branches/safari-601.1.46-branch
Revision
195571
Author
[email protected]
Date
2016-01-25 16:43:51 -0800 (Mon, 25 Jan 2016)

Log Message

Merge r195477. rdar://problem/24001780

Modified Paths

Added Paths

Diff

Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (195570 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2016-01-26 00:43:51 UTC (rev 195571)
@@ -1,3 +1,24 @@
+2016-01-25  Matthew Hanson  <[email protected]>
+
+        Merge r195477. rdar://problem/24001780
+
+    2016-01-21  Sam Weinig  <[email protected]>
+
+            Treat non-https actions on secure pages as mixed content
+            <rdar://problem/23144492>
+            https://bugs.webkit.org/show_bug.cgi?id=153322
+
+            Reviewed by Alexey Proskuryakov.
+
+            * http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt: Added.
+            * http/tests/security/mixedContent/insecure-form-in-iframe.html: Added.
+            * http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt: Added.
+            * http/tests/security/mixedContent/insecure-form-in-main-frame.html: Added.
+            * http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt: Added.
+            * http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html: Added.
+            * http/tests/security/mixedContent/resources/frame-with-insecure-form.html: Added.
+            * http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html: Added.
+
 2016-01-20  Matthew Hanson  <[email protected]>
 
         Merge r195150. rdar://problem/24208162

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,11 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that has a form with an insecure action. We should *not* get a mixed content callback because the main frame is HTTP and the form doesn't contaminate the child iframe's security origin with mixed content.
+
+

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,14 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+</script>
+<p>This test loads a secure iframe that has a form with an insecure action.  We should
+*not* get a mixed content callback because the main frame is HTTP and the form
+doesn't contaminate the child iframe's security origin with mixed content.</p>
+<iframe src=""
+</body>
+</html>

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,12 @@
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: line 3: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-form.html contains a form which targets an insecure URL http://127.0.0.1:8080/resources/doesnotexist.
+
+didDisplayInsecureContent
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that has a form with an non-https action. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,27 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+      testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that has a form with an non-https action.  We should
+trigger a mixed content callback because the main frame in the window is HTTPS
+but is running insecure content.</p>
+<script>
+_onload_ = function() {
+    window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-form.html");
+}
+</script>
+</body>
+</html>
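Review bot: The `message` listener calls `testRunner.notifyDone()` for any message it receives, without looking at `e.data` or `e.origin`, so a stray message could end the test early. Checking `if (e.data === 'done')` would tie completion to the helper page's `postMessage('done', '*')`. The same listener appears in `_javascript_-url-form-in-main-frame.html`. The `'*'` target origin used by the two helper pages under `resources/` is acceptable for a local test fixture, but it is not a pattern to carry into page code that posts anything sensitive.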

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,9 @@
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that has a form with an action that is a _javascript_: url. We should *not* trigger a mixed content callback because the _javascript_: URL cannot be corrupted by active network attackers.

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,27 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+      testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that has a form with an action that is a _javascript_: url.  We should
+*not* trigger a mixed content callback because the _javascript_: URL cannot be corrupted
+by active network attackers.</p>
+<script>
+_onload_ = function() {
+    window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-_javascript_-url-form.html");
+}
+</script>
+</body>
+</html>

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<body _onload_="loaded()">
+<form action=""
+<script>
+function loaded() {
+    if (window.opener)
+        window.opener.postMessage('done', '*');
+}
+</script>
+</body>

Added: branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html (0 => 195571)


--- branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html	2016-01-26 00:43:51 UTC (rev 195571)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<body _onload_="loaded()">
+<form action=""
+<script>
+function loaded() {
+    if (window.opener)
+        window.opener.postMessage('done', '*');
+}
+</script>
+</body>

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (195570 => 195571)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-01-26 00:43:51 UTC (rev 195571)
@@ -1,5 +1,30 @@
 2016-01-25  Matthew Hanson  <[email protected]>
 
+        Merge r195477. rdar://problem/24001780
+
+    2016-01-21  Sam Weinig  <[email protected]>
+
+            Treat non-https actions on secure pages as mixed content
+            <rdar://problem/23144492>
+            https://bugs.webkit.org/show_bug.cgi?id=153322
+
+            Reviewed by Alexey Proskuryakov.
+
+            Tests:  http/tests/security/mixedContent/insecure-form-in-iframe.html
+                    http/tests/security/mixedContent/insecure-form-in-main-frame.html
+                    http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html
+
+            * html/HTMLFormElement.cpp:
+            (WebCore::HTMLFormElement::parseAttribute):
+            Check form actions for mixed content.
+
+            * loader/MixedContentChecker.cpp:
+            (WebCore::MixedContentChecker::checkFormForMixedContent):
+            * loader/MixedContentChecker.h:
+            Add new function to check and warn if a form's action is mixed content.
+
+2016-01-25  Matthew Hanson  <[email protected]>
+
         Merge r195393. rdar://problem/24042909
 
     2016-01-20  David Kilzer  <[email protected]>

Modified: branches/safari-601.1.46-branch/Source/WebCore/html/HTMLFormElement.cpp (195570 => 195571)


--- branches/safari-601.1.46-branch/Source/WebCore/html/HTMLFormElement.cpp	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/Source/WebCore/html/HTMLFormElement.cpp	2016-01-26 00:43:51 UTC (rev 195571)
@@ -482,9 +482,16 @@
 
 void HTMLFormElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
 {
-    if (name == actionAttr)
+    if (name == actionAttr) {
         m_attributes.parseAction(value);
-    else if (name == targetAttr)
+        
+        if (!m_attributes.action().isEmpty()) {
+            if (Frame* f = document().frame()) {
+                Frame& topFrame = f->tree().top();
+                topFrame.loader().mixedContentChecker().checkFormForMixedContent(topFrame.document()->securityOrigin(), document().completeURL(m_attributes.action()));
+            }
+        }
+    } else if (name == targetAttr)
         m_attributes.setTarget(value);
     else if (name == methodAttr)
         m_attributes.updateMethodType(value);
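Review bot: `topFrame.document()->securityOrigin()` in the new `actionAttr` branch dereferences the top frame's document without a check, although `document().frame()` is null-checked just above it. If `Frame::document()` can be null while an attribute is being parsed, a guard such as `if (Document* topDocument = topFrame.document())` around the call would make the branch consistent. The check also runs only when the form's own `action` attribute is parsed, and it resolves the URL against the base URL in effect at that moment. A per-button `formaction` override or a later base URL change would therefore go unreported as far as these lines show; whether another path covers them is not visible here. parseAttribute continues past the end of this hunk.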
@@ -497,8 +504,7 @@
             document().registerForPageCacheSuspensionCallbacks(this);
         else
             document().unregisterForPageCacheSuspensionCallbacks(this);
-    }
-    else
+    } else
         HTMLElement::parseAttribute(name, value);
 }
 

Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.cpp (195570 => 195571)


--- branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.cpp	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.cpp	2016-01-26 00:43:51 UTC (rev 195571)
@@ -88,6 +88,22 @@
     return allowed;
 }
 
+void MixedContentChecker::checkFormForMixedContent(SecurityOrigin* securityOrigin, const URL& url) const
+{
+    // Unconditionally allow _javascript_: URLs as form actions as some pages do this and it does not introduce
+    // a mixed content issue.
+    if (protocolIsJavaScript(url))
+        return;
+
+    if (!isMixedContent(securityOrigin, url))
+        return;
+
+    String message = makeString("The page at ", m_frame.document()->url().stringCenterEllipsizedToLength(), " contains a form which targets an insecure URL ", url.stringCenterEllipsizedToLength(), ".\n");
+    m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, message);
+
+    client().didDisplayInsecureContent();
+}
+
 void MixedContentChecker::logWarning(bool allowed, const String& action, const URL& target) const
 {
     const char* errorString = allowed ? " was allowed to " : " was not allowed to ";
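Review bot: The warning text in `checkFormForMixedContent` names `m_frame.document()->url()`, the document of the frame that owns this checker. The caller added in HTMLFormElement.cpp uses the top frame's checker, so for a form inside a subframe of an HTTPS page the message would apparently name the top-level page rather than the document that holds the form. `m_frame.document()` is also dereferenced twice without a null check. The function only reports, by adding a console warning and calling `client().didDisplayInsecureContent()`, and nothing in it blocks the submission. That deserves a header comment such as `// Warn-only: reports an insecure form action as displayed mixed content; does not block submission.` so it is not read as an enforcement point like the `can…InsecureContent` checks. The logWarning definition that follows the new function continues outside the hunk.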

Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.h (195570 => 195571)


--- branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.h	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/MixedContentChecker.h	2016-01-26 00:43:51 UTC (rev 195571)
@@ -53,6 +53,7 @@
 
     bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&) const;
     bool canRunInsecureContent(SecurityOrigin*, const URL&) const;
+    void checkFormForMixedContent(SecurityOrigin*, const URL&) const;
     static bool isMixedContent(SecurityOrigin*, const URL&);
 
 private:

Modified: branches/safari-601.1.46-branch/Tools/WebEditingTester/WK2WebDocumentController.m (195570 => 195571)


--- branches/safari-601.1.46-branch/Tools/WebEditingTester/WK2WebDocumentController.m	2016-01-26 00:43:45 UTC (rev 195570)
+++ branches/safari-601.1.46-branch/Tools/WebEditingTester/WK2WebDocumentController.m	2016-01-26 00:43:51 UTC (rev 195571)
@@ -79,7 +79,13 @@
 
 - (void)loadHTMLString:(NSString *)content
 {
-    [_webView loadHTMLString:content baseURL:nil];
+    NSStringEncoding encoding = NSUnicodeStringEncoding;
+
+    NSData *data = "" dataUsingEncoding:encoding];
+    CFStringEncoding cfEncoding = CFStringConvertNSStringEncodingToEncoding(encoding);
+    NSString *textEncodingName = (__bridge NSString *)CFStringConvertEncodingToIANACharSetName(cfEncoding);
+
+    [_webView _loadData:data MIMEType:@"text/html" characterEncodingName:textEncodingName baseURL:[NSURL URLWithString:@"x-webdoc:/klsadfgjlfsdj/"] userData:nil];
 }
 
 - (void)performTextFinderAction:(id)sender
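Review bot: The base URL `x-webdoc:/klsadfgjlfsdj/` passed to the new `_loadData:` call is an unexplained literal. The base URL decides which origin the loaded HTML gets and how its relative URLs resolve, so a named constant with a one-line comment on why a custom scheme with a throwaway path is used would help the next reader. `CFStringConvertEncodingToIANACharSetName` can return NULL, so `textEncodingName` may be nil when it is passed on; with the fixed `NSUnicodeStringEncoding` that is unlikely, but an assertion would document the assumption. As shown on this page, the `NSData *data = "" dataUsingEncoding:encoding];` line has lost its receiver and opening bracket, which looks like damage from the archive rendering rather than the committed code. The body of performTextFinderAction lies outside the hunk.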