Diff
Modified: trunk/Source/WebKit/mac/ChangeLog (197149 => 197150)
--- trunk/Source/WebKit/mac/ChangeLog 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Source/WebKit/mac/ChangeLog 2016-02-26 01:22:33 UTC (rev 197150)
@@ -1,3 +1,14 @@
+2016-02-25 Jiewen Tan <[email protected]>
+
+ Restrict information passed with navigation action which is triggered by untrusted event
+ https://bugs.webkit.org/show_bug.cgi?id=154571
+ <rdar://problem/15967937>
+
+ Reviewed by Andy Estes.
+
+ * WebCoreSupport/WebFrameLoaderClient.mm:
+ (WebFrameLoaderClient::actionDictionary):
+
2016-02-25 Eric Carlson <[email protected]>
[MediaStream] MediaDeviceInfo deviceId and groupId must be unique to the page's origin
Modified: trunk/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm (197149 => 197150)
--- trunk/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm 2016-02-26 01:22:33 UTC (rev 197150)
@@ -1561,7 +1561,8 @@
unsigned modifierFlags = 0;
const Event* event = action.event();
#if !PLATFORM(IOS)
- if (const UIEventWithKeyState* keyStateEvent = findEventWithKeyState(const_cast<Event*>(event))) {
+ const UIEventWithKeyState* keyStateEvent = findEventWithKeyState(const_cast<Event*>(event));
+ if (keyStateEvent && keyStateEvent->isTrusted()) {
if (keyStateEvent->ctrlKey())
modifierFlags |= NSControlKeyMask;
if (keyStateEvent->altKey())
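Review bot: Nothing at the new `keyStateEvent && keyStateEvent->isTrusted()` gate says why modifier flags are withheld, so a later cleanup could fold it back into the old one-line `if` without noticing that it is a security check. A short comment above the condition would record the intent, for example `// Untrusted (script-dispatched) events must not report modifier keys to the policy client.` The same uncommented gate is repeated in InjectedBundleNavigationAction::modifiersForNavigationAction later in this changeset. Trust is tested on the event returned by findEventWithKeyState, whose body is not shown; if it can return an underlying event rather than action.event() itself, confirm that this is the event whose trust matters. The enclosing function starts and ends outside the hunk.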
@@ -1590,7 +1591,10 @@
[result setObject:element forKey:WebActionElementKey];
[element release];
- [result setObject:[NSNumber numberWithInt:mouseEvent->button()] forKey:WebActionButtonKey];
+ if (mouseEvent->isTrusted())
+ [result setObject:[NSNumber numberWithInt:mouseEvent->button()] forKey:WebActionButtonKey];
+ else
+ [result setObject:[NSNumber numberWithInt:WebCore::NoButton] forKey:WebActionButtonKey];
}
if (formState) {
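Review bot: Only WebActionButtonKey is neutralised for an untrusted mouse event; `[result setObject:element forKey:WebActionElementKey];` at the top of this hunk still runs unconditionally. How `element` is built is above the hunk, but if it is derived from the event's coordinates, those are also chosen by the script that dispatched the event, so a policy delegate could still be handed a misleading element. Either gate that line on `mouseEvent->isTrusted()` as well, or add a comment stating that passing the element for untrusted events is intentional. The enclosing block begins outside the hunk.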
Modified: trunk/Source/WebKit2/ChangeLog (197149 => 197150)
--- trunk/Source/WebKit2/ChangeLog 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Source/WebKit2/ChangeLog 2016-02-26 01:22:33 UTC (rev 197150)
@@ -1,3 +1,21 @@
+2016-02-25 Jiewen Tan <[email protected]>
+
+ Restrict information passed with navigation action which is triggered by untrusted event
+ https://bugs.webkit.org/show_bug.cgi?id=154571
+ <rdar://problem/15967937>
+
+ Reviewed by Andy Estes.
+
+ When navigation action is triggered by an untrusted event, we should be more restricted of
+ what information should be passed to the clients to lower the risk that clients could
+ be fooled by the untrusted event.
+
+ In this patch, we drop the modifiers for key state events and set the mouse button to NoButton
+ for mouse events.
+
+ * WebProcess/InjectedBundle/InjectedBundleNavigationAction.cpp:
+ (WebKit::InjectedBundleNavigationAction::modifiersForNavigationAction):
+
2016-02-25 Ada Chan <[email protected]>
Hook up fullscreenMayReturnToInline() in WKPageUIClient
Modified: trunk/Source/WebKit2/WebProcess/InjectedBundle/InjectedBundleNavigationAction.cpp (197149 => 197150)
--- trunk/Source/WebKit2/WebProcess/InjectedBundle/InjectedBundleNavigationAction.cpp 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Source/WebKit2/WebProcess/InjectedBundle/InjectedBundleNavigationAction.cpp 2016-02-26 01:22:33 UTC (rev 197150)
@@ -52,7 +52,7 @@
if (!mouseEvent)
return WebMouseEvent::NoButton;
- if (!mouseEvent->buttonDown())
+ if (!mouseEvent->buttonDown() || !mouseEvent->isTrusted())
return WebMouseEvent::NoButton;
return static_cast<WebMouseEvent::Button>(mouseEvent->button());
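Review bot: The trust check is folded into the existing `buttonDown()` condition, which makes the security gate easy to miss when auditing this file. A separate early return placed first, `if (!mouseEvent->isTrusted()) return WebMouseEvent::NoButton;`, with a one-line comment that untrusted events never report a button, would keep the two reasons distinct. The function's signature and the lookup that produces `mouseEvent` are outside the hunk.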
@@ -61,7 +61,8 @@
WebEvent::Modifiers InjectedBundleNavigationAction::modifiersForNavigationAction(const NavigationAction& navigationAction)
{
uint32_t modifiers = 0;
- if (const UIEventWithKeyState* keyStateEvent = findEventWithKeyState(const_cast<Event*>(navigationAction.event()))) {
+ const UIEventWithKeyState* keyStateEvent = findEventWithKeyState(const_cast<Event*>(navigationAction.event()));
+ if (keyStateEvent && keyStateEvent->isTrusted()) {
if (keyStateEvent->shiftKey())
modifiers |= WebEvent::ShiftKey;
if (keyStateEvent->ctrlKey())
Modified: trunk/Tools/ChangeLog (197149 => 197150)
--- trunk/Tools/ChangeLog 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Tools/ChangeLog 2016-02-26 01:22:33 UTC (rev 197150)
@@ -1,3 +1,18 @@
+2016-02-25 Jiewen Tan <[email protected]>
+
+ Restrict information passed with navigation action which is triggered by untrusted event
+ https://bugs.webkit.org/show_bug.cgi?id=154571
+ <rdar://problem/15967937>
+
+ Reviewed by Andy Estes.
+
+ * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+ * TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.mm: Added.
+ (-[WKNavigationActionDelegate webView:decidePolicyForNavigationAction:decisionHandler:]):
+ (TestWebKitAPI::TEST):
+ (-[NavigationActionDelegate webView:decidePolicyForNavigationAction:request:frame:decisionListener:]):
+ * TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.html: Added.
+
2016-02-25 Gavin Barraclough <[email protected]>
Should template RefCounter instead of RefCounter::Token
Modified: trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (197149 => 197150)
--- trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2016-02-26 01:00:24 UTC (rev 197149)
+++ trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2016-02-26 01:22:33 UTC (rev 197150)
@@ -75,6 +75,8 @@
52B8CF9815868D9100281053 /* SetDocumentURI.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 52B8CF9415868CF000281053 /* SetDocumentURI.html */; };
52D673EE1AFB127300FA19FE /* WKPageCopySessionStateWithFiltering.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52D673EC1AFB126800FA19FE /* WKPageCopySessionStateWithFiltering.cpp */; };
52E5CE4914D21EAB003B2BD8 /* ParentFrame_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 52E5CE4814D21EAB003B2BD8 /* ParentFrame_Bundle.cpp */; };
+ 57F10D931C7E7B3800ECDF30 /* IsNavigationActionTrusted.mm in Sources */ = {isa = PBXBuildFile; fileRef = 57F10D921C7E7B3800ECDF30 /* IsNavigationActionTrusted.mm */; };
+ 57F56A5C1C7F8CC100F31D7E /* IsNavigationActionTrusted.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 57F56A5B1C7F8A4000F31D7E /* IsNavigationActionTrusted.html */; };
764322D71B61CCC30024F801 /* WordBoundaryTypingAttributes.mm in Sources */ = {isa = PBXBuildFile; fileRef = 764322D51B61CCA40024F801 /* WordBoundaryTypingAttributes.mm */; };
7673499D1930C5BB00E44DF9 /* StopLoadingDuringDidFailProvisionalLoad_bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7673499A1930182E00E44DF9 /* StopLoadingDuringDidFailProvisionalLoad_bundle.cpp */; };
76E182DD1547569100F1FADD /* WillSendSubmitEvent_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 76E182DC1547569100F1FADD /* WillSendSubmitEvent_Bundle.cpp */; };
@@ -386,6 +388,7 @@
dstPath = TestWebKitAPI.resources;
dstSubfolderSpec = 7;
files = (
+ 57F56A5C1C7F8CC100F31D7E /* IsNavigationActionTrusted.html in Copy Resources */,
A16F66BA1C40EB4F00BD4D24 /* ContentFiltering.html in Copy Resources */,
CDC8E4941BC6F10800594FEC /* video-with-audio.html in Copy Resources */,
CDC8E4951BC6F10800594FEC /* video-with-audio.mp4 in Copy Resources */,
@@ -604,6 +607,8 @@
52D673EC1AFB126800FA19FE /* WKPageCopySessionStateWithFiltering.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKPageCopySessionStateWithFiltering.cpp; sourceTree = "<group>"; };
52E5CE4514D21E9D003B2BD8 /* ParentFrame.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ParentFrame.cpp; sourceTree = "<group>"; };
52E5CE4814D21EAB003B2BD8 /* ParentFrame_Bundle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ParentFrame_Bundle.cpp; sourceTree = "<group>"; };
+ 57F10D921C7E7B3800ECDF30 /* IsNavigationActionTrusted.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = IsNavigationActionTrusted.mm; sourceTree = "<group>"; };
+ 57F56A5B1C7F8A4000F31D7E /* IsNavigationActionTrusted.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = IsNavigationActionTrusted.html; sourceTree = "<group>"; };
7560917719259C59009EF06E /* MemoryCacheAddImageToCacheIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = MemoryCacheAddImageToCacheIOS.mm; sourceTree = "<group>"; };
75F3133F18C171B70041CAEC /* EphemeralSessionPushStateNoHistoryCallback.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EphemeralSessionPushStateNoHistoryCallback.cpp; sourceTree = "<group>"; };
764322D51B61CCA40024F801 /* WordBoundaryTypingAttributes.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WordBoundaryTypingAttributes.mm; sourceTree = "<group>"; };
@@ -1272,8 +1277,6 @@
BC90977B125571AE00083756 /* Resources */ = {
isa = PBXGroup;
children = (
- 7AE9E5081AE5AE8B00CF874B /* test.pdf */,
- 7A1458FB1AD5C03500E06772 /* mouse-button-listener.html */,
C045F9461385C2F800C0F3CD /* 18-characters.html */,
93D3D19B17B1A7B000C7C415 /* all-content-in-one-iframe.html */,
F6B7BE9617469B7E008A3445 /* associate-form-controls.html */,
@@ -1300,6 +1303,7 @@
2DD7D3AE178227AC0026E1E3 /* lots-of-text-vertical-lr.html */,
930AD401150698B30067970F /* lots-of-text.html */,
51CD1C711B38D48400142CA5 /* modal-alerts-in-new-about-blank-window.html */,
+ 7A1458FB1AD5C03500E06772 /* mouse-button-listener.html */,
33E79E05137B5FCE00E32D99 /* mouse-move-listener.html */,
CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */,
F6FDDDD514241C48004F1729 /* push-state.html */,
@@ -1312,6 +1316,7 @@
51E780371919AFF8001829A2 /* simple3.html */,
CEBABD481B71687C0051210A /* should-open-external-schemes.html */,
C02B7882126615410026BF0F /* spacebar-scrolling.html */,
+ 7AE9E5081AE5AE8B00CF874B /* test.pdf */,
CD59F53319E910BC00CF1835 /* test-mse.mp4 */,
524BBCA019E30C63002F1AF1 /* test.mp4 */,
);
@@ -1377,6 +1382,7 @@
9B4F8FA3159D52B1002D9F94 /* HTMLCollectionNamedItem.mm */,
9B26FC6B159D061000CC3765 /* HTMLFormCollectionNamedItem.mm */,
C507E8A614C6545B005D6B3B /* InspectorBar.mm */,
+ 57F10D921C7E7B3800ECDF30 /* IsNavigationActionTrusted.mm */,
4BB4160116815B2600824238 /* JSWrapperForNodeInWebFrame.mm */,
E1220D9F155B25480013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.mm */,
517E7DFB15110EA600D0B008 /* MemoryCachePruneWithinResourceLoadDelegate.mm */,
@@ -1424,6 +1430,7 @@
CDBFCC421A9FF44800A7B691 /* FullscreenZoomInitialFrame.html */,
9B4F8FA6159D52CA002D9F94 /* HTMLCollectionNamedItem.html */,
9B26FCB4159D15E700CC3765 /* HTMLFormCollectionNamedItem.html */,
+ 57F56A5B1C7F8A4000F31D7E /* IsNavigationActionTrusted.html */,
C2CF975816CEC69E0054E99D /* JSContextBackForwardCache1.html */,
C2CF975916CEC69E0054E99D /* JSContextBackForwardCache2.html */,
E1220DC9155B287D0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html */,
@@ -1859,6 +1866,7 @@
2D8104CC1BEC13E70020DA46 /* FindInPage.mm in Sources */,
CD225C081C45A69200140761 /* ParsedContentRange.cpp in Sources */,
41973B5D1AF22875006C7B36 /* SharedBuffer.cpp in Sources */,
+ 57F10D931C7E7B3800ECDF30 /* IsNavigationActionTrusted.mm in Sources */,
2DD355361BD08378005DF4A7 /* AutoLayoutIntegration.mm in Sources */,
7AA6A1521AAC0B31002B2ED3 /* WorkQueue.cpp in Sources */,
2E7765CF16C4D81100BA2BB1 /* mainMac.mm in Sources */,
Added: trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.html (0 => 197150)
--- trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.html (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.html 2016-02-26 01:22:33 UTC (rev 197150)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+<script>
+function add(a) {
+ try{
+ var c = document.createElement("a");
+ c.setAttribute("href", a);
+ c.setAttribute("style", "display:none;");
+ var b = document.createEvent("MouseEvents");
+ b.initMouseEvent("click", false, false, window, 0, 0, 0, 0, 0, false, false, true, false, 0, null);
+ c.dispatchEvent(b);
+ return true;
+ }catch(q){
+ return false;
+ }
+}
+
+add('http://www.example.com/');
+</script>
+</body>
+</html>
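Review bot: The synthetic click sets only the shiftKey argument, so the Ctrl, Alt and Meta branches behind the new trust gate are never exercised by this fixture. Setting all four modifier arguments would make the zero-modifier assertion cover every dropped flag: `b.initMouseEvent("click", false, false, window, 0, 0, 0, 0, 0, true, true, true, true, 0, null);`. The `catch` branch returns false but the return value of `add()` is ignored, so a thrown exception would presumably leave the native test waiting for a navigation that never arrives instead of failing with a message. Descriptive names in place of `a`, `b`, `c` and `q` would also make the fixture easier to read.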
Added: trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.mm (0 => 197150)
--- trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.mm (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/mac/IsNavigationActionTrusted.mm 2016-02-26 01:22:33 UTC (rev 197150)
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#import "PlatformUtilities.h"
+#import <WebKit/WebKitLegacy.h>
+#import <WebKit/WKWebView.h>
+#import <wtf/RetainPtr.h>
+
+static bool didFinishTest;
+const static NSURL *targetUrl = [[NSURL alloc] initWithString:@"http://www.example.com/"];
+const static unsigned expectedModifierFlags = 0;
+const static int expectedButtonNumber = -1;
+const static int expectedWKButtonNumber = 0; // unlike DOM spec, 0 is the value for no button in Cocoa.
+
+#if WK_API_ENABLED
+
+@interface NavigationActionDelegate : NSObject <WKNavigationDelegate>
+@end
+
+@implementation NavigationActionDelegate
+
+- (void)webView:(WKWebView *)webView decidePolicyForNavigationAction:(WKNavigationAction *)navigationAction decisionHandler:(void (^)(WKNavigationActionPolicy))decisionHandler
+{
+ if ([navigationAction.request.URL isEqual:targetUrl]) {
+ EXPECT_EQ(navigationAction.modifierFlags, expectedModifierFlags);
+ EXPECT_EQ(navigationAction.buttonNumber, expectedWKButtonNumber);
+ didFinishTest = true;
+ }
+
+ decisionHandler(WKNavigationActionPolicyAllow);
+}
+
+@end
+
+#endif
+
+@interface WebPolicyActionDelegate : NSObject <WebPolicyDelegate>
+@end
+
+@implementation WebPolicyActionDelegate
+
+- (void)webView:(WebView *)webView decidePolicyForNavigationAction:(NSDictionary *)actionInformation request:(NSURLRequest *)request frame:(WebFrame *)frame decisionListener:(id<WebPolicyDecisionListener>)listener
+{
+ if ([request.URL isEqual:targetUrl]) {
+ EXPECT_EQ([actionInformation[WebActionModifierFlagsKey] unsignedIntValue], expectedModifierFlags);
+ EXPECT_EQ([actionInformation[WebActionButtonKey] intValue], expectedButtonNumber);
+ didFinishTest = true;
+ }
+
+ [listener use];
+}
+
+@end
+
+namespace TestWebKitAPI {
+
+#if WK_API_ENABLED
+
+TEST(WebKit2, IsNavigationActionTrusted)
+{
+ @autoreleasepool {
+ RetainPtr<WKWebView> webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600)]);
+
+ RetainPtr<NavigationActionDelegate> delegate = adoptNS([[NavigationActionDelegate alloc] init]);
+ [webView setNavigationDelegate:delegate.get()];
+
+ NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"IsNavigationActionTrusted" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+ [webView loadRequest:request];
+
+ didFinishTest = false;
+ Util::run(&didFinishTest);
+ }
+}
+
+#endif
+
+TEST(WebKit1, IsNavigationActionTrusted)
+{
+ @autoreleasepool {
+ RetainPtr<WebView> webView = adoptNS([[WebView alloc] init]);
+
+ RetainPtr<WebPolicyActionDelegate> delegate = adoptNS([[WebPolicyActionDelegate alloc] init]);
+ [webView setPolicyDelegate:delegate.get()];
+ [[webView mainFrame] loadRequest:[NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"IsNavigationActionTrusted" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]]];
+
+ didFinishTest = false;
+ Util::run(&didFinishTest);
+ }
+}
+
+} // namespace TestWebKitAPI
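Review bot: Both TEST bodies clear `didFinishTest` after the load has already been started, so until that line runs the flag holds whatever the previous test left in it, and a policy callback delivered during `loadRequest:` would be overwritten. Move `didFinishTest = false;` ahead of the `loadRequest:` call in each test. There is also no positive control: the assertions only check that an untrusted click reports no modifiers and no button, so a regression that dropped this information for trusted events as well would still pass. Separately, `const static NSURL *targetUrl` makes the pointee const rather than the pointer; `static NSURL * const targetUrl` is the usual spelling.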