Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cherry-pick 47ed6aa. rdar://problem/110801928
Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
https://bugs.webkit.org/show_bug.cgi?id=257824
rdar://108462161

Reviewed by Alex Christensen.

Sandboxed iframes could execute script in a target frame by navigating the frame to a javascript: URL. For example, the top frame when the iframe has the sandbox flag "allow-top-navigation". This change checks to see if the "allow-scripts" flag is set before executing the URL in the target frame.

* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::executeJavaScriptURL):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):

Canonical link: https://commits.webkit.org/259548.813@safari-7615-branch
Identifier: 245886.897@safari-7613.4.1.0-branch
Showing 7 changed files with 100 additions and 5 deletions.
4 changes: 4 additions & 0 deletions
LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
CONSOLE MESSAGE: Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. | ||
Tests that an iframe without "allow-scripts" can not navigate itself to a javascript URL. | ||
|
||
|
21 changes: 21 additions & 0 deletions
LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
<!DOCTYPE html> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.dumpAsText(); | ||
testRunner.waitUntilDone(); | ||
} | ||
</script> | ||
<body> | ||
<p> | ||
Tests that an iframe without "allow-scripts" can not navigate | ||
itself to a javascript URL. | ||
</p> | ||
<iframe id="ifr" sandbox="allow-same-origin" srcdoc="<a href='javascript:alert(`FAIL`)'>Click Me</a>"></iframe> | ||
<script> | ||
ifr.addEventListener("load", () => { | ||
ifr.contentDocument.getElementsByTagName("a")[0].click(); | ||
if (window.testRunner) | ||
testRunner.notifyDone(); | ||
}); | ||
</script> | ||
</body> |
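Review bot: testRunner.notifyDone() runs in the same load handler, directly after click(), so the test has no window in which a late alert(`FAIL`) could be recorded. If the check regressed and the javascript: URL ran on a later turn of the event loop, the failure would show up only as a missing CONSOLE MESSAGE line instead of an explicit alert in the output. Consider deferring notifyDone() behind a zero-delay timer so the failing path is visible in the dump.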
4 changes: 4 additions & 0 deletions
LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
CONSOLE MESSAGE: Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. | ||
Tests that an iframe with "allow-top-navigation" but without "allow-scripts" can not navigate the top frame to a javascript URL. | ||
|
||
|
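Review bot: the expected CONSOLE MESSAGE reports the block in 'about:srcdoc', although this test aims the javascript: URL at the top frame with target='_top'. If attributing the message to the requesting frame's document is intentional, a short comment in the test saying so would help anyone reading the console output while debugging; otherwise the message should name the document where execution was prevented.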
21 changes: 21 additions & 0 deletions
LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
<!DOCTYPE html> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.dumpAsText(); | ||
testRunner.waitUntilDone(); | ||
} | ||
</script> | ||
<body> | ||
<p> | ||
Tests that an iframe with "allow-top-navigation" but without "allow-scripts" | ||
can not navigate the top frame to a javascript URL. | ||
</p> | ||
<iframe id="ifr" sandbox="allow-same-origin allow-top-navigation" srcdoc="<a href='javascript:alert(`FAIL`)' target='_top'>Click Me</a>"></iframe> | ||
<script> | ||
ifr.addEventListener("load", () => { | ||
ifr.contentDocument.getElementsByTagName("a")[0].click(); | ||
if (window.testRunner) | ||
testRunner.notifyDone(); | ||
}); | ||
</script> | ||
</body> |
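Review bot: the only pass signal here is that alert(`FAIL`) does not appear; nothing checks that the top document is still the test page after the click on the target='_top' link. Consider adding an explicit check in the top frame after the click (for example that the descriptive paragraph is still present) so a regression that replaces the top document is reported directly. A second case using sandbox="allow-same-origin allow-top-navigation-by-user-activation" would also be worth adding, since the commit message describes the problem for target frames in general and this file covers only the "allow-top-navigation" flag.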