Cherry-pick 259548.802@safari-7615-branch (bc09b6f). https://bugs.webkit.org/show_bug.cgi?id=257331

Framed pages have ability to bypass Mixed Content restrictions
https://bugs.webkit.org/show_bug.cgi?id=257331
rdar://109100886

Reviewed by Brent Fulgham.

It is possible to bypass mixed content restrictions in pages which are framed. There are actually two issues here: secure frames embedded in insecure frames can bypass and frames which are sandboxed can bypass.

In the former case we are only checking for mixed content in the frame making the request as well as the top frame. So if an insecure frame embeds a secure frame, that secure frame could then embed an insecure frame and make mixed content requests without being blocked since the middle frame is not checked against the URL for mixed content.

For the latter case we check whether or not the security origin of the requestor has an "https" protocol. The problem is sandboxed iframes are given an opaque origin which does not have the "https" protocol (or any protocol for that matter) and so we were skipping the mixed content check.

This patch cleans up the MixedContentChecker implementation and fixes these two methods of bypass. This is accomplished by 1) checking the entire ancestor frame path from the requestor up to the top frame and 2) considering what the protocol of the security origin for the frame making the request would have been if it were not opaque.

We special case a main resource load in the DocumentLoader by checking for mixed content starting from the parent frame. Otherwise we would block an insecure main frame from navigating a secure iframe to an insecure URL which is allowed by other browser engines.

LayoutTests/http/tests/security: Rewrote some tests to no longer use HTTP iframes in HTTPS frames which is now blocked. These changes also include new console output for mixed content blocking messages.

* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt: Removed.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html: Removed. This test is no longer needed. We now block loading an HTTP iframe in a middle HTTPS frame so the innermost frame would never have a chance to load a worker anyway.
* LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt:

LayoutTests/platform: Updated platform-specific expectations.

* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::parseAttribute):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):

Source/WebCore/loader/MixedContentChecker: Refactor the MixedContentChecker to expose a more clear API. isMixedContent was never called by client code and canDisplay and canShow functions should be more clear that they will be checking the entire frame ancestor hierarchy so clients don't try to do that themselves. Move helpers to be static functions in the .cpp file.

* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::isMixedContent):
(WebCore::foundMixedContentInFrameTree):
(WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::checkFormForMixedContent):
(WebCore::MixedContentChecker::checkForMixedContentInFrameTree): Deleted.
(WebCore::MixedContentChecker::isMixedContent): Deleted.
(WebCore::MixedContentChecker::canDisplayInsecureContent): Deleted.
(WebCore::MixedContentChecker::canRunInsecureContent): Deleted.
* Source/WebCore/loader/MixedContentChecker.h:
* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):

Canonical link: https://commits.webkit.org/259548.802@safari-7615-branch
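As an added illustration that is not part of this commit or of WebKit's code, the following C++ model contrasts the old check the commit message describes (requestor plus top frame only, with opaque origins skipped) against the fixed walk over every ancestor that judges a sandboxed frame by the scheme of its URL, and includes the DocumentLoader main-resource special case. Frame URLs, host names and all function names are constructed for the example, and only https is treated as a secure scheme.

```cpp
// Constructed model (not WebKit's code) of the two MixedContentChecker fixes in the
// commit message: consult every ancestor frame, and judge an opaque-origin frame by its URL.
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Frame {
    std::string url;          // URL the frame's document was loaded from
    bool sandboxed = false;   // sandbox attribute => opaque security origin
    Frame* parent = nullptr;
    std::vector<std::unique_ptr<Frame>> children;
    Frame& embed(const std::string& childUrl, bool sandbox = false) {
        children.push_back(std::make_unique<Frame>(Frame{childUrl, sandbox, this}));
        return *children.back();
    }
};
static bool hasScheme(const std::string& url, const char* scheme) {  // simplified: https is the only secure scheme
    return url.rfind(std::string(scheme) + "://", 0) == 0;
}
// Origin protocol as the old code saw it: an opaque (sandboxed) origin reports none.
static std::string originProtocol(const Frame& f) {
    return f.sandboxed ? std::string() : f.url.substr(0, f.url.find(':'));
}
// Old check: only the requesting frame and the top frame were consulted, and any frame whose origin protocol was not "https" was skipped.
static bool oldCheckerBlocks(const Frame& requestor, const std::string& resourceUrl) {
    if (hasScheme(resourceUrl, "https")) return false;
    const Frame* top = &requestor;
    while (top->parent) top = top->parent;
    return originProtocol(requestor) == "https" || originProtocol(*top) == "https";
}
// Fixed check: walk from the requestor up to the top frame, judging each by its URL scheme (the protocol its origin would have if it were not opaque).
static bool fixedCheckerBlocks(const Frame& requestor, const std::string& resourceUrl) {
    if (hasScheme(resourceUrl, "https")) return false;
    for (const Frame* f = &requestor; f; f = f->parent)
        if (hasScheme(f->url, "https")) return true;
    return false;
}
// Main-resource loads (the DocumentLoader special case) start the check at the parent of
// the navigated frame, so an insecure main frame may still navigate a secure iframe to http.
static bool fixedCheckerBlocksNavigation(const Frame& target, const std::string& newUrl) {
    return target.parent && fixedCheckerBlocks(*target.parent, newUrl);
}
static const std::string kScript = "http://insecure.test/script.js";  // constructed resource URL
// Bypass 1: http top -> https middle -> http inner, and the inner frame requests an http script.
static bool secureMiddleFrameBypassFixed() {
    Frame top{"http://insecure.test/"};
    Frame& inner = top.embed("https://secure.test/mid.html").embed("http://insecure.test/inner.html");
    return !oldCheckerBlocks(inner, kScript) && fixedCheckerBlocks(inner, kScript);
}
// Bypass 2: a sandboxed https frame has no origin protocol, so the old check skipped it.
static bool sandboxedFrameBypassFixed() {
    Frame top{"http://insecure.test/"};
    Frame& boxed = top.embed("https://secure.test/frame.html", /*sandbox=*/true);
    return !oldCheckerBlocks(boxed, kScript) && fixedCheckerBlocks(boxed, kScript);
}
// The https middle frame now blocks an http child load, while the http main frame may
// still navigate its https iframe to an http URL.
static bool navigationRulesHold() {
    Frame top{"http://insecure.test/"};
    Frame& mid = top.embed("https://secure.test/mid.html");
    Frame& child = mid.embed("about:blank");
    return fixedCheckerBlocksNavigation(child, "http://insecure.test/inner.html")
        && !fixedCheckerBlocksNavigation(mid, "http://insecure.test/other.html");
}
int main() {  // prints "1 1 1" when all three scenarios behave as the commit message describes
    std::printf("%d %d %d\n", secureMiddleFrameBypassFixed(), sandboxedFrameBypassFixed(), navigationRulesHold());
}
```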
1 parent cb67dbb, commit 36a57b9
Showing 75 changed files with 354 additions and 240 deletions.
2 changes: 1 addition & 1 deletion
...ts/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...tTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...tTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ferrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...utTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ttp/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
.../http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy/origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http.https-expected.txt
2 changes: 1 addition & 1 deletion
...ecurity/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt
13 changes: 6 additions & 7 deletions
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,15 @@ | ||
frame "<!--frame1-->" - didStartProvisionalLoadForFrame | ||
main frame - didFinishDocumentLoadForFrame | ||
frame "<!--frame1-->" - didStartProvisionalLoadForFrame | ||
frame "<!--frame1-->" - didCommitLoadForFrame | ||
frame "<!--frame2-->" - didStartProvisionalLoadForFrame | ||
frame "<!--frame1-->" - didFinishDocumentLoadForFrame | ||
frame "<!--frame2-->" - didCommitLoadForFrame | ||
frame "<!--frame2-->" - didFinishDocumentLoadForFrame | ||
frame "<!--frame2-->" - didHandleOnloadEventsForFrame | ||
frame "<!--frame2-->" - didStartProvisionalLoadForFrame | ||
CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-frame.html was not allowed to display insecure content from http://127.0.0.1:8080/security/mixedContent/resources/boring.html. | ||
|
||
frame "<!--frame1-->" - didHandleOnloadEventsForFrame | ||
main frame - didHandleOnloadEventsForFrame | ||
frame "<!--frame2-->" - didFinishLoadForFrame | ||
frame "<!--frame2-->" - didFailProvisionalLoadWithError | ||
frame "<!--frame1-->" - didFinishLoadForFrame | ||
main frame - didFinishLoadForFrame | ||
This test loads a secure iframe that loads an insecure iframe. We should *not* get a mixed content callback becase the main frame is HTTP and the grandchild iframe doesn't contaminate the child iframe's security origin with mixed content. | ||
This test loads a secure iframe that loads an insecure iframe. We should get a mixed content callback becase the secure inner frame should block mixed content. | ||
|
||
|
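Review bot: the spelling error "becase" in the rewritten description line ("We should get a mixed content callback becase the secure inner frame should block mixed content.") is carried over from the old line; because this expectation mirrors the <p> text of insecure-iframe-in-iframe.html, fix it in both the test page and this file in the same change so the dump keeps matching.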
15 changes: 15 additions & 0 deletions
...utTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
main frame - didFinishDocumentLoadForFrame | ||
main frame - didHandleOnloadEventsForFrame | ||
frame "<!--frame1-->" - didStartProvisionalLoadForFrame | ||
frame "<!--frame1-->" - didCommitLoadForFrame | ||
frame "<!--frame1-->" - didFinishDocumentLoadForFrame | ||
frame "<!--frame2-->" - didStartProvisionalLoadForFrame | ||
CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html was not allowed to display insecure content from http://127.0.0.1:8080/security/mixedContent/resources/boring.html. | ||
|
||
frame "<!--frame1-->" - didHandleOnloadEventsForFrame | ||
frame "<!--frame2-->" - didFailProvisionalLoadWithError | ||
frame "<!--frame1-->" - didFinishLoadForFrame | ||
main frame - didFinishLoadForFrame | ||
This test embeds a secure iframe which tries to open mixed content. We should block mixed content even though the parent frame is insecure because the middle frame is HTTPS. | ||
|
||
|
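Review bot: the description line at the end of this expectation ("We should block mixed content even though the parent frame is insecure because the middle frame is HTTPS.") never mentions that the middle frame is sandboxed, which is the second bypass this commit fixes and the only thing distinguishing this test from insecure-iframe-in-iframe-expected.txt; suggest wording such as "because the middle frame is HTTPS, even though its sandbox attribute gives it an opaque origin", changed in the <p> of the .html test as well since the dump includes that text.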
29 changes: 29 additions & 0 deletions
LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe.html
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<!DOCTYPE html> | ||
<body> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.waitUntilDone(); | ||
testRunner.dumpAsText(); | ||
testRunner.dumpFrameLoadCallbacks(); | ||
} | ||
</script> | ||
|
||
<p>This test embeds a secure iframe which tries to open mixed content. | ||
We should block mixed content even though the parent frame is insecure | ||
because the middle frame is HTTPS.</p> | ||
|
||
<script> | ||
onload = function() { | ||
let ifr = document.createElement("iframe"); | ||
ifr.sandbox = "allow-scripts"; | ||
|
||
ifr.onload = function() { | ||
if (window.testRunner) | ||
testRunner.notifyDone(); | ||
}; | ||
ifr.src = "https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-iframe.html"; | ||
|
||
document.body.appendChild(ifr); | ||
}; | ||
</script> | ||
</body> |
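Review bot: testRunner.notifyDone() is called from the outer iframe's onload, yet the matching -expected.txt lists the inner frame's didFailProvisionalLoadWithError after frame "<!--frame1-->" - didHandleOnloadEventsForFrame, so the expectation relies on the blocked child's failure callback landing before the dump. If that ordering is not guaranteed by the loader, have frame-with-insecure-iframe.html postMessage the parent from its own iframe's load/error handler and call notifyDone on that message instead of on ifr.onload.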
2 changes: 1 addition & 1 deletion
...s/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-data-url-frame-with-script.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js. | ||
CONSOLE MESSAGE: [blocked] The page at data:text/html,<html><script src='http://127.0.0.1:8080/security/mixedContent/resources/script.js'></script></html> was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js. | ||
|
||
This test opens a window that loads a data: iframe that loads an insecure script, and that the script is still blocked. Although the data: frame has a separate origin, the script can still navigate top. |
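Review bot: the rewritten console message now attributes the block to the data: document and embeds its complete inline markup ("data:text/html,<html><script src='http://127.0.0.1:8080/...'></script></html>") in the expectation, so any edit to the inline HTML in frame-with-data-url-frame-with-script.html will silently fail this test; confirm that reporting the data: frame rather than the https parent is the intended developer-facing message, and mention this reporting change in the commit message, which lists this file without a description.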
5 changes: 0 additions & 5 deletions
LayoutTests/http/tests/security/referrer-policy-https-always-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
This test checks the always referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always | ||
|
||
|
||
|
||
-------- | ||
Frame: '<!--frame1-->' | ||
-------- | ||
HTTP Referer header is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always | ||
Referrer is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always | ||
|
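Review bot: with the Frame: '<!--frame1-->' block and both referrer lines removed, this expectation no longer contains a printed referrer at all, while the unchanged first line still says "The test passes if the printed referrer is https://127.0.0.1:8443/security/resources/referrer-policy-start.html?always"; as written the test cannot tell the always policy being honoured from the navigation simply being blocked. Either update the description to state that the HTTPS-to-HTTP iframe navigation is now blocked, or rewrite the test (as the commit message says was done for other tests) to do the downgrade as a top-level navigation, which has no parent frame and so is not subject to the check, so the referrer lines come back.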
5 changes: 0 additions & 5 deletions
LayoutTests/http/tests/security/referrer-policy-https-default-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
This test checks the default referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty. | ||
|
||
|
||
|
||
-------- | ||
Frame: '<!--frame1-->' | ||
-------- | ||
HTTP Referer header is empty | ||
Referrer is empty | ||
|
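Review bot: the expected "empty" referrer is now satisfied vacuously, because the lines "HTTP Referer header is empty" and "Referrer is empty" are removed together with the frame block; a regression that leaked the referrer on the HTTPS-to-HTTP step would still pass as long as the insecure iframe navigation stays blocked. Consider performing the downgrade as a top-level navigation so the test keeps an observable referrer check.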
5 changes: 0 additions & 5 deletions
LayoutTests/http/tests/security/referrer-policy-https-never-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
This test checks the never referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty. | ||
|
||
|
||
|
||
-------- | ||
Frame: '<!--frame1-->' | ||
-------- | ||
HTTP Referer header is empty | ||
Referrer is empty | ||
|
5 changes: 0 additions & 5 deletions
LayoutTests/http/tests/security/referrer-policy-https-no-referrer-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
This test checks the default referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty. | ||
|
||
|
||
|
||
-------- | ||
Frame: '<!--frame1-->' | ||
-------- | ||
HTTP Referer header is empty | ||
Referrer is empty | ||
|
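Review bot: the unchanged description line still reads "This test checks the default referrer policy", although this file is the no-referrer expectation (referrer-policy-https-no-referrer-expected.txt); since this hunk already rewrites the file, correct the copy-paste to "the no-referrer referrer policy" here and in the corresponding test page.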
5 changes: 0 additions & 5 deletions
...utTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
This test checks the default referrer policy when navigating from a secure URL to an insecure URL. The test passes if the printed referrer is empty. | ||
|
||
|
||
|
||
-------- | ||
Frame: '<!--frame1-->' | ||
-------- | ||
HTTP Referer header is empty | ||
Referrer is empty | ||
|
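Review bot: the description line still says "the default referrer policy" while this is the no-referrer-when-downgrade expectation, so the wording should name the policy under test. This policy is also the one whose whole point is the HTTPS-to-HTTP downgrade, so removing the frame output leaves the file with no observable check of that downgrade behaviour; a top-level downgrade navigation would keep the referrer lines in the dump.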