Cherry-pick 259548.823@safari-7615-branch (18a05c4). https://bugs.webkit.org/show_bug.cgi?id=257903

Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
https://bugs.webkit.org/show_bug.cgi?id=257903
rdar://109059471

Reviewed by Brent Fulgham.

If a third-party iframe is unsandboxed we will prevent top navigation without user interaction with the frame. However, this is bypassable if the iframe gives itself a sandbox which allows top navigation via CSP. This change checks to see if the iframe element was unsandboxed and proceeds with the more strict third-party checks if so.

* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
* LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):

Canonical link: https://commits.webkit.org/259548.823@safari-7615-branch
1 parent 4b892d2, commit 686e5d9. Showing 4 changed files with 44 additions and 2 deletions.
13 changes: 13 additions & 0 deletions
...urity/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
@@ -0,0 +1,13 @@ | ||
CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html' from frame with URL 'http://127.0.0.1:8000/security/resources/attempt-top-level-navigation-with-csp.py'. The frame attempting navigation of the top-level window is cross-origin or untrusted and the user has never interacted with the frame. | ||
|
||
CONSOLE MESSAGE: SecurityError: The operation is insecure. | ||
Test blocking of top-level navigations by a third-party iframe which gives itself a sandbox which allows top navigation via CSP. | ||
|
||
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". | ||
|
||
|
||
PASS All navigations by subframes have been blocked | ||
PASS successfullyParsed is true | ||
|
||
TEST COMPLETE | ||
|
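Review bot: this expected output is the only real assertion in the test, because the companion .html calls testPassed unconditionally after a timer; the two console lines ('Unsafe JavaScript attempt to initiate navigation ...' and 'SecurityError: The operation is insecure.') are what actually prove the navigation was refused, so any rewording of that console message in Document.cpp will require regenerating this file. A sentence in the test description saying that the console messages carry the check would make that dependency explicit for whoever next touches the message text.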
17 changes: 17 additions & 0 deletions
...ests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
@@ -0,0 +1,17 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<body> | ||
<script src="/js-test-resources/js-test.js"></script> | ||
<script> | ||
description("Test blocking of top-level navigations by a third-party iframe which gives itself a sandbox which allows top navigation via CSP."); | ||
jsTestIsAsync = true; | ||
onload = () => { | ||
setTimeout(() => { | ||
testPassed("All navigations by subframes have been blocked"); | ||
finishJSTest(); | ||
}, 10); | ||
}; | ||
</script> | ||
<iframe id="testFrame" src="/security/resources/attempt-top-level-navigation-with-csp.py"></iframe> | ||
</body> | ||
</html> |
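Review bot: `testPassed("All navigations by subframes have been blocked");` fires unconditionally 10 ms after load, so a regression would surface only as the top document navigating away and the run producing no output, never as an explicit FAIL line; the block is synchronous (see the SecurityError in the expectation), so the timer is a safety margin rather than a check, and a comment saying so would stop a future reader from "fixing" it. Separately, the iframe here is same-host (both pages are on 127.0.0.1:8000) and becomes untrusted only through its own CSP sandbox; since the navigation target already uses localhost:8000, a second variant that hosts the iframe on localhost would also cover the literally third-party frame that the commit message describes.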
10 changes: 10 additions & 0 deletions
LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/env python3 | ||
|
||
import sys | ||
|
||
sys.stdout.write( | ||
'Content-Security-Policy: sandbox allow-scripts allow-top-navigation\r\n' | ||
'Content-Type: text/html\r\n\r\n' | ||
'<!DOCTYPE html>\n' | ||
'<script>top.location = "http://localhost:8000/security/resources/should-not-have-loaded.html";</script>\n' | ||
) |
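Review bot: the policy `sandbox allow-scripts allow-top-navigation` deliberately omits allow-same-origin, so the self-sandboxed document ends up with an opaque origin; since the fix keys on whether the iframe element was unsandboxed rather than on the document's effective origin, a sibling resource that also sets allow-same-origin would confirm the stricter path is taken even when the sandboxed document keeps its origin. Minor: the bare sys.stdout.write with '\r\n' separators and no status line follows the test server's CGI convention, and a one-line comment noting that the Content-Security-Policy header must come before the blank line (and that the body is intentionally a single top.location assignment) would help future readers.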