Cherry-pick r256191. rdar://problem/59447003

Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Identifier: 220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Identifier: 218903.387@safari-609-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256896 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Feb 19, 2020 · e2fdf1a · e2fdf1a
1 parent 6c302f6
commit e2fdf1a
Show file tree

Hide file tree

Showing 39 changed files with 1,301 additions and 78 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,150 @@
+2020-02-18  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r256191. rdar://problem/59447003
+
+    Disallow setting base URL to a data or JavaScript URL
+    https://bugs.webkit.org/show_bug.cgi?id=207136
+
+    Source/WebCore:
+
+    Reviewed by Brent Fulgham.
+
+    Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>.
+
+    Block setting the base URL to a data URL or JavaScript URL as such usage is questionable.
+    This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the
+    discussion in <https://github.com/whatwg/html/issues/2249>.
+
+    On Mac and iOS, this restriction is applied only to apps linked against a future SDK to
+    avoid breaking shipped apps.
+
+    For all other ports, this restriction is enabled by default.
+
+    Tests: fast/url/relative2.html
+           fast/url/segments-from-data-url2.html
+           http/tests/security/allowed-base-url-data-url-via-setting.html
+           http/tests/security/denied-base-url-data-url.html
+           http/tests/security/denied-base-url-javascript-url.html
+
+    * dom/Document.cpp:
+    (WebCore::Document::processBaseElement): Condition updating the parsed
+    base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise,
+    do what we do now. If the scheme is disallowed then log a message to the console to
+    explain this to web developers.
+    * html/parser/HTMLPreloadScanner.cpp:
+    (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL
+    to updatePredictedBaseURL(). This depends on whether the setting is enabled or not.
+    (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to
+    whether to apply restrictions. If restrictions are not to be applied do what we do now.
+    Otherwise, only do what we do now if the scheme for the predicated base URL is allowed.
+    * html/parser/HTMLPreloadScanner.h:
+    * page/SecurityPolicy.cpp:
+    (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added.
+    * page/SecurityPolicy.h:
+    * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme.
+
+    Source/WebKit:
+
+    Reviewed by Brent Fulgham.
+
+    Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps.
+
+    * Shared/WebPreferences.yaml:
+    * UIProcess/API/Cocoa/WKWebView.mm:
+    (shouldRestrictBaseURLSchemes): Added.
+    (-[WKWebView _setupPageConfiguration:]): Update settings.
+    * UIProcess/Cocoa/VersionChecks.h:
+
+    Source/WebKitLegacy/mac:
+
+    Reviewed by Brent Fulgham.
+
+    Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps.
+
+    * Misc/WebKitVersionChecks.h:
+    * WebView/WebView.mm:
+    (shouldRestrictBaseURLSchemes): Added.
+    (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings.
+
+    Source/WTF:
+
+    Reviewed by Brent Fulgham.
+
+    Add some more macro definitions.
+
+    * wtf/spi/darwin/dyldSPI.h:
+
+    LayoutTests:
+
+    RReviewed by Brent Fulgham.
+
+    Add some tests. Update others to toggle the setting to apply or unapply the new behavior.
+
+    The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html,
+    included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>.
+
+    * fast/url/relative-expected.txt:
+    * fast/url/relative.html:
+    * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt.
+    * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html.
+    * fast/url/resources/utilities.js:
+    (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching.
+    Otherwise, file URLs could be machine-specific.
+    (canonicalizedPathname): Added.
+    (segments): Modified to optionally call canonicalizedPathname.
+    (canonicalize): Ditto.
+    * fast/url/segments-from-data-url-expected.txt:
+    * fast/url/segments-from-data-url.html:
+    * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt.
+    * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html.
+    * fetch/fetch-url-serialization-expected.txt:
+    * http/tests/plugins/navigation-during-load-embed.html:
+    * http/tests/plugins/navigation-during-load.html:
+    * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added.
+    * http/tests/security/allowed-base-url-data-url-via-setting.html: Added.
+    * http/tests/security/denied-base-url-data-url-expected.txt: Added.
+    * http/tests/security/denied-base-url-data-url.html: Added.
+    * http/tests/security/denied-base-url-javascript-url-expected.txt: Added.
+    * http/tests/security/denied-base-url-javascript-url.html: Added.
+
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-02-10  Daniel Bates  <dabates@apple.com>
+
+            Disallow setting base URL to a data or JavaScript URL
+            https://bugs.webkit.org/show_bug.cgi?id=207136
+
+            RReviewed by Brent Fulgham.
+
+            Add some tests. Update others to toggle the setting to apply or unapply the new behavior.
+
+            The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html,
+            included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>.
+
+            * fast/url/relative-expected.txt:
+            * fast/url/relative.html:
+            * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt.
+            * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html.
+            * fast/url/resources/utilities.js:
+            (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching.
+            Otherwise, file URLs could be machine-specific.
+            (canonicalizedPathname): Added.
+            (segments): Modified to optionally call canonicalizedPathname.
+            (canonicalize): Ditto.
+            * fast/url/segments-from-data-url-expected.txt:
+            * fast/url/segments-from-data-url.html:
+            * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt.
+            * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html.
+            * fetch/fetch-url-serialization-expected.txt:
+            * http/tests/plugins/navigation-during-load-embed.html:
+            * http/tests/plugins/navigation-during-load.html:
+            * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added.
+            * http/tests/security/allowed-base-url-data-url-via-setting.html: Added.
+            * http/tests/security/denied-base-url-data-url-expected.txt: Added.
+            * http/tests/security/denied-base-url-data-url.html: Added.
+            * http/tests/security/denied-base-url-javascript-url-expected.txt: Added.
+            * http/tests/security/denied-base-url-javascript-url.html: Added.
+
 2020-02-17  Alan Coon  <alancoon@apple.com>
 
         Cherry-pick r256435. rdar://problem/59446986

diff --git a/LayoutTests/fast/url/relative-expected.txt b/LayoutTests/fast/url/relative-expected.txt
@@ -1,3 +1,9 @@
+CONSOLE MESSAGE: line 50: Blocked setting data:foobar as the base URL because it does not have an allowed scheme.
+CONSOLE MESSAGE: line 50: Blocked setting data:foobar as the base URL because it does not have an allowed scheme.
+CONSOLE MESSAGE: line 50: Blocked setting data:foobar as the base URL because it does not have an allowed scheme.
+CONSOLE MESSAGE: line 50: Blocked setting data:foobar as the base URL because it does not have an allowed scheme.
+CONSOLE MESSAGE: line 50: Blocked setting data:foobar as the base URL because it does not have an allowed scheme.
+CONSOLE MESSAGE: line 50: Blocked setting data:asdf as the base URL because it does not have an allowed scheme.
 Test resolution of relative URLs.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
@@ -38,15 +44,15 @@ PASS canonicalize('?foo=bar#com') is 'http://host/a?foo=bar#com'
 PASS canonicalize('#ref') is 'http://host/a#ref'
 PASS canonicalize('#') is 'http://host/a#'
 PASS canonicalize('#bye') is 'http://host/a?foo=bar#bye'
-FAIL canonicalize('baz.html') should be . Was baz.html.
+PASS canonicalize('baz.html') is 'file:///.../baz.html'
 PASS canonicalize('data:baz') is 'data:baz'
 PASS canonicalize('data:/base') is 'data:/base'
 PASS canonicalize('http://host/') is 'http://host/'
 PASS canonicalize('http:host') is 'http://host/'
 PASS canonicalize('./asd:fgh') is 'http://foo/asd:fgh'
 PASS canonicalize(':foo') is 'http://foo/:foo'
 PASS canonicalize(' hello world') is 'http://foo/hello%20world'
-FAIL canonicalize(':foo') should be . Was :foo.
+PASS canonicalize(':foo') is 'file:///.../:foo'
 PASS canonicalize(';foo') is 'http://host/;foo'
 PASS canonicalize(';foo') is 'http://host/;foo'
 PASS canonicalize(';/../bar') is 'http://host/bar'
@@ -58,6 +64,7 @@ FAIL canonicalize('//') should be http:. Was //.
 PASS canonicalize('\\/another/path') is 'http://another/path'
 PASS canonicalize('/\\Another\\path') is 'http://another/path'
 PASS successfullyParsed is true
+Some tests failed.
 
 TEST COMPLETE
 
diff --git a/LayoutTests/fast/url/relative.html b/LayoutTests/fast/url/relative.html
@@ -1,11 +1,14 @@
 <!DOCTYPE html>
 <html>
 <head>
-<script src="../../resources/js-test-pre.js"></script>
+<script src="../../resources/js-test.js"></script>
 <script src="resources/utilities.js"></script>
 </head>
 <body>
 <script>
+if (window.internals && internals.settings)
+  internals.settings.setShouldRestrictBaseURLSchemes(true);
+
 description("Test resolution of relative URLs.");
 
 cases = [ 
@@ -57,7 +60,7 @@
   ["http://host/a?foo=bar#hello", "#bye", "http://host/a?foo=bar#bye"],
   // Non-hierarchical base: no relative handling. Relative input should
   // error, and if a scheme is present, it should be treated as absolute.
-  ["data:foobar", "baz.html", ""],
+  ["data:foobar", "baz.html", "file:///.../baz.html"],
   ["data:foobar", "data:baz", "data:baz"],
   ["data:foobar", "data:/base", "data:/base"],
   // Non-hierarchical base: absolute input should succeed.
@@ -67,7 +70,7 @@
   ["http://foo/bar", "./asd:fgh", "http://foo/asd:fgh"],
   ["http://foo/bar", ":foo", "http://foo/:foo"],
   ["http://foo/bar", " hello world", "http://foo/hello%20world"],
-  ["data:asdf", ":foo", ""],
+  ["data:asdf", ":foo", "file:///.../:foo"],
   // We should treat semicolons like any other character in URL resolving
   ["http://host/a", ";foo", "http://host/;foo"],
   ["http://host/a;", ";foo", "http://host/;foo"],
@@ -87,6 +90,7 @@
 ];
 
 var originalBaseURL = canonicalize(".");
+setShouldEllipsizeFileURLPaths(true);
 
 for (var i = 0; i < cases.length; ++i) {
   baseURL = cases[i][0];
@@ -99,6 +103,5 @@
 
 setBaseURL(originalBaseURL);
 </script>
-<script src="../../resources/js-test-post.js"></script>
 </body>
 </html>
diff --git a/LayoutTests/fast/url/relative2-expected.txt b/LayoutTests/fast/url/relative2-expected.txt
@@ -0,0 +1,63 @@
+Test resolution of relative URLs.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS canonicalize('http://another/') is 'http://another/'
+PASS canonicalize('http:////another/') is 'http://another/'
+PASS canonicalize('') is 'http://foo/bar'
+PASS canonicalize('') is 'http://foo/bar'
+PASS canonicalize('') is 'http://foo/bar'
+PASS canonicalize('  another  ') is 'http://foo/another'
+PASS canonicalize('  .  ') is 'http://foo/'
+PASS canonicalize(' 	 ') is 'http://foo/bar'
+PASS canonicalize('http:path') is 'http://host/path'
+PASS canonicalize('http:path') is 'http://host/a/path'
+PASS canonicalize('http:/path') is 'http://host/path'
+PASS canonicalize('HTTP:/path') is 'http://host/path'
+PASS canonicalize('https:host2') is 'https://host2/'
+PASS canonicalize('htto:/host2') is 'htto:/host2'
+PASS canonicalize('/b/c/d') is 'http://host/b/c/d'
+PASS canonicalize('\\b\\c\\d') is 'http://host/b/c/d'
+PASS canonicalize('/b/../c') is 'http://host/c'
+PASS canonicalize('/b/../c') is 'http://host/c'
+PASS canonicalize('\\b/../c?x#y') is 'http://host/c?x#y'
+PASS canonicalize('/b/../c?x#y') is 'http://host/c?x#y'
+PASS canonicalize('b') is 'http://host/b'
+PASS canonicalize('bc/de') is 'http://host/bc/de'
+PASS canonicalize('bc/de?query#ref') is 'http://host/a/bc/de?query#ref'
+PASS canonicalize('.') is 'http://host/a/'
+PASS canonicalize('..') is 'http://host/'
+PASS canonicalize('./..') is 'http://host/'
+PASS canonicalize('../.') is 'http://host/'
+PASS canonicalize('././.') is 'http://host/a/'
+PASS canonicalize('../../../foo') is 'http://host/foo'
+PASS canonicalize('?foo=bar') is 'http://host/a?foo=bar'
+PASS canonicalize('?') is 'http://host/a?'
+PASS canonicalize('?foo=bar#com') is 'http://host/a?foo=bar#com'
+PASS canonicalize('#ref') is 'http://host/a#ref'
+PASS canonicalize('#') is 'http://host/a#'
+PASS canonicalize('#bye') is 'http://host/a?foo=bar#bye'
+FAIL canonicalize('baz.html') should be . Was baz.html.
+PASS canonicalize('data:baz') is 'data:baz'
+PASS canonicalize('data:/base') is 'data:/base'
+PASS canonicalize('http://host/') is 'http://host/'
+PASS canonicalize('http:host') is 'http://host/'
+PASS canonicalize('./asd:fgh') is 'http://foo/asd:fgh'
+PASS canonicalize(':foo') is 'http://foo/:foo'
+PASS canonicalize(' hello world') is 'http://foo/hello%20world'
+FAIL canonicalize(':foo') should be . Was :foo.
+PASS canonicalize(';foo') is 'http://host/;foo'
+PASS canonicalize(';foo') is 'http://host/;foo'
+PASS canonicalize(';/../bar') is 'http://host/bar'
+PASS canonicalize('//another') is 'http://another/'
+PASS canonicalize('//another/path?query#ref') is 'http://another/path?query#ref'
+PASS canonicalize('///another/path') is 'http://another/path'
+PASS canonicalize('//Another\\path') is 'http://another/path'
+FAIL canonicalize('//') should be http:. Was //.
+PASS canonicalize('\\/another/path') is 'http://another/path'
+PASS canonicalize('/\\Another\\path') is 'http://another/path'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+