Fix #6315 - block certain data URL as top-level navigation (#6341)

* Fix #6315 - disallow data URL as top-level navigation * Allow certain types of data URLs and add test case * minor fixup
mozilla-mobile · Apr 2, 2020 · c0fd379 · c0fd379
1 parent 8350f11
commit c0fd379
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 2 deletions.
diff --git a/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift b/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift
@@ -431,10 +431,36 @@ extension BrowserViewController: WKNavigationDelegate {
             return
         }
 
+        // https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
+        if url.scheme == "data" {
+            let url = url.absoluteString
+            // Allow certain image types
+            if url.hasPrefix("data:image/") && !url.hasPrefix("data:image/svg+xml") {
+                decisionHandler(.allow)
+                return
+            }
+
+            // Allow certain application types
+            if url.hasPrefix("data:application/pdf") || url.hasPrefix("data:application/json") {
+                decisionHandler(.allow)
+                return
+            }
+
+            // Allow plain text types.
+            // Note the format of data URLs is `data:[<media type>][;base64],<data>` with empty <media type> indicating plain text.
+            if url.hasPrefix("data:;base64,") || url.hasPrefix("data:,") || url.hasPrefix("data:text/plain,") || url.hasPrefix("data:text/plain;") {
+                decisionHandler(.allow)
+                return
+            }
+
+            decisionHandler(.cancel)
+            return
+        }
+
         // This is the normal case, opening a http or https url, which we handle by loading them in this WKWebView. We
         // always allow this. Additionally, data URIs are also handled just like normal web pages.
 
-        if ["http", "https", "data", "blob", "file"].contains(url.scheme) {
+        if ["http", "https", "blob", "file"].contains(url.scheme) {
             if navigationAction.targetFrame?.isMainFrame ?? false {
                 tab.changedUserAgent = Tab.ChangeUserAgent.contains(url: url)
             }

diff --git a/UITests/SecurityTests.swift b/UITests/SecurityTests.swift
@@ -120,9 +120,35 @@ class SecurityTests: KIFTestCase {
         XCTAssertEqual(webView.url!.absoluteString, url)
     }
 
+      func closeAllTabs() {
+        let closeButtonMatchers: [GREYMatcher] =
+            [grey_accessibilityID("TabTrayController.deleteButton.closeAll"),
+            grey_kindOfClass(NSClassFromString("_UIAlertControllerActionView")!)]
+
+          EarlGrey.selectElement(with: grey_accessibilityID("TabTrayController.removeTabsButton")).perform(grey_tap())
+          EarlGrey.selectElement(with: grey_allOf(closeButtonMatchers)).perform(grey_tap())
+      }
+
+    func testDataURL() {
+        // Check data urls that are valid
+        ["data-url-ok-1", "data-url-ok-2"].forEach { buttonName in
+            tester().tapWebViewElementWithAccessibilityLabel(buttonName)
+            tester().wait(forTimeInterval: 1)
+            let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
+            XCTAssert(webView.url!.absoluteString.hasPrefix("data:")) // indicates page loaded ok
+            BrowserUtils.resetToAboutHome()
+            beforeEach()
+        }
+
+        // Check data url that is not allowed
+        tester().tapWebViewElementWithAccessibilityLabel("data-url-html-bad")
+        tester().wait(forTimeInterval: 1)
+        let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
+        XCTAssert(webView.url == nil) // indicates page load was blocked
+    }
+
     override func tearDown() {
         BrowserUtils.resetToAboutHome()
-        BrowserUtils.clearPrivateData()
         super.tearDown()
     }
 }
diff --git a/UITests/localhostLoad.html b/UITests/localhostLoad.html
@@ -19,5 +19,14 @@
   <button onclick="window.open(errorURL)">Error exploit</button>
   <button onclick="newTabExploit()">New tab exploit</button>
   <button onclick="window.open('http://1.2.3.4:1234')">URL spoof</button>
+
+  <p>
+      Tries to open a window with the word test. Both should be ok to do.<br>
+      <button onclick="window.open('data:;,test')">data-url-ok-1</button><br>
+      <button onclick="window.open('data:text/plain,test')">data-url-ok-2</button>
+      <br>
+      Tries to open a html data URL, this is a no-no.<br>
+      <button onclick="window.open('data:text/html;base64,VGhpcyBpcyBhIHRlc3QK')">data-url-html-bad</button>
+  </p>
 </body>
 </html>