New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict <base>
to ~sane schemes.
#2249
Comments
What's the reason for restricting it? If we do this, we need to update quite a number of |
If you can inject a base tag with data:, you can control all script tags with relative paths (in Chrome) and bypass nonce based CSPs. While I think it makes sense to fix this, it must be noted that the more generic form of this attack (using an attacker controlled domain) would still work. <script src=x.js nonce=random-123></script> |
Okay, so the assumption is that an attacker can inject a data URL |
I don't think this change has ~any value in preventing XSS. As you both note, the attacker can inject That said, it's not clear to me that it makes sense to include non-network schemes (and particularly non-hierarchical schemes) as potential document base URLs. I'm not suggesting that we remove the resolution rules set up in the URL spec; I am suggesting that we poke at the contours of what we allow for HTML documents. |
The specific thing that triggered this suggestion is actually a mismatch between the way the URL parser handles |
I've landed https://codereview.chromium.org/2626243002 in Chrome to gather some metrics. While we're here, it might also be reasonable to mitigate some dangling markup issues in |
@annevk, any thoughts on #2249 (comment)? Based on early numbers from the last week or so of Chrome's beta (which is, admittedly not a truly representative sample), Also, newlines in |
Not really, that it works seems expected from how the system is designed. Though data URL parsing/interpretation could use some better interoperability and standard here and there. As for adding defense-in-depth restrictions, it seems reasonable if we can get everyone to implement them. Bit ambivalent on the whole thing myself. |
FWIW, based on quick experimentation with https://output.jsbin.com/zucihoraca:
I'd like to change Chrome's behavior to align with either Edge or Firefox. Edge's behavior makes more sense to me. If you're ambivalent, that's what I'd prefer to do. |
You will also need to test multiple |
All browsers seem to ignore all but the first I should be more clear about what I mean when I say "ignored". The patch to HTML that I'd propose would be something like changing step 3 of https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url to:
That is, we'd treat |
For what it's worth, the way Firefox handles this (in URL spec terms) is by always setting the "cannot-be-a-base-URL" flag on data: URLs. |
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/TsBB5GOpMZA/AAE_Sb_HBwAJ Spec: whatwg/html#2249 BUG=679318 Review-Url: https://codereview.chromium.org/2685843003 Cr-Commit-Position: refs/heads/master@{#449262}
Intent: https://groups.google.com/a/chromium.org/d/msg/blink-dev/TsBB5GOpMZA/AAE_Sb_HBwAJ Spec: whatwg/html#2249 BUG=679318 Review-Url: https://codereview.chromium.org/2685843003 Cr-Commit-Position: refs/heads/master@{#449262}
Wait, why are we changing web platform tests before we've agreed on what the spec should say here? |
Yeah I'm not sure why that happened. @jeffcarp that should not have been merged. |
See whatwg/html#2249 (comment) for why it’s worth calling this out.
I created whatwg/meta#17 to clarify the CONTRIBUTOR guidelines around this so that it hopefully doesn't happen again. |
I guess the problem here was that https://codereview.chromium.org/2685843003 landed before this PR, and tests are automatically upstreamed to web-platform-tests. |
I sent a message to blink-dev about this https://groups.google.com/a/chromium.org/d/msg/blink-dev/QIRcSgN9AK4/0JY58rBhCAAJ |
Yes, this test change shouldn't have been landed until the spec was updated. Sorry about this, we're still getting used to our new system encouraging blink developers to land test changes along with their blink patches (which then get automatically merged back to WPT). We'll work on improving our docs and guidance to reduce mistakes like this. In the meantime, please feel free to revert anything you feel was landed in error. We've been talking lots with @jgraham and others about the inevitable conflicts/mistakes like this as we all work to make WPT a first-class part of our engine development process, but we're all optimistic it'll be worth it in the end :-) /cc @foolip |
See whatwg/html#2249 (comment) for why it’s worth calling this out.
We've anticipated some mishaps of this sort. Just yesterday I noticed an unexpected test change in servo/servo@8b69e73 and it was quickly dealt with, so let's keep learning how to do this together :) @mikewest, can you write a PR that matches what you'd like to ship, or is it entangled in a bunch of other questions which we have yet to decide on? |
@mikewest have you considered Gecko's approach (see #2249 (comment))? That doesn't just affect |
Gecko's approach would require changing the URL Standard and special casing data URLs in it. That does not seem great. |
(And would still leave the hole for javascript URLs, unless we also change the URL Standard for them.) |
Right. Can you explain what is bad about it? It's not clear to me. :-) |
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: http://svn.webkit.org/repository/webkit/branches/safari-609.1.20.0-branch@257015 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: http://svn.webkit.org/repository/webkit/branches/safari-609.1.20.3-branch@256945 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: http://svn.webkit.org/repository/webkit/branches/safari-609-branch@256796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: http://svn.webkit.org/repository/webkit/branches/safari-609-branch@256896 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Identifier: 220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Identifier: 218903.363@safari-609-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Identifier: 220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Identifier: 218903.387@safari-609-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256896 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Canonical link: https://commits.webkit.org/220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/218903.363@safari-609-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Canonical link: https://commits.webkit.org/220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/218903.387@safari-609-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256896 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Canonical link: https://commits.webkit.org/220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/218903.381@safari-609.1.20.0-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609.1.20.0-branch@257015 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Canonical link: https://commits.webkit.org/220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/218903.363@safari-609.1.20.1-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609.1.20.1-branch@256969 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. Canonical link: https://commits.webkit.org/220473@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc Canonical link: https://commits.webkit.org/218903.369@safari-609.1.20.3-branch git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609.1.20.3-branch@256945 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow setting base URL to a data or JavaScript URL https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256191 268f45cc-cd09-0410-ab3c-d52691b4dbfc git-svn-id: https://svn.webkit.org/repository/webkit/branches/safari-609-branch@256896 268f45cc-cd09-0410-ab3c-d52691b4dbfc
https://bugs.webkit.org/show_bug.cgi?id=207136 Source/WebCore: Reviewed by Brent Fulgham. Inspired by <https://bugs.chromium.org/p/chromium/issues/detail?id=679318>. Block setting the base URL to a data URL or JavaScript URL as such usage is questionable. This makes WebKit match the behavior of Chrome and Firefox and is in the spirit of the discussion in <whatwg/html#2249>. On Mac and iOS, this restriction is applied only to apps linked against a future SDK to avoid breaking shipped apps. For all other ports, this restriction is enabled by default. Tests: fast/url/relative2.html fast/url/segments-from-data-url2.html http/tests/security/allowed-base-url-data-url-via-setting.html http/tests/security/denied-base-url-data-url.html http/tests/security/denied-base-url-javascript-url.html * dom/Document.cpp: (WebCore::Document::processBaseElement): Condition updating the parsed base URL on whether is has an allowed scheme, if restrictions are enabled. Otherwise, do what we do now. If the scheme is disallowed then log a message to the console to explain this to web developers. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::scan): Pass whether to apply restrictons to the base URL to updatePredictedBaseURL(). This depends on whether the setting is enabled or not. (WebCore::TokenPreloadScanner::updatePredictedBaseURL): Modifed to take a boolean as to whether to apply restrictions. If restrictions are not to be applied do what we do now. Otherwise, only do what we do now if the scheme for the predicated base URL is allowed. * html/parser/HTMLPreloadScanner.h: * page/SecurityPolicy.cpp: (WebCore::SecurityPolicy::isBaseURLSchemeAllowed): Added. * page/SecurityPolicy.h: * page/Settings.yaml: Add a setting to toggle restrictions on the base URL scheme. Source/WebKit: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Shared/WebPreferences.yaml: * UIProcess/API/Cocoa/WKWebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WKWebView _setupPageConfiguration:]): Update settings. * UIProcess/Cocoa/VersionChecks.h: Source/WebKitLegacy/mac: Reviewed by Brent Fulgham. Apply base URL restrictions to apps linked to a future WebKit to avoid breaking existing apps. * Misc/WebKitVersionChecks.h: * WebView/WebView.mm: (shouldRestrictBaseURLSchemes): Added. (-[WebView _commonInitializationWithFrameName:groupName:]): Update settings. Source/WTF: Reviewed by Brent Fulgham. Add some more macro definitions. * wtf/spi/darwin/dyldSPI.h: LayoutTests: RReviewed by Brent Fulgham. Add some tests. Update others to toggle the setting to apply or unapply the new behavior. The test denied-base-url-javascript-url.html is derived from the test base-url-javascript.html, included in <https://chromium.googlesource.com/chromium/src.git/+/c133efa0b915430701930b76a7cfe35608b9a403>. * fast/url/relative-expected.txt: * fast/url/relative.html: * fast/url/relative2-expected.txt: Copied from LayoutTests/fast/url/relative-expected.txt. * fast/url/relative2.html: Copied from LayoutTests/fast/url/relative.html. * fast/url/resources/utilities.js: (setShouldEllipsizeFileURLPaths): Added. Toggles ellipsizing the path portion of a file URL to simplify matching. Otherwise, file URLs could be machine-specific. (canonicalizedPathname): Added. (segments): Modified to optionally call canonicalizedPathname. (canonicalize): Ditto. * fast/url/segments-from-data-url-expected.txt: * fast/url/segments-from-data-url.html: * fast/url/segments-from-data-url2-expected.txt: Copied from LayoutTests/fast/url/segments-from-data-url-expected.txt. * fast/url/segments-from-data-url2.html: Copied from LayoutTests/fast/url/segments-from-data-url.html. * fetch/fetch-url-serialization-expected.txt: * http/tests/plugins/navigation-during-load-embed.html: * http/tests/plugins/navigation-during-load.html: * http/tests/security/allowed-base-url-data-url-via-setting-expected.txt: Added. * http/tests/security/allowed-base-url-data-url-via-setting.html: Added. * http/tests/security/denied-base-url-data-url-expected.txt: Added. * http/tests/security/denied-base-url-data-url.html: Added. * http/tests/security/denied-base-url-javascript-url-expected.txt: Added. * http/tests/security/denied-base-url-javascript-url.html: Added.
Coming back to this, I don't see how the CSS case is a security problem. The The moment Gecko aligns its URL parser it would also end up being vulnerable to that case. Given that Chromium and WebKit already implement a mitigation I think we should standardize on that and have Gecko align to prevent it from introducing a novel XSS angle for itself once it aligns its URL parser. Persuasive enough @zcorpan @mozfreddyb? (I discovered that a single |
My preference would have been to disallow For #2249 (comment) maybe we could have a depth limit for |
Great, I'll work on a PR. I wonder why the |
In STP I get this message in the console:
|
Also correct a minor mistake in the invocation of "Is base allowed for Document?". Tests: web-platform-tests/wpt#41731. Fixes #2249.
Also correct a minor mistake in the invocation of "Is base allowed for Document?". Tests: web-platform-tests/wpt#41731. Fixes #2249.
We discussed the CSS issue further on Chat and as a result Simon filed these bugs:
No specification change should be needed for that scenario. (The main scenario was fixed in #9665.) |
The origin of the stylesheet's URL should be checked for being same-origin with the document, per spec. A data: URL's origin is an opaque origin, which is not same origin with the document. Also see whatwg/html#2249 (comment)
The origin of the stylesheet's URL should be checked for being same-origin with the document, per spec. A data: URL's origin is an opaque origin, which is not same origin with the document. Also see whatwg/html#2249 (comment)
…quirk origin check, a=testonly Automatic update from web-platform-tests HTML: stylesheet with non-CSS MIME type quirk origin check The origin of the stylesheet's URL should be checked for being same-origin with the document, per spec. A data: URL's origin is an opaque origin, which is not same origin with the document. Also see whatwg/html#2249 (comment) -- wpt-commits: a0d5528d8a601e34bec85e34ce8a033d4c3fc192 wpt-pr: 41744
…quirk origin check, a=testonly Automatic update from web-platform-tests HTML: stylesheet with non-CSS MIME type quirk origin check The origin of the stylesheet's URL should be checked for being same-origin with the document, per spec. A data: URL's origin is an opaque origin, which is not same origin with the document. Also see whatwg/html#2249 (comment) -- wpt-commits: a0d5528d8a601e34bec85e34ce8a033d4c3fc192 wpt-pr: 41744
The origin of the stylesheet's URL should be checked for being same-origin with the document, per spec. A data: URL's origin is an opaque origin, which is not same origin with the document. Also see whatwg/html#2249 (comment)
Apparently, Chrome is happy to support
<base href="data:/randomness/">
, which doesn't seem like a good idea. WDYT about restricting document base URLs to network schemes (and, I suppose, the scheme of the current document's URL's origin...file:
comes to mind).The text was updated successfully, but these errors were encountered: