REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Optio...
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jun 2018 01:23:09 +0000 (01:23 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jun 2018 01:23:09 +0000 (01:23 +0000)
commit 0fcc967239e1d3e943367574443eabc2f4dffdfa
tree 44ea671c115f9e8e45387a7719eb5ea73d4e1369
parent cff3e9280b4a9f5db9fac54f5db1b1925369e881
REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')
https://bugs.webkit.org/show_bug.cgi?id=186090
<rdar://problem/40692595>

Reviewed by Andy Estes.

Source/WebCore:

Fix up Content Security Policy logic for checking the frame ancestors now that we
exclude the frame that initiated the load request.

Test: http/tests/security/XFrameOptions/cross-origin-iframe-post-form-to-parent-same-origin-x-frame-options-page-allow.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowFrameAncestors const):
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkFrameAncestors):

Source/WebKit:

Fixes an issue where a page P delivered with "X-Frame-Options: SAMEORIGIN" loaded in a
subframe would be blocked if we were redirected to it in response to the cross-origin POST
request regardless of whether P is same-origin with its parent document.

* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::shouldInterruptLoadForXFrameOptions): Compare the origin
of the top frame's document as opposed to the source origin. The latter represents the
origin of the document that initiated the navigation, which can be cross-origin, and
should not be considered when applying "X-Frame-Options: SAMEORIGIN". This check exists
as a performance optimization to avoid traversing over all frame ancestors only to find
out that the innermost frame (the one that made this request) is cross-origin with the
top-most frame.
* NetworkProcess/NetworkResourceLoader.h:
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess): Exclude the origin of the
frame that is making the load request from the list of ancestor origins. This makes the
X-Frame-Options algorithm in WebKit2 match the logic we do in FrameLoader::shouldInterruptLoadForXFrameOptions().

LayoutTests:

Add a test to ensure that we allow a same-origin page with "X-Frame-Options: SAMEORIGIN" to
load as a result of a redirected cross-origin POST request.

* http/tests/security/XFrameOptions/cross-origin-iframe-post-form-to-parent-same-origin-x-frame-options-page-allow-expected.txt: Added.
* http/tests/security/XFrameOptions/cross-origin-iframe-post-form-to-parent-same-origin-x-frame-options-page-allow.html: Added.
* http/tests/security/XFrameOptions/resources/post-form-to-x-frame-options-parent-same-origin-allow.html: Added.
* http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233237 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/cross-origin-iframe-post-form-to-parent-same-origin-x-frame-options-page-allow-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/cross-origin-iframe-post-form-to-parent-same-origin-x-frame-options-page-allow.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/resources/post-form-to-x-frame-options-parent-same-origin-allow.html [new file with mode: 0644]
LayoutTests/http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Source/WebKit/NetworkProcess/NetworkResourceLoader.h
Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp
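The decision the commit message describes (compare the response origin with the top frame's origin, not the navigation's source origin, then walk an ancestor chain that excludes the frame being navigated), as an added illustration that is not WebKit's own code: the `Origin`, `SubframeLoad` and `XFrameOptions` types and both `shouldInterruptLoad*` functions are a hypothetical simplified model, and the cinema/payment hosts are constructed sample values.

```cpp
#include <string>
#include <vector>

// Hypothetical simplified model of the X-Frame-Options: SAMEORIGIN check for a
// sub-frame navigation; not WebKit's types or code.
struct Origin {
    std::string scheme, host;
    int port;
    bool operator==(const Origin& o) const { return scheme == o.scheme && host == o.host && port == o.port; }
    bool operator!=(const Origin& o) const { return !(*this == o); }
};

enum class XFrameOptions { None, Deny, SameOrigin };

// What the network process knows about the navigation of a sub-frame.
struct SubframeLoad {
    Origin sourceOrigin;                 // document that initiated the navigation (may be cross-origin)
    Origin topFrameOrigin;               // origin of the top-level document
    std::vector<Origin> ancestorOrigins; // parent, grandparent, ...; the navigated frame itself is excluded
};

static bool anyAncestorCrossOrigin(const Origin& responseOrigin, const std::vector<Origin>& ancestors) {
    for (const Origin& ancestor : ancestors)
        if (ancestor != responseOrigin) return true;
    return false;
}

// Pre-fix behaviour (the bug): the fast path compared the response origin with the
// source origin, so a redirect out of a cross-origin POST was rejected even when the
// response was same-origin with every ancestor.
bool shouldInterruptLoadBeforeFix(XFrameOptions xfo, const Origin& responseOrigin, const SubframeLoad& load) {
    if (xfo == XFrameOptions::Deny) return true;
    if (xfo != XFrameOptions::SameOrigin) return false;
    if (responseOrigin != load.sourceOrigin) return true;   // wrong origin compared
    return anyAncestorCrossOrigin(responseOrigin, load.ancestorOrigins);
}

// Post-fix behaviour: the fast path compares against the top frame's origin; only when
// that passes is the (initiator-excluded) ancestor chain walked.
bool shouldInterruptLoadAfterFix(XFrameOptions xfo, const Origin& responseOrigin, const SubframeLoad& load) {
    if (xfo == XFrameOptions::Deny) return true;
    if (xfo != XFrameOptions::SameOrigin) return false;
    if (responseOrigin != load.topFrameOrigin) return true; // cheap early-out before the walk
    return anyAncestorCrossOrigin(responseOrigin, load.ancestorOrigins);
}

// Constructed scenario from the bug: a cross-origin iframe POSTs a form and the server
// redirects that iframe to a page which is same-origin with the top document.
SubframeLoad redirectedPostScenario() {
    Origin top{"https", "cinema.example", 443};
    Origin crossOriginInitiator{"https", "payment.example", 443};
    return SubframeLoad{crossOriginInitiator, top, {top}};
}
```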