Disallow cross-origin subresources from asking for credentials
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 14 Feb 2018 22:27:52 +0000 (22:27 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 14 Feb 2018 22:27:52 +0000 (22:27 +0000)
commit592483afd47ea1acc9140847976a4eb47a32252a
treefa8d9ce21078d8157987bb3c21edc9c350266174
parentb031c105793d28cb94073e30805f389ed634fbcd
Disallow cross-origin subresources from asking for credentials
https://bugs.webkit.org/show_bug.cgi?id=182579
<rdar://problem/36162271>

Reviewed by Andy Estes.

Source/WebCore:

Prompts for credentials to load cross-origin subresources are typically seen as unexpected
by a person that navigates to- or interacts with- a web page. The cross-origin and implicit
loading nature of these subresources makes asking for credentials questionable because they
are not being served by the same origin of the page a person explicitly loaded and are not
guaranteed to correspond to an explicit user interaction other than the initial load of the
page. We know that subresources that ask for credentials can be abused as part of a phishing
attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
due to their questionable nature and the risk for abuse. This will also make the behavior
of WebKit match the behavior of Chrome.

Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/basic-auth-subresource.html
       http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
(WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
the authentication challenge was blocked because the request is cross origin.
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
request from prompting for credentials.
(WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
* loader/ResourceLoader.h:
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin
subresources from prompting for credentials, if applicable.
(WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
* loader/SubresourceLoader.h:
* page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
do not allow cross origin subresources to ask for credentials).

Source/WebKit:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.

* Shared/WebPreferences.yaml:
* UIProcess/API/C/WKPreferences.cpp:
(WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
(WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
* UIProcess/API/C/WKPreferencesRefPrivate.h:

Source/WebKitLegacy/mac:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.

* WebView/WebPreferenceKeysPrivate.h:
* WebView/WebPreferences.mm:
(+[WebPreferences initialize]):
(-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
(-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
* WebView/WebPreferencesPrivate.h:
* WebView/WebView.mm:
(-[WebView _preferencesChanged:]):

Tools:

Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false)
so that tests can toggle between the old behavior and new behavior.

* DumpRenderTree/TestOptions.h:
* DumpRenderTree/TestOptions.mm:
(TestOptions::TestOptions):
* DumpRenderTree/mac/DumpRenderTree.mm:
(setWebPreferencesForTestOptions):
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetPreferencesToConsistentValues):
(WTR::updateTestOptionsFromTestHeader):
* WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::hasSameInitializationOptions const):

LayoutTests:

Copied existing tests that depended on cross-origin subresources being able prompt for credentials
to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior
before this change. Updated existing tests to reflect the new behavior and added new tests to
ensure that we do not regress the new behavior.

* http/tests/media/video-auth-expected.txt:
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
* http/tests/media/video-auth.html:
* http/tests/security/basic-auth-subresource-expected.txt: Added.
* http/tests/security/basic-auth-subresource.html: Added.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/credentials-iframes-expected.txt:
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
* http/tests/security/resources/basic-auth-subresource.html: Added.
* http/tests/security/resources/subresource1/protected-image.php: Added.
* http/tests/security/resources/subresource2/protected-image.php: Added.
* platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
* platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
* platform/wk2/http/tests/media/video-auth-expected.txt:
* platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
* platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
* platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
* platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228486 268f45cc-cd09-0410-ab3c-d52691b4dbfc
57 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/media/video-auth-expected.txt
LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/media/video-auth.html
LayoutTests/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/basic-auth-subresource.html [new file with mode: 0644]
LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [moved from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt with 100% similarity]
LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/security/credentials-iframes-expected.txt
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [moved from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt with 100% similarity]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html
LayoutTests/http/tests/security/resources/basic-auth-subresource.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/subresource1/protected-image.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/subresource2/protected-image.php [new file with mode: 0644]
LayoutTests/platform/win/TestExpectations
LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt
LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/ResourceLoader.cpp
Source/WebCore/loader/ResourceLoader.h
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/SubresourceLoader.h
Source/WebCore/page/Settings.yaml
Source/WebKit/ChangeLog
Source/WebKit/Shared/WebPreferences.yaml
Source/WebKit/UIProcess/API/C/WKPreferences.cpp
Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h
Source/WebKitLegacy/mac/ChangeLog
Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h
Source/WebKitLegacy/mac/WebView/WebPreferences.mm
Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h
Source/WebKitLegacy/mac/WebView/WebView.mm
Tools/ChangeLog
Tools/DumpRenderTree/TestOptions.h
Tools/DumpRenderTree/TestOptions.mm
Tools/DumpRenderTree/mac/DumpRenderTree.mm
Tools/WebKitTestRunner/TestController.cpp
Tools/WebKitTestRunner/TestOptions.h