Local HTML should be blocked from localStorage access unless "Disable Local File...
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Nov 2016 00:58:35 +0000 (00:58 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Nov 2016 00:58:35 +0000 (00:58 +0000)
commitb9034ddc3313cd12193b253d9a9f84a89c425fe2
tree716093dc472499844cb0d0a223bb4c058252d9a5
parent06633f48b646708b031b75aff5cf2cdc8912770f
Local HTML should be blocked from localStorage access unless "Disable Local File Restrictions" is checked
https://bugs.webkit.org/show_bug.cgi?id=155185
<rdar://problem/11101440>

Reviewed by Brady Eidson.

Source/WebCore:

Add a new quirk for localStorage that defaults to 'on'. When active, this quirk says that
localStorage access should be granted, without needing to grant universal file access.

If the quirk is turned off, then localStorage is blocked unless the WebKit client explicitly
grants universal file access.

Tests: storage/domstorage/localstorage/blocked-file-access-permitted-by-quirk.html
       storage/domstorage/localstorage/blocked-file-access.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Set localStorage quirk mode based on settings.
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::SecurityOrigin): Use more C++11 initializers.
(WebCore::SecurityOrigin::canAccessStorage): If the origin is a local file, and we are NOT in
localStorage quirks mode, and we have not been granted universal file access, prevent access
to DOM localStorage.
(WebCore::SecurityOrigin::setNeedsLocalStorageQuirk): Added.
* page/SecurityOrigin.h:
(WebCore::SecurityOrigin::needsLocalStorageQuirk): Added.
* page/Settings.in:
* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::WorkerGlobalScope): Make sure Workers know what the
localStorage quirks mode is set to.

Source/WebKit/mac:

Provide SPI to access the new quirk for localStorage. The quirk defaults to 'on'. When active, this
quirk says that localStorage access should be granted, without needing to grant universal file access.

If the quirk is turned off, then localStorage is blocked unless the WebKit client explicitly
grants universal file access.

* WebView/WebPreferenceKeysPrivate.h:
* WebView/WebPreferences.mm:
(-[WebPreferences needsLocalStorageQuirk]): Added.
(-[WebPreferences setNeedsLocalStorageQuirk:]): Added.
* WebView/WebPreferencesPrivate.h:
* WebView/WebView.mm:
(-[WebView _preferencesChanged:]): Honor the new localStorage quirk.

Source/WebKit2:

Provide SPI to access the new quirk for localStorage. The quirk defaults to 'on'. When active, this
quirk says that localStorage access should be granted, without needing to grant universal file access.

If the quirk is turned off, then localStorage is blocked unless the WebKit client explicitly
grants universal file access.

Tested by existing TestWebKitAPI tests and WebKit2.LocalStorageQuirkTest

* Shared/WebPreferencesDefinitions.h:
* UIProcess/API/C/WKPreferences.cpp:
(WKPreferencesSetNeedsLocalStorageQuirk): Added.
(WKPreferencesGetNeedsLocalStorageQuirk): Added.
* UIProcess/API/C/WKPreferencesRefPrivate.h:
* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _initializeWithConfiguration:]): Honor the new localStorage quirk.
* UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
(-[WKWebViewConfiguration init]): Honor the new localStorage quirk flag.
(-[WKWebViewConfiguration copyWithZone:]): Ditto.
(-[WKWebViewConfiguration _needsLocalStorageQuirk]): Added.
(-[WKWebViewConfiguration _setNeedsLocalStorageQuirk:]): Added.
* UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h:
* WebProcess/InjectedBundle/API/c/WKBundle.cpp:
(WKBundleSetNeedsLocalStorageQuirk): Added.
* WebProcess/InjectedBundle/API/c/WKBundlePrivate.h:
* WebProcess/InjectedBundle/InjectedBundle.cpp:
(WebKit::InjectedBundle::setNeedsLocalStorageQuirk): Added.
* WebProcess/InjectedBundle/InjectedBundle.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::updatePreferences): Honor the new localStorage quirk flag.

Tools:

* DumpRenderTree/TestRunner.cpp:
(setNeedsLocalStorageQuirkCallback): Added.
(TestRunner::staticFunctions):
* DumpRenderTree/TestRunner.h:
* DumpRenderTree/mac/DumpRenderTree.mm:
(resetWebPreferencesToConsistentValues): Update for new quirk setting.
* DumpRenderTree/mac/TestRunnerMac.mm:
(TestRunner::setNeedsLocalStorageQuirk):
* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2/CloseFromWithinCreatePage.cpp:
* TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageClear.mm:
* TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageNullEntries.mm:
* TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageQuirkEnabled.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageQuirkTest.mm: Added.
(-[LocalStorageQuirkMessageHandler userContentController:didReceiveScriptMessage:]):
* WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
* WebKitTestRunner/InjectedBundle/InjectedBundle.cpp:
(WTR::InjectedBundle::beginTesting): Update for new quirk setting.
* WebKitTestRunner/InjectedBundle/TestRunner.cpp:
(WTR::TestRunner::setNeedsLocalStorageQuirk): Added.
* WebKitTestRunner/InjectedBundle/TestRunner.h:

LayoutTests:

* storage/domstorage/localstorage/blocked-file-access-expected.txt: Added.
* storage/domstorage/localstorage/blocked-file-access-permitted-by-quirk-expected.txt: Added.
* storage/domstorage/localstorage/blocked-file-access-permitted-by-quirk.html: Added.
* storage/domstorage/localstorage/blocked-file-access.html: Added.
* storage/domstorage/localstorage/resources/allowed-example.html: Added.
* storage/domstorage/localstorage/resources/blocked-example.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@208509 268f45cc-cd09-0410-ab3c-d52691b4dbfc
46 files changed:
LayoutTests/ChangeLog
LayoutTests/storage/domstorage/localstorage/blocked-file-access-expected.txt [new file with mode: 0644]
LayoutTests/storage/domstorage/localstorage/blocked-file-access-permitted-by-quirk-expected.txt [new file with mode: 0644]
LayoutTests/storage/domstorage/localstorage/blocked-file-access-permitted-by-quirk.html [new file with mode: 0644]
LayoutTests/storage/domstorage/localstorage/blocked-file-access.html [new file with mode: 0644]
LayoutTests/storage/domstorage/localstorage/file-can-access.html
LayoutTests/storage/domstorage/localstorage/resources/allowed-example.html [new file with mode: 0644]
LayoutTests/storage/domstorage/localstorage/resources/blocked-example.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/page/SecurityOrigin.cpp
Source/WebCore/page/SecurityOrigin.h
Source/WebCore/page/Settings.in
Source/WebCore/workers/WorkerGlobalScope.cpp
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/WebView/WebPreferenceKeysPrivate.h
Source/WebKit/mac/WebView/WebPreferences.mm
Source/WebKit/mac/WebView/WebPreferencesPrivate.h
Source/WebKit/mac/WebView/WebView.mm
Source/WebKit2/ChangeLog
Source/WebKit2/Shared/WebPreferencesDefinitions.h
Source/WebKit2/UIProcess/API/C/WKPreferences.cpp
Source/WebKit2/UIProcess/API/C/WKPreferencesRefPrivate.h
Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm
Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm
Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h
Source/WebKit2/WebProcess/InjectedBundle/API/c/WKBundle.cpp
Source/WebKit2/WebProcess/InjectedBundle/API/c/WKBundlePrivate.h
Source/WebKit2/WebProcess/InjectedBundle/InjectedBundle.cpp
Source/WebKit2/WebProcess/InjectedBundle/InjectedBundle.h
Source/WebKit2/WebProcess/WebPage/WebPage.cpp
Tools/ChangeLog
Tools/DumpRenderTree/TestRunner.cpp
Tools/DumpRenderTree/TestRunner.h
Tools/DumpRenderTree/mac/DumpRenderTree.mm
Tools/DumpRenderTree/mac/TestRunnerMac.mm
Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
Tools/TestWebKitAPI/Tests/WebKit2/CloseFromWithinCreatePage.cpp
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageClear.mm
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageNullEntries.mm
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageQuirkEnabled.html [new file with mode: 0644]
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/LocalStorageQuirkTest.mm [new file with mode: 0644]
Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
Tools/WebKitTestRunner/InjectedBundle/InjectedBundle.cpp
Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
Tools/WebKitTestRunner/InjectedBundle/TestRunner.h