Regression(PSON): setting window.opener to null allows process swapping in cases...
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Sep 2018 22:38:25 +0000 (22:38 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 13 Sep 2018 22:38:25 +0000 (22:38 +0000)
commit: e2f993f3fd32ca7959fd4998951569e062840cdb
tree: 260e636ea5e420f34066b649efe5f334f440c22c
parent: ca77486cef22a5b74d99638e924678f57ccd45d1
Regression(PSON): setting window.opener to null allows process swapping in cases that are not web-compatible
https://bugs.webkit.org/show_bug.cgi?id=189590
<rdar://problem/44422725>

Reviewed by Geoffrey Garen.

Source/WebCore:

Set a flag on the navigation action to indicate if the page was opened via window.open() without 'noopener'.

Test: http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURL):
* loader/NavigationAction.h:
(WebCore::NavigationAction::openedViaWindowOpenWithOpener const):
(WebCore::NavigationAction::setOpenedViaWindowOpenWithOpener):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::createWindow):
* page/Page.h:
(WebCore::Page::openedViaWindowOpenWithOpener const):
(WebCore::Page::setOpenedViaWindowOpenWithOpener):

Source/WebKit:

If script calls window.open() without 'noopener' and the newly navigated window gets navigated cross-site,
we are currently unable to process-swap because the opener has a WindowProxy handle to this new Window and
may interact with it (which we currently do not support cross-process). We were dealing with this by not
process-swapping if window.opener is not null. This works most of the time but is not sufficient because the
opener may get nulled out, while the opener still has a valid WindowProxy handle to its openee.

Therefore, we now also check for a flag indicating if the frame was opened via window.open() without
'noopener'. We still need to check if the browsing context has an opener for browsing contexts created
via <a target="_blank"> for example (the opener does not have a handle to the new window but the openee
has access to its opener).

* Shared/NavigationActionData.cpp:
(WebKit::NavigationActionData::encode const):
(WebKit::NavigationActionData::decode):
* Shared/NavigationActionData.h:
* UIProcess/API/APINavigation.h:
(API::Navigation::openedViaWindowOpenWithOpener const):
(API::Navigation::setOpenedViaWindowOpenWithOpener):
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
* UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::processForNavigationInternal):
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):

LayoutTests:

Add layout test coverage.

* http/tests/navigation/resources/navigate-helper.html: Added.
* http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin-expected.txt: Added.
* http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235994 268f45cc-cd09-0410-ab3c-d52691b4dbfc
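The following is an added illustration, not WebKit code and not the layout test this commit adds: a small model of browsing contexts showing why the pre-commit check on window.opener alone lets a cross-site popup process-swap once script nulls its opener, while the opener side still holds a WindowProxy handle to it. The class name BrowsingContext, the field windowProxies and the functions canSwapOldRule, canSwapNewRule and scenarioOpenerNulled are hypothetical names chosen here; only the flag name openedViaWindowOpenWithOpener comes from the commit.

```javascript
// Model of a browsing context (hypothetical names; not WebKit's own types).
class BrowsingContext {
  constructor(name) {
    this.name = name;
    this.opener = null;                         // what script sees as window.opener
    this.openedViaWindowOpenWithOpener = false; // the flag this commit introduces
    this.windowProxies = new Set();             // handles this context holds to other windows
  }

  // Models window.open(url, name, features). Without 'noopener' the opener keeps
  // a WindowProxy handle to the new window and the new window can see its opener.
  open(name, features = "") {
    const child = new BrowsingContext(name);
    const noopener = features.split(",").map(s => s.trim()).includes("noopener");
    if (!noopener) {
      child.opener = this;
      child.openedViaWindowOpenWithOpener = true;
      this.windowProxies.add(child);
    }
    return child;
  }

  // Models <a target="_blank">: the openee can reach its opener, but the opener
  // gets no handle to the new window.
  openViaTargetBlank(name) {
    const child = new BrowsingContext(name);
    child.opener = this;
    return child;
  }
}

// Pre-commit rule: refuse to process-swap only while window.opener is non-null.
function canSwapOldRule(ctx) { return ctx.opener === null; }

// Post-commit rule: also refuse while the opener side may still hold a handle,
// which the flag records and which survives script setting window.opener = null.
function canSwapNewRule(ctx) {
  return ctx.opener === null && !ctx.openedViaWindowOpenWithOpener;
}

// The case from the commit message: popup opened without 'noopener', then the
// popup nulls its own opener. The opener's handle to the popup is unaffected.
function scenarioOpenerNulled() {
  const opener = new BrowsingContext("opener");
  const popup = opener.open("popup");
  popup.opener = null;
  return {
    openerStillHoldsHandle: opener.windowProxies.has(popup),
    oldRule: canSwapOldRule(popup), // true: would wrongly allow the swap
    newRule: canSwapNewRule(popup), // false: swap correctly refused
  };
}
```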
16 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/navigation/resources/navigate-helper.html [new file with mode: 0644]
LayoutTests/http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/navigation/window-open-cross-origin-then-navigated-back-same-origin.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/loader/NavigationAction.h
Source/WebCore/page/DOMWindow.cpp
Source/WebCore/page/Page.h
Source/WebKit/ChangeLog
Source/WebKit/Shared/NavigationActionData.cpp
Source/WebKit/Shared/NavigationActionData.h
Source/WebKit/UIProcess/API/APINavigation.h
Source/WebKit/UIProcess/WebPageProxy.cpp
Source/WebKit/UIProcess/WebProcessPool.cpp
Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp