CSP: Fire 'load' events even when blocking loads via 'frame-src'.
author: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 May 2016 20:50:04 +0000 (20:50 +0000)
committer: bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 May 2016 20:50:04 +0000 (20:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153150
<rdar://problem/24383162>

Reviewed by Daniel Bates.

Source/WebCore:

Always fire a load event, even when the load is blocked by CSP rules, so that
attackers cannot gain knowledge about the URL in the frame by blocking the
load and waiting long enough to be sure that a 'load' event would have
fired if the load wasn't blocked.

Inspired by Blink patch:
<https://src.chromium.org/viewvc/blink?view=rev&revision=165743>

Tests: http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html

* loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNavigationPolicy):

LayoutTests:

* TestExpectations: Unskip the cross-origin load test.
* http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt: Update to match
our message format.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201468 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
Source/WebCore/ChangeLog
Source/WebCore/loader/PolicyChecker.cpp

index 488b699..4b17d93 100644 (file)
@@ -1,3 +1,15 @@
+2016-05-27  Brent Fulgham  <bfulgham@apple.com>
+
+        CSP: Fire 'load' events even when blocking loads via 'frame-src'.
+        https://bugs.webkit.org/show_bug.cgi?id=153150
+        <rdar://problem/24383162>
+
+        Reviewed by Daniel Bates.
+
+        * TestExpectations: Unskip the cross-origin load test.
+        * http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt: Update to match
+        our message format.
+
 2016-05-27  Saam barati  <sbarati@apple.com>
 
         ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
index c3963ca..df19e1a 100644 (file)
@@ -842,7 +842,6 @@ webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-s
 webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.php
 webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
 webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
-webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
 webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-error-event.html
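Review bot: only frame-src-cross-origin-load.html is unskipped in this hunk, while the two child-src tests two lines above it (frame-fires-load-event-when-blocked.html and frame-fires-load-event-when-redirect-blocked.html) remain skipped under the same bug, webkit.org/b/153150. Since the PolicyChecker change dispatches the load event for any frame blocked by isAllowedByContentSecurityPolicy(), either unskip those two as well or add a trailing comment on their lines (the file already uses `# ...` comments, as on the manifest-src lines) saying what still fails for them, so the bug reference does not look stale.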
index 65006e1..472713e 100644 (file)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: line 24: Refused to frame 'https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "frame-src 'self' http://localhost:8080".
-
+CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
 ALERT: PASS
 ALERT: PASS
 IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.
index e94694b..575a988 100644 (file)
@@ -1,11 +1,11 @@
 <!DOCTYPE html>
 <html>
 <head>
-    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/js-test-resources/js-test-pre.js"></script>
     <meta http-equiv="Content-Security-Policy" content="frame-src 'self' http://localhost:8080">
     <script>
-        window.jsTestIsAsync = true;
-        window.wasPostTestScriptParsed = true;
+        if (window.testRunner)
+            testRunner.waitUntilDone();
         
         description("IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS.");
 
         function loadEvent() {
             loads++;
             testPassed("IFrame #" + loads + " generated a 'load' event.");
-            if (loads == 3)
-                finishJSTest();
+            if (loads == 3) {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }
         }
     </script>
 </head>
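Review bot: the nested `if (loads == 3) { if (window.testRunner) testRunner.notifyDone(); }` can be collapsed to `if (loads == 3 && window.testRunner)`, matching the single-line form used for `waitUntilDone()` at the top of the script; the unchanged context line after `testRunner.waitUntilDone();` also carries trailing whitespace that could be dropped while this block is being touched. With the move from js-test.js to js-test-pre.js/js-test-post.js, completion is now signalled only through testRunner, so a short comment noting that the test relies on the three onload callbacks arriving before js-test-post.js tears down would help the next reader.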
@@ -22,5 +24,6 @@
     <iframe src="/security/contentSecurityPolicy/resources/alert-pass.html" onload="loadEvent()"></iframe>
     <iframe src="http://localhost:8080/security/contentSecurityPolicy/resources/alert-pass.html" onload="loadEvent()"></iframe>
     <iframe src="https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html" onload="loadEvent()"></iframe>
+    <script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>
index b01a605..112a240 100644 (file)
@@ -1,3 +1,24 @@
+2016-05-27  Brent Fulgham  <bfulgham@apple.com>
+
+        CSP: Fire 'load' events even when blocking loads via 'frame-src'.
+        https://bugs.webkit.org/show_bug.cgi?id=153150
+        <rdar://problem/24383162>
+
+        Reviewed by Daniel Bates.
+
+        Always fire a load event, even when the load is blocked by CSP rules, so that
+        attackers cannot gain knowledge about the URL in the frame by blocking the
+        load and waiting long enough to be sure that a 'load' event would have
+        fired if the load wasn't blocked.
+
+        Inspired by Blink patch:
+        <https://src.chromium.org/viewvc/blink?view=rev&revision=165743>
+
+        Tests: http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
+
+        * loader/PolicyChecker.cpp:
+        (WebCore::PolicyChecker::checkNavigationPolicy):
+
 2016-05-27  Andreas Kling  <akling@apple.com>
 
         Document abandons its EventTargetData.
index 33f1474..0ac287c 100644 (file)
@@ -98,6 +98,11 @@ void PolicyChecker::checkNavigationPolicy(const ResourceRequest& request, bool d
     }
 
     if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement(), didReceiveRedirectResponse)) {
+        if (m_frame.ownerElement()) {
+            // Fire a load event (even though we were blocked by CSP) as timing attacks would otherwise
+            // reveal that the frame was blocked. This way, it looks like any other cross-origin page load.
+            m_frame.ownerElement()->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
+        }
         function(request, 0, false);
         return;
     }
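Review bot: `dispatchEvent` runs the iframe's onload handler synchronously from inside checkNavigationPolicy, so by the time control reaches `function(request, 0, false);` that script may have removed the iframe or navigated the parent, leaving `m_frame` (and its owner element) in a state this code does not re-check. Consider taking a `Ref<Frame>` protector before the dispatch, or dispatching the event from a queued task, and document the chosen re-entrancy contract in the comment. The comment also says the blocked frame "looks like any other cross-origin page load", but the event is fired at policy-check time rather than after a network round trip, so the timing is not identical to a real load; stating that the goal is to avoid leaking the blocked/not-blocked bit through the presence or absence of the event, not to match its timing, would make the comment precise.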