Web sockets should be treated as active mixed content
authormcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Jun 2015 22:22:54 +0000 (22:22 +0000)
committermcatanzaro@igalia.com <mcatanzaro@igalia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Jun 2015 22:22:54 +0000 (22:22 +0000)
https://bugs.webkit.org/show_bug.cgi?id=140624

Reviewed by Sam Weinig.

Source/WebCore:

Tests: http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html
       http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html

* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect): Block ws:// WebSocket connections from https:// pages, and
emit the onerror event after doing so.
* platform/SchemeRegistry.cpp:
(WebCore::secureSchemes): Add wss:// to the list of secure schemes.

LayoutTests:

* http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html: Added.
* http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt: Added.
* http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html: Added.
* http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt: Added.
* http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185848 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/Modules/websockets/WebSocket.cpp
Source/WebCore/platform/SchemeRegistry.cpp

index 43fe711..329a544 100644 (file)
@@ -1,3 +1,16 @@
+2015-06-22  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        Web sockets should be treated as active mixed content
+        https://bugs.webkit.org/show_bug.cgi?id=140624
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html: Added.
+        * http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt: Added.
+        * http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html: Added.
+        * http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt: Added.
+        * http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html: Added.
+
 2015-06-22  Dean Jackson  <dino@apple.com>
 
         Element with blur backdrop-filter shows edge duplication and dark edges
diff --git a/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html b/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html
new file mode 100644 (file)
index 0000000..39af8aa
--- /dev/null
@@ -0,0 +1,30 @@
+<script src="../../../../../js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function onSocketOpened() {
+    alert("WebSocket connection opened.");
+    finishJSTest();
+}
+
+function onSocketError() {
+    alert("WebSocket connection failed.");
+    finishJSTest();
+}
+
+function onSocketClosed() {
+    alert("WebSocket closed.");
+    finishJSTest();
+}
+
+try {
+    var ws = new WebSocket("ws://127.0.0.1:8880/websocket/tests/hybi/echo");
+    ws.onopen = onSocketOpened;
+    ws.onerror = onSocketError;
+    ws.onclose = onSocketClosed;
+} catch (e) {
+    alert("Test failed: exception thrown");
+    finishJSTest();
+}
+</script>
+<script src="../../../../js-test-resources/js-test-post.js"></script>
diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..8aa0385
--- /dev/null
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 21: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo.
+
+ALERT: WebSocket connection failed.
+This test loads an iframe that creates an insecure WebSocket connection. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker.
+
+
diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html
new file mode 100644 (file)
index 0000000..6bc54c8
--- /dev/null
@@ -0,0 +1,9 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<p>This test loads an iframe that creates an insecure WebSocket connection. We
+should block the connection and trigger a mixed content callback because the
+main frame is HTTPS, but the data sent over the socket could be recorded or
+controlled by an attacker.</p>
+<iframe src="https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html"/>
diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..3557f30
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 21: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo.
+
+ALERT: WebSocket connection failed.
+This test opens a window that connects to an insecure ws:// WebSocket. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker.
diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html
new file mode 100644 (file)
index 0000000..d33d913
--- /dev/null
@@ -0,0 +1,27 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+  if (window.testRunner)
+      testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that connects to an insecure ws:// WebSocket.  We
+should block the connection and trigger a mixed content callback because the
+main frame is HTTPS, but the data sent over the socket could be recorded or
+controlled by an attacker.</p>
+<script>
+onload = function() {
+    window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html");
+}
+</script>
+</body>
+</html>
index 4cfc06e..f82f302 100644 (file)
@@ -1,3 +1,19 @@
+2015-06-22  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        Web sockets should be treated as active mixed content
+        https://bugs.webkit.org/show_bug.cgi?id=140624
+
+        Reviewed by Sam Weinig.
+
+        Tests: http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe.html
+               http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame.html
+
+        * Modules/websockets/WebSocket.cpp:
+        (WebCore::WebSocket::connect): Block ws:// WebSocket connections from https:// pages, and
+        emit the onerror event after doing so.
+        * platform/SchemeRegistry.cpp:
+        (WebCore::secureSchemes): Add wss:// to the list of secure schemes.
+
 2015-06-22  Dean Jackson  <dino@apple.com>
 
         Element with blur backdrop-filter shows edge duplication and dark edges
index a87e285..bfb4d11 100644 (file)
@@ -56,6 +56,7 @@
 #include <runtime/ArrayBuffer.h>
 #include <runtime/ArrayBufferView.h>
 #include <wtf/HashSet.h>
+#include <wtf/RunLoop.h>
 #include <wtf/StdLibExtras.h>
 #include <wtf/text/CString.h>
 #include <wtf/text/StringBuilder.h>
@@ -278,6 +279,23 @@ void WebSocket::connect(const String& url, const Vector<String>& protocols, Exce
         }
     }
 
+    if (is<Document>(*scriptExecutionContext())) {
+        Document& document = downcast<Document>(*scriptExecutionContext());
+        if (!document.frame()->loader().mixedContentChecker().canRunInsecureContent(document.securityOrigin(), m_url)) {
+            // Balanced by the call to ActiveDOMObject::unsetPendingActivity() in WebSocket::stop().
+            ActiveDOMObject::setPendingActivity(this);
+            // We must block this connection. Instead of throwing an exception, we indicate this
+            // using the error event. But since this code executes as part of the WebSocket's
+            // constructor, we have to wait until the constructor has completed before firing the
+            // event; otherwise, users can't connect to the event.
+            RunLoop::main().dispatch([this]() {
+                dispatchEvent(Event::create(eventNames().errorEvent, false, false));
+                stop();
+            });
+            return;
+        }
+    }
+
     String protocolString;
     if (!protocols.isEmpty())
         protocolString = joinStrings(protocols, subProtocolSeperator());
index 7dc3b2b..d7af482 100644 (file)
@@ -58,6 +58,7 @@ static URLSchemesMap& secureSchemes()
         secureSchemes.add("https");
         secureSchemes.add("about");
         secureSchemes.add("data");
+        secureSchemes.add("wss");
     }
 
     return secureSchemes;