XMLHttpRequest should not treat file URLs as same origin
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Nov 2017 00:46:33 +0000 (00:46 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Nov 2017 00:46:33 +0000 (00:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=178565
<rdar://problem/11115901>

Reviewed by Daniel Bates.

Source/WebCore:

Based on a Blink patch by <jannhorn@googlemail.com>.
https://chromium.googlesource.com/chromium/src/+/c362e001551abc2bea392773f32eaf043d8bc29f

Test: security/cannot-read-self-from-file.html

* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::passesFileCheck const): Do not treat file as same-origin.

LayoutTests:

* security/cannot-read-self-from-file-expected.txt: Added.
* security/cannot-read-self-from-file.html: Added.
* security/resources/cannot-read-self-from-file.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224609 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/security/cannot-read-self-from-file-expected.txt [new file with mode: 0644]
LayoutTests/security/cannot-read-self-from-file.html [new file with mode: 0644]
LayoutTests/security/resources/cannot-read-self-from-file.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/SecurityOrigin.cpp

index 5e3d379..2ec598c 100644 (file)
@@ -1,3 +1,15 @@
+2017-11-08  Brent Fulgham  <bfulgham@apple.com>
+
+        XMLHttpRequest should not treat file URLs as same origin
+        https://bugs.webkit.org/show_bug.cgi?id=178565
+        <rdar://problem/11115901>
+
+        Reviewed by Daniel Bates.
+
+        * security/cannot-read-self-from-file-expected.txt: Added.
+        * security/cannot-read-self-from-file.html: Added.
+        * security/resources/cannot-read-self-from-file.html: Added.
+
 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
diff --git a/LayoutTests/security/cannot-read-self-from-file-expected.txt b/LayoutTests/security/cannot-read-self-from-file-expected.txt
new file mode 100644 (file)
index 0000000..829f8f3
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 8: XMLHttpRequest cannot load cannot-read-self-from-file.html. Cross origin requests are only supported for HTTP.
+ Documents loaded from file: shouldn't be able to access themselves via XHR.
+
+PASS file: should be a unique-origin protocol for XHR purposes 
+
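Review bot: the first expectation line pins both the exact loader error text ("Cross origin requests are only supported for HTTP.") and a script line number, `line 8`, which is the `req.send();` line of resources/cannot-read-self-from-file.html, so any whitespace or ordering edit in that resource file's `<head>`, or a rewording of the loader message, turns this test into a text mismatch that has nothing to do with the origin check. Since the verdict is already carried by the testharness `PASS file: should be a unique-origin protocol for XHR purposes` line, consider keeping only that line (and the body text) in the expectation, or at least mention the dependency on the console message in the ChangeLog so the next person to touch the error string knows why this test moves.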
diff --git a/LayoutTests/security/cannot-read-self-from-file.html b/LayoutTests/security/cannot-read-self-from-file.html
new file mode 100644 (file)
index 0000000..0df56f4
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<script>
+testRunner.setAllowUniversalAccessFromFileURLs(false);
+testRunner.setAllowFileAccessFromFileURLs(false);
+
+var t = async_test('file: should be a unique-origin protocol for XHR purposes');
+window.addEventListener('message', t.step_func(function(evt) {
+    assert_equals(evt.data, 'SUCCESS');
+    t.done();
+}));
+</script>
+</head>
+<body>
+<iframe src="resources/cannot-read-self-from-file.html"></iframe>
+Documents loaded from file: shouldn't be able to access themselves via XHR.
+</body>
+</html>
\ No newline at end of file
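Review bot: the two `testRunner.setAllow...FromFileURLs(false)` calls are unguarded, so opening this page in a plain browser (or any harness without `testRunner`) throws a ReferenceError before `async_test` is even registered and the test reports nothing useful; the usual `if (window.testRunner) { ... }` guard fixes that. Related: the test is only meaningful when the document itself is loaded from a `file:` URL, yet nothing checks that, so a run served over HTTP would fail with an unexplained `FAIL` from the frame. Adding `assert_equals(location.protocol, 'file:')` inside the message handler (or before registering the test) makes that failure mode self-explanatory. Minor: the file lacks a trailing newline.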
diff --git a/LayoutTests/security/resources/cannot-read-self-from-file.html b/LayoutTests/security/resources/cannot-read-self-from-file.html
new file mode 100644 (file)
index 0000000..a13cea7
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+var req = new XMLHttpRequest();
+req.open('GET', location);
+try {
+    req.send();
+} catch (e) {
+    window.parent.postMessage(e.name, '*');
+}
+
+if (req.responseText == "")
+    window.parent.postMessage('SUCCESS', '*');
+else
+    window.parent.postMessage('FAIL', '*');
+</script>
+</head>
+<body>
+Documents loaded from file: shouldn't be able to access themselves via XHR.
+</body>
+</html>
\ No newline at end of file
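Review bot: the verdict cannot distinguish a fixed build from an unfixed one. `req.open('GET', location)` uses the two-argument form, which is asynchronous, so `req.responseText == ""` is evaluated right after `send()` returns, before any response could have arrived; on a build that still treats the file as same-origin the load succeeds later, but the frame has already posted `SUCCESS`. Either make the request synchronous (`req.open('GET', location, false)`) so that a successful self-read populates `responseText` before the comparison, or move the decision into handlers: `req.onload = () => window.parent.postMessage('FAIL', '*'); req.onerror = () => window.parent.postMessage('SUCCESS', '*');`. Note that with the synchronous variant a blocked request surfaces as an exception from `send()`, and the `catch` block currently posts `e.name`, which the parent compares against `'SUCCESS'` and rejects; that branch would then need to post `SUCCESS` instead. Minor: the file lacks a trailing newline.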
index 73b8a7f..a1df0d2 100644 (file)
@@ -1,3 +1,19 @@
+2017-11-08  Brent Fulgham  <bfulgham@apple.com>
+
+        XMLHttpRequest should not treat file URLs as same origin
+        https://bugs.webkit.org/show_bug.cgi?id=178565
+        <rdar://problem/11115901>
+
+        Reviewed by Daniel Bates.
+
+        Based on a Blink patch by <jannhorn@googlemail.com>.
+        https://chromium.googlesource.com/chromium/src/+/c362e001551abc2bea392773f32eaf043d8bc29f
+
+        Test: security/cannot-read-self-from-file.html
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::passesFileCheck const): Do not treat file as same-origin.
+
 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
 
         HTMLMediaElement should not use element fullscreen on iOS
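Review bot: the description "Do not treat file as same-origin" overstates what the SecurityOrigin.cpp change does. After the change `passesFileCheck` still returns true whenever neither origin has `m_enforceFilePathSeparation` set (the AllowFileAccessFromFileURLs configuration); what is removed is only the fallback that declared two file origins same-origin because their file paths matched. Something like "When file path separation is enforced, do not treat two file: origins as same-origin even if they refer to the same path" would tell a future reader exactly which case changed.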
index 6ad6311..53c99c5 100644 (file)
@@ -283,10 +283,7 @@ bool SecurityOrigin::passesFileCheck(const SecurityOrigin& other) const
 {
     ASSERT(isLocal() && other.isLocal());
 
-    if (!m_enforceFilePathSeparation && !other.m_enforceFilePathSeparation)
-        return true;
-
-    return (m_filePath == other.m_filePath);
+    return !m_enforceFilePathSeparation && !other.m_enforceFilePathSeparation;
 }
 
 bool SecurityOrigin::canRequest(const URL& url) const
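Review bot: the new single-line return no longer reads `m_filePath` at all, so the function has become a pure policy check and its name and the preceding `ASSERT(isLocal() && other.isLocal())` no longer hint at why a document is refused access to its own URL. A short comment above the return, noting that two `file:` origins with identical paths are deliberately not same-origin once either side enforces path separation (as in the referenced Blink change), would save the next reader a trip to bug 178565. Also worth checking whether `m_filePath` still has any other users in SecurityOrigin; if this was the last one, the member and its initialization can go in the same or a follow-up change.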