https://bugs.webkit.org/show_bug.cgi?id=147044
rdar://problem/
21567820
Reviewed by Brady Eidson.
Source/WebCore:
In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
this change does the following:
- Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
- Disables processing of <meta http-equiv> elements.
- Disables loading of cross-origin subframes.
Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
(WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
(WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
(WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
and the document was fetched as an attachment.
* dom/Document.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
only continue if the parent frame's SecurityOrigin allows the request.
* page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
Source/WebKit/mac:
* WebView/WebView.mm:
(-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
Source/WebKit2:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
Tools:
* WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
(WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
This matches the behavior of DumpRenderTree.
LayoutTests:
* http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
* http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186982
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
+
2015-07-17 Zalan Bujtas <zalan@apple.com>
(display: block)input range's thumb disappears when moved.
--- /dev/null
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
--- /dev/null
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/cross-origin-frames-frame.php"></iframe>
--- /dev/null
+CONSOLE MESSAGE: line 21: Blocked form submission to 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/form-submission-frame.php' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
+This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
--- /dev/null
+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ window.addEventListener('load', function() {
+ // Due to the sandbox, it's not possible to run script in the iframe or even access its contentDocument.
+ // Submit the form by clicking its button with synthetic mouse events.
+ var iframeRect = document.getElementsByTagName('iframe')[0].getClientRects()[0];
+ var submitButtonRect = document.getElementById('submitButtonForMetrics').getClientRects()[0];
+
+ // This assumes that the iframe has no border, and its document's body has no margin.
+ var x = iframeRect.left + submitButtonRect.width / 2;
+ var y = iframeRect.top + submitButtonRect.height / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ testRunner.notifyDone();
+ });
+}
+</script>
+<p>This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe style="border: 0px" src="resources/form-submission-frame.php"></iframe>
+<input style="visibility: hidden" id="submitButtonForMetrics" type="submit">
--- /dev/null
+CONSOLE MESSAGE: line 2: http-equiv 'refresh' is disabled for documents with Content-Disposition: attachment.
+This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
--- /dev/null
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/http-equiv-frame.php"></iframe>
--- /dev/null
+<!DOCTYPE html>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the <iframe> below if the test passes.</p>
+<iframe srcdoc="<!DOCTYPE html>PASS"></iframe>
--- /dev/null
+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+
+ // The doubly-nested setTimeout() is meant to account for two timers in the object fallback content rendering process.
+ // We can't rely on object's onerror event since we cannot run script in the sandboxed frame, so we must wait for the
+ // post-layout timer followed by the embedded objects update timer to ensure that fallback content has been rendered.
+ window.addEventListener('load', function() {
+ window.setTimeout(function() {
+ window.setTimeout(function() {
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ });
+}
+</script>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the <iframe> below if the test passes.</p>
+<iframe src="resources/plugins-frame.php"></iframe>
--- /dev/null
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<iframe src="data:text/html,FAIL"></iframe>
--- /dev/null
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+body {
+ margin: 0px;
+}
+</style>
+<form>
+<input type="submit">
+</form>
--- /dev/null
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<meta http-equiv="refresh" content="0; url=data:text/html,FAIL">
--- /dev/null
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<object type="application/x-webkit-test-netscape">PASS</object>
--- /dev/null
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<script>
+document.write('FAIL');
+</script>
--- /dev/null
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/scripts-frame.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
--- /dev/null
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/scripts-frame.php"></iframe>
+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
+ this change does the following:
+
+ - Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
+ - Disables processing of <meta http-equiv> elements.
+ - Disables loading of cross-origin subframes.
+
+ Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
+ http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
+ http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
+ http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
+ http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
+ (WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
+ (WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
+ (WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
+ and the document was fetched as an attachment.
+ * dom/Document.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
+ only continue if the parent frame's SecurityOrigin allows the request.
+ * page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
+
2015-07-17 Zalan Bujtas <zalan@apple.com>
(display: block)input range's thumb disappears when moved.
{
ASSERT(!equiv.isNull() && !content.isNull());
- if (page() && !page()->settings().httpEquivEnabled())
+ HttpEquivPolicy policy = httpEquivPolicy();
+ if (policy != HttpEquivPolicy::Enabled) {
+ String reason;
+ switch (policy) {
+ case HttpEquivPolicy::Enabled:
+ ASSERT_NOT_REACHED();
+ break;
+ case HttpEquivPolicy::DisabledBySettings:
+ reason = "by the embedder.";
+ break;
+ case HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox:
+ reason = "for documents with Content-Disposition: attachment.";
+ break;
+ }
+ String message = "http-equiv '" + equiv + "' is disabled " + reason;
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
return;
+ }
Frame* frame = this->frame();
setCookieURL(m_url);
enforceSandboxFlags(m_frame->loader().effectiveSandboxFlags());
-#if PLATFORM(IOS)
- // On iOS we display attachments inline regardless of whether the response includes
- // the HTTP header "Content-Disposition: attachment". So, we enforce a unique
- // security origin for such documents. As an optimization, we don't need to parse
- // the responde header (i.e. call ResourceResponse::isAttachment()) for a synthesized
- // document because such documents cannot be an attachment.
- if (!m_isSynthesized && m_frame->loader().activeDocumentLoader()->response().isAttachment())
- enforceSandboxFlags(SandboxOrigin);
-#endif
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ enforceSandboxFlags(SandboxAll);
setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
DebugPageOverlays::didChangeEventHandlers(*frame);
}
+HttpEquivPolicy Document::httpEquivPolicy() const
+{
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ return HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox;
+ if (page() && !page()->settings().httpEquivEnabled())
+ return HttpEquivPolicy::DisabledBySettings;
+ return HttpEquivPolicy::Enabled;
+}
+
static bool removeHandlerFromSet(EventTargetSet& handlerSet, Node& node, EventHandlerRemoval removal)
{
switch (removal) {
return ShouldOpenExternalURLsPolicy::ShouldNotAllow;
}
+bool Document::shouldEnforceContentDispositionAttachmentSandbox() const
+{
+ if (m_isSynthesized)
+ return false;
+
+ bool contentDispositionAttachmentSandboxEnabled = settings() && settings()->contentDispositionAttachmentSandboxEnabled();
+ bool responseIsAttachment = false;
+ if (DocumentLoader* documentLoader = m_frame ? m_frame->loader().activeDocumentLoader() : nullptr)
+ responseIsAttachment = documentLoader->response().isAttachment();
+
+ return contentDispositionAttachmentSandboxEnabled && responseIsAttachment;
+}
+
} // namespace WebCore
enum DimensionsCheck { WidthDimensionsCheck = 1 << 0, HeightDimensionsCheck = 1 << 1, AllDimensionsCheck = 1 << 2 };
+enum class HttpEquivPolicy {
+ Enabled,
+ DisabledBySettings,
+ DisabledByContentDispositionAttachmentSandbox
+};
+
class Document : public ContainerNode, public TreeScope, public ScriptExecutionContext, public FontSelectorClient {
public:
static Ref<Document> create(Frame* frame, const URL& url)
#endif
ShouldOpenExternalURLsPolicy shouldOpenExternalURLsPolicyToPropagate() const;
+ bool shouldEnforceContentDispositionAttachmentSandbox() const;
protected:
enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
void wheelEventHandlersChanged();
+ HttpEquivPolicy httpEquivPolicy() const;
+
// DOM Cookies caching.
const String& cachedDOMCookies() const { return m_cachedDOMCookies; }
void setCachedDOMCookies(const String&);
// any URL.
switch (type) {
case CachedResource::MainResource:
+ if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+ if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+ }
+ FALLTHROUGH;
case CachedResource::ImageResource:
case CachedResource::CSSStyleSheet:
case CachedResource::Script:
newBlockInsideInlineModelEnabled initial=false, setNeedsStyleRecalcInAllFrames=1
httpEquivEnabled initial=true
+
+# Some ports (e.g. iOS) might choose to display attachments inline, regardless of whether the response includes the
+# HTTP header "Content-Disposition: attachment". This setting enables a sandbox around these attachments. The sandbox
+# enforces all frame sandbox flags (see enum SandboxFlag in SecurityContext.h), and also disables <meta http-equiv>
+# processing and subframe loading.
+contentDispositionAttachmentSandboxEnabled initial=false
+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebView/WebView.mm:
+ (-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
+
2015-07-16 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: [Mac] Save dialog not working when inspector is docked
_private->page->setDeviceScaleFactor([self _deviceScaleFactor]);
#endif
+
+#if PLATFORM(IOS)
+ _private->page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
}
- (id)_initWithFrame:(NSRect)f frameName:(NSString *)frameName groupName:(NSString *)groupName
+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
+
2015-07-17 Tim Horton <timothy_horton@apple.com>
[iOS] TextIndicator has a large forehead when line-height > 1
scaleView(parameters.viewScaleFactor);
m_page->setUserContentExtensionsEnabled(parameters.userContentExtensionsEnabled);
+
+#if PLATFORM(IOS)
+ m_page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
}
void WebPage::reinitializeWebPage(const WebPageCreationParameters& parameters)
+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
+ (WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
+ This matches the behavior of DumpRenderTree.
+
2015-07-17 Benjamin Poulain <bpoulain@apple.com>
[Content Extensions] Term::isUniversalTransition() incorrectly expects the end-of-line assertion in character sets
WKBundlePagePolicyAction InjectedBundlePage::decidePolicyForResponse(WKBundlePageRef page, WKBundleFrameRef, WKURLResponseRef response, WKURLRequestRef, WKTypeRef*)
{
- if (WKURLResponseIsAttachment(response)) {
+ if (InjectedBundle::singleton().testRunner()->isPolicyDelegateEnabled() && WKURLResponseIsAttachment(response)) {
StringBuilder stringBuilder;
WKRetainPtr<WKStringRef> filename = adoptWK(WKURLResponseCopySuggestedFilename(response));
stringBuilder.appendLiteral("Policy delegate: resource is an attachment, suggested file name \'");