Access to service workers / Cache API should be disabled in sandboxed frames without...
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 Jan 2018 23:09:38 +0000 (23:09 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 Jan 2018 23:09:38 +0000 (23:09 +0000)
https://bugs.webkit.org/show_bug.cgi?id=182140
<rdar://problem/36879952>

Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

Rebaseline several WPT tests that either pass or fail differently.

* web-platform-tests/service-workers/cache-storage/window/sandboxed-iframes.https-expected.txt:
* web-platform-tests/service-workers/service-worker/sandboxed-iframe-navigator-serviceworker.https-expected.txt:

Source/WebCore:

Throw a SecurityError when accessing navigator.serviceWorker or window.caches inside a sandboxed iframe
without the allow-same-origin flag. This behavior is consistent with Chrome. Firefox, however, seems
to return these objects but have their API reject promises with a SecurityError instead.

No new tests, rebaselined existing tests.

* Modules/cache/DOMWindowCaches.cpp:
(WebCore::DOMWindowCaches::caches): Deleted.
* Modules/cache/DOMWindowCaches.h:
* Modules/cache/DOMWindowCaches.idl:
* page/NavigatorBase.cpp:
* page/NavigatorBase.h:
* page/NavigatorServiceWorker.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227639 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/service-workers/cache-storage/window/sandboxed-iframes.https-expected.txt
LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/sandboxed-iframe-navigator-serviceworker.https-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/Modules/cache/DOMWindowCaches.cpp
Source/WebCore/Modules/cache/DOMWindowCaches.h
Source/WebCore/Modules/cache/DOMWindowCaches.idl
Source/WebCore/page/NavigatorBase.cpp
Source/WebCore/page/NavigatorBase.h
Source/WebCore/page/NavigatorServiceWorker.idl

index 7a9227d..d6b8603 100644 (file)
@@ -1,5 +1,18 @@
 2018-01-25  Chris Dumez  <cdumez@apple.com>
 
+        Access to service workers / Cache API should be disabled in sandboxed frames without allow-same-origin flag
+        https://bugs.webkit.org/show_bug.cgi?id=182140
+        <rdar://problem/36879952>
+
+        Reviewed by Youenn Fablet.
+
+        Rebaseline several WPT test that either pass or fail differently.
+
+        * web-platform-tests/service-workers/cache-storage/window/sandboxed-iframes.https-expected.txt:
+        * web-platform-tests/service-workers/service-worker/sandboxed-iframe-navigator-serviceworker.https-expected.txt:
+
+2018-01-25  Chris Dumez  <cdumez@apple.com>
+
         Clients.get(id) should only returns clients in the service worker's origin
         https://bugs.webkit.org/show_bug.cgi?id=182149
         <rdar://problem/36882310>
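Review bot: "Rebaseline several WPT test that either pass or fail differently" should read "tests"; the entry otherwise matches the two rebaselined expectation files listed below it.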
index fc6b9bd..a71da23 100644 (file)
@@ -1,5 +1,5 @@
 
 
 PASS Sandboxed iframe with allow-same-origin is allowed access 
-FAIL Sandboxed iframe without allow-same-origin is denied access assert_equals: Access should be denied if sandbox lacks allow-same-origin expected "denied" but got "allowed"
+FAIL Sandboxed iframe without allow-same-origin is denied access assert_equals: Access should be denied if sandbox lacks allow-same-origin expected "denied" but got "unexpecteddenied"
 
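Review bot: this test still reports FAIL after the change; the observed value moved from "allowed" to "unexpecteddenied", so access is now blocked but reported through a path the WPT test does not expect (the commit message itself notes that Firefox rejects promises rather than throwing on property access). Record in the ChangeLog why this remains a failure and whether a follow-up on the WPT test or on WebKit's behaviour is planned, so the rebaselined FAIL is not mistaken for an accepted result.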
index 6e707df..3f2f298 100644 (file)
@@ -1,6 +1,6 @@
 
 PASS Accessing navigator.serviceWorker in normal iframe should not throw. 
-FAIL Accessing navigator.serviceWorker in sandboxed iframe should throw. assert_equals: expected "navigator.serviceWorker failed: SecurityError" but got "ok"
+PASS Accessing navigator.serviceWorker in sandboxed iframe should throw. 
 PASS Accessing navigator.serviceWorker in sandboxed iframe with allow-same-origin flag should not throw. 
 FAIL Switching iframe sandbox attribute while loading the iframe assert_equals: expected "navigator.serviceWorker failed: SecurityError" but got "ok"
 
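Review bot: the last case, "Switching iframe sandbox attribute while loading the iframe", still returns "ok" where a SecurityError is expected. That is consistent with the new check reading the document's sandbox flags, which may not reflect a sandbox attribute changed while the frame is still loading. A bug reference for that remaining failure would help, since the rebaseline otherwise records it as expected.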
index 4274882..1728922 100644 (file)
@@ -1,5 +1,27 @@
 2018-01-25  Chris Dumez  <cdumez@apple.com>
 
+        Access to service workers / Cache API should be disabled in sandboxed frames without allow-same-origin flag
+        https://bugs.webkit.org/show_bug.cgi?id=182140
+        <rdar://problem/36879952>
+
+        Reviewed by Youenn Fablet.
+
+        Throw a SecurityError when accessing navigator.serviceWorker or window.caches inside a sandboxed iframe
+        without the allow-same-origin flag. This behavior is consistent with Chrome. Firefox, however, seems
+        to return these objects but have their API reject promises with a SecurityError instead.
+
+        No new tests, rebaselined existing tests.
+
+        * Modules/cache/DOMWindowCaches.cpp:
+        (WebCore::DOMWindowCaches::caches): Deleted.
+        * Modules/cache/DOMWindowCaches.h:
+        * Modules/cache/DOMWindowCaches.idl:
+        * page/NavigatorBase.cpp:
+        * page/NavigatorBase.h:
+        * page/NavigatorServiceWorker.idl:
+
+2018-01-25  Chris Dumez  <cdumez@apple.com>
+
         Clients.get(id) should only returns clients in the service worker's origin
         https://bugs.webkit.org/show_bug.cgi?id=182149
         <rdar://problem/36882310>
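Review bot: the entry lists "(WebCore::DOMWindowCaches::caches): Deleted.", but the function was not removed; its signature changed to take a ScriptExecutionContext and return ExceptionOr<DOMCacheStorage*> (see the DOMWindowCaches.cpp hunk). Replace the auto-generated "Deleted" line with a description of the new signature and the sandbox check, and add the same for NavigatorBase::serviceWorker(ScriptExecutionContext&), which this entry does not mention at all.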
index ab078a4..e0b9109 100644 (file)
@@ -56,8 +56,11 @@ DOMWindowCaches* DOMWindowCaches::from(DOMWindow* window)
     return supplement;
 }
 
-DOMCacheStorage* DOMWindowCaches::caches(DOMWindow& window)
+ExceptionOr<DOMCacheStorage*> DOMWindowCaches::caches(ScriptExecutionContext& context, DOMWindow& window)
 {
+    if (downcast<Document>(context).isSandboxed(SandboxOrigin))
+        return Exception { SecurityError, "Cache storage is disabled because the context is sandboxed and lacks the 'allow-same-origin' flag" };
+
     if (!window.isCurrentlyDisplayedInFrame())
         return nullptr;
 
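Review bot: `downcast<Document>(context)` is applied without an `is<Document>` check, while the parallel NavigatorBase::serviceWorker overload guards with `is<Document>(context) &&`. For a DOMWindow attribute the context should always be a Document, so the downcast is justified, but a short comment or ASSERT stating that invariant would make the asymmetry intentional rather than accidental. Placing the sandbox check ahead of the `isCurrentlyDisplayedInFrame()` early return is the right order: a sandboxed document gets the SecurityError even when it is not displayed, rather than a silent nullptr.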
index 81d225f..0ae9468 100644 (file)
 #pragma once
 
 #include "DOMWindowProperty.h"
+#include "ExceptionOr.h"
 #include "Supplementable.h"
 
 namespace WebCore {
 
 class DOMWindow;
 class DOMCacheStorage;
+class ScriptExecutionContext;
 
 class DOMWindowCaches : public Supplement<DOMWindow>, public DOMWindowProperty {
 public:
     explicit DOMWindowCaches(DOMWindow*);
 
     static DOMWindowCaches* from(DOMWindow*);
-    static DOMCacheStorage* caches(DOMWindow&);
+    static ExceptionOr<DOMCacheStorage*> caches(ScriptExecutionContext&, DOMWindow&);
 
 private:
     static const char* supplementName();
index eaf59cd..17976e6 100644 (file)
@@ -26,5 +26,5 @@
 [
     EnabledAtRuntime=CacheAPI,
 ] partial interface DOMWindow {
-    [SecureContext, SameObject] readonly attribute DOMCacheStorage caches;
+    [CallWith=ScriptExecutionContext, MayThrowException, SecureContext, SameObject] readonly attribute DOMCacheStorage caches;
 };
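Review bot: the C++ getter still returns nullptr when `!window.isCurrentlyDisplayedInFrame()`, yet the IDL declares `DOMCacheStorage caches` as non-nullable; that mismatch predates this change, but it is worth noting now that the attribute is `MayThrowException`, since a thrown SecurityError and a null return are two distinct denial paths visible to script.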
index 979eea5..452df00 100644 (file)
@@ -153,6 +153,13 @@ ServiceWorkerContainer& NavigatorBase::serviceWorker()
 {
     return m_serviceWorkerContainer;
 }
+
+ExceptionOr<ServiceWorkerContainer&> NavigatorBase::serviceWorker(ScriptExecutionContext& context)
+{
+    if (is<Document>(context) && downcast<Document>(context).isSandboxed(SandboxOrigin))
+        return Exception { SecurityError, "Service Worker is disabled because the context is sandboxed and lacks the 'allow-same-origin' flag" };
+    return m_serviceWorkerContainer.get();
+}
 #endif
 
 } // namespace WebCore
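Review bot: the `is<Document>(context)` guard implies this overload can be reached with a non-Document context, unlike DOMWindowCaches::caches, which downcasts unconditionally; a one-line comment naming that case would document why the two checks differ. Returning `m_serviceWorkerContainer.get()` here while the original accessor returns `m_serviceWorkerContainer` directly is fine, as both yield the same reference.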
index 84b464d..838d200 100644 (file)
@@ -25,6 +25,7 @@
 
 #pragma once
 
+#include "ExceptionOr.h"
 #include <wtf/Forward.h>
 #include <wtf/RefCounted.h>
 #include <wtf/UniqueRef.h>
@@ -61,6 +62,7 @@ protected:
 #if ENABLE(SERVICE_WORKER)
 public:
     ServiceWorkerContainer& serviceWorker();
+    ExceptionOr<ServiceWorkerContainer&> serviceWorker(ScriptExecutionContext&);
 
 private:
     UniqueRef<ServiceWorkerContainer> m_serviceWorkerContainer;
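Review bot: the unchecked `serviceWorker()` accessor stays public next to the new `serviceWorker(ScriptExecutionContext&)` overload, so any caller that keeps using the no-argument form bypasses the sandbox check. If it is only needed internally, make it private (or rename it) so the checked overload is the only public entry point; otherwise list its remaining callers in the ChangeLog.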
index 0c31178..f740a11 100644 (file)
@@ -28,5 +28,5 @@
     Conditional=SERVICE_WORKER,
     EnabledAtRuntime=ServiceWorker
 ] interface NavigatorServiceWorker {
-    [SecureContext, ContextHasServiceWorkerScheme, SameObject] readonly attribute ServiceWorkerContainer serviceWorker;
+    [CallWith=ScriptExecutionContext, MayThrowException, SecureContext, ContextHasServiceWorkerScheme, SameObject] readonly attribute ServiceWorkerContainer serviceWorker;
 };