Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
author wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 17 Jun 2016 01:10:08 +0000 (01:10 +0000)
committer wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 17 Jun 2016 01:10:08 +0000 (01:10 +0000)
commit 55986027396bcccaa8e0c9b914213082ac0f3b0f
tree 60055fe1a3e50f6a00452481344dd4bd95b8e0ac
parent 5b16a68725332c919f4720185d59a172a2843380
Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
https://bugs.webkit.org/show_bug.cgi?id=158855
<rdar://problem/26142632>

Reviewed by Alex Christensen.

Source/WebCore:

Tests: http/tests/dom/window-open-about-blank-and-access-document.html
       http/tests/dom/window-open-about-webkit-org-and-access-document.html

Document.cpp previously checked whether a document should inherit its owner's
security origin by checking if the URL is either empty or blank. URL.cpp in
turn only checks if the protocol is "about:" in the isBlankURL() function.
Thus all about:* URLs inherited security origin. This patch restricts
security origin inheritance to empty, about:blank, and about:srcdoc URLs.

Quotes and links from the WHATWG spec regarding about:srcdoc:

7.1 Browsing contexts
A browsing context can have a creator browsing context, the browsing context
that was responsible for its creation. If a browsing context has a parent
browsing context, then that is its creator browsing context. Otherwise, if the
browsing context has an opener browsing context, then that is its creator
browsing context. Otherwise, the browsing context has no creator browsing
context.
https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc

7.1.1 Nested browsing contexts
Certain elements (for example, iframe elements) can instantiate further
browsing contexts. These are called nested browsing contexts. If a browsing
context P has a Document D with an element E that nests another browsing
context C inside it, then C is said to be nested through D, and E is said to
be the browsing context container of C. If the browsing context container
element E is in the Document D, then P is said to be the parent browsing
context of C and C is said to be a child browsing context of P. Otherwise,
the nested browsing context C has no parent browsing context.
https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context

4.8.5 The iframe element
The iframe element represents a nested browsing context.
...
If the srcdoc attribute is specified
    Navigate the element's child browsing context to a new response whose
    url list consists of about:srcdoc ...
https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-srcdoc

* dom/Document.cpp:
(WebCore::Document::initSecurityContext):
    Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
(WebCore::Document::initContentSecurityPolicy):
    Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
(WebCore::shouldInheritSecurityOriginFromOwner): Deleted.
    Moved to URL::shouldInheritSecurityOriginFromOwner() and restricted the check.
* platform/URL.cpp:
(WebCore::URL::shouldInheritSecurityOriginFromOwner):
* platform/URL.h:
    Moved the function from Document and restricted the check to only allow
    security origin inheritance for empty, about:blank, and about:srcdoc URLs.

LayoutTests:

* http/tests/dom/window-open-about-blank-and-access-document-expected.txt: Added.
* http/tests/dom/window-open-about-blank-and-access-document.html: Added.
* http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt: Added.
* http/tests/dom/window-open-about-webkit-org-and-access-document.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202151 268f45cc-cd09-0410-ab3c-d52691b4dbfc
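The inheritance rule the commit message describes, as an added example that is not WebKit's code: a small stand-alone C++ model of the check before and after the patch. Function and helper names are invented, the sample URLs are constructed, and the handling of scheme case and of query/fragment is this model's own assumption (stated in the comments), not a statement about WebKit's exact string handling. The point it makes visible is which URLs stop inheriting the owner's security origin, i.e. which windows an opener can no longer script as if they were same-origin.

```cpp
// Added example (not WebKit's code): a stand-alone model of the check this
// commit narrows, which decides whether a new document inherits its owner's
// security origin. The two rules below reproduce the behaviour the commit
// message describes before and after the patch; all names here are made up.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Assumption of this model: the scheme is compared case-insensitively (URL
// parsing normally lower-cases it), while the about: path is compared exactly.
static std::string lowerAscii(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

struct ParsedUrl {
    std::string scheme; // lower-cased; empty if the string has no "scheme:" prefix
    std::string path;   // text after the colon, with any "?query" or "#fragment" dropped
};

static ParsedUrl parseUrl(const std::string& url) {
    ParsedUrl p;
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos)
        return p;
    p.scheme = lowerAscii(url.substr(0, colon));
    std::string rest = url.substr(colon + 1);
    std::string::size_type cut = rest.find_first_of("?#");
    p.path = (cut == std::string::npos) ? rest : rest.substr(0, cut);
    return p;
}

// Before the patch: "blank" meant any URL whose protocol is about:, so every
// about:* URL (about:webkit.org included) inherited the owner's origin.
bool inheritsOriginBeforePatch(const std::string& url) {
    return url.empty() || parseUrl(url).scheme == "about";
}

// After the patch: only the empty URL, about:blank and about:srcdoc inherit.
// Query and fragment are ignored here, following the HTML spec's
// "matches about:blank" wording (an assumption of this model).
bool inheritsOriginAfterPatch(const std::string& url) {
    if (url.empty())
        return true;
    ParsedUrl p = parseUrl(url);
    return p.scheme == "about" && (p.path == "blank" || p.path == "srcdoc");
}

// URLs whose classification the patch changed: they used to inherit the
// owner's origin and no longer do. Under the old rule an opener could script
// a window it opened on any of these as if the window were same-origin.
std::vector<std::string> urlsNoLongerInheriting(const std::vector<std::string>& urls) {
    std::vector<std::string> changed;
    for (const std::string& url : urls) {
        if (inheritsOriginBeforePatch(url) && !inheritsOriginAfterPatch(url))
            changed.push_back(url);
    }
    return changed;
}

// Constructed sample input: the two URLs the layout tests use plus edge cases.
const std::vector<std::string> kSampleUrls = {
    "", "about:blank", "about:srcdoc", "ABOUT:blank", "about:blank#frag",
    "about:webkit.org", "about:config", "http://127.0.0.1:8000/",
};

int main() {
    std::printf("%-26s %-9s %-9s\n", "url", "before", "after");
    for (const std::string& url : kSampleUrls) {
        std::printf("%-26s %-9s %-9s\n", url.empty() ? "(empty)" : url.c_str(),
                    inheritsOriginBeforePatch(url) ? "inherit" : "separate",
                    inheritsOriginAfterPatch(url) ? "inherit" : "separate");
    }
    return 0;
}
```

Build with `g++ -std=c++11 origin_inherit.cpp && ./a.out`; the printed table shows `about:webkit.org` and `about:config` flipping from `inherit` to `separate`, which is exactly the case the second layout test (`window-open-about-webkit-org-and-access-document.html`) exercises, while `about:blank` and `about:srcdoc` keep inheriting so `srcdoc` iframes and `window.open()` with no URL still behave as the spec quotes above require.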
LayoutTests/ChangeLog
LayoutTests/http/tests/dom/window-open-about-blank-and-access-document-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/dom/window-open-about-blank-and-access-document.html [new file with mode: 0644]
LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/platform/URL.cpp
Source/WebCore/platform/URL.h