Do not allow HTTP refresh headers to refresh to javascript: URLs
author    ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 1 Apr 2014 19:21:34 +0000 (19:21 +0000)
committer ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 1 Apr 2014 19:21:34 +0000 (19:21 +0000)
commit    a062aef15152aa2eada9b6f11826fee4d46dfd0c
tree      35379a49c877a1202a2058d4978bd05207607a4d
parent    2806d9557dd9c73f1503b1e7137a52c907b67b5a
Do not allow HTTP refresh headers to refresh to javascript: URLs
<http://webkit.org/b/119051>
<rdar://problem/14536453>

Reviewed by Alexey Proskuryakov.

Merged from Blink (patch by tsepez@chromium.org):
https://src.chromium.org/viewvc/blink?revision=153912&view=revision
http://crbug.com/258151

    This behaviour has been standard in IE since IE7.  This makes us both
    more compatible and less vulnerable to XSS.

Source/WebCore:

Tests: http/tests/security/no-javascript-location-percent-escaped.html
       http/tests/security/no-javascript-location.html
       http/tests/security/no-javascript-refresh-percent-escaped.php
       http/tests/security/no-javascript-refresh-spaces.php
       http/tests/security/no-javascript-refresh-static-percent-escaped.html
       http/tests/security/no-javascript-refresh-static-spaces.html
       http/tests/security/no-javascript-refresh-static.html
       http/tests/security/no-javascript-refresh.php

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::receivedFirstData):
- Do not fire meta http refresh for a javascript: URL protocol.

LayoutTests:

* http/tests/security/no-javascript-refresh-expected.txt: Added.
* http/tests/security/no-javascript-refresh-static-expected.txt: Added.
* http/tests/security/no-javascript-refresh-static.html: Added.
* http/tests/security/no-javascript-refresh.php: Added.
- Original Blink layout tests with typos fixed and 'PASS:' text
  added.

* http/tests/security/no-javascript-location.html: Added.
* http/tests/security/no-javascript-location-expected.txt: Added.
* http/tests/security/resources/no-javascript-location.php: Copied from LayoutTests/http/tests/security/no-javascript-refresh.php.
* http/tests/security/no-javascript-location-percent-escaped.html: Added.
* http/tests/security/no-javascript-location-percent-escaped-expected.txt: Added.
* http/tests/security/resources/no-javascript-location-percent-escaped.php: Added.
- Add tests using a javascript: URL in a Location: header.

* http/tests/security/no-javascript-refresh-percent-escaped.php: Copied from LayoutTests/http/tests/security/no-javascript-refresh.php.
* http/tests/security/no-javascript-refresh-percent-escaped-expected.txt: Added.
* http/tests/security/no-javascript-refresh-spaces.php: Copied from LayoutTests/http/tests/security/no-javascript-refresh.php.
* http/tests/security/no-javascript-refresh-spaces-expected.txt: Added.
- Add tests using a percent-escaped javascript: URL and a
  javascript: URL with leading spaces in a Refresh: header from
  a web server.

* http/tests/security/no-javascript-refresh-static-percent-escaped.html: Added.
* http/tests/security/no-javascript-refresh-static-percent-escaped-expected.txt: Added.
* http/tests/security/no-javascript-refresh-static-spaces.html: Added.
* http/tests/security/no-javascript-refresh-static-spaces-expected.txt: Added.
- Add tests using a percent-escaped javascript: URL and a
  javascript: URL with leading spaces in a meta http-equiv tag.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@166600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
22 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/no-javascript-location-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-location-percent-escaped-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-location-percent-escaped.html [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-location.html [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-percent-escaped-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-percent-escaped.php [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-spaces-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-spaces.php [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static-percent-escaped-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static-percent-escaped.html [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static-spaces-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static-spaces.html [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh-static.html [new file with mode: 0644]
LayoutTests/http/tests/security/no-javascript-refresh.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/no-javascript-location-percent-escaped.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/no-javascript-location.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/loader/FrameLoader.cpp
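The commit message above states the policy (a refresh, whether from a Refresh: header or a meta http-equiv tag, must not navigate to a javascript: URL) and lists tests for the spellings an attacker would try: leading spaces and percent-escaped forms. The block below is an added example written for this page, not WebKit's code and not the patch's implementation. It models that policy in C++: a small Refresh value parser, a scheme extractor that sees the URL the way a URL parser would (tabs and newlines removed, leading spaces stripped, scheme compared case-insensitively), and the decision function. The parser grammar, function names and the sample header values are assumptions made for the example.

```cpp
// Added example (not WebKit code): a model of the refresh policy this commit
// describes. parseRefresh() splits a "Refresh:" header value or a
// <meta http-equiv="refresh"> content attribute into delay and target, and
// refreshNavigationTarget() refuses the navigation when the target's scheme is
// javascript. Sample header values are constructed for illustration.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

struct RefreshDirective {
    std::string delay; // delay field as written, e.g. "0" or "5"
    std::string url;   // raw target; empty means "reload the current page"
};

static bool isWs(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Split "5; url=foo", "0;URL='foo'", "0,foo" or "5" into delay and target.
// Assumption: the usual loose grammar (digits, then ';' or ',', then an
// optional case-insensitive url= prefix, optional quotes); not WebKit's parser.
std::optional<RefreshDirective> parseRefresh(const std::string& value)
{
    std::size_t i = 0;
    while (i < value.size() && isWs(value[i])) ++i;
    std::size_t start = i;
    while (i < value.size() && (std::isdigit(static_cast<unsigned char>(value[i])) || value[i] == '.')) ++i;
    if (i == start) return std::nullopt; // no numeric delay: not a refresh directive
    RefreshDirective d;
    d.delay = value.substr(start, i - start);
    while (i < value.size() && isWs(value[i])) ++i;
    if (i == value.size()) return d;     // "5": reload the same document
    if (value[i] != ';' && value[i] != ',') return std::nullopt;
    ++i;
    while (i < value.size() && isWs(value[i])) ++i;
    std::string rest = value.substr(i);
    if (rest.size() >= 4 && std::tolower(static_cast<unsigned char>(rest[0])) == 'u'
        && std::tolower(static_cast<unsigned char>(rest[1])) == 'r'
        && std::tolower(static_cast<unsigned char>(rest[2])) == 'l' && rest[3] == '=')
        rest.erase(0, 4);
    std::size_t j = 0;
    while (j < rest.size() && isWs(rest[j])) ++j;
    rest.erase(0, j);
    if (rest.size() >= 2 && (rest.front() == '"' || rest.front() == '\'') && rest.back() == rest.front())
        rest = rest.substr(1, rest.size() - 2);
    d.url = rest;
    return d;
}

// Scheme of a URL string as a URL parser sees it: ASCII tab, LF and CR are
// removed anywhere, leading C0 controls and spaces are stripped, and the scheme
// is ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) terminated by ':', lowercased.
// Returns "" for a relative reference. "%6Aavascript:" has no valid scheme, so
// it is a relative URL that resolves against the document base, not a
// javascript: URL; the check runs on the parsed scheme, never on a
// percent-decoded copy of the raw bytes.
std::string schemeOf(const std::string& raw)
{
    std::string s;
    for (char c : raw)
        if (c != '\t' && c != '\n' && c != '\r') s += c;
    std::size_t i = 0;
    while (i < s.size() && static_cast<unsigned char>(s[i]) <= 0x20) ++i;
    if (i == s.size() || !std::isalpha(static_cast<unsigned char>(s[i]))) return "";
    std::string scheme;
    for (; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (c == ':') return scheme;
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.')
            scheme += static_cast<char>(std::tolower(c));
        else
            return "";
    }
    return ""; // ran out of input before ':': no scheme
}

bool isJavaScriptURL(const std::string& url) { return schemeOf(url) == "javascript"; }

// The prefix check the layout tests are built to defeat: leading spaces,
// mixed case and embedded tabs all slip past it.
bool naiveIsJavaScriptURL(const std::string& url) { return url.rfind("javascript:", 0) == 0; }

// Policy: the target a refresh may navigate to, or nullopt when the directive
// is invalid or must be ignored because it would execute script.
std::optional<std::string> refreshNavigationTarget(const std::string& headerValue)
{
    std::optional<RefreshDirective> d = parseRefresh(headerValue);
    if (!d) return std::nullopt;
    if (isJavaScriptURL(d->url)) return std::nullopt; // the fix: never run script from a refresh
    return d->url;
}

int main()
{
    // Constructed header values covering the cases named in the test list.
    const char* samples[] = {
        "0; url=javascript:alert(1)",
        "0; url=   JavaScript:alert(1)",
        "0;URL='java\tscript:alert(1)'",
        "0; url=%6Aavascript:alert(1)",
        "5; url=/login",
        "5",
    };
    for (const char* s : samples) {
        std::optional<std::string> target = refreshNavigationTarget(s);
        std::cout << '[' << s << "] -> "
                  << (target ? "navigate to \"" + *target + '"' : std::string("ignored")) << '\n';
    }
    return 0;
}
```

Two points this model makes that the commit's test names only hint at: the comparison must be done on the scheme a URL parser extracts (after its whitespace handling and case folding), not on a string prefix of the header bytes, and a percent-escaped scheme is not a scheme at all, so the safe outcome for that input is an ordinary relative navigation. A real engine resolves that relative form against the document's base URL and applies the javascript: check to the resulting URL object; the same policy, applied to the Location: header, is what the no-javascript-location tests cover.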