Don't expose raw HTML in pasteboard to the web content
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Oct 2017 05:44:33 +0000 (05:44 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Oct 2017 05:44:33 +0000 (05:44 +0000)
commit aa07ea3170414d225b48424b101ef71c3475bf5f
tree 578643b4a7b1bfd208f83bda1b069e459963c57a
parent d4e87e8e488d36380cb26b0b26ee3e1794e12b17
Don't expose raw HTML in pasteboard to the web content
https://bugs.webkit.org/show_bug.cgi?id=178422
Source/WebCore:

<rdar://problem/34567052>

Reviewed by Wenson Hsieh.

This patch enables HTML sanitization added in r223440 when WebKit pastes & concludes edit drag as opposed to
just when dataTransfer.get is used. This is important to avoid leaking privacy sensitive information such as
local file paths and pasting potentially harmful content such as scripts in event handler serialized by
WebKit prior to r223462. In addition, we start using blob URLs in the pasted content instead of retaining
the original URL and overriding the document loader like r222839 for RTFD and r222119 for image files.

To do this, a new superclass FrameWebContentReader of PasteboardWebContentReader and WebContentMarkupReader
is introduced, and helper functions are extracted out of WebContentMarkupReader in WebContentReaderCocoa.mm
to be also used in WebContentReader.

Tests: http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-across-origin.html
       http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-in-same-origin.html
       http/tests/security/clipboard/drag-drop-html-cross-origin-iframe-in-same-origin.html
       PasteWebArchive.SanitizesHTML

* editing/WebContentReader.cpp:
(WebCore::FrameWebContentReader::shouldSanitize const): Moved from WebContentMarkupReader.
* editing/WebContentReader.h:
(WebCore::FrameWebContentReader): Added to share code between WebContentReader and WebContentMarkupReader.
(WebCore::FrameWebContentReader::FrameWebContentReader): Added.
* editing/cocoa/EditorCocoa.mm:
(WebCore::Editor::writeSelectionToPasteboard): Store the content's origin in the pasteboard so that we can
avoid sanitizing the content when pasting into the same document. This is important since converting all URLs
into blob URLs would break editors on the Web which track images, etc. in the content using URLs.
(WebCore::Editor::writeSelection): Ditto.
* editing/cocoa/WebContentReaderCocoa.mm:
(WebCore::MarkupAndArchive): Replaced FragmentAndArchive. Now returns the markup string in the archive
instead of the parsed fragment.
(WebCore::extractMarkupAndArchive): Renamed from createFragmentFromWebArchive. Now returns the markup string.
(WebCore::sanitizeMarkupWithArchive): Extracted out of WebContentMarkupReader::readWebArchive to share code
between WebContentReader and WebContentMarkupReader, and added the code to handle subframes recursively.
As inefficient as this code is, we can't delay the conversion of subframes' markup until a later time since
the main frame's markup would contain blob URLs to refer to those subframes.
(WebCore::WebContentReader::readWebArchive): Use sanitizeMarkupWithArchive when shouldSanitize() is true.
Don't add the subresources to the document loader when the content will be loaded into the same origin since
subresources are most likely available in the document anyway.
(WebCore::WebContentMarkupReader::readWebArchive):
* platform/Pasteboard.h:
(WebCore::PasteboardWebContent): Added contentOrigin.
* platform/PasteboardWriterData.h:
(WebCore::PasteboardWriterData): Ditto.
* platform/ios/PasteboardIOS.mm:
(WebCore::Pasteboard::read): Read the origin before branching out to readRespectingUTIFidelities.
* platform/ios/PlatformPasteboardIOS.mm:
(WebCore::PlatformPasteboard::write): Record the content origin into the pasteboard.
* platform/mac/PasteboardMac.mm:
(WebCore::Pasteboard::write): Ditto.
* platform/mac/PasteboardWriter.mm:
(WebCore::createPasteboardWriter): Ditto.

Source/WebKit:

Reviewed by Wenson Hsieh.

Encode & decode the origin string of the copied content written into the system pasteboard.

* Shared/WebCoreArgumentCoders.cpp:
(IPC::ArgumentCoder<PasteboardWebContent>::encode):
(IPC::ArgumentCoder<PasteboardWebContent>::decode):

Tools:

Reviewed by Wenson Hsieh.

Added a test case for sanitizing web archive in the system pasteboard to strip privacy sensitive information
such as local file paths and potentially harmful scripts like event handlers serialized by WebKit prior to r223462.

* TestWebKitAPI/Tests/WebKitCocoa/PasteWebArchive.mm:
(PasteWebArchive.SanitizesHTML):

LayoutTests:

Reviewed by Wenson Hsieh.

Added tests to copy & paste web contents within the same origin as well as cross origin.

* TestExpectations:
* editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt: Now contains DOCTYPE.
* editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt: Ditto.
* editing/pasteboard/onpaste-text-html-expected.txt: Rebaselined as now inline styles are stripped.
* editing/pasteboard/onpaste-text-html.html: Strip away the inline style data since they differ on each platform.
* http/tests/misc/copy-resolves-urls-expected.txt:
* http/tests/misc/copy-resolves-urls.html: Now uses blob URL for the pasted image as expected.
* http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-across-origin-expected.txt: Added.
* http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-across-origin.html: Added.
* http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-in-same-origin-expected.txt: Added.
* http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-in-same-origin.html: Added.
* http/tests/security/clipboard/drag-drop-html-cross-origin-iframe-in-same-origin-expected.txt: Added.
* http/tests/security/clipboard/drag-drop-html-cross-origin-iframe-in-same-origin.html: Added.
* http/tests/security/clipboard/resources/content-to-copy.html: Added.
* http/tests/security/clipboard/resources/subdirectory/paste-html.html: Added.
* platform/ios/TestExpectations: Unskip tests that have started passing.
* platform/mac-wk1/TestExpectations: Unskip the drag & drop test which only works in Mac WK1.
* platform/win/TestExpectations: Skip the newly added tests since we don't support custom pasteboard
data on Windows port.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@223678 268f45cc-cd09-0410-ab3c-d52691b4dbfc
35 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/editing/pasteboard/data-transfer-get-data-on-drop-rich-text-expected.txt
LayoutTests/editing/pasteboard/data-transfer-get-data-on-paste-rich-text-expected.txt
LayoutTests/editing/pasteboard/onpaste-text-html-expected.txt
LayoutTests/editing/pasteboard/onpaste-text-html.html
LayoutTests/fast/events/ondrop-text-html-expected.txt
LayoutTests/http/tests/misc/copy-resolves-urls-expected.txt
LayoutTests/http/tests/misc/copy-resolves-urls.html
LayoutTests/http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-across-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-across-origin.html [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-in-same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/copy-paste-html-cross-origin-iframe-in-same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/drag-drop-html-cross-origin-iframe-in-same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/drag-drop-html-cross-origin-iframe-in-same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/resources/content-to-copy.html [new file with mode: 0644]
LayoutTests/http/tests/security/clipboard/resources/subdirectory/paste-html.html [new file with mode: 0644]
LayoutTests/platform/ios/TestExpectations
LayoutTests/platform/mac-wk1/TestExpectations
LayoutTests/platform/win/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/editing/WebContentReader.cpp
Source/WebCore/editing/WebContentReader.h
Source/WebCore/editing/cocoa/EditorCocoa.mm
Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm
Source/WebCore/platform/Pasteboard.h
Source/WebCore/platform/PasteboardWriterData.h
Source/WebCore/platform/ios/PasteboardIOS.mm
Source/WebCore/platform/ios/PlatformPasteboardIOS.mm
Source/WebCore/platform/mac/PasteboardMac.mm
Source/WebCore/platform/mac/PasteboardWriter.mm
Source/WebKit/ChangeLog
Source/WebKit/Shared/WebCoreArgumentCoders.cpp
Tools/ChangeLog
Tools/TestWebKitAPI/Tests/WebKitCocoa/PasteWebArchive.mm