Disable access to secure cookies if an HTTPS site loads mixed content
https://bugs.webkit.org/show_bug.cgi?id=157053
<rdar://problem/11290808>
Patch by Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> on 2017-08-22
Reviewed by Dan Bates.
Source/WebCore:
Tests: http/tests/security/mixedContent/insecure-css-with-secure-cookies.html
http/tests/security/mixedContent/insecure-image-with-securecookie-block.html
http/tests/security/mixedContent/insecure-image-with-securecookie.html
http/tests/security/mixedContent/insecure-script-with-secure-cookies.html
http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html
http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html
* dom/SecurityContext.h:
(WebCore::SecurityContext::secureCookiesAccessed): Added.
(WebCore::SecurityContext::setSecureCookiesAccessed): Added.
* loader/CookieJar.cpp:
(WebCore::cookies): Pass Document as non-const so we can call 'setSecureCookiesAccessed' if necessary.
* loader/CookieJar.h:
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canRunInsecureContent): Updated checks to avoid running insecure content
if secure cookies were accessed.
* platform/CookiesStrategy.h:
(WebCore::CookiesStrategy::cookiesForDOM): Pass new argument indicating whether secure cookies should be included in the response.
* platform/network/PlatformCookieJar.h:
* platform/network/cf/CookieJarCFNet.cpp:
(copyCookiesForURLWithFirstPartyURL): Revise to accept new 'IncludeSecureCookiesOrNot' argument.
(WebCore::cookiesForSession): Updated to accept new 'IncludeSecureCookiesOrNot' argument. Also determine if secure cookies were
included in the response, and return this to the caller.
(WebCore::cookieRequestHeaderFieldValue): Revise for new 'copyCookiesForURLWithFirstPartyURL' signature.
(WebCore::getRawCookies): Ditto.
* platform/network/mac/CookieJarMac.mm:
(WebCore::cookiesForSession): Updated checks to keep track of secure cookies and filter out secure cookies if insecure content
was accessed.
(WebCore::cookiesForDOM): Update for new arguments and to return a pair.
(WebCore::cookieRequestHeaderFieldValue): Ditto.
Source/WebKit:
* NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM): Pass new arguments needed by WebCore.
* NetworkProcess/NetworkConnectionToWebProcess.h:
* NetworkProcess/NetworkConnectionToWebProcess.messages.in: Updated the CookiesForDOM message with the new foundMixedContent
argument and the new didAccessSecureCookies reply.
* Shared/mac/CookieStorageShim.mm:
(WebKit::webKitCookieStorageCopyRequestHeaderFieldsForURL): Drive-by fix to use the right message.
* WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
(WebKit::WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
indicating whether secure cookies should be included in the response.
* WebProcess/WebCoreSupport/WebPlatformStrategies.h:
Source/WebKitLegacy/mac:
* WebCoreSupport/WebPlatformStrategies.h:
* WebCoreSupport/WebPlatformStrategies.mm:
(WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
indicating whether secure cookies should be included in the response.
LayoutTests:
* http/tests/security/mixedContent/insecure-css-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-block-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-block.html: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie.html: Added.
* http/tests/security/mixedContent/insecure-script-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-script-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-expected.txt: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-executable-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html: Added.
* http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html: Added.
* http/tests/security/mixedContent/resources/insecure-executable.css: Added.
* http/tests/security/mixedContent/resources/insecure.css: Added.
* http/tests/security/resources/greenbox-hotspot5-4.cur: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
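The commit message above describes a two-way policy: a `document.cookie` read that included Secure cookies marks the document so that insecure subresources are refused afterwards, and an insecure subresource that has already loaded causes later cookie reads to omit Secure cookies. The following C++ is an added, self-contained model of that policy written for this page; it is not WebKit's code. `CookieRecord`, `DocumentState`, `IncludeSecureCookies`, `readDocumentCookie` and the two scenario functions are assumed names chosen to mirror the ChangeLog's vocabulary, and the cookie jar contents are constructed sample data.

```cpp
#include <string>
#include <utility>
#include <vector>

// Added example modelling the ChangeLog's policy; not WebKit's implementation.
// All type and function names here are assumptions made for illustration.

enum class IncludeSecureCookies { No, Yes };

struct CookieRecord {
    std::string name;
    std::string value;
    bool secure; // true when the cookie carries the Secure attribute
};

// Per-document security state, loosely modelled on SecurityContext in the ChangeLog.
struct DocumentState {
    bool isSecureOrigin = true;         // document was loaded over https://
    bool foundMixedContent = false;     // an insecure subresource has already loaded
    bool secureCookiesAccessed = false; // a cookie read already exposed a Secure cookie
};

// Builds the document.cookie string and reports whether any Secure cookie was
// included, mirroring the "return a pair" shape described in the ChangeLog.
std::pair<std::string, bool> cookiesForDOM(const std::vector<CookieRecord>& jar,
                                           IncludeSecureCookies include)
{
    std::string header;
    bool didAccessSecure = false;
    for (const auto& c : jar) {
        if (c.secure) {
            if (include == IncludeSecureCookies::No)
                continue; // filtered: page already loaded mixed content
            didAccessSecure = true;
        }
        if (!header.empty())
            header += "; ";
        header += c.name + "=" + c.value;
    }
    return std::make_pair(header, didAccessSecure);
}

// A document.cookie read as the page sees it; records that Secure cookies were touched.
std::string readDocumentCookie(DocumentState& doc, const std::vector<CookieRecord>& jar)
{
    IncludeSecureCookies include = doc.foundMixedContent ? IncludeSecureCookies::No
                                                         : IncludeSecureCookies::Yes;
    std::pair<std::string, bool> result = cookiesForDOM(jar, include);
    if (result.second)
        doc.secureCookiesAccessed = true;
    return result.first;
}

// Decision point for loading an http:// subresource into this document.
// Returns false when the load must be blocked.
bool canRunInsecureContent(DocumentState& doc, bool allowMixedContentSetting)
{
    if (!doc.isSecureOrigin)
        return true; // not mixed content at all
    if (doc.secureCookiesAccessed)
        return false; // Secure cookies already exposed: never run insecure content
    if (!allowMixedContentSetting)
        return false;
    doc.foundMixedContent = true; // remembered so later cookie reads drop Secure cookies
    return true;
}

// Constructed sample jar: one Secure cookie and one ordinary cookie.
static const std::vector<CookieRecord> kConstructedJar = {
    { "session", "abc123", true },
    { "theme", "dark", false },
};

// Scenario 1: the page reads document.cookie first, then tries to load an insecure script.
bool scenarioCookieReadThenInsecureScript()
{
    DocumentState doc;
    readDocumentCookie(doc, kConstructedJar); // exposes "session", sets secureCookiesAccessed
    return canRunInsecureContent(doc, /*allowMixedContentSetting=*/true); // false: blocked
}

// Scenario 2: an insecure image is allowed first, then the page reads document.cookie.
std::string scenarioInsecureImageThenCookieRead()
{
    DocumentState doc;
    canRunInsecureContent(doc, /*allowMixedContentSetting=*/true); // true, marks mixed content
    return readDocumentCookie(doc, kConstructedJar); // "theme=dark": Secure cookie withheld
}
```

The order of operations is what matters: whichever of the two events happens first decides how the second is treated, so a page cannot first leak Secure cookies to insecure content nor obtain them after having loaded it. The real implementation threads the same two flags across the WebProcess/NetworkProcess boundary, which is why the ChangeLog adds a `foundMixedContent` argument and a `didAccessSecureCookies` reply to the `CookiesForDOM` message.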