REGRESSION (r207155): Unable to switch sheets when previewing Numbers '09 spreadsheets
author aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 00:46:31 +0000 (00:46 +0000)
committer aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 00:46:31 +0000 (00:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175098
<rdar://problem/31416763>

Reviewed by Daniel Bates.

Source/WebCore:

r207155 enabled sandboxing on the frame displaying a QuickLook preview. This restricted
frames within the sandbox from navigating their sandboxed siblings or ancestors, which
breaks the functionality of multi-sheet Numbers '09 spreadsheet previews. These previews
contain a frameset with a table of contents frame and a content frame, and the table of
contents frame needs to be able to navigate the content frame when the sheet selection
changes.

Fix this by disabling the SandboxNavigation flag in the QuickLook sandbox. Frames within the
sandbox will be able to navigate each other, but will not be able to navigate the top frame
(due to SandboxTopNavigation still being enabled), nor will they be able to navigate any
other ancestor frame outside the sandbox (due to QuickLook previews being in a different
origin than the hosting frame). These two cases are covered by existing tests.

Test: quicklook/multi-sheet-numbers-09.html

* dom/Document.cpp:
(WebCore::Document::applyQuickLookSandbox): Added a call to
disableSandboxFlags(SandboxNavigation) after applying the content security policy.
* dom/SecurityContext.h:
(WebCore::SecurityContext::disableSandboxFlags): Defined disableSandboxFlags().

LayoutTests:

* quicklook/multi-sheet-numbers-09-expected.txt: Added.
* quicklook/multi-sheet-numbers-09.html: Added.
* quicklook/resources/multi-sheet-numbers-09.numbers: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220163 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/quicklook/multi-sheet-numbers-09-expected.txt [new file with mode: 0644]
LayoutTests/quicklook/multi-sheet-numbers-09.html [new file with mode: 0644]
LayoutTests/quicklook/resources/multi-sheet-numbers-09.numbers [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/SecurityContext.h

index e41d57e866403927a4453186f7d6bd73f48981aa..8ac019acc3695c6c1038f188e84f6050cef012b0 100644 (file)
@@ -1,3 +1,15 @@
+2017-08-02  Andy Estes  <aestes@apple.com>
+
+        REGRESSION (r207155): Unable to switch sheets when previewing Numbers '09 spreadsheets
+        https://bugs.webkit.org/show_bug.cgi?id=175098
+        <rdar://problem/31416763>
+
+        Reviewed by Daniel Bates.
+
+        * quicklook/multi-sheet-numbers-09-expected.txt: Added.
+        * quicklook/multi-sheet-numbers-09.html: Added.
+        * quicklook/resources/multi-sheet-numbers-09.numbers: Added.
+
 2017-08-02  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, skip newly imported WPT that is slow in Debug builds.
diff --git a/LayoutTests/quicklook/multi-sheet-numbers-09-expected.txt b/LayoutTests/quicklook/multi-sheet-numbers-09-expected.txt
new file mode 100644 (file)
index 0000000..725efae
--- /dev/null
@@ -0,0 +1,19 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+
+--------
+Frame: 'navPane'
+--------
+ First
+  Second
+  Third
+
+--------
+Frame: 'sheetPane'
+--------
+PASS
+This tests that different sheets can be selected by tapping on their names in the table of contents. The test passes if the second sheet is selected and “PASS” is displayed.
diff --git a/LayoutTests/quicklook/multi-sheet-numbers-09.html b/LayoutTests/quicklook/multi-sheet-numbers-09.html
new file mode 100644 (file)
index 0000000..8d7f92a
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="../resources/ui-helper.js"></script>
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.dumpChildFramesAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function runTest()
+    {
+        UIHelper.activateAt(25, 35).then(() => {
+            window.setTimeout(() => {
+                testRunner.notifyDone();
+            }, 0);
+        });
+    }
+</script>
+<style>
+iframe {
+    width: 100vw;
+    height: 100vh;
+}
+</style>
+<iframe src="resources/multi-sheet-numbers-09.numbers" onload="runTest(this)"></iframe>
+
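Review bot: In runTest(), the tap target is the hard-coded point UIHelper.activateAt(25, 35) with no comment saying which navPane entry it is meant to hit, so a change in the preview's layout would make the test fail (or tap the wrong sheet) without any hint as to why. Add a comment stating that the point is expected to land on the second sheet's name, matching the description in the expected output. Two smaller points in the same file: the iframe invokes onload="runTest(this)" while runTest() declares no parameter, so the argument can be dropped, and testRunner.notifyDone() is called without the window.testRunner guard used at the top of the script, which matters if the page is opened by hand. Completion is also signalled from a zero-delay setTimeout after the tap; if the sheetPane navigation can take longer than one timer turn, the dump may capture the first sheet instead of "PASS".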
diff --git a/LayoutTests/quicklook/resources/multi-sheet-numbers-09.numbers b/LayoutTests/quicklook/resources/multi-sheet-numbers-09.numbers
new file mode 100644 (file)
index 0000000..361d239
Binary files /dev/null and b/LayoutTests/quicklook/resources/multi-sheet-numbers-09.numbers differ
index 91a96c963eb37db0739b701d25cb23f9d01c8640..4b80f6399ff91ed6fa6d9bd0a20e484553cf26d1 100644 (file)
@@ -1,3 +1,32 @@
+2017-08-02  Andy Estes  <aestes@apple.com>
+
+        REGRESSION (r207155): Unable to switch sheets when previewing Numbers '09 spreadsheets
+        https://bugs.webkit.org/show_bug.cgi?id=175098
+        <rdar://problem/31416763>
+
+        Reviewed by Daniel Bates.
+
+        r207155 enabled sandboxing on the frame displaying a QuickLook preview. This restricted
+        frames within the sandbox from navigating their sandboxed siblings or ancestors, which
+        breaks the functionality of multi-sheet Numbers '09 spreadsheet previews. These previews
+        contain a frameset with a table of contents frame and a content frame, and the table of
+        contents frame needs to be able to navigate the content frame when the sheet selection
+        changes.
+
+        Fix this by disabling the SandboxNavigation flag in the QuickLook sandbox. Frames within the
+        sandbox will be able to navigate each other, but will not be able to navigate the top frame
+        (due to SandboxTopNavigation still being enabled), nor will they be able to navigate any
+        other ancestor frame outside the sandbox (due to QuickLook previews being in a different
+        origin than the hosting frame). These two cases are covered by existing tests.
+
+        Test: quicklook/multi-sheet-numbers-09.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::applyQuickLookSandbox): Added a call to
+        disableSandboxFlags(SandboxNavigation) after applying the content security policy.
+        * dom/SecurityContext.h:
+        (WebCore::SecurityContext::disableSandboxFlags): Defined disableSandboxFlags().
+
 2017-08-02  Jer Noble  <jer.noble@apple.com>
 
         [MSE] Removing samples when presentation order does not match decode order can cause bad behavior.
index 0967053ecbe0b8477664dfb7e1472131b45212a7..5d02200ccc3130a55650e48d71ced329f29201f0 100644 (file)
@@ -7039,6 +7039,8 @@ void Document::applyQuickLookSandbox()
     // The sandbox directive is only allowed if the policy is from an HTTP header.
     contentSecurityPolicy()->didReceiveHeader(quickLookCSP, ContentSecurityPolicyHeaderType::Enforce, ContentSecurityPolicy::PolicyFrom::HTTPHeader);
 
+    disableSandboxFlags(SandboxNavigation);
+
     setReferrerPolicy(ReferrerPolicy::Never);
 }
 #endif
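Review bot: The added disableSandboxFlags(SandboxNavigation) call in applyQuickLookSandbox() carries no comment, although it relaxes a sandbox restriction and depends on being placed after didReceiveHeader() has applied the quickLookCSP policy. Add a short comment at the call site saying why the flag is cleared (frames inside the preview must navigate each other) and what still constrains them (SandboxTopNavigation stays enabled and the preview is in a different origin than the hosting frame, as the ChangeLog explains), so that a later reordering or cleanup of this function does not lose either the relaxation or the reasoning behind it.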
index feb829e88ff48c6f11936e2463a21a214f74cf03..a46f985cde73537df9c06581b44aaa3ee6a03194 100644 (file)
@@ -96,6 +96,10 @@ protected:
 
     void setContentSecurityPolicy(std::unique_ptr<ContentSecurityPolicy>);
 
+    // It's only appropriate to call this during security context initialization; it's needed for
+    // flags that can't be disabled with allow-* attributes, such as SandboxNavigation.
+    void disableSandboxFlags(SandboxFlags mask) { m_sandboxFlags &= ~mask; }
+
     void didFailToInitializeSecurityOrigin() { m_haveInitializedSecurityOrigin = false; }
     bool haveInitializedSecurityOrigin() const { return m_haveInitializedSecurityOrigin; }
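Review bot: disableSandboxFlags(SandboxFlags mask) accepts an arbitrary mask, and the restriction to security context initialization exists only in the comment above it, so nothing prevents a later subclass caller from clearing SandboxTopNavigation or any other flag on a live context. Since the only use in this change is SandboxNavigation, consider either a single-purpose helper that clears just that flag, or a debug assertion that the mask contains only flags that cannot be lifted with allow-* attributes. That keeps the weakening of the sandbox limited to the case the comment describes.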