REGRESSION (r195004): Scripts and plugins blocked for subsequent loads in same WebContent
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Nov 2016 18:50:08 +0000 (18:50 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Nov 2016 18:50:08 +0000 (18:50 +0000)
commit 7c6cf2b00157e3c03ba3e2cfd0c715a9f0f2282f
tree 0ff52adb8c884125c6a9c2dfd3e169083bd3a383
parent df5276a29e292e5c6d7c1670d5b09792b2116ea6
REGRESSION (r195004): Scripts and plugins blocked for subsequent loads in same WebContent
process after receiving HTTP 0.9 response
https://bugs.webkit.org/show_bug.cgi?id=164387
<rdar://problem/28987537>

Reviewed by Brent Fulgham.

Source/WebCore:

Fixes an issue where the HTTP 0.9 sandbox persisted across subsequent loads in the same
WebContent process.

Currently when an HTTP 0.9 response is received for a request made to a default port
(e.g. 80) we apply a sandbox policy on the FrameLoader for the main resource that
disallows scripts and plugins. A FrameLoader may be re-used for navigations. Therefore,
the sandbox policy applied to one site may be applied to another site. Moreover, the
sandbox policy was applied to the FrameLoader of the main resource regardless of whether
the HTTP response was for a subresource. Instead, we should apply the sandbox on a
per-Document basis and only if we receive an HTTP 0.9 response for the document when the
corresponding HTTP request was made to a default port.

As a side benefit of this change, we emit exactly one console message to Web Inspector
when the HTTP 0.9 sandbox is applied to a document as opposed to three console messages.
Moreover, we only emit this console message when the document load is not blocked.

Test: http/tests/security/http-0.9/sandbox-should-not-persist-on-navigation.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Disallow scripts and plugins if an HTTP 0.9
response was received for this document. Note that if this function is called for a
document associated with an HTTP 0.9 response then the corresponding HTTP request was
made to a default port. DocumentLoader::responseReceived() blocks the load for a document
with an HTTP 0.9 response corresponding to an HTTP request made to a non-default port.
This invariant is covered by the tests LayoutTests/http/tests/security/http-0.9/default-port-{plugin, script}-blocked.html.
(WebCore::Document::shouldEnforceHTTP0_9Sandbox): Added. Returns whether an HTTP 0.9 response
was received for this document.
* dom/Document.h:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived): Remove logic to apply sandbox policy to the
FrameLoader associated with the main resource. We will apply the sandbox during initialization
of the document.
* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::didReceiveResponse): Ditto.
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didReceiveResponse): Ditto.

LayoutTests:

Add a new test to ensure that the HTTP 0.9 sandbox policy does not persist across navigations.

Unskip HTTP 0.9 tests and update expected results for existing tests as needed.

* TestExpectations: Unskip the HTTP 0.9 tests.
* http/tests/security/http-0.9/default-port-plugin-blocked-expected.txt: Remove duplicate console
messages now that we emit the console message exactly once per document.
* http/tests/security/http-0.9/default-port-script-blocked-expected.txt: Ditto.
* http/tests/security/http-0.9/iframe-blocked-expected.txt: Update expected result now that we
no longer emit a console message for a blocked load.
* http/tests/security/http-0.9/image-blocked-expected.txt: Ditto.
* http/tests/security/http-0.9/image-on-HTTP-0.9-default-port-page-allowed-expected.txt: Remove
duplicate console messages now that we emit the console message exactly once per document.
* http/tests/security/http-0.9/image-on-HTTP-0.9-page-blocked-expected.txt: Ditto.
* http/tests/security/http-0.9/resources/sandbox-should-not-persist-on-navigation.html: Added.
* http/tests/security/http-0.9/sandbox-should-not-persist-on-navigation-expected.txt: Added.
* http/tests/security/http-0.9/sandbox-should-not-persist-on-navigation.html: Added.
* http/tests/security/http-0.9/worker-connect-src-blocked-expected.txt: Update expected result
now that we no longer apply a sandbox policy to the main resource if a subresource had an HTTP 0.9
response.
* http/tests/security/http-0.9/worker-importScripts-blocked-expected.txt: Ditto.
* http/tests/security/http-0.9/xhr-asynchronous-blocked-expected.txt: Ditto.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@208549 268f45cc-cd09-0410-ab3c-d52691b4dbfc
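The per-Document scoping the commit message describes, as a constructed C++ model added here (not WebKit's code): `Policy`, `Document`, `FrameLoader`, `policyFor` and the `perDocument` switch are assumed names; with the switch off the sandbox state lives on the reused loader and reproduces the regression, with it on the state is set once per document as in the fix.

```cpp
#include <memory>
#include <string>
// Constructed model of the fix described in the commit message; not WebKit code.
enum class Policy { Allow, Sandbox, Block };

// An HTTP/0.9 response has no status line: the body starts immediately.
bool isHttp09Response(const std::string& raw) { return raw.compare(0, 5, "HTTP/") != 0; }
bool isDefaultPort(const std::string& scheme, int port) {
    return (scheme == "http" && port == 80) || (scheme == "https" && port == 443);
}

// Non-default port: the load is blocked (DocumentLoader::responseReceived).
// Default port: the load proceeds, but the document is sandboxed (Document::initSecurityContext).
Policy policyFor(const std::string& scheme, int port, const std::string& raw) {
    if (!isHttp09Response(raw)) return Policy::Allow;
    return isDefaultPort(scheme, port) ? Policy::Sandbox : Policy::Block;
}

struct Document {
    bool receivedHttp09 = false;
    bool scriptsAllowed = true, pluginsAllowed = true;
    void initSecurityContext() {   // runs once, for this document only
        if (receivedHttp09) scriptsAllowed = pluginsAllowed = false;
    }
};

// A FrameLoader is reused across navigations; each load creates a fresh Document.
// perDocument=false reproduces the regression: the sandbox state lives on the reused loader.
struct FrameLoader {
    bool loaderSandbox = false;
    std::unique_ptr<Document> document;
    Policy navigate(bool perDocument, const std::string& scheme, int port, const std::string& raw) {
        Policy p = policyFor(scheme, port, raw);
        if (p == Policy::Block) return p;                 // a blocked load creates no document
        if (p == Policy::Sandbox) loaderSandbox = true;   // never cleared: leaks into later loads
        document = std::make_unique<Document>();
        document->receivedHttp09 = perDocument ? (p == Policy::Sandbox) : loaderSandbox;
        document->initSecurityContext();
        return p;
    }
};

// Load an HTTP/0.9 page on port 80, then a normal HTTP/1.1 page with the same loader;
// returns whether scripts are allowed in the second document.
bool scriptsAllowedAfterNavigatingAway(bool perDocument) {
    FrameLoader loader;
    loader.navigate(perDocument, "http", 80, "<html><script></script></html>");  // HTTP/0.9
    loader.navigate(perDocument, "http", 80, "HTTP/1.1 200 OK\r\n\r\n<html></html>");
    return loader.document->scriptsAllowed;
}
```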
20 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/http-0.9/default-port-plugin-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/default-port-script-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/iframe-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/image-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/image-on-HTTP-0.9-default-port-page-allowed-expected.txt
LayoutTests/http/tests/security/http-0.9/image-on-HTTP-0.9-page-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/resources/sandbox-should-not-persist-on-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/http-0.9/sandbox-should-not-persist-on-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/http-0.9/sandbox-should-not-persist-on-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/http-0.9/worker-connect-src-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/worker-importScripts-blocked-expected.txt
LayoutTests/http/tests/security/http-0.9/xhr-asynchronous-blocked-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/ResourceLoader.cpp
Source/WebCore/loader/SubresourceLoader.cpp