[CSP] Check policy before opening a new window to a JavaScript URL
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Oct 2017 18:03:02 +0000 (18:03 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Oct 2017 18:03:02 +0000 (18:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=176815
<rdar://problem/34400057>

Reviewed by Brent Fulgham.

Source/WebCore:

Ensure that the Content Security Policy of the page allows navigation to a JavaScript URL
before opening a new window to it.

Test: http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html

* loader/FrameLoader.cpp:
(WebCore::createWindow):

LayoutTests:

* http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js: Added.
* http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@222788 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp

index 3bf913e..d8e9db3 100644 (file)
@@ -1,3 +1,15 @@
+2017-10-03  Daniel Bates  <dabates@apple.com>
+
+        [CSP] Check policy before opening a new window to a JavaScript URL
+        https://bugs.webkit.org/show_bug.cgi?id=176815
+        <rdar://problem/34400057>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js: Added.
+        * http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html: Added.
+
 2017-10-03  Joanmarie Diggs  <jdiggs@igalia.com>
 
         AX: [ATK] ARIA drag-and-drop attribute values should be exposed via AtkObject attributes
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/window-open-javascript-url-blocked.js
new file mode 100644 (file)
index 0000000..4811cb1
--- /dev/null
@@ -0,0 +1,7 @@
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.open("javascript:alert('FAIL')");
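Review bot: the last line of the hunk, `window.open("javascript:alert('FAIL')");`, discards the return value and prints nothing on success, so the expectation consists solely of a console message and the pass condition is only implied by the absence of an ALERT line. Given the `return nullptr` added in createWindow, window.open() should return null here; capture and report that explicitly, e.g. `var w = window.open("javascript:alert('FAIL')");` followed by `document.body.textContent = w === null ? "PASS: window.open() returned null" : "FAIL: a window was opened";`, so the expected output states what was verified rather than what did not happen.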
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked-expected.txt
new file mode 100644 (file)
index 0000000..459c2ca
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+
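Review bot: the expected console message says `line 1`, but the `window.open()` call is the seventh line of window-open-javascript-url-blocked.js; the `1` is the placeholder produced by the empty position `{ }` passed to allowJavaScriptURLs in the FrameLoader.cpp hunk, which that hunk marks with a FIXME. This expectation therefore bakes in a known-wrong line number; say so in the ChangeLog so that whoever resolves the FIXME rebaselines this file rather than reading the changed number as a regression.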
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html
new file mode 100644 (file)
index 0000000..e5f8374
--- /dev/null
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+</head>
+<body>
+<script src="resources/window-open-javascript-url-blocked.js"></script>
+</body>
+</html>
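Review bot: only the refusal path is exercised; the `<meta http-equiv="Content-Security-Policy" content="script-src 'self'">` policy has no sibling test with `'unsafe-inline'` (or with no script-src at all) confirming that window.open() to a javascript: URL still opens and runs when the policy permits it. Without one, an over-broad check in createWindow that returned nullptr for every javascript: URL would pass this suite unchanged. Add a window-open-javascript-url-allowed.html that sets `content="script-src 'self' 'unsafe-inline'"` and expects the alert (`ALERT: PASS`) in its output.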
index a2aa08c..349adf1 100644 (file)
@@ -1,3 +1,19 @@
+2017-10-03  Daniel Bates  <dabates@apple.com>
+
+        [CSP] Check policy before opening a new window to a JavaScript URL
+        https://bugs.webkit.org/show_bug.cgi?id=176815
+        <rdar://problem/34400057>
+
+        Reviewed by Brent Fulgham.
+
+        Ensure that the Content Security Policy of the page allows navigation to a JavaScript URL
+        before opening a new window to it.
+
+        Test: http/tests/security/contentSecurityPolicy/window-open-javascript-url-blocked.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::createWindow):
+
 2017-10-03  Joanmarie Diggs  <jdiggs@igalia.com>
 
         AX: [ATK] ARIA drag-and-drop attribute values should be exposed via AtkObject attributes
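Review bot: the FrameLoader.cpp entry (`* loader/FrameLoader.cpp:` / `(WebCore::createWindow):`) carries no description of what changed in that function. Note there that the opener document's CSP is consulted via allowJavaScriptURLs before the window is created, and that the call currently passes no source position, so the violation report cannot name the opener's line (the FIXME in the code hunk); the new expected-output file depends on that limitation and a reader of the ChangeLog should be able to see why.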
index 50a6965..8392f96 100644 (file)
@@ -3721,6 +3721,10 @@ RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, FrameLoadRequ
         return nullptr;
     }
 
+    // FIXME: Provide line number information with respect to the opener's document.
+    if (protocolIsJavaScript(request.resourceRequest().url()) && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url(), { }))
+        return nullptr;
+
     // FIXME: Setting the referrer should be the caller's responsibility.
     String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
     if (!referrer.isEmpty())
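Review bot: the new condition passes an empty position `{ }` to allowJavaScriptURLs, so the CSP violation report for a blocked window.open() carries no meaningful line number for the opener's script (the FIXME on the line above acknowledges this, and the new expected output shows `line 1`); obtain the caller's source position from the executing script state before landing, or at least record the limitation in the ChangeLog. Also worth confirming: the `return nullptr;` / `}` at the top of the hunk is one of the exits that precede this check, and any earlier exit that hands back an existing frame for window.open() to navigate must reach an equivalent policy check elsewhere, since this hunk only guards the new-window path. As a style point, `openerFrame.document()` is now dereferenced three times in this region (twice in the new condition, once in the referrer line below); hoisting `auto& openerDocument = *openerFrame.document();` above the check and using it in both places would shorten the condition to a readable line.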