Title: [203542] trunk
Revision: 203542
Author: wilan...@apple.com
Date: 2016-07-21 17:44:27 -0700 (Thu, 21 Jul 2016)

Log Message

Block mixed content synchronous XHR
https://bugs.webkit.org/show_bug.cgi?id=105462
<rdar://problem/13666424>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):

LayoutTests:

* http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame-expected.txt: Added.
* http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html: Added.
* http/tests/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (203541 => 203542)


--- trunk/LayoutTests/ChangeLog	2016-07-22 00:11:14 UTC (rev 203541)
+++ trunk/LayoutTests/ChangeLog	2016-07-22 00:44:27 UTC (rev 203542)
@@ -1,3 +1,15 @@
+2016-07-21  John Wilander  <wilan...@apple.com>
+
+        Block mixed content synchronous XHR
+        https://bugs.webkit.org/show_bug.cgi?id=105462
+        <rdar://problem/13666424>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame-expected.txt: Added.
+        * http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html: Added.
+        * http/tests/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html: Added.
+
 2016-07-21  Chris Dumez  <cdu...@apple.com>
 
         Make parameters to Document.getElementsBy*() operations mandatory

Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame-expected.txt (0 => 203542)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame-expected.txt	2016-07-22 00:44:27 UTC (rev 203542)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 26: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html was not allowed to run insecure content from http://127.0.0.1:8000/.
+
+This test opens a HTTPS window that loads insecure data via synchronous XHR. We should trigger a mixed content callback because the main frame in the window is HTTPS but now has insecure data.

Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html (0 => 203542)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html	2016-07-22 00:44:27 UTC (rev 203542)
@@ -0,0 +1,21 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+</script>
+<p>This test opens a HTTPS window that loads insecure data via synchronous XHR. We 
+should trigger a mixed content callback because the main frame in the window is 
+HTTPS but now has insecure data.</p>
+<script>
+_onload_ = function() {
+    window.open("https://127.0.0.1:8443/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html");
+}
+</script>
+</body>
+</html>
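Review bot: The description in the `<p>` says the test "should trigger a mixed content callback", but the expected output added in this commit records a `[blocked]` console message, so the pass condition is that the synchronous XHR is blocked. Reword the paragraph to state that outcome; the same sentence is what gets dumped into the expected file.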

Added: trunk/LayoutTests/http/tests/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html (0 => 203542)


--- trunk/LayoutTests/http/tests/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/insecure-xhr-sync-in-main-frame-window.html	2016-07-22 00:44:27 UTC (rev 203542)
@@ -0,0 +1,31 @@
+<html>
+<body>
+<script>
+
+window._onload_ = function() {
+    var xhr = new XMLHttpRequest();
+    xhr._onload_ = function() {
+        alert("FAIL: load was not blocked");
+        if (window.testRunner)
+            testRunner.notifyDone();
+    };
+
+    setTimeout(function() {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 2000);
+
+    try {
+        xhr.open("GET", "http://127.0.0.1:8000/", false);
+    } catch (ex) {
+        // Firefox raises an exception, which is one way to make this detectable.
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+
+    xhr.send(null);
+};
+</script>
+
+</body>
+</html>
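Review bot: In the `catch (ex)` block around `xhr.open(...)`, execution falls through to `xhr.send(null)` after `testRunner.notifyDone()` has already been called, so an engine that rejects the request at `open()` would then call `send()` on an unopened request outside any `try`; return from the handler in the catch, or move `send()` inside the `try`. The pass path also depends on the 2000 ms `setTimeout`: because the request is synchronous (third argument `false`), the outcome is known when `send()` returns, so `notifyDone()` can be called right after it and the timer dropped.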

Modified: trunk/Source/WebCore/ChangeLog (203541 => 203542)


--- trunk/Source/WebCore/ChangeLog	2016-07-22 00:11:14 UTC (rev 203541)
+++ trunk/Source/WebCore/ChangeLog	2016-07-22 00:44:27 UTC (rev 203542)
@@ -1,3 +1,16 @@
+2016-07-21  John Wilander  <wilan...@apple.com>
+
+        Block mixed content synchronous XHR
+        https://bugs.webkit.org/show_bug.cgi?id=105462
+        <rdar://problem/13666424>
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/mixedContent/insecure-xhr-sync-in-main-frame.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::loadRequest):
+
 2016-07-21  Chris Dumez  <cdu...@apple.com>
 
         Make parameters to Document.getElementsBy*() operations mandatory
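Review bot: The `(WebCore::DocumentThreadableLoader::loadRequest):` line has no description after it. State there that synchronous loads are now checked with `canRunInsecureContent` and abandoned when the check fails, so the entry explains the behaviour change without the reader opening the diff.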

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (203541 => 203542)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2016-07-22 00:11:14 UTC (rev 203541)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2016-07-22 00:44:27 UTC (rev 203542)
@@ -375,8 +375,12 @@
     ResourceError error;
     ResourceResponse response;
     unsigned long identifier = std::numeric_limits<unsigned long>::max();
-    if (m_document.frame())
-        identifier = m_document.frame()->loader().loadResourceSynchronously(request, m_options.allowCredentials(), m_options.clientCredentialPolicy(), error, response, data);
+    if (m_document.frame()) {
+        auto& frameLoader = m_document.frame()->loader();
+        if (!frameLoader.mixedContentChecker().canRunInsecureContent(m_document.securityOrigin(), requestURL))
+            return;
+        identifier = frameLoader.loadResourceSynchronously(request, m_options.allowCredentials(), m_options.clientCredentialPolicy(), error, response, data);
+    }
 
     if (!error.isNull() && response.httpStatusCode() <= 0) {
         if (requestURL.isLocalFile()) {
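Review bot: The new early `return` when `canRunInsecureContent(...)` fails leaves `error` untouched, so the `if (!error.isNull() && response.httpStatusCode() <= 0)` handling just below is skipped and nothing in the visible lines tells the client that the load failed. For a synchronous caller a blocked request is then hard to tell apart from one that completed with no data; consider reporting a failure to the client before returning, and add a short comment saying this check covers the synchronous path.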