Diff
Modified: branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog (186982 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/LayoutTests/ChangeLog 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1,3 +1,31 @@
+2015-07-17 Andy Estes <[email protected]>
+
+ Merge r186982. rdar://problem/21709404
+
+ 2015-07-17 Andy Estes <[email protected]>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
+
2015-07-13 David Kilzer <[email protected]>
Merge r186663. rdar://problem/21708241
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
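Review bot: the only subframe this test exercises is the data: URL reported in the expected output (`Unsafe attempt to load URL data:text/html,FAIL.`), which is cross-origin to everything, so it does not pin down the stronger property the implementation has. Because the attachment document is given a unique origin, the new guard in CachedResourceLoader::canRequest should refuse a subframe pointing back at http://127.0.0.1:8000 as well; a second case in cross-origin-frames-frame.php that frames a same-host resource would document that and catch a regression that only blocks data: or cross-site frames. The description in the `<p>` says "cross-origin frames are disabled", but the frame under test is the one nested inside the attachment, not the outer container iframe; saying so would save the next reader a trip into resources/.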
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 21: Blocked form submission to 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/form-submission-frame.php' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
+This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ window.addEventListener('load', function() {
+ // Due to the sandbox, it's not possible to run script in the iframe or even access its contentDocument.
+ // Submit the form by clicking its button with synthetic mouse events.
+ var iframeRect = document.getElementsByTagName('iframe')[0].getClientRects()[0];
+ var submitButtonRect = document.getElementById('submitButtonForMetrics').getClientRects()[0];
+
+ // This assumes that the iframe has no border, and its document's body has no margin.
+ var x = iframeRect.left + submitButtonRect.width / 2;
+ var y = iframeRect.top + submitButtonRect.height / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ testRunner.notifyDone();
+ });
+}
+</script>
+<p>This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe style="border: 0px" src=""
+<input style="visibility: hidden" id="submitButtonForMetrics" type="submit">
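Review bot: `eventSender` is used unguarded inside the load handler while `testRunner` and `internals` are guarded with `window.` checks, so opening the page outside the harness throws a ReferenceError from the handler; either add `if (window.eventSender)` or drop the other guards for consistency. The handler also calls `testRunner.notifyDone()` synchronously right after `eventSender.mouseUp()`, which relies on the "Blocked form submission" console message being emitted during click dispatch rather than from a deferred submission; if that ordering ever changes the message lands after the dump and the expected file fails, which is the right outcome, but the coupling deserves a comment next to the existing note about iframe borders and body margins.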
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 2: http-equiv 'refresh' is disabled for documents with Content-Disposition: attachment.
+This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,3 @@
+<!DOCTYPE html>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the <iframe> below if the test passes.</p>
+<iframe srcdoc="<!DOCTYPE html>PASS"></iframe>
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+
+ // The doubly-nested setTimeout() is meant to account for two timers in the object fallback content rendering process.
+ // We can't rely on object's onerror event since we cannot run script in the sandboxed frame, so we must wait for the
+ // post-layout timer followed by the embedded objects update timer to ensure that fallback content has been rendered.
+ window.addEventListener('load', function() {
+ window.setTimeout(function() {
+ window.setTimeout(function() {
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ });
+}
+</script>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the <iframe> below if the test passes.</p>
+<iframe src=""
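Review bot: this reftest passes whenever the `<object type="application/x-webkit-test-netscape">` in plugins-frame.php falls back to its 'PASS' content, which happens both when the sandbox blocks the plug-in and when the test plug-in is simply unavailable in the configuration running the test, so a broken sandbox on a bot without the plug-in would go unnoticed. A control case with `setContentDispositionAttachmentSandboxEnabled` left off that expects the plug-in to instantiate would separate the two. The nested zero-delay setTimeout wait is explained well in the comment, but it is a coupling to two specific internal timers; naming them (the post-layout timer and the embedded-object update timer are mentioned, their call sites are not) would help whoever has to debug a flaky run.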
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,6 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<iframe src=""
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,13 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+body {
+ margin: 0px;
+}
+</style>
+<form>
+<input type="submit">
+</form>
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,6 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<meta http-equiv="refresh" content="0; url=""
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,6 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<object type="application/x-webkit-test-netscape">PASS</object>
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,8 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<script>
+document.write('FAIL');
+</script>
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/scripts-frame.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
Added: branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (0 => 186983)
--- branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (rev 0)
+++ branches/safari-600.1.4.17-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html 2015-07-18 04:44:13 UTC (rev 186983)
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src=""
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/ChangeLog 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1,3 +1,40 @@
+2015-07-17 Andy Estes <[email protected]>
+
+ Merge r186982. rdar://problem/21709404
+
+ 2015-07-17 Andy Estes <[email protected]>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
+ this change does the following:
+
+ - Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
+ - Disables processing of <meta http-equiv> elements.
+ - Disables loading of cross-origin subframes.
+
+ Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
+ http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
+ http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
+ http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
+ http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
+ (WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
+ (WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
+ (WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
+ and the document was fetched as an attachment.
+ * dom/Document.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
+ only continue if the parent frame's SecurityOrigin allows the request.
+ * page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
+
2015-07-13 David Kilzer <[email protected]>
Merge r186663. rdar://problem/21708241
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.cpp (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.cpp 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.cpp 2015-07-18 04:44:13 UTC (rev 186983)
@@ -2807,8 +2807,24 @@
{
ASSERT(!equiv.isNull() && !content.isNull());
- if (page() && !page()->settings().httpEquivEnabled())
+ HttpEquivPolicy policy = httpEquivPolicy();
+ if (policy != HttpEquivPolicy::Enabled) {
+ String reason;
+ switch (policy) {
+ case HttpEquivPolicy::Enabled:
+ ASSERT_NOT_REACHED();
+ break;
+ case HttpEquivPolicy::DisabledBySettings:
+ reason = "by the embedder.";
+ break;
+ case HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox:
+ reason = "for documents with Content-Disposition: attachment.";
+ break;
+ }
+ String message = "http-equiv '" + equiv + "' is disabled " + reason;
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
return;
+ }
Frame* frame = this->frame();
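Review bot: the early return now drops every http-equiv directive for attachment documents, not only `refresh`; if this port routes `<meta http-equiv="Content-Security-Policy">` through processHttpEquiv, an attachment can no longer tighten its own policy that way, which is acceptable given SandboxAll but should be stated in the ChangeLog and in the Settings.in comment, since the test only covers `refresh`. On the message construction, the `case HttpEquivPolicy::Enabled: ASSERT_NOT_REACHED()` arm exists only because `Enabled` was already excluded by the enclosing `if`; returning early on `Enabled` and switching over the two Disabled values reads more directly and keeps `reason` from ever being empty. The `equiv` value interpolated into the message is page-controlled, which is fine for a console line but is a reason to keep it at MessageSource::Security and not reuse the string anywhere that parses it.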
@@ -4672,15 +4688,8 @@
m_cookieURL = m_url;
enforceSandboxFlags(m_frame->loader().effectiveSandboxFlags());
-#if PLATFORM(IOS)
- // On iOS we display attachments inline regardless of whether the response includes
- // the HTTP header "Content-Disposition: attachment". So, we enforce a unique
- // security origin for such documents. As an optimization, we don't need to parse
- // the responde header (i.e. call ResourceResponse::isAttachment()) for a synthesized
- // document because such documents cannot be an attachment.
- if (!m_isSynthesized && m_frame->loader().activeDocumentLoader()->response().isAttachment())
- enforceSandboxFlags(SandboxOrigin);
-#endif
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ enforceSandboxFlags(SandboxAll);
setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url));
setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
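Review bot: the removed block carried the only explanation in Document.cpp of why attachments are sandboxed at all (iOS displays them inline regardless of the Content-Disposition header); that rationale now lives only in the Settings.in comment, so a one-line pointer next to the `shouldEnforceContentDispositionAttachmentSandbox()` call would keep initSecurityContext self-explanatory. The ordering is correct: SandboxAll includes SandboxOrigin, so the `isSandboxed(SandboxOrigin)` test on the following line still yields `SecurityOrigin::createUnique()`, and the flags are OR'd on top of `effectiveSandboxFlags()` rather than replacing them. Note that this also turns a compile-time PLATFORM(IOS) guarantee into a runtime setting that defaults to false, so the protection now depends on each embedder calling the setter.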
@@ -5759,6 +5768,15 @@
wheelEventHandlerCountChanged(this);
}
+HttpEquivPolicy Document::httpEquivPolicy() const
+{
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ return HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox;
+ if (page() && !page()->settings().httpEquivEnabled())
+ return HttpEquivPolicy::DisabledBySettings;
+ return HttpEquivPolicy::Enabled;
+}
+
void Document::didRemoveWheelEventHandler()
{
ASSERT(m_wheelEventHandlerCount > 0);
@@ -6210,4 +6228,17 @@
}
#endif
+bool Document::shouldEnforceContentDispositionAttachmentSandbox() const
+{
+ if (m_isSynthesized)
+ return false;
+
+ bool contentDispositionAttachmentSandboxEnabled = settings() && settings()->contentDispositionAttachmentSandboxEnabled();
+ bool responseIsAttachment = false;
+ if (DocumentLoader* documentLoader = m_frame ? m_frame->loader().activeDocumentLoader() : nullptr)
+ responseIsAttachment = documentLoader->response().isAttachment();
+
+ return contentDispositionAttachmentSandboxEnabled && responseIsAttachment;
+}
+
} // namespace WebCore
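Review bot: `shouldEnforceContentDispositionAttachmentSandbox()` re-reads `m_frame->loader().activeDocumentLoader()->response()` on every call, and besides initSecurityContext it is now consulted from processHttpEquiv and from CachedResourceLoader::canRequest during subframe loads. While the frame has a provisional navigation in flight, activeDocumentLoader() is the provisional loader, so those later calls can be answered from a different response than the one that produced this document: a non-attachment page that has started navigating to an attachment would begin refusing subframes, and an attachment navigating away would stop doing so. Capturing the decision once in initSecurityContext into a bool member and returning that from this accessor makes the sandbox a fixed property of the document, consistent with the SandboxAll flags that are already fixed at that point. The `m_isSynthesized` early return preserves the optimization the old comment described, which is worth a comment here since that comment was deleted.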
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.h (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.h 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/dom/Document.h 2015-07-18 04:44:13 UTC (rev 186983)
@@ -254,6 +254,12 @@
LimitedQuirksMode = 1 << 2
};
+enum class HttpEquivPolicy {
+ Enabled,
+ DisabledBySettings,
+ DisabledByContentDispositionAttachmentSandbox
+};
+
class Document : public ContainerNode, public TreeScope, public ScriptExecutionContext {
public:
static PassRefPtr<Document> create(Frame* frame, const URL& url)
@@ -1280,6 +1286,7 @@
void setHasStyleWithViewportUnits() { m_hasStyleWithViewportUnits = true; }
bool hasStyleWithViewportUnits() const { return m_hasStyleWithViewportUnits; }
void updateViewportUnitsOnResize();
+ bool shouldEnforceContentDispositionAttachmentSandbox() const;
protected:
enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
@@ -1356,6 +1363,8 @@
void addListenerType(ListenerType listenerType) { m_listenerTypes |= listenerType; }
+ HttpEquivPolicy httpEquivPolicy() const;
+
void didAssociateFormControlsTimerFired(Timer<Document>&);
unsigned m_referencingNodeCount;
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-18 04:44:13 UTC (rev 186983)
@@ -311,6 +311,13 @@
// any URL.
switch (type) {
case CachedResource::MainResource:
+ if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+ if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+ }
+ FALLTHROUGH;
case CachedResource::ImageResource:
case CachedResource::CSSStyleSheet:
case CachedResource::Script:
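Review bot: because the attachment document's origin is unique (SandboxAll includes SandboxOrigin, see the initSecurityContext hunk), `securityOrigin()->canRequest(url)` is expected to deny every URL at this point, not only cross-origin ones, so this guard effectively disables all subframe loads inside attachments; the Settings.in comment says "subframe loading" while the ChangeLog and the test name say "cross-origin subframes", and the two should agree on which is the intended contract. Consulting `ownerElement->document()` is right since the child document does not exist at request time, but the guard only runs for frames whose main resource goes through CachedResourceLoader; about:blank children and srcdoc children may take different paths, so a test for each would settle which are covered by this check and which rely solely on inherited sandbox flags. Finally, the `FALLTHROUGH;` is essential so MainResource keeps the handling shared with the cases below it, which is easy to misread as a dropped `break` and deserves a one-line comment.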
Modified: branches/safari-600.1.4.17-branch/Source/WebCore/page/Settings.in (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebCore/page/Settings.in 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebCore/page/Settings.in 2015-07-18 04:44:13 UTC (rev 186983)
@@ -231,3 +231,9 @@
allowNavigationToInvalidURL initial=false
httpEquivEnabled initial=true
+
+# Some ports (e.g. iOS) might choose to display attachments inline, regardless of whether the response includes the
+# HTTP header "Content-Disposition: attachment". This setting enables a sandbox around these attachments. The sandbox
+# enforces all frame sandbox flags (see enum SandboxFlag in SecurityContext.h), and also disables <meta http-equiv>
+# processing and subframe loading.
+contentDispositionAttachmentSandboxEnabled initial=false
Modified: branches/safari-600.1.4.17-branch/Source/WebKit/mac/ChangeLog (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebKit/mac/ChangeLog 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebKit/mac/ChangeLog 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1,3 +1,18 @@
+2015-07-17 Andy Estes <[email protected]>
+
+ Merge r186982. rdar://problem/21709404
+
+ 2015-07-17 Andy Estes <[email protected]>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebView/WebView.mm:
+ (-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
+
2015-07-13 David Kilzer <[email protected]>
Merge r186476. rdar://problem/21708269
Modified: branches/safari-600.1.4.17-branch/Source/WebKit/mac/WebView/WebView.mm (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebKit/mac/WebView/WebView.mm 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebKit/mac/WebView/WebView.mm 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1047,6 +1047,10 @@
#if USE(GLIB)
[self _scheduleGlibContextIterations];
#endif
+
+#if PLATFORM(IOS)
+ _private->page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
}
- (id)_initWithFrame:(NSRect)f frameName:(NSString *)frameName groupName:(NSString *)groupName
Modified: branches/safari-600.1.4.17-branch/Source/WebKit2/ChangeLog (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebKit2/ChangeLog 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebKit2/ChangeLog 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1,3 +1,18 @@
+2015-07-17 Andy Estes <[email protected]>
+
+ Merge r186982. rdar://problem/21709404
+
+ 2015-07-17 Andy Estes <[email protected]>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
+
2015-07-15 David Kilzer <[email protected]>
REGRESSION (r186559): Follow-up fix to merge r183861 for <rdar://problem/21716677>
Modified: branches/safari-600.1.4.17-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2015-07-18 04:44:13 UTC (rev 186983)
@@ -480,6 +480,10 @@
for (auto& mimeType : parameters.mimeTypesWithCustomContentProviders)
m_mimeTypesWithCustomContentProviders.add(mimeType);
+
+#if PLATFORM(IOS)
+ m_page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
}
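Review bot: `reinitializeWebPage(const WebPageCreationParameters&)` immediately below this hunk is not updated, so if it ever rebuilds or resets the Page's settings the attachment sandbox silently reverts to `initial=false`; either confirm it never touches Settings or move this assignment into a helper that both the constructor and reinitializeWebPage call. More generally, with the compile-time PLATFORM(IOS) branch gone from Document.cpp, nothing in the engine enforces the sandbox on iOS unless the embedder sets it, and the layout tests enable it through internals rather than through this path; an API test asserting the effective setting on an iOS WebPage would cover the gap.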
void WebPage::reinitializeWebPage(const WebPageCreationParameters& parameters)
Modified: branches/safari-600.1.4.17-branch/Tools/ChangeLog (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Tools/ChangeLog 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Tools/ChangeLog 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1,3 +1,19 @@
+2015-07-17 Andy Estes <[email protected]>
+
+ Merge r186982. rdar://problem/21709404
+
+ 2015-07-17 Andy Estes <[email protected]>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
+ (WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
+ This matches the behavior of DumpRenderTree.
+
2015-07-13 David Kilzer <[email protected]>
Merge r186476. rdar://problem/21708269
Modified: branches/safari-600.1.4.17-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp (186982 => 186983)
--- branches/safari-600.1.4.17-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp 2015-07-18 03:47:28 UTC (rev 186982)
+++ branches/safari-600.1.4.17-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp 2015-07-18 04:44:13 UTC (rev 186983)
@@ -1260,7 +1260,7 @@
WKBundlePagePolicyAction InjectedBundlePage::decidePolicyForResponse(WKBundlePageRef page, WKBundleFrameRef, WKURLResponseRef response, WKURLRequestRef, WKTypeRef*)
{
- if (WKURLResponseIsAttachment(response)) {
+ if (InjectedBundle::singleton().testRunner()->isPolicyDelegateEnabled() && WKURLResponseIsAttachment(response)) {
StringBuilder stringBuilder;
WKRetainPtr<WKStringRef> filename = adoptWK(WKURLResponseCopySuggestedFilename(response));
stringBuilder.appendLiteral("Policy delegate: resource is an attachment, suggested file name \'");