Diff
Modified: trunk/LayoutTests/ChangeLog (195476 => 195477)
--- trunk/LayoutTests/ChangeLog 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/LayoutTests/ChangeLog 2016-01-22 22:24:32 UTC (rev 195477)
@@ -1,3 +1,20 @@
+2016-01-21 Sam Weinig <s...@webkit.org>
+
+ Treat non-https actions on secure pages as mixed content
+ <rdar://problem/23144492>
+ https://bugs.webkit.org/show_bug.cgi?id=153322
+
+ Reviewed by Alexey Proskuryakov.
+
+ * http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-form-in-iframe.html: Added.
+ * http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-form-in-main-frame.html: Added.
+ * http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt: Added.
+ * http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-form.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html: Added.
+
2016-01-22 Ryan Haddad <ryanhad...@apple.com>
Marking imported/w3c/web-platform-tests/XMLHttpRequest/getresponseheader-chunked-trailer.htm as flaky on ios-simulator
Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe-expected.txt 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,11 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that has a form with an insecure action. We should *not* get a mixed content callback because the main frame is HTTP and the form doesn't contaminate the child iframe's security origin with mixed content.
+
+
Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-iframe.html 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,14 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+}
+</script>
+<p>This test loads a secure iframe that has a form with an insecure action. We should
+*not* get a mixed content callback because the main frame is HTTP and the form
+doesn't contaminate the child iframe's security origin with mixed content.</p>
+<iframe src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame-expected.txt 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,12 @@
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: line 3: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-form.html contains a form which targets an insecure URL http://127.0.0.1:8080/resources/doesnotexist.
+
+didDisplayInsecureContent
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that has a form with an non-https action. We should trigger a mixed content callback because the main frame in the window is HTTPS but is running insecure content.
Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-form-in-main-frame.html 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,27 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that has a form with an non-https action. We should
+trigger a mixed content callback because the main frame in the window is HTTPS
+but is running insecure content.</p>
+<script>
+_onload_ = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-form.html");
+}
+</script>
+</body>
+</html>
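Review bot: The `message` listener calls `testRunner.notifyDone()` for any message and never looks at `e.data` or `e.origin`, so a stray message would end the test before the opened window has reported, and the dumped callbacks could be cut short. Checking the payload ties completion to the helper page: `if (window.testRunner && e.data === 'done')`. The same listener is repeated in the `_javascript_-url-form-in-main-frame.html` test added further down.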
Added: trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame-expected.txt 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,9 @@
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that has a form with an action that is a _javascript_: url. We should *not* trigger a mixed content callback because the _javascript_: URL cannot be corrupted by active network attackers.
Added: trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,27 @@
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that has a form with an action that is a _javascript_: url. We should
+*not* trigger a mixed content callback because the _javascript_: URL cannot be corrupted
+by active network attackers.</p>
+<script>
+_onload_ = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-_javascript_-url-form.html");
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-form.html 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<body _onload_="loaded()">
+<form action=""
+<script>
+function loaded() {
+ if (window.opener)
+ window.opener.postMessage('done', '*');
+}
+</script>
+</body>
Added: trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html (0 => 195477)
--- trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-_javascript_-url-form.html 2016-01-22 22:24:32 UTC (rev 195477)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<body _onload_="loaded()">
+<form action=""
+<script>
+function loaded() {
+ if (window.opener)
+ window.opener.postMessage('done', '*');
+}
+</script>
+</body>
Modified: trunk/Source/WebCore/ChangeLog (195476 => 195477)
--- trunk/Source/WebCore/ChangeLog 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/Source/WebCore/ChangeLog 2016-01-22 22:24:32 UTC (rev 195477)
@@ -1,3 +1,24 @@
+2016-01-21 Sam Weinig <s...@webkit.org>
+
+ Treat non-https actions on secure pages as mixed content
+ <rdar://problem/23144492>
+ https://bugs.webkit.org/show_bug.cgi?id=153322
+
+ Reviewed by Alexey Proskuryakov.
+
+ Tests: http/tests/security/mixedContent/insecure-form-in-iframe.html
+ http/tests/security/mixedContent/insecure-form-in-main-frame.html
+ http/tests/security/mixedContent/_javascript_-url-form-in-main-frame.html
+
+ * html/HTMLFormElement.cpp:
+ (WebCore::HTMLFormElement::parseAttribute):
+ Check form actions for mixed content.
+
+ * loader/MixedContentChecker.cpp:
+ (WebCore::MixedContentChecker::checkFormForMixedContent):
+ * loader/MixedContentChecker.h:
+ Add new function to check and warn if a form's action is mixed content.
+
2016-01-22 Nan Wang <n_w...@apple.com>
AX: Crash in setTextMarkerDataWithCharacterOffset
Modified: trunk/Source/WebCore/html/HTMLFormElement.cpp (195476 => 195477)
--- trunk/Source/WebCore/html/HTMLFormElement.cpp 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/Source/WebCore/html/HTMLFormElement.cpp 2016-01-22 22:24:32 UTC (rev 195477)
@@ -481,9 +481,16 @@
void HTMLFormElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
{
- if (name == actionAttr)
+ if (name == actionAttr) {
m_attributes.parseAction(value);
- else if (name == targetAttr)
+
+ if (!m_attributes.action().isEmpty()) {
+ if (Frame* f = document().frame()) {
+ Frame& topFrame = f->tree().top();
+ topFrame.loader().mixedContentChecker().checkFormForMixedContent(topFrame.document()->securityOrigin(), document().completeURL(m_attributes.action()));
+ }
+ }
+ } else if (name == targetAttr)
m_attributes.setTarget(value);
else if (name == methodAttr)
m_attributes.updateMethodType(value);
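Review bot: The mixed-content check added under `name == actionAttr` runs only when the form's own `action` attribute is parsed, so a submit control's `formaction` attribute, which overrides the action at submission time, is not covered by anything visible in this hunk. If that path is not checked elsewhere, a form on an HTTPS page can still target an `http:` URL without the warning. The URL is also resolved with `completeURL` at parse time, so a later change of the document's base URL is not re-evaluated. `topFrame.document()` is dereferenced without a null check while `document().frame()` is guarded; if a top frame can lack a document at this point, wrap the call in `if (Document* topDocument = topFrame.document())`. At minimum I would add a comment such as `// Warn-only: evaluated when the action attribute is set, not at submission; formaction overrides are not covered.`; parseAttribute continues outside the hunk.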
@@ -496,8 +503,7 @@
document().registerForDocumentSuspensionCallbacks(this);
else
document().unregisterForDocumentSuspensionCallbacks(this);
- }
- else
+ } else
HTMLElement::parseAttribute(name, value);
}
Modified: trunk/Source/WebCore/loader/MixedContentChecker.cpp (195476 => 195477)
--- trunk/Source/WebCore/loader/MixedContentChecker.cpp 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/Source/WebCore/loader/MixedContentChecker.cpp 2016-01-22 22:24:32 UTC (rev 195477)
@@ -88,6 +88,22 @@
return allowed;
}
+void MixedContentChecker::checkFormForMixedContent(SecurityOrigin* securityOrigin, const URL& url) const
+{
+ // Unconditionally allow _javascript_: URLs as form actions as some pages do this and it does not introduce
+ // a mixed content issue.
+ if (protocolIsJavaScript(url))
+ return;
+
+ if (!isMixedContent(securityOrigin, url))
+ return;
+
+ String message = makeString("The page at ", m_frame.document()->url().stringCenterEllipsizedToLength(), " contains a form which targets an insecure URL ", url.stringCenterEllipsizedToLength(), ".\n");
+ m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, message);
+
+ client().didDisplayInsecureContent();
+}
+
void MixedContentChecker::logWarning(bool allowed, const String& action, const URL& target) const
{
const char* errorString = allowed ? " was allowed to " : " was not allowed to ";
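Review bot: `checkFormForMixedContent` only warns: it returns `void`, logs a console message and calls `client().didDisplayInsecureContent()`, so nothing here lets a setting or the embedder refuse an insecure form target, unlike the `bool`-returning `canDisplayInsecureContent` and `canRunInsecureContent` declared beside it in the header. A form post carries user input, so reporting it through the display callback may understate the exposure. If that is deliberate, the function should say so, e.g. `// Warn-only: reports a form whose action is an insecure URL; does not block submission.` above the definition and the declaration in MixedContentChecker.h. `m_frame.document()` is also dereferenced twice without a null check, which is safe only if callers guarantee a document. logWarning, shown as trailing context, continues outside the hunk.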
Modified: trunk/Source/WebCore/loader/MixedContentChecker.h (195476 => 195477)
--- trunk/Source/WebCore/loader/MixedContentChecker.h 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/Source/WebCore/loader/MixedContentChecker.h 2016-01-22 22:24:32 UTC (rev 195477)
@@ -53,6 +53,7 @@
bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&) const;
bool canRunInsecureContent(SecurityOrigin*, const URL&) const;
+ void checkFormForMixedContent(SecurityOrigin*, const URL&) const;
static bool isMixedContent(SecurityOrigin*, const URL&);
private:
Modified: trunk/Tools/WebEditingTester/WK2WebDocumentController.m (195476 => 195477)
--- trunk/Tools/WebEditingTester/WK2WebDocumentController.m 2016-01-22 22:21:48 UTC (rev 195476)
+++ trunk/Tools/WebEditingTester/WK2WebDocumentController.m 2016-01-22 22:24:32 UTC (rev 195477)
@@ -81,7 +81,13 @@
- (void)loadHTMLString:(NSString *)content
{
- [_webView loadHTMLString:content baseURL:nil];
+ NSStringEncoding encoding = NSUnicodeStringEncoding;
+
+ NSData *data = "" dataUsingEncoding:encoding];
+ CFStringEncoding cfEncoding = CFStringConvertNSStringEncodingToEncoding(encoding);
+ NSString *textEncodingName = (__bridge NSString *)CFStringConvertEncodingToIANACharSetName(cfEncoding);
+
+ [_webView _loadData:data MIMEType:@"text/html" characterEncodingName:textEncodingName baseURL:[NSURL URLWithString:@"x-webdoc:/klsadfgjlfsdj/"] userData:nil];
}
- (void)performTextFinderAction:(id)sender
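Review bot: The base URL passed to `_loadData:…` is an unexplained literal, `@"x-webdoc:/klsadfgjlfsdj/"`, and neither ChangeLog entry shown on this page mentions this file. Content loaded this way now gets a non-nil base URL with a custom scheme where it previously got `baseURL:nil`, which affects how relative URLs in the document are resolved, so the reason deserves a comment. I would hoist the literal into a named constant, e.g. `static NSString * const kWebDocBaseURLString = @"x-webdoc:/klsadfgjlfsdj/";`, with a line explaining why a placeholder base URL is needed. `CFStringConvertEncodingToIANACharSetName` can return NULL for encodings without an IANA name; that is harmless while `encoding` is fixed to `NSUnicodeStringEncoding`, but worth a comment if the encoding ever becomes a parameter.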