Title: [269960] trunk
- Revision: 269960
- Author: cdu...@apple.com
- Date: 2020-11-18 08:39:21 -0800 (Wed, 18 Nov 2020)
Log Message
navigator.clipboard is not exposed on *.localhost pages
https://bugs.webkit.org/show_bug.cgi?id=219020
Reviewed by Wenson Hsieh.
Source/WebCore:
Make sure that if the host falls within ".localhost", the security origin is treated as
potentially trustworthy, as per:
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy (Step 5).
This makes sure that APIs that are exposed only to secure contexts (such as navigator.clipboard)
are exposed on subdomains of localhost.
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::isLocalHostOrLoopbackIPAddress):
Tools:
Extend API test coverage.
* TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
(TestWebKitAPI::TEST_F):
Diff
Modified: trunk/Source/WebCore/ChangeLog (269959 => 269960)
--- trunk/Source/WebCore/ChangeLog 2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Source/WebCore/ChangeLog 2020-11-18 16:39:21 UTC (rev 269960)
@@ -1,3 +1,20 @@
+2020-11-18 Chris Dumez <cdu...@apple.com>
+
+ navigator.clipboard is not exposed on *.localhost pages
+ https://bugs.webkit.org/show_bug.cgi?id=219020
+
+ Reviewed by Wenson Hsieh.
+
+ Make sure that if the host falls within ".localhost", the security origin is treated as
+ potentially trustworthy, as per:
+ - https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy (Step 5).
+
+ This makes sure that API that are exposed only to secure context (such as navigator.clipboad)
+ are exposed on subdomains of localhost.
+
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::isLocalHostOrLoopbackIPAddress):
+
2020-11-18 Chris Lord <cl...@igalia.com>
Make CSS font shorthands parsable within a worker (i.e. without CSSValuePool)
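Review bot: Typo in the description paragraph of the new ChangeLog entry: "navigator.clipboad" should be "navigator.clipboard", as the entry's own title line spells it. In the same sentence, "API that are exposed only to secure context" reads better as "APIs that are exposed only to secure contexts".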
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (269959 => 269960)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2020-11-18 16:39:21 UTC (rev 269960)
@@ -605,7 +605,7 @@
return true;
// FIXME: Ensure that localhost resolves to the loopback address.
- if (equalLettersIgnoringASCIICase(host, "localhost"))
+ if (equalLettersIgnoringASCIICase(host, "localhost") || host.endsWithIgnoringASCIICase(".localhost"))
return true;
return false;
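Review bot: The FIXME directly above the changed condition ("Ensure that localhost resolves to the loopback address") is still open, and with the added host.endsWithIgnoringASCIICase(".localhost") branch it now covers every name under .localhost, not just the single name "localhost". The trust decision here is made on the host string alone, so a *.localhost name that resolves somewhere other than loopback would still be reported as potentially trustworthy. Please update the FIXME to name the subdomain case explicitly, or reference a bug that tracks the resolution guarantee. It would also help to state in a comment whether a trailing-dot host ("localhost." or "foo.localhost.") can reach this function, since neither comparison on this line matches it.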
Modified: trunk/Tools/ChangeLog (269959 => 269960)
--- trunk/Tools/ChangeLog 2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Tools/ChangeLog 2020-11-18 16:39:21 UTC (rev 269960)
@@ -1,3 +1,15 @@
+2020-11-18 Chris Dumez <cdu...@apple.com>
+
+ navigator.clipboard is not exposed on *.localhost pages
+ https://bugs.webkit.org/show_bug.cgi?id=219020
+
+ Reviewed by Wenson Hsieh.
+
+ Extend API test coverage.
+
+ * TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
+ (TestWebKitAPI::TEST_F):
+
2020-11-18 Aakash Jain <aakash_j...@apple.com>
[build.webkit.org] Update RunPerlTests step for new buildbot
Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp (269959 => 269960)
--- trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp 2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp 2020-11-18 16:39:21 UTC (rev 269960)
@@ -159,8 +159,15 @@
EXPECT_TRUE(SecurityOrigin::createFromString("http://127.0.0.2")->isPotentiallyTrustworthy());
EXPECT_TRUE(SecurityOrigin::createFromString("http://127.0.1.1")->isPotentiallyTrustworthy());
EXPECT_TRUE(SecurityOrigin::createFromString("http://127.1.1.1")->isPotentiallyTrustworthy());
+ EXPECT_TRUE(SecurityOrigin::createFromString("http://localhost:8000")->isPotentiallyTrustworthy());
EXPECT_TRUE(SecurityOrigin::createFromString("http://localhost")->isPotentiallyTrustworthy());
EXPECT_TRUE(SecurityOrigin::createFromString("http://loCALhoST")->isPotentiallyTrustworthy());
+ EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.localhost")->isPotentiallyTrustworthy());
+ EXPECT_TRUE(SecurityOrigin::createFromString("http://Foo.loCaLhOsT")->isPotentiallyTrustworthy());
+ EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.localhost:8000")->isPotentiallyTrustworthy());
+ EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.bar.localhost:8000")->isPotentiallyTrustworthy());
+ EXPECT_FALSE(SecurityOrigin::createFromString("http://localhost.com")->isPotentiallyTrustworthy());
+ EXPECT_FALSE(SecurityOrigin::createFromString("http://foo.localhost.com")->isPotentiallyTrustworthy());
EXPECT_TRUE(SecurityOrigin::createFromString("http://[::1]")->isPotentiallyTrustworthy());
#if PLATFORM(COCOA)
EXPECT_TRUE(SecurityOrigin::createFromString("applewebdata:a")->isPotentiallyTrustworthy());
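Review bot: The two new EXPECT_FALSE cases (localhost.com and foo.localhost.com) only check names where "localhost" is not the final label; none checks a host that ends in "localhost" without the dot separator. A case such as EXPECT_FALSE for "http://foolocalhost" is what would catch a regression from endsWith(".localhost") to endsWith("localhost"), so please add one. A negative case with a port (for example "http://foo.localhost.com:8000") would mirror the positive port cases added here.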