[webkit-changes] [269960] trunk

Wed, 18 Nov 2020 08:44:32 -0800

Title: [269960] trunk
Revision
269960
Author
cdu...@apple.com
Date
2020-11-18 08:39:21 -0800 (Wed, 18 Nov 2020)

Log Message

navigator.clipboard is not exposed on *.localhost pages
https://bugs.webkit.org/show_bug.cgi?id=219020

Reviewed by Wenson Hsieh.

Source/WebCore:

Make sure that if the host falls within ".localhost", the security origin is treated as
potentially trustworthy, as per:
- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy (Step 5).

This makes sure that API that are exposed only to secure context (such as navigator.clipboad)
are exposed on subdomains of localhost.

* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::isLocalHostOrLoopbackIPAddress):

Tools:

Extend API test coverage.

* TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
(TestWebKitAPI::TEST_F):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (269959 => 269960)


--- trunk/Source/WebCore/ChangeLog	2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Source/WebCore/ChangeLog	2020-11-18 16:39:21 UTC (rev 269960)
@@ -1,3 +1,20 @@
+2020-11-18  Chris Dumez  <cdu...@apple.com>
+
+        navigator.clipboard is not exposed on *.localhost pages
+        https://bugs.webkit.org/show_bug.cgi?id=219020
+
+        Reviewed by Wenson Hsieh.
+
+        Make sure that if the host falls within ".localhost", the security origin is treated as
+        potentially trustworthy, as per:
+        - https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy (Step 5).
+
+        This makes sure that API that are exposed only to secure context (such as navigator.clipboad)
+        are exposed on subdomains of localhost.
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::isLocalHostOrLoopbackIPAddress):
+
 2020-11-18  Chris Lord  <cl...@igalia.com>
 
         Make CSS font shorthands parsable within a worker (i.e. without CSSValuePool)

Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (269959 => 269960)


--- trunk/Source/WebCore/page/SecurityOrigin.cpp	2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp	2020-11-18 16:39:21 UTC (rev 269960)
@@ -605,7 +605,7 @@
         return true;
 
     // FIXME: Ensure that localhost resolves to the loopback address.
-    if (equalLettersIgnoringASCIICase(host, "localhost"))
+    if (equalLettersIgnoringASCIICase(host, "localhost") || host.endsWithIgnoringASCIICase(".localhost"))
         return true;
 
     return false;

Modified: trunk/Tools/ChangeLog (269959 => 269960)


--- trunk/Tools/ChangeLog	2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Tools/ChangeLog	2020-11-18 16:39:21 UTC (rev 269960)
@@ -1,3 +1,15 @@
+2020-11-18  Chris Dumez  <cdu...@apple.com>
+
+        navigator.clipboard is not exposed on *.localhost pages
+        https://bugs.webkit.org/show_bug.cgi?id=219020
+
+        Reviewed by Wenson Hsieh.
+
+        Extend API test coverage.
+
+        * TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
+        (TestWebKitAPI::TEST_F):
+
 2020-11-18  Aakash Jain  <aakash_j...@apple.com>
 
         [build.webkit.org] Update RunPerlTests step for new buildbot

Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp (269959 => 269960)


--- trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp	2020-11-18 16:13:21 UTC (rev 269959)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp	2020-11-18 16:39:21 UTC (rev 269960)
@@ -159,8 +159,15 @@
     EXPECT_TRUE(SecurityOrigin::createFromString("http://127.0.0.2")->isPotentiallyTrustworthy());
     EXPECT_TRUE(SecurityOrigin::createFromString("http://127.0.1.1")->isPotentiallyTrustworthy());
     EXPECT_TRUE(SecurityOrigin::createFromString("http://127.1.1.1")->isPotentiallyTrustworthy());
+    EXPECT_TRUE(SecurityOrigin::createFromString("http://localhost:8000")->isPotentiallyTrustworthy());
     EXPECT_TRUE(SecurityOrigin::createFromString("http://localhost")->isPotentiallyTrustworthy());
     EXPECT_TRUE(SecurityOrigin::createFromString("http://loCALhoST")->isPotentiallyTrustworthy());
+    EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.localhost")->isPotentiallyTrustworthy());
+    EXPECT_TRUE(SecurityOrigin::createFromString("http://Foo.loCaLhOsT")->isPotentiallyTrustworthy());
+    EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.localhost:8000")->isPotentiallyTrustworthy());
+    EXPECT_TRUE(SecurityOrigin::createFromString("http://foo.bar.localhost:8000")->isPotentiallyTrustworthy());
+    EXPECT_FALSE(SecurityOrigin::createFromString("http://localhost.com")->isPotentiallyTrustworthy());
+    EXPECT_FALSE(SecurityOrigin::createFromString("http://foo.localhost.com")->isPotentiallyTrustworthy());
     EXPECT_TRUE(SecurityOrigin::createFromString("http://[::1]")->isPotentiallyTrustworthy());
 #if PLATFORM(COCOA)
     EXPECT_TRUE(SecurityOrigin::createFromString("applewebdata:a")->isPotentiallyTrustworthy());

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to