Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,37 @@
2016-05-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r195004. rdar://problem/26228875
+
+ 2016-01-13 Brent Fulgham <bfulg...@apple.com>
+
+ Cross-protocol, cross-site scripting (XPSS) using HTML forms
+ https://bugs.webkit.org/show_bug.cgi?id=153017
+ <rdar://problem/5873254>
+
+ Reviewed by David Kilzer.
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::responseReceived): If response HTTP version is 0.9,
+ sandbox against script execution and plugins.
+ * loader/ResourceLoader.cpp:
+ (WebCore::ResourceLoader::didReceiveResponse): Ditto.
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::didReceiveResponse): Ditto.
+ * platform/network/ResourceResponseBase.cpp:
+ (WebCore::ResourceResponseBase::adopt): Update for HTTP version.
+ (WebCore::ResourceResponseBase::copyData): Ditto.
+ (WebCore::ResourceResponseBase::httpVersion): Added.
+ (WebCore::ResourceResponseBase::setHTTPVersion): Ditto.
+ * platform/network/ResourceResponseBase.h:
+ (WebCore::ResourceResponseBase::encode): Update for HTTP version.
+ (WebCore::ResourceResponseBase::decode): Ditto.
+ * platform/network/cf/ResourceResponseCFNet.cpp:
+ (WebCore::ResourceResponse::platformLazyInit): Capture HTTP version.
+ * platform/network/cocoa/ResourceResponseCocoa.mm:
+ (WebCore::ResourceResponse::platformLazyInit): Ditto.
+
+2016-05-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r194399. rdar://problem/26228911
2015-12-23 Pranjal Jumde <pju...@apple.com>
Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/DocumentLoader.cpp (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/loader/DocumentLoader.cpp 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/DocumentLoader.cpp 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2008, 2016 Apple Inc. All rights reserved.
* Copyright (C) 2011 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -689,6 +689,14 @@
}
#endif
+ if (m_response.isHttpVersion0_9()) {
+ ASSERT(m_identifierForLoadWithoutResourceLoader || m_mainResource);
+ unsigned long identifier = m_identifierForLoadWithoutResourceLoader ? m_identifierForLoadWithoutResourceLoader : m_mainResource->identifier();
+ String message = "Sandboxing '" + response.url().string() + "' because it is using HTTP/0.9.";
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier);
+ frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins);
+ }
+
frameLoader()->policyChecker().checkContentPolicy(m_response, [this](PolicyAction policy) {
continueAfterContentPolicy(policy);
});
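Review bot: The sandbox is applied with `frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins)`, and if FrameLoader's forced flags are frame-scoped and accumulate (I believe they are OR-ed into a member and never cleared, but that is outside this hunk), one HTTP/0.9 main-resource response keeps scripts and plugins disabled for every later document loaded into the same frame, not only for this response; worth confirming and, if so, noting in a comment such as `// NOTE: forced sandbox flags persist on the frame across navigations.` The same applies to the ResourceLoader.cpp and SubresourceLoader.cpp hunks, where the current document's security context already exists when the flags are forced, so whether the already-loaded page is actually affected is unclear from the diff. Minor: the condition tests `m_response.isHttpVersion0_9()` but the message is built from `response.url()`; use `m_response.url()` in both places. The enclosing responseReceived starts and ends outside the hunk.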
Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/ResourceLoader.cpp (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/loader/ResourceLoader.cpp 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/ResourceLoader.cpp 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2010, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2010-2011, 2016 Apple Inc. All rights reserved.
* (C) 2007 Graham Dennis (graham.den...@gmail.com)
*
* Redistribution and use in source and binary forms, with or without
@@ -392,6 +392,12 @@
m_response = r;
+ if (m_response.isHttpVersion0_9()) {
+ String message = "Sandboxing '" + m_response.url().string() + "' because it is using HTTP/0.9.";
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, m_identifier);
+ frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins);
+ }
+
if (FormData* data = ""
data->removeGeneratedFilesIfNeeded();
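Review bot: `m_frame->document()` and `frameLoader()->forceSandboxFlags(...)` are dereferenced with no null check, whereas the SubresourceLoader.cpp hunk wraps the identical block in `if (m_frame)`; if m_frame can be null on this path, as that guard suggests, the condition should be `if (m_frame && m_response.isHttpVersion0_9()) {`. The block (message text, console call, sandbox call) is now duplicated in three loaders; a single helper taking the URL and identifier would keep the wording and the flag set in sync if the policy changes later. The enclosing didReceiveResponse starts and ends outside the hunk.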
Modified: branches/safari-601.1.46-branch/Source/WebCore/loader/SubresourceLoader.cpp (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/loader/SubresourceLoader.cpp 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/loader/SubresourceLoader.cpp 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2009, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -209,6 +209,14 @@
if (shouldIncludeCertificateInfo())
response.includeCertificateInfo();
+ if (response.isHttpVersion0_9()) {
+ if (m_frame) {
+ String message = "Sandboxing '" + response.url().string() + "' because it is using HTTP/0.9.";
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, identifier());
+ frameLoader()->forceSandboxFlags(SandboxScripts | SandboxPlugins);
+ }
+ }
+
if (m_resource->resourceToRevalidate()) {
if (response.httpStatusCode() == 304) {
// 304 Not modified / Use local copy
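Review bot: Forcing the sandbox on the embedding frame because of a subresource response means that any HTTP/0.9 reply to a fetch the page makes — including a cross-origin image or stylesheet — disables scripts and plugins for the whole frame, so a single misbehaving subresource server can knock out the page's scripting; cancelling or refusing the HTTP/0.9 subresource load itself would be the narrower mitigation and would not depend on how forced sandbox flags propagate to an already-created document. If the frame-wide effect is intended, say so in a comment above the block, e.g. `// An HTTP/0.9 subresource sandboxes the whole frame, not just this load.` The enclosing didReceiveResponse starts and ends outside the hunk.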
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.cpp 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2008, 2016 Apple Inc. All rights reserved.
* Copyright (C) 2009 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -72,6 +72,7 @@
response->setHTTPStatusCode(data->m_httpStatusCode);
response->setHTTPStatusText(data->m_httpStatusText);
+ response->setHTTPVersion(data->m_httpVersion);
response->lazyInit(AllFields);
response->m_httpHeaderFields.adopt(WTF::move(data->m_httpHeaders));
@@ -89,6 +90,7 @@
data->m_textEncodingName = textEncodingName().isolatedCopy();
data->m_httpStatusCode = httpStatusCode();
data->m_httpStatusText = httpStatusText().isolatedCopy();
+ data->m_httpVersion = httpVersion().isolatedCopy();
data->m_httpHeaders = httpHeaderFields().copyData();
data->m_resourceLoadTiming = m_resourceLoadTiming;
return asResourceResponse().doPlatformCopyData(WTF::move(data));
@@ -224,6 +226,29 @@
// FIXME: Should invalidate or update platform response if present.
}
+const String& ResourceResponseBase::httpVersion() const
+{
+ lazyInit(AllFields);
+
+ return m_httpVersion;
+}
+
+void ResourceResponseBase::setHTTPVersion(const String& versionText)
+{
+ lazyInit(AllFields);
+
+ m_httpVersion = versionText;
+
+ // FIXME: Should invalidate or update platform response if present.
+}
+
+bool ResourceResponseBase::isHttpVersion0_9() const
+{
+ lazyInit(AllFields);
+
+ return m_httpVersion.startsWith("HTTP/0.9");
+}
+
String ResourceResponseBase::httpHeaderField(const String& name) const
{
lazyInit(CommonFieldsOnly);
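Review bot: `isHttpVersion0_9()` is only as good as the platform code that fills m_httpVersion; in this commit only the CFNetwork and Mac platformLazyInit paths set it, so on any other port the string stays empty, the check is always false and the sandboxing never fires — that should be stated at the definition, e.g. `// False when the platform does not report a version (m_httpVersion empty).` `startsWith("HTTP/0.9")` is case-sensitive, which is fine for the platformLazyInit paths that call `.upper()`, but `setHTTPVersion()` and the decoder accept any case; either normalise in `setHTTPVersion()` or compare case-insensitively. Both new accessors call `lazyInit(AllFields)`, yet the CF/Mac hunks populate m_httpVersion next to m_httpStatusCode before the `initLevel < AllFields` branch, so `lazyInit(CommonFieldsOnly)` — as `httpHeaderField` below uses — would probably suffice and avoid forcing full header parsing just to gate on the version; confirm for other platforms. Naming: `isHttpVersion0_9` breaks the `httpVersion`/`setHTTPVersion` capitalisation used on the same lines.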
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.h (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.h 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/network/ResourceResponseBase.h 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2008, 2016 Apple Inc. All rights reserved.
* Copyright (C) 2009 Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -72,6 +72,10 @@
WEBCORE_EXPORT const String& httpStatusText() const;
WEBCORE_EXPORT void setHTTPStatusText(const String&);
+ WEBCORE_EXPORT const String& httpVersion() const;
+ WEBCORE_EXPORT void setHTTPVersion(const String&);
+ bool isHttpVersion0_9() const;
+
WEBCORE_EXPORT const HTTPHeaderMap& httpHeaderFields() const;
String httpHeaderField(const String& name) const;
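Review bot: The new declarations carry no documentation, and `isHttpVersion0_9()` is a security-relevant predicate whose meaning for non-HTTP and unsupported-platform responses is not obvious from the name; add `// Version token from the status line, e.g. "HTTP/1.1"; empty when unknown.` on `httpVersion()` and `// True only when a platform reported a version beginning "HTTP/0.9".` on `isHttpVersion0_9()`. The same comment on the `m_httpVersion` member in the next hunk would tell readers that the string is uppercased by platformLazyInit before the prefix test.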
@@ -156,6 +160,7 @@
long long m_expectedContentLength;
AtomicString m_textEncodingName;
AtomicString m_httpStatusText;
+ AtomicString m_httpVersion;
HTTPHeaderMap m_httpHeaderFields;
mutable ResourceLoadTiming m_resourceLoadTiming;
@@ -196,6 +201,7 @@
encoder << static_cast<int64_t>(m_expectedContentLength);
encoder << m_textEncodingName;
encoder << m_httpStatusText;
+ encoder << m_httpVersion;
encoder << m_httpHeaderFields;
encoder << m_resourceLoadTiming;
encoder << m_httpStatusCode;
@@ -229,6 +235,8 @@
return false;
if (!decoder.decode(response.m_httpStatusText))
return false;
+ if (!decoder.decode(response.m_httpVersion))
+ return false;
if (!decoder.decode(response.m_httpHeaderFields))
return false;
if (!decoder.decode(response.m_resourceLoadTiming))
@@ -258,6 +266,7 @@
String m_textEncodingName;
int m_httpStatusCode;
String m_httpStatusText;
+ String m_httpVersion;
std::unique_ptr<CrossThreadHTTPHeaderMapData> m_httpHeaders;
ResourceLoadTiming m_resourceLoadTiming;
};
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/network/cf/ResourceResponseCFNet.cpp (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/network/cf/ResourceResponseCFNet.cpp 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/network/cf/ResourceResponseCFNet.cpp 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2007, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,9 +28,10 @@
#if USE(CFNETWORK)
+#include "CFNetworkSPI.h"
+
#include "HTTPParsers.h"
#include "MIMETypeRegistry.h"
-#include <CFNetwork/CFURLResponsePriv.h>
#include <wtf/RetainPtr.h>
#if PLATFORM(COCOA)
@@ -90,6 +91,8 @@
CFHTTPMessageRef httpResponse = CFURLResponseGetHTTPResponse(m_cfResponse.get());
if (httpResponse) {
+ RetainPtr<CFStringRef> messageString = adoptCF(CFHTTPMessageCopyVersion(httpResponse));
+ m_httpVersion = String(messageString.get()).upper();
m_httpStatusCode = CFHTTPMessageGetResponseStatusCode(httpResponse);
if (initLevel < AllFields) {
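Review bot: The `.upper()` on the copied version string is load-bearing — `isHttpVersion0_9()` does a case-sensitive `startsWith("HTTP/0.9")` — but nothing here says so; add `// Uppercased so the case-sensitive prefix test in isHttpVersion0_9() matches whatever case CFNetwork reports.` above the assignment. `String(CFStringRef)` tolerates a null result from CFHTTPMessageCopyVersion as far as I know, so the missing null check is probably fine, but a one-word comment would save the next reader checking. The enclosing platformLazyInit starts and ends outside the hunk.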
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/network/mac/ResourceResponseMac.mm (200750 => 200751)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/network/mac/ResourceResponseMac.mm 2016-05-12 09:11:58 UTC (rev 200750)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/network/mac/ResourceResponseMac.mm 2016-05-12 09:12:02 UTC (rev 200751)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -137,6 +137,9 @@
if ([m_nsResponse.get() isKindOfClass:[NSHTTPURLResponse class]]) {
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *)m_nsResponse.get();
+ CFHTTPMessageRef messageRef = CFURLResponseGetHTTPResponse([httpResponse _CFURLResponse]);
+ RetainPtr<CFStringRef> messageString = adoptCF(CFHTTPMessageCopyVersion(messageRef));
+ m_httpVersion = String(messageString.get()).upper();
m_httpStatusCode = [httpResponse statusCode];
if (initLevel < AllFields) {
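Review bot: `CFURLResponseGetHTTPResponse([httpResponse _CFURLResponse])` is handed straight to CFHTTPMessageCopyVersion, whereas the CFNetwork hunk in ResourceResponseCFNet.cpp only calls it under `if (httpResponse)`; the isKindOfClass check above makes a null message unlikely, but the two platform paths should agree, e.g. `if (messageRef) m_httpVersion = String(adoptCF(CFHTTPMessageCopyVersion(messageRef)).get()).upper();`. Note also that the ChangeLog entry names platform/network/cocoa/ResourceResponseCocoa.mm while the file patched on this branch is platform/network/mac/ResourceResponseMac.mm; the merged entry should name the file actually changed. The enclosing platformLazyInit starts and ends outside the hunk.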