Diff
Modified: branches/safari-608-branch/LayoutTests/ChangeLog (253711 => 253712)
--- branches/safari-608-branch/LayoutTests/ChangeLog 2019-12-18 21:28:55 UTC (rev 253711)
+++ branches/safari-608-branch/LayoutTests/ChangeLog 2019-12-18 21:43:50 UTC (rev 253712)
@@ -1,3 +1,43 @@
+2019-12-18 Dan Robson <dan_rob...@apple.com>
+
+ Cherry-pick r253544. rdar://problem/58049164
+
+ SecurityOrigin should be unique for null blob URLs that have been unregistered
+ https://bugs.webkit.org/show_bug.cgi?id=205169
+
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ In case we cannot retrieve a cached origin for a null origin, just create a unique one.
+ This is better than having an origin with an empty host and empty scheme.
+
+ Test: http/tests/security/blob-null-url-location-origin.html
+
+ * fileapi/ThreadableBlobRegistry.cpp:
+ (WebCore::ThreadableBlobRegistry::unregisterBlobURL):
+ (WebCore::ThreadableBlobRegistry::getCachedOrigin):
+
+ LayoutTests:
+
+ * http/tests/security/blob-null-url-location-origin-expected.txt: Added.
+ * http/tests/security/blob-null-url-location-origin.html: Added.
+ * platform/win/TestExpectations: Skipping test as timing out in windows.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-12-16 youenn fablet <you...@apple.com>
+
+ SecurityOrigin should be unique for null blob URLs that have been unregistered
+ https://bugs.webkit.org/show_bug.cgi?id=205169
+
+ Reviewed by Darin Adler.
+
+ * http/tests/security/blob-null-url-location-origin-expected.txt: Added.
+ * http/tests/security/blob-null-url-location-origin.html: Added.
+ * platform/win/TestExpectations: Skipping test as timing out in windows.
+
2019-11-18 Alan Coon <alanc...@apple.com>
Apply patch. rdar://problem/57283569
Added: branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt (0 => 253712)
--- branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt (rev 0)
+++ branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin-expected.txt 2019-12-18 21:43:50 UTC (rev 253712)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 1: data URL frame loaded
+CONSOLE MESSAGE: line 1: blob popup opened
+CONSOLE MESSAGE: line 1: blob popup loadednull
+CONSOLE MESSAGE: line 1: blob popup message posted
+PASS
Added: branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin.html (0 => 253712)
--- branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin.html (rev 0)
+++ branches/safari-608-branch/LayoutTests/http/tests/security/blob-null-url-location-origin.html 2019-12-18 21:43:50 UTC (rev 253712)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+}
+
+let count = 0;
+_onmessage_ = (event) => {
+ ++count;
+ if (event.data !== "null") {
+ document.body.innerHTML = "FAIL, got " + event.data + " with count " + count;
+ if (window.testRunner)
+ testRunner.notifyDone();
+ window.clearTimeout(timer);
+ count = 3;
+ return;
+ }
+ if (count === 2) {
+ document.body.innerHTML = "PASS";
+ if (window.testRunner)
+ testRunner.notifyDone();
+ window.clearTimeout(timer);
+ }
+};
+
+const timer = setTimeout(() => {
+ document.body.innerHTML = "TIMEOUT";
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, 10000);
+</script>
+<iframe src="" URL frame loaded'); const blob = new Blob(['<'+ 'script>console.log(\'blob popup loaded\' + location.origin); _onload_ = () => window.opener.postMessage(location.origin, \'*\'); console.log(\'blob popup message posted\'); _onmessage_ = () => window.opener.postMessage(location.origin, \'*\'); <' + '/script>'], {type: 'text/html'}); const blobURL = URL.createObjectURL(blob); const popup = window.open(blobURL); _onmessage_ = (event) => { popup.postMessage('check', '*'); parent.postMessage(event.data, '*'); URL.revokeObjectURL(blobURL); _onmessage_ = (event) => { parent.postMessage(event.data, '*'); popup.close(); }; }; console.log('blob popup opened'); </script>"></iframe>
+</body>
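Review bot: The pass condition in `onmessage` only checks that `event.data` is the string `"null"` twice, so it pins how the popup's origin serializes before and after `revokeObjectURL`, not that the fallback origin is actually unique. An opaque origin that happened to be shared with another context would also serialize to `"null"` and pass. If the harness allows it, a follow-up assertion that the popup is treated as cross-origin after the revoke would cover the property named in the bug title. A short comment on `count = 3;` would also help, e.g. `// Move past the PASS threshold so a late message cannot overwrite FAIL.` The iframe line looks truncated in this view, so its script is only partly reviewable here.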
Modified: branches/safari-608-branch/LayoutTests/platform/win/TestExpectations (253711 => 253712)
--- branches/safari-608-branch/LayoutTests/platform/win/TestExpectations 2019-12-18 21:28:55 UTC (rev 253711)
+++ branches/safari-608-branch/LayoutTests/platform/win/TestExpectations 2019-12-18 21:43:50 UTC (rev 253712)
@@ -733,6 +733,8 @@
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-report.php [ Skip ]
http/tests/security/contentSecurityPolicy/same-origin-plugin-document-with-csp-blocked-in-child-window.html [ Skip ]
+http/tests/security/blob-null-url-location-origin.html [ Skip ]
+
################################################################################
############################ End Plugin Failures ###########################
################################################################################
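Review bot: The added `[ Skip ]` entry has no bug reference or reason, and it sits inside the plugin-failures block, which ends on the following lines. The ChangeLog says the test times out on Windows, which is unrelated to plugins. This is the regression test for a security-origin fix, so an untracked skip leaves Windows without coverage and gives nothing to prompt re-enabling it. Suggest moving the entry out of the plugin section and preceding it with a comment such as `# Times out on Windows; tracked in webkit.org/b/<BUG_ID>`.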
Modified: branches/safari-608-branch/Source/WebCore/ChangeLog (253711 => 253712)
--- branches/safari-608-branch/Source/WebCore/ChangeLog 2019-12-18 21:28:55 UTC (rev 253711)
+++ branches/safari-608-branch/Source/WebCore/ChangeLog 2019-12-18 21:43:50 UTC (rev 253712)
@@ -1,3 +1,48 @@
+2019-12-18 Dan Robson <dan_rob...@apple.com>
+
+ Cherry-pick r253544. rdar://problem/58049164
+
+ SecurityOrigin should be unique for null blob URLs that have been unregistered
+ https://bugs.webkit.org/show_bug.cgi?id=205169
+
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ In case we cannot retrieve a cached origin for a null origin, just create a unique one.
+ This is better than having an origin with an empty host and empty scheme.
+
+ Test: http/tests/security/blob-null-url-location-origin.html
+
+ * fileapi/ThreadableBlobRegistry.cpp:
+ (WebCore::ThreadableBlobRegistry::unregisterBlobURL):
+ (WebCore::ThreadableBlobRegistry::getCachedOrigin):
+
+ LayoutTests:
+
+ * http/tests/security/blob-null-url-location-origin-expected.txt: Added.
+ * http/tests/security/blob-null-url-location-origin.html: Added.
+ * platform/win/TestExpectations: Skipping test as timing out in windows.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@253544 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-12-16 youenn fablet <you...@apple.com>
+
+ SecurityOrigin should be unique for null blob URLs that have been unregistered
+ https://bugs.webkit.org/show_bug.cgi?id=205169
+
+ Reviewed by Darin Adler.
+
+ In case we cannot retrieve a cached origin for a null origin, just create a unique one.
+ This is better than having an origin with an empty host and empty scheme.
+
+ Test: http/tests/security/blob-null-url-location-origin.html
+
+ * fileapi/ThreadableBlobRegistry.cpp:
+ (WebCore::ThreadableBlobRegistry::unregisterBlobURL):
+ (WebCore::ThreadableBlobRegistry::getCachedOrigin):
+
2019-11-19 Alan Coon <alanc...@apple.com>
Cherry-pick r251678. rdar://problem/57283567
Modified: branches/safari-608-branch/Source/WebCore/fileapi/ThreadableBlobRegistry.cpp (253711 => 253712)
--- branches/safari-608-branch/Source/WebCore/fileapi/ThreadableBlobRegistry.cpp 2019-12-18 21:28:55 UTC (rev 253711)
+++ branches/safari-608-branch/Source/WebCore/fileapi/ThreadableBlobRegistry.cpp 2019-12-18 21:43:50 UTC (rev 253712)
@@ -105,10 +105,16 @@
}
}
+static inline bool isBlobURLContainsNullOrigin(const URL& url)
+{
+ ASSERT(url.protocolIsBlob());
+ return BlobURL::getOrigin(url) == "null";
+}
+
void ThreadableBlobRegistry::registerBlobURL(SecurityOrigin* origin, const URL& url, const URL& srcURL)
{
// If the blob URL contains null origin, as in the context with unique security origin or file URL, save the mapping between url and origin so that the origin can be retrived when doing security origin check.
- if (origin && BlobURL::getOrigin(url) == "null")
+ if (origin && isBlobURLContainsNullOrigin(url))
originMap()->add(url.string(), origin);
if (isMainThread())
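Review bot: `isBlobURLContainsNullOrigin` enforces its blob-URL precondition only through `ASSERT(url.protocolIsBlob())`, which is typically compiled out of release builds. Of the three callers, only `getCachedOrigin` tests `protocolIsBlob()` first; `registerBlobURL` here and `unregisterBlobURL` in the next hunk pass `url` straight through. If a non-blob URL can reach those paths, the result depends on how `BlobURL::getOrigin` treats it, which is not visible in this diff. Consider folding the check into the helper, `return url.protocolIsBlob() && BlobURL::getOrigin(url) == "null";`, so every caller behaves the same in release, and a name such as `blobURLHasNullOrigin` would read more naturally. The body of `registerBlobURL` continues outside the hunk.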
@@ -157,7 +163,7 @@
void ThreadableBlobRegistry::unregisterBlobURL(const URL& url)
{
- if (BlobURL::getOrigin(url) == "null")
+ if (isBlobURLContainsNullOrigin(url))
originMap()->remove(url.string());
if (isMainThread())
@@ -171,7 +177,14 @@
RefPtr<SecurityOrigin> ThreadableBlobRegistry::getCachedOrigin(const URL& url)
{
- return originMap()->get(url.string());
+ if (auto cachedOrigin = originMap()->get(url.string()))
+ return cachedOrigin;
+
+ if (!url.protocolIsBlob() || !isBlobURLContainsNullOrigin(url))
+ return nullptr;
+
+ // If we do not have a cached origin for null blob URLs, we use a unique origin.
+ return SecurityOrigin::createUnique();
}
} // namespace WebCore
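Review bot: `getCachedOrigin` no longer returns only cached values, and neither its name nor the new comment says so. For a `blob:null` URL with no map entry it now returns `SecurityOrigin::createUnique()`, presumably a fresh origin on every call, and this applies to URLs that were never registered as well as unregistered ones. Callers that read a non-null result as "this URL was registered", or that compare results across two lookups, will now behave differently; whether any do is not visible here. Suggest expanding the comment to state the contract, e.g. `// No cached entry (never registered or already unregistered): return a new unique origin per call instead of letting callers derive one with an empty scheme and host.`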