Diff
Modified: branches/safari-609-branch/LayoutTests/ChangeLog (258855 => 258856)
--- branches/safari-609-branch/LayoutTests/ChangeLog 2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/LayoutTests/ChangeLog 2020-03-23 17:00:16 UTC (rev 258856)
@@ -1,50 +1,5 @@
-b'2020-03-23 Russell Epstein <[email protected]>\n\n Cherry-pick r258741. rdar://problem/60756641\n\n Sanitize suggested download filename received from web process\n https://bugs.webkit.org/show_bug.cgi?id=209300\n <rdar://problem/59487723>\n \n Patch by Alex Christensen <[email protected]> on 2020-03-19\n Reviewed by Chris Dumez.\n \n Source/WebKit:\n \n * UIProcess/Downloads/DownloadProxy.cpp:\n (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\n \n LayoutTests:\n \n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-19 Alex Christensen <[email protected]>\n\n Sanitize suggested download filename rec
eived from web process\n https://bugs.webkit.org/show_bug.cgi?id=209300\n <rdar://problem/59487723>\n\n Reviewed by Chris Dumez.\n\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\n\n b"2020-03-23 Russell Epstein <[email protected]>\\n\\n Cherry-pick r258711. rdar://problem/60756645\\n\\n Source/WebCore:\\n AX: VO and safari: can\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n \\n Reviewed by Darin Adler.\\n \\n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n \\n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to
go up the chain.\\n \\n * accessibility/ios/AccessibilityObjectIOS.mm:\\n (WebCore::AccessibilityObject::hasTouchEventListener const):\\n \\n LayoutTests:\\n AX: VO and safari: caan\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n \\n Reviewed by Darin Adler.\\n \\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\n \\n \\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-19 Chris Fleizach <[email protected]>\\n\\n AX: VO and safari: caan\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n\\n Reviewed by Darin Adler.\\n\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n * accessibility/io
s-simulator/has-touch-event-listener-with-shadow.html: Added.\\n\\n"2020-03-17 Alan Coon <[email protected]>\n\n Cherry-pick r258459. rdar://problem/60539192\n\n SVGMatrix should have the access right of its owner SVGTransform always\n https://bugs.webkit.org/show_bug.cgi?id=207462\n\n Reviewed by Simon Fraser.\n\n Source/WebCore:\n\n The SVGMatrix needs to be reattached to its owner SVGTransform when the\n access right of this owner changes. The access right of the owner changes\n when it gets attached to or detached from a higher level owner.\n\n Test: svg/dom/SVGTransformList-anim-read-only.html\n\n * svg/SVGTransform.h:\n * svg/properties/SVGProperty.h:\n (WebCore::SVGProperty::attach):\n (WebCore::SVGProperty::detach):\n (WebCore::SVGProperty::reattach):\n\n LayoutTests:\n\n * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\n * sv
g/dom/SVGTransformList-anim-read-only.html: Added.\n\n\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258459 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-13 Said Abou-Hallawa <[email protected]>\n\n SVGMatrix should have the access right of its owner SVGTransform always\n https://bugs.webkit.org/show_bug.cgi?id=207462\n\n Reviewed by Simon Fraser.\n\n * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\n * svg/dom/SVGTransformList-anim-read-only.html: Added.\n\n'2020-03-17 Alan Coon <[email protected]>
+b'2020-03-23 Russell Epstein <[email protected]>\n\n Cherry-pick r258799. rdar://problem/60756681\n\n Content-Type & Nosniff Ignored on XML External Entity Resources\n <https://webkit.org/b/191171>\n <rdar://problem/45763222>\n \n Reviewed by Darin Adler.\n \n Source/WebCore:\n \n Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n \n * platform/MIMETypeRegistry.cpp:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n * platform/MIMETypeRegistry.h:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n - Checks for XML external entity MIME types.\n \n * xml/parser/XMLDocumentParserLibxml2.cpp:\n (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n - Checks whether the MIME type is valid based on the presence of\n the "X-Content-Type-Options: nosniff" header.\n (WebCore::openFunc):\n - Drop the contents of the resource t
hat was returned and print\n an error message to the Web Inspector console if\n externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n not allowed.\n \n LayoutTests:\n \n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-20 David Kilzer <[email protected]>\n\n Content-Type & Nosniff Ignored on XML External Entity Resources\n <https://webkit.org/b/191171>\n <rdar://problem/45763222>\n\n Reviewed by Darin Adler.\n\n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n\n b\'2020-03-23 Russe
ll Epstein <[email protected]>\\n\\n Cherry-pick r258741. rdar://problem/60756641\\n\\n Sanitize suggested download filename received from web process\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\n <rdar://problem/59487723>\\n \\n Patch by Alex Christensen <[email protected]> on 2020-03-19\\n Reviewed by Chris Dumez.\\n \\n Source/WebKit:\\n \\n * UIProcess/Downloads/DownloadProxy.cpp:\\n (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\\n \\n LayoutTests:\\n \\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\n \\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-19 Alex Christensen <[email protected]>\\n\\n Sanitize suggested download filename received
from web process\\n https://bugs.webkit.org/show_bug.cgi?id=209300\\n <rdar://problem/59487723>\\n\\n Reviewed by Chris Dumez.\\n\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\n * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\n\\n b"2020-03-23 Russell Epstein <[email protected]>\\\\n\\\\n Cherry-pick r258711. rdar://problem/60756645\\\\n\\\\n Source/WebCore:\\\\n AX: VO and safari: can\\\'t press the play button\\\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n \\\\n Reviewed by Darin Adler.\\\\n \\\\n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\\\n \\\\n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\\\n and a touch event won\\\'t be dispatched. We need to change to use the
parentInComposedTree instead to go up the chain.\\\\n \\\\n * accessibility/ios/AccessibilityObjectIOS.mm:\\\\n (WebCore::AccessibilityObject::hasTouchEventListener const):\\\\n \\\\n LayoutTests:\\\\n AX: VO and safari: caan\\\'t press the play button\\\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n \\\\n Reviewed by Darin Adler.\\\\n \\\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\\\n \\\\n \\\\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\\\n\\\\n 2020-03-19 Chris Fleizach <[email protected]>\\\\n\\\\n AX: VO and safari: caan\\\'t press the play button\\\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n\\\\n Reviewed by Darin Adler.\\\\n\\\\n * accessibility/ios-simulator/has-t
ouch-event-listener-with-shadow-expected.txt: Added.\\\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\\\n\\\\n"2020-03-17 Alan Coon <[email protected]>\\n\\n Cherry-pick r258459. rdar://problem/60539192\\n\\n SVGMatrix should have the access right of its owner SVGTransform always\\n https://bugs.webkit.org/show_bug.cgi?id=207462\\n\\n Reviewed by Simon Fraser.\\n\\n Source/WebCore:\\n\\n The SVGMatrix needs to be reattached to its owner SVGTransform when the\\n access right of this owner changes. The access right of the owner changes\\n when it gets attached to or detached from a higher level owner.\\n\\n Test: svg/dom/SVGTransformList-anim-read-only.html\\n\\n * svg/SVGTransform.h:\\n * svg/properties/SVGProperty.h:\\n (WebCore::SVGProperty::attach):\\n (WebCore::SVGProperty::detach):\\n (WebCore::SVGProperty::reattach):
\\n\\n LayoutTests:\\n\\n * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\\n * svg/dom/SVGTransformList-anim-read-only.html: Added.\\n\\n\\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258459 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-13 Said Abou-Hallawa <[email protected]>\\n\\n SVGMatrix should have the access right of its owner SVGTransform always\\n https://bugs.webkit.org/show_bug.cgi?id=207462\\n\\n Reviewed by Simon Fraser.\\n\\n * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\\n * svg/dom/SVGTransformList-anim-read-only.html: Added.\\n\\n\'2020-03-17 Alan Coon <[email protected]>\n\n Cherry-pick r258455. rdar://problem/60539179\n\n [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container\n https://bugs.webkit.org/show_bug.cgi?id=2
09095\n <rdar://problem/59837588>\n\n Reviewed by Simon Fraser.\n\n Source/WebCore:\n\n It\'s perfectly valid to have an inline table as the anonymous container for the before child.\n It\'ll get wrapped inside an anonymous block right before we insert the block box candidate, so\n the final result will be something like:\n\n new block level child (this is the child we are inserting)\n anonymous block wrapper\n inline table (this is the before child\'s inline container)\n before child\n\n Test: fast/table/before-child-is-inline-table.html\n\n * rendering/updating/RenderTreeBuilderBlock.cpp:\n (WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation):\n\n LayoutTests:\n\n * fast/table/before-child-is-inline-table-expected.txt: Added.\n * fast/table/before-child-is-inline-table.html: Added.\n\n\n git-svn-id: https://svn.webkit.org/repository/webkit/t
runk@258455 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-13 Zalan Bujtas <[email protected]>\n\n [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container\n https://bugs.webkit.org/show_bug.cgi?id=209095\n <rdar://problem/59837588>\n\n Reviewed by Simon Fraser.\n\n * fast/table/before-child-is-inline-table-expected.txt: Added.\n * fast/table/before-child-is-inline-table.html: Added.\n\n'2020-03-12 Ryan Haddad <[email protected]>
- Cherry-pick r258455. rdar://problem/60539179
-
- [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container
- https://bugs.webkit.org/show_bug.cgi?id=209095
- <rdar://problem/59837588>
-
- Reviewed by Simon Fraser.
-
- Source/WebCore:
-
- It's perfectly valid to have an inline table as the anonymous container for the before child.
- It'll get wrapped inside an anonymous block right before we insert the block box candidate, so
- the final result will be something like:
-
- new block level child (this is the child we are inserting)
- anonymous block wrapper
- inline table (this is the before child's inline container)
- before child
-
- Test: fast/table/before-child-is-inline-table.html
-
- * rendering/updating/RenderTreeBuilderBlock.cpp:
- (WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation):
-
- LayoutTests:
-
- * fast/table/before-child-is-inline-table-expected.txt: Added.
- * fast/table/before-child-is-inline-table.html: Added.
-
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258455 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2020-03-13 Zalan Bujtas <[email protected]>
-
- [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container
- https://bugs.webkit.org/show_bug.cgi?id=209095
- <rdar://problem/59837588>
-
- Reviewed by Simon Fraser.
-
- * fast/table/before-child-is-inline-table-expected.txt: Added.
- * fast/table/before-child-is-inline-table.html: Added.
-
-2020-03-12 Ryan Haddad <[email protected]>
-
Cherry-pick r254979. rdar://problem/58836694
Actually fix history link directs on dashboard and results.html
Added: branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt (0 => 258856)
--- branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt 2020-03-23 17:00:16 UTC (rev 258856)
@@ -0,0 +1,17 @@
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/_javascript_' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'application/xml'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'text/xml'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'application/xml-external-parsed-entity'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'text/xml-external-parsed-entity'.
+Check that xml external entity resources loaded with an 'X-Content-Type-Options: nosniff' header are correctly accepted or blocked based on the MIME type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.scriptsSuccessfullyLoaded is 4
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml (0 => 258856)
--- branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml 2020-03-23 17:00:16 UTC (rev 258856)
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
+[
+<!ENTITY entA SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml">
+<!ENTITY entB SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml">
+<!ENTITY entC SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
+<!ENTITY entD SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml-external-parsed-entity">
+<!ENTITY entE SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf">
+<!ENTITY entF SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html">
+<!ENTITY entG SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/_javascript_">
+]>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+ <title>'X-Content-Type-Options: nosniff' blocks xml external entity resources with improper MIME type</title>
+ <script src=""
+ <script type="text/_javascript_">
+ window.jsTestIsAsync = true;
+ window.scriptsSuccessfullyLoaded = 0;
+
+ window._onload_ = function () {
+ shouldBe('window.scriptsSuccessfullyLoaded', '4');
+ finishJSTest();
+ };
+ </script>
+ <script type="text/_javascript_">&entA;</script>
+ <script type="text/_javascript_">&entB;</script>
+ <script type="text/_javascript_">&entC;</script>
+ <script type="text/_javascript_">&entD;</script>
+ <script type="text/_javascript_">&entE;</script>
+ <script type="text/_javascript_">&entF;</script>
+ <script type="text/_javascript_">&entG;</script>
+</head>
+<body>
+ <script type="text/_javascript_">
+ description('Check that xml external entity resources loaded with an \'X-Content-Type-Options: nosniff\' header are correctly accepted or blocked based on the MIME type.');
+ </script>
+ <script src=""
+</body>
+</html>
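Review bot: The entity list (entA to entG) only exercises bare media types, so the test does not pin how the nosniff check treats a Content-Type that carries parameters or a `+xml` subtype. Adding an entity whose `mime` value is an XML type followed by a URL-encoded `charset` parameter, and one with a `+xml` suffixed type, would document whether those are meant to be accepted. If `script-with-header.pl` always sends `X-Content-Type-Options: nosniff` (it is not shown here), a control case without the header would also confirm that non-XML types are still parsed when nosniff is absent.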
Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (258855 => 258856)
--- branches/safari-609-branch/Source/WebCore/ChangeLog 2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog 2020-03-23 17:00:16 UTC (rev 258856)
@@ -1,31 +1,5 @@
-b"2020-03-23 Russell Epstein <[email protected]>\n\n Cherry-pick r258711. rdar://problem/60756645\n\n Source/WebCore:\n AX: VO and safari: can't press the play button\n https://bugs.webkit.org/show_bug.cgi?id=209249\n \n Reviewed by Darin Adler.\n \n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\n \n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\n and a touch event won't be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\n \n * accessibility/ios/AccessibilityObjectIOS.mm:\n (WebCore::AccessibilityObject::hasTouchEventListener const):\n \n LayoutTests:\n AX: VO and safari: caan't press the play button\n https://bugs.webkit.org/show_bug.cgi?id=209249\n \n Reviewed by Darin Adler.\n \n * accessibility/ios-simulator/has-touch-event-listener-wi
th-shadow-expected.txt: Added.\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\n \n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-19 Chris Fleizach <[email protected]>\n\n AX: VO and safari: can't press the play button\n https://bugs.webkit.org/show_bug.cgi?id=209249\n\n Reviewed by Darin Adler.\n\n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\n\n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\n and a touch event won't be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\n\n * accessibility/ios/AccessibilityObjectIOS.mm:\n (WebCore::AccessibilityObject::hasTouchEventListener const):\n\n"2020-03-17 Alan Coon <al
[email protected]>
+b'2020-03-23 Russell Epstein <[email protected]>\n\n Cherry-pick r258799. rdar://problem/60756681\n\n Content-Type & Nosniff Ignored on XML External Entity Resources\n <https://webkit.org/b/191171>\n <rdar://problem/45763222>\n \n Reviewed by Darin Adler.\n \n Source/WebCore:\n \n Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n \n * platform/MIMETypeRegistry.cpp:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n * platform/MIMETypeRegistry.h:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n - Checks for XML external entity MIME types.\n \n * xml/parser/XMLDocumentParserLibxml2.cpp:\n (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n - Checks whether the MIME type is valid based on the presence of\n the "X-Content-Type-Options: nosniff" header.\n (WebCore::openFunc):\n - Drop the contents of the resource t
hat was returned and print\n an error message to the Web Inspector console if\n externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n not allowed.\n \n LayoutTests:\n \n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n \n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n 2020-03-20 David Kilzer <[email protected]>\n\n Content-Type & Nosniff Ignored on XML External Entity Resources\n <https://webkit.org/b/191171>\n <rdar://problem/45763222>\n\n Reviewed by Darin Adler.\n\n Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n\n * platform/MIMETypeRegistry.cpp:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n *
platform/MIMETypeRegistry.h:\n (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n - Checks for XML external entity MIME types.\n\n * xml/parser/XMLDocumentParserLibxml2.cpp:\n (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n - Checks whether the MIME type is valid based on the presence of\n the "X-Content-Type-Options: nosniff" header.\n (WebCore::openFunc):\n - Drop the contents of the resource that was returned and print\n an error message to the Web Inspector console if\n externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n not allowed.\n\n b"2020-03-23 Russell Epstein <[email protected]>\\n\\n Cherry-pick r258711. rdar://problem/60756645\\n\\n Source/WebCore:\\n AX: VO and safari: can\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n \\n Reviewed by
Darin Adler.\\n \\n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n \\n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\\n \\n * accessibility/ios/AccessibilityObjectIOS.mm:\\n (WebCore::AccessibilityObject::hasTouchEventListener const):\\n \\n LayoutTests:\\n AX: VO and safari: caan\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n \\n Reviewed by Darin Adler.\\n \\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\n \\n \\n git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n 2020-03-19 C
hris Fleizach <[email protected]>\\n\\n AX: VO and safari: can\'t press the play button\\n https://bugs.webkit.org/show_bug.cgi?id=209249\\n\\n Reviewed by Darin Adler.\\n\\n Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n\\n If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\\n\\n * accessibility/ios/AccessibilityObjectIOS.mm:\\n (WebCore::AccessibilityObject::hasTouchEventListener const):\\n\\n"2020-03-17 Alan Coon <[email protected]>\n\n Apply patch. rdar://problem/60396271\n\n 2020-03-17 Zalan Bujtas <[email protected]>\n\n SVG filter triggers unstable layout.\n https://bugs.webkit.org/show_bug
.cgi?id=207444\n rdar://problem/59297004\n\n Reviewed by Simon Fraser.\n\n SVG filter code marks DOM nodes dirty and schedules style recalc outside of the SVG root\n while in layout. This could lead to unstable layout and cause battery drain.\n (See webkit.org/b/208903)\n\n * rendering/RenderLayer.cpp: Remove filterNeedsRepaint(). It\'s a dangerously misleading name and should\n not be part of RenderLayer.\n (WebCore::RenderLayer::calculateClipRects const):\n * rendering/RenderLayer.h:\n * rendering/RenderLayerFilters.cpp:\n (WebCore::RenderLayerFilters::notifyFinished):\n * rendering/svg/RenderSVGResourceContainer.cpp:\n (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):\n (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):\n\n'2020-0
3-17 Alan Coon <[email protected]>
- Apply patch. rdar://problem/60396271
-
- 2020-03-17 Zalan Bujtas <[email protected]>
-
- SVG filter triggers unstable layout.
- https://bugs.webkit.org/show_bug.cgi?id=207444
- rdar://problem/59297004
-
- Reviewed by Simon Fraser.
-
- SVG filter code marks DOM nodes dirty and schedules style recalc outside of the SVG root
- while in layout. This could lead to unstable layout and cause battery drain.
- (See webkit.org/b/208903)
-
- * rendering/RenderLayer.cpp: Remove filterNeedsRepaint(). It's a dangerously misleading name and should
- not be part of RenderLayer.
- (WebCore::RenderLayer::calculateClipRects const):
- * rendering/RenderLayer.h:
- * rendering/RenderLayerFilters.cpp:
- (WebCore::RenderLayerFilters::notifyFinished):
- * rendering/svg/RenderSVGResourceContainer.cpp:
- (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):
- (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):
-
-2020-03-17 Alan Coon <[email protected]>
-
Cherry-pick r258459. rdar://problem/60539192
SVGMatrix should have the access right of its owner SVGTransform always
Modified: branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp (258855 => 258856)
--- branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp 2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp 2020-03-23 17:00:16 UTC (rev 258856)
@@ -618,6 +618,12 @@
return true;
}
+bool MIMETypeRegistry::isXMLEntityMIMEType(StringView mimeType)
+{
+ return equalLettersIgnoringASCIICase(mimeType, "text/xml-external-parsed-entity")
+ || equalLettersIgnoringASCIICase(mimeType, "application/xml-external-parsed-entity");
+}
+
bool MIMETypeRegistry::isJavaAppletMIMEType(const String& mimeType)
{
// Since this set is very limited and is likely to remain so we won't bother with the overhead
Modified: branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h (258855 => 258856)
--- branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h 2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h 2020-03-23 17:00:16 UTC (rev 258856)
@@ -116,6 +116,9 @@
// rather than an HTML document.
WEBCORE_EXPORT static bool isXMLMIMEType(const String& mimeType);
+ // Check to see if a MIME type is for an XML external entity resource.
+ WEBCORE_EXPORT static bool isXMLEntityMIMEType(StringView mimeType);
+
// Used in page load algorithm to decide whether to display as a text
// document in a frame. Not a good idea to use elsewhere, because that code
// makes this test is after many other tests are done on the MIME type.
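Review bot: The new comment on `isXMLEntityMIMEType` does not say that the argument must already be a bare MIME type, while the implementation added in MIMETypeRegistry.cpp compares the whole string against two literals. A caller that passes a raw Content-Type value with parameters would get `false`, which under nosniff means the entity is dropped; the one caller in this change strips parameters with `extractMIMETypeFromMediaType` first. I would extend the comment to `// Check to see if a MIME type is for an XML external entity resource. Expects the bare type with parameters already stripped; matching is exact apart from ASCII case.` The declaration sits in a class whose start and end are outside the hunk.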
Modified: branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (258855 => 258856)
--- branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2020-03-23 17:00:16 UTC (rev 258856)
@@ -39,7 +39,9 @@
#include "HTMLEntityParser.h"
#include "HTMLHtmlElement.h"
#include "HTMLTemplateElement.h"
+#include "HTTPParsers.h"
#include "InlineClassicScript.h"
+#include "MIMETypeRegistry.h"
#include "PendingScript.h"
#include "ProcessingInstruction.h"
#include "ResourceError.h"
@@ -375,6 +377,19 @@
unsigned m_currentOffset;
};
+static bool externalEntityMimeTypeAllowedByNosniff(const ResourceResponse& response)
+{
+ ContentTypeOptionsDisposition contentTypeOption = parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions));
+ if (contentTypeOption != ContentTypeOptionsNosniff) {
+ // Allow any MIME type without 'X-Content-Type-Options: nosniff' HTTP header.
+ return true;
+ }
+ String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType));
+ if (MIMETypeRegistry::isXMLMIMEType(mimeType) || MIMETypeRegistry::isXMLEntityMIMEType(mimeType))
+ return true;
+ return false;
+}
+
static inline void setAttributes(Element* element, Vector<Attribute>& attributeVector, ParserContentPolicy parserContentPolicy)
{
if (!scriptingContentIsAllowed(parserContentPolicy))
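Review bot: In `externalEntityMimeTypeAllowedByNosniff` the nosniff allow-list is delegated to `MIMETypeRegistry::isXMLMIMEType`, whose definition is outside this diff; if it matches `+xml` suffixed types as well as `text/xml` and `application/xml`, the set accepted as external entities under nosniff is wider than the four types the layout test covers. A comment stating the intended set would help, for example `// Under nosniff, only XML and XML external parsed entity MIME types may be parsed as entities; a missing Content-Type is rejected.` (the missing-header case appears to fall through to `false`, which should be confirmed). The tail can also be a single `return MIMETypeRegistry::isXMLMIMEType(mimeType) || MIMETypeRegistry::isXMLEntityMIMEType(mimeType);` instead of `if (...) return true; return false;`.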
@@ -455,6 +470,11 @@
options.mode = FetchOptions::Mode::SameOrigin;
options.credentials = FetchOptions::Credentials::Include;
cachedResourceLoader->frame()->loader().loadResourceSynchronously(url, ClientCredentialPolicy::MayAskClientForCredentials, options, { }, error, response, data);
+ if (!externalEntityMimeTypeAllowedByNosniff(response)) {
+ data = ""
+ if (Page* page = cachedResourceLoader->document()->page())
+ page->console().addMessage(MessageSource::Security, MessageLevel::Error, makeString("Did not parse external entity resource at '", url.stringCenterEllipsizedToLength(), "' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given."));
+ }
}
}
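Review bot: The added block dereferences `cachedResourceLoader->document()` without a null check, while the `page()` result on the same line is checked. This runs right after `loadResourceSynchronously`, and whether the document can be gone by then is not visible because the enclosing function starts and ends outside the hunk. If it can, the guard would read `auto* document = cachedResourceLoader->document();` followed by `if (Page* page = document ? document->page() : nullptr)`. The check also runs when the load itself failed and `error` is set; a short comment saying that an empty response is treated as allowed, and that `data` is then whatever the failed load left, would make that path explicit.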