Title: [258856] branches/safari-609-branch
Revision
258856
Author
[email protected]
Date
2020-03-23 10:00:16 -0700 (Mon, 23 Mar 2020)

Log Message

Cherry-pick r258799. rdar://problem/60756681

    Content-Type & Nosniff Ignored on XML External Entity Resources
    <https://webkit.org/b/191171>
    <rdar://problem/45763222>

    Reviewed by Darin Adler.

    Source/WebCore:

    Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml

    * platform/MIMETypeRegistry.cpp:
    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.
    * platform/MIMETypeRegistry.h:
    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.
    - Checks for XML external entity MIME types.

    * xml/parser/XMLDocumentParserLibxml2.cpp:
    (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.
    - Checks whether the MIME type is valid based on the presence of
      the "X-Content-Type-Options: nosniff" header.
    (WebCore::openFunc):
    - Drop the contents of the resource that was returned and print
      an error message to the Web Inspector console if
      externalEntityMimeTypeAllowedByNosniff() says the MIME type is
      not allowed.

    LayoutTests:

    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.
    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-609-branch/LayoutTests/ChangeLog (258855 => 258856)


--- branches/safari-609-branch/LayoutTests/ChangeLog	2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/LayoutTests/ChangeLog	2020-03-23 17:00:16 UTC (rev 258856)
@@ -1,50 +1,5 @@
-b'2020-03-23  Russell Epstein  <[email protected]>\n\n        Cherry-pick r258741. rdar://problem/60756641\n\n    Sanitize suggested download filename received from web process\n    https://bugs.webkit.org/show_bug.cgi?id=209300\n    <rdar://problem/59487723>\n    \n    Patch by Alex Christensen <[email protected]> on 2020-03-19\n    Reviewed by Chris Dumez.\n    \n    Source/WebKit:\n    \n    * UIProcess/Downloads/DownloadProxy.cpp:\n    (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\n    \n    LayoutTests:\n    \n    * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\n    * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\n    \n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n    2020-03-19  Alex Christensen  <[email protected]>\n\n            Sanitize suggested download filename rec
 eived from web process\n            https://bugs.webkit.org/show_bug.cgi?id=209300\n            <rdar://problem/59487723>\n\n            Reviewed by Chris Dumez.\n\n            * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\n            * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\n\n    b"2020-03-23  Russell Epstein  <[email protected]>\\n\\n        Cherry-pick r258711. rdar://problem/60756645\\n\\n    Source/WebCore:\\n    AX: VO and safari: can\'t press the play button\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\n    \\n    Reviewed by Darin Adler.\\n    \\n    Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n    \\n    If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n    and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to 
 go up the chain.\\n    \\n    * accessibility/ios/AccessibilityObjectIOS.mm:\\n    (WebCore::AccessibilityObject::hasTouchEventListener const):\\n    \\n    LayoutTests:\\n    AX: VO and safari: caan\'t press the play button\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\n    \\n    Reviewed by Darin Adler.\\n    \\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\n    \\n    \\n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n    2020-03-19  Chris Fleizach  <[email protected]>\\n\\n            AX: VO and safari: caan\'t press the play button\\n            https://bugs.webkit.org/show_bug.cgi?id=209249\\n\\n            Reviewed by Darin Adler.\\n\\n            * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n            * accessibility/io
 s-simulator/has-touch-event-listener-with-shadow.html: Added.\\n\\n"2020-03-17  Alan Coon  <[email protected]>\n\n            Cherry-pick r258459. rdar://problem/60539192\n\n        SVGMatrix should have the access right of its owner SVGTransform always\n        https://bugs.webkit.org/show_bug.cgi?id=207462\n\n        Reviewed by Simon Fraser.\n\n        Source/WebCore:\n\n        The SVGMatrix needs to be reattached to its owner SVGTransform when the\n        access right of this owner changes. The access right of the owner changes\n        when it gets attached to or detached from a higher level owner.\n\n        Test: svg/dom/SVGTransformList-anim-read-only.html\n\n        * svg/SVGTransform.h:\n        * svg/properties/SVGProperty.h:\n        (WebCore::SVGProperty::attach):\n        (WebCore::SVGProperty::detach):\n        (WebCore::SVGProperty::reattach):\n\n        LayoutTests:\n\n        * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\n        * sv
 g/dom/SVGTransformList-anim-read-only.html: Added.\n\n\n        git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258459 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n        2020-03-13  Said Abou-Hallawa  <[email protected]>\n\n                SVGMatrix should have the access right of its owner SVGTransform always\n                https://bugs.webkit.org/show_bug.cgi?id=207462\n\n                Reviewed by Simon Fraser.\n\n                * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\n                * svg/dom/SVGTransformList-anim-read-only.html: Added.\n\n'2020-03-17  Alan Coon  <[email protected]>
+b'2020-03-23  Russell Epstein  <[email protected]>\n\n        Cherry-pick r258799. rdar://problem/60756681\n\n    Content-Type & Nosniff Ignored on XML External Entity Resources\n    <https://webkit.org/b/191171>\n    <rdar://problem/45763222>\n    \n    Reviewed by Darin Adler.\n    \n    Source/WebCore:\n    \n    Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n    \n    * platform/MIMETypeRegistry.cpp:\n    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n    * platform/MIMETypeRegistry.h:\n    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n    - Checks for XML external entity MIME types.\n    \n    * xml/parser/XMLDocumentParserLibxml2.cpp:\n    (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n    - Checks whether the MIME type is valid based on the presence of\n      the "X-Content-Type-Options: nosniff" header.\n    (WebCore::openFunc):\n    - Drop the contents of the resource t
 hat was returned and print\n      an error message to the Web Inspector console if\n      externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n      not allowed.\n    \n    LayoutTests:\n    \n    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n    \n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n    2020-03-20  David Kilzer  <[email protected]>\n\n            Content-Type & Nosniff Ignored on XML External Entity Resources\n            <https://webkit.org/b/191171>\n            <rdar://problem/45763222>\n\n            Reviewed by Darin Adler.\n\n            * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n            * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n\n    b\'2020-03-23  Russe
 ll Epstein  <[email protected]>\\n\\n        Cherry-pick r258741. rdar://problem/60756641\\n\\n    Sanitize suggested download filename received from web process\\n    https://bugs.webkit.org/show_bug.cgi?id=209300\\n    <rdar://problem/59487723>\\n    \\n    Patch by Alex Christensen <[email protected]> on 2020-03-19\\n    Reviewed by Chris Dumez.\\n    \\n    Source/WebKit:\\n    \\n    * UIProcess/Downloads/DownloadProxy.cpp:\\n    (WebKit::DownloadProxy::decideDestinationWithSuggestedFilenameAsync):\\n    \\n    LayoutTests:\\n    \\n    * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\n    * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\n    \\n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258741 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n    2020-03-19  Alex Christensen  <[email protected]>\\n\\n            Sanitize suggested download filename received 
 from web process\\n            https://bugs.webkit.org/show_bug.cgi?id=209300\\n            <rdar://problem/59487723>\\n\\n            Reviewed by Chris Dumez.\\n\\n            * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash-expected.txt:\\n            * fast/dom/HTMLAnchorElement/anchor-file-blob-download-includes-backslash.html:\\n\\n    b"2020-03-23  Russell Epstein  <[email protected]>\\\\n\\\\n        Cherry-pick r258711. rdar://problem/60756645\\\\n\\\\n    Source/WebCore:\\\\n    AX: VO and safari: can\\\'t press the play button\\\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n    \\\\n    Reviewed by Darin Adler.\\\\n    \\\\n    Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\\\n    \\\\n    If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\\\n    and a touch event won\\\'t be dispatched. We need to change to use the
  parentInComposedTree instead to go up the chain.\\\\n    \\\\n    * accessibility/ios/AccessibilityObjectIOS.mm:\\\\n    (WebCore::AccessibilityObject::hasTouchEventListener const):\\\\n    \\\\n    LayoutTests:\\\\n    AX: VO and safari: caan\\\'t press the play button\\\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n    \\\\n    Reviewed by Darin Adler.\\\\n    \\\\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\\\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\\\n    \\\\n    \\\\n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\\\n\\\\n    2020-03-19  Chris Fleizach  <[email protected]>\\\\n\\\\n            AX: VO and safari: caan\\\'t press the play button\\\\n            https://bugs.webkit.org/show_bug.cgi?id=209249\\\\n\\\\n            Reviewed by Darin Adler.\\\\n\\\\n            * accessibility/ios-simulator/has-t
 ouch-event-listener-with-shadow-expected.txt: Added.\\\\n            * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\\\n\\\\n"2020-03-17  Alan Coon  <[email protected]>\\n\\n            Cherry-pick r258459. rdar://problem/60539192\\n\\n        SVGMatrix should have the access right of its owner SVGTransform always\\n        https://bugs.webkit.org/show_bug.cgi?id=207462\\n\\n        Reviewed by Simon Fraser.\\n\\n        Source/WebCore:\\n\\n        The SVGMatrix needs to be reattached to its owner SVGTransform when the\\n        access right of this owner changes. The access right of the owner changes\\n        when it gets attached to or detached from a higher level owner.\\n\\n        Test: svg/dom/SVGTransformList-anim-read-only.html\\n\\n        * svg/SVGTransform.h:\\n        * svg/properties/SVGProperty.h:\\n        (WebCore::SVGProperty::attach):\\n        (WebCore::SVGProperty::detach):\\n        (WebCore::SVGProperty::reattach):
 \\n\\n        LayoutTests:\\n\\n        * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\\n        * svg/dom/SVGTransformList-anim-read-only.html: Added.\\n\\n\\n        git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258459 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n        2020-03-13  Said Abou-Hallawa  <[email protected]>\\n\\n                SVGMatrix should have the access right of its owner SVGTransform always\\n                https://bugs.webkit.org/show_bug.cgi?id=207462\\n\\n                Reviewed by Simon Fraser.\\n\\n                * svg/dom/SVGTransformList-anim-read-only-expected.txt: Added.\\n                * svg/dom/SVGTransformList-anim-read-only.html: Added.\\n\\n\'2020-03-17  Alan Coon  <[email protected]>\n\n            Cherry-pick r258455. rdar://problem/60539179\n\n        [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container\n        https://bugs.webkit.org/show_bug.cgi?id=2
 09095\n        <rdar://problem/59837588>\n\n        Reviewed by Simon Fraser.\n\n        Source/WebCore:\n\n        It\'s perfectly valid to have an inline table as the anonymous container for the before child.\n        It\'ll get wrapped inside an anonymous block right before we insert the block box candidate, so\n        the final result will be something like:\n\n        new block level child (this is the child we are inserting)\n        anonymous block wrapper\n          inline table (this is the before child\'s inline container)\n            before child\n\n        Test: fast/table/before-child-is-inline-table.html\n\n        * rendering/updating/RenderTreeBuilderBlock.cpp:\n        (WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation):\n\n        LayoutTests:\n\n        * fast/table/before-child-is-inline-table-expected.txt: Added.\n        * fast/table/before-child-is-inline-table.html: Added.\n\n\n        git-svn-id: https://svn.webkit.org/repository/webkit/t
 runk@258455 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n        2020-03-13  Zalan Bujtas  <[email protected]>\n\n                [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container\n                https://bugs.webkit.org/show_bug.cgi?id=209095\n                <rdar://problem/59837588>\n\n                Reviewed by Simon Fraser.\n\n                * fast/table/before-child-is-inline-table-expected.txt: Added.\n                * fast/table/before-child-is-inline-table.html: Added.\n\n'2020-03-12  Ryan Haddad  <[email protected]>
 
-        Cherry-pick r258455. rdar://problem/60539179
-
-    [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container
-    https://bugs.webkit.org/show_bug.cgi?id=209095
-    <rdar://problem/59837588>
-    
-    Reviewed by Simon Fraser.
-    
-    Source/WebCore:
-    
-    It's perfectly valid to have an inline table as the anonymous container for the before child.
-    It'll get wrapped inside an anonymous block right before we insert the block box candidate, so
-    the final result will be something like:
-    
-    new block level child (this is the child we are inserting)
-    anonymous block wrapper
-      inline table (this is the before child's inline container)
-        before child
-    
-    Test: fast/table/before-child-is-inline-table.html
-    
-    * rendering/updating/RenderTreeBuilderBlock.cpp:
-    (WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation):
-    
-    LayoutTests:
-    
-    * fast/table/before-child-is-inline-table-expected.txt: Added.
-    * fast/table/before-child-is-inline-table.html: Added.
-    
-    
-    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258455 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
-    2020-03-13  Zalan Bujtas  <[email protected]>
-
-            [Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container
-            https://bugs.webkit.org/show_bug.cgi?id=209095
-            <rdar://problem/59837588>
-
-            Reviewed by Simon Fraser.
-
-            * fast/table/before-child-is-inline-table-expected.txt: Added.
-            * fast/table/before-child-is-inline-table.html: Added.
-
-2020-03-12  Ryan Haddad  <[email protected]>
-
         Cherry-pick r254979. rdar://problem/58836694
 
     Actually fix history link directs on dashboard and results.html
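Review bot: The ChangeLog entry added at the top of this hunk is a Python bytes literal (`b'2020-03-23  Russell Epstein ...\n\n        Cherry-pick r258799. ...`) with escaped `\n` sequences rather than plain ChangeLog text, and it embeds the earlier entries again as `b\'...` and `b"...` with another layer of backslash escaping each time. It looks as if the cherry-pick tooling prepends the repr of a byte string instead of the decoded message, so every cherry-pick re-escapes the previous one and the file grows unreadable. Decode the message before writing it, and restore the plain-text entries that this hunk removes. The Source/WebCore/ChangeLog hunk in this revision shows the same pattern.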

Added: branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt (0 => 258856)


--- branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt	                        (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt	2020-03-23 17:00:16 UTC (rev 258856)
@@ -0,0 +1,17 @@
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: Did not parse external entity resource at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/_javascript_' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'application/xml'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'text/xml'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'application/xml-external-parsed-entity'.
+CONSOLE MESSAGE: line 42: Executed script with MIME type: 'text/xml-external-parsed-entity'.
+Check that xml external entity resources loaded with an 'X-Content-Type-Options: nosniff' header are correctly accepted or blocked based on the MIME type.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS window.scriptsSuccessfullyLoaded is 4
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml (0 => 258856)


--- branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml	                        (rev 0)
+++ branches/safari-609-branch/LayoutTests/http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml	2020-03-23 17:00:16 UTC (rev 258856)
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
+[
+<!ENTITY entA SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml">
+<!ENTITY entB SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml">
+<!ENTITY entC SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
+<!ENTITY entD SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml-external-parsed-entity">
+<!ENTITY entE SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf">
+<!ENTITY entF SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html">
+<!ENTITY entG SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/_javascript_">
+]>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+    <title>'X-Content-Type-Options: nosniff' blocks xml external entity resources with improper MIME type</title>
+    <script src=""
+    <script type="text/_javascript_">
+        window.jsTestIsAsync = true;
+        window.scriptsSuccessfullyLoaded = 0;
+
+        window._onload_ = function () {
+            shouldBe('window.scriptsSuccessfullyLoaded', '4');
+            finishJSTest();
+        };
+    </script>
+    <script type="text/_javascript_">&entA;</script>
+    <script type="text/_javascript_">&entB;</script>
+    <script type="text/_javascript_">&entC;</script>
+    <script type="text/_javascript_">&entD;</script>
+    <script type="text/_javascript_">&entE;</script>
+    <script type="text/_javascript_">&entF;</script>
+    <script type="text/_javascript_">&entG;</script>
+</head>
+<body>
+    <script type="text/_javascript_">
+        description('Check that xml external entity resources loaded with an \'X-Content-Type-Options: nosniff\' header are correctly accepted or blocked based on the MIME type.');
+    </script>
+    <script src=""
+</body>
+</html>
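Review bot: All seven entities (entA through entG) are served by script-with-header.pl and, judging by the expected console messages, every one of them carries 'X-Content-Type-Options: nosniff', so the test never exercises the branch that allows any MIME type when the header is absent. Add a control entity served as a non-XML type such as text/html without nosniff and expect it to be parsed, so a later change that blocks unconditionally is caught. A case with a parameterised or mixed-case Content-Type (for example `Text/XML; charset=utf-8`) would also pin down the extraction and case-insensitive comparison the C++ side relies on.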

Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (258855 => 258856)


--- branches/safari-609-branch/Source/WebCore/ChangeLog	2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog	2020-03-23 17:00:16 UTC (rev 258856)
@@ -1,31 +1,5 @@
-b"2020-03-23  Russell Epstein  <[email protected]>\n\n        Cherry-pick r258711. rdar://problem/60756645\n\n    Source/WebCore:\n    AX: VO and safari: can't press the play button\n    https://bugs.webkit.org/show_bug.cgi?id=209249\n    \n    Reviewed by Darin Adler.\n    \n    Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\n    \n    If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\n    and a touch event won't be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\n    \n    * accessibility/ios/AccessibilityObjectIOS.mm:\n    (WebCore::AccessibilityObject::hasTouchEventListener const):\n    \n    LayoutTests:\n    AX: VO and safari: caan't press the play button\n    https://bugs.webkit.org/show_bug.cgi?id=209249\n    \n    Reviewed by Darin Adler.\n    \n    * accessibility/ios-simulator/has-touch-event-listener-wi
 th-shadow-expected.txt: Added.\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\n    \n    \n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n    2020-03-19  Chris Fleizach  <[email protected]>\n\n            AX: VO and safari: can't press the play button\n            https://bugs.webkit.org/show_bug.cgi?id=209249\n\n            Reviewed by Darin Adler.\n\n            Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\n\n            If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\n            and a touch event won't be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\n\n            * accessibility/ios/AccessibilityObjectIOS.mm:\n            (WebCore::AccessibilityObject::hasTouchEventListener const):\n\n"2020-03-17  Alan Coon  <al
 [email protected]>
+b'2020-03-23  Russell Epstein  <[email protected]>\n\n        Cherry-pick r258799. rdar://problem/60756681\n\n    Content-Type & Nosniff Ignored on XML External Entity Resources\n    <https://webkit.org/b/191171>\n    <rdar://problem/45763222>\n    \n    Reviewed by Darin Adler.\n    \n    Source/WebCore:\n    \n    Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n    \n    * platform/MIMETypeRegistry.cpp:\n    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n    * platform/MIMETypeRegistry.h:\n    (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n    - Checks for XML external entity MIME types.\n    \n    * xml/parser/XMLDocumentParserLibxml2.cpp:\n    (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n    - Checks whether the MIME type is valid based on the presence of\n      the "X-Content-Type-Options: nosniff" header.\n    (WebCore::openFunc):\n    - Drop the contents of the resource t
 hat was returned and print\n      an error message to the Web Inspector console if\n      externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n      not allowed.\n    \n    LayoutTests:\n    \n    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity-expected.txt: Add.\n    * http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml: Add.\n    \n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258799 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n    2020-03-20  David Kilzer  <[email protected]>\n\n            Content-Type & Nosniff Ignored on XML External Entity Resources\n            <https://webkit.org/b/191171>\n            <rdar://problem/45763222>\n\n            Reviewed by Darin Adler.\n\n            Test: http/tests/security/contentTypeOptions/nosniff-xml-external-entity.xhtml\n\n            * platform/MIMETypeRegistry.cpp:\n            (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n            *
  platform/MIMETypeRegistry.h:\n            (WebCore::MIMETypeRegistry::isXMLEntityMIMEType): Add.\n            - Checks for XML external entity MIME types.\n\n            * xml/parser/XMLDocumentParserLibxml2.cpp:\n            (WebCore::externalEntityMimeTypeAllowedByNosniff): Add.\n            - Checks whether the MIME type is valid based on the presence of\n              the "X-Content-Type-Options: nosniff" header.\n            (WebCore::openFunc):\n            - Drop the contents of the resource that was returned and print\n              an error message to the Web Inspector console if\n              externalEntityMimeTypeAllowedByNosniff() says the MIME type is\n              not allowed.\n\n    b"2020-03-23  Russell Epstein  <[email protected]>\\n\\n        Cherry-pick r258711. rdar://problem/60756645\\n\\n    Source/WebCore:\\n    AX: VO and safari: can\'t press the play button\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\n    \\n    Reviewed by
  Darin Adler.\\n    \\n    Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n    \\n    If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n    and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\\n    \\n    * accessibility/ios/AccessibilityObjectIOS.mm:\\n    (WebCore::AccessibilityObject::hasTouchEventListener const):\\n    \\n    LayoutTests:\\n    AX: VO and safari: caan\'t press the play button\\n    https://bugs.webkit.org/show_bug.cgi?id=209249\\n    \\n    Reviewed by Darin Adler.\\n    \\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow-expected.txt: Added.\\n    * accessibility/ios-simulator/has-touch-event-listener-with-shadow.html: Added.\\n    \\n    \\n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258711 268f45cc-cd09-0410-ab3c-d52691b4dbfc\\n\\n    2020-03-19  C
 hris Fleizach  <[email protected]>\\n\\n            AX: VO and safari: can\'t press the play button\\n            https://bugs.webkit.org/show_bug.cgi?id=209249\\n\\n            Reviewed by Darin Adler.\\n\\n            Test: accessibility/ios-simulator/has-touch-event-listener-with-shadow.html\\n\\n            If a node is in a shadowRoot, going up the node parent tree will stop and not check the entire tree for touch event listeners\\n            and a touch event won\'t be dispatched. We need to change to use the parentInComposedTree instead to go up the chain.\\n\\n            * accessibility/ios/AccessibilityObjectIOS.mm:\\n            (WebCore::AccessibilityObject::hasTouchEventListener const):\\n\\n"2020-03-17  Alan Coon  <[email protected]>\n\n            Apply patch. rdar://problem/60396271\n\n        2020-03-17  Zalan Bujtas  <[email protected]>\n\n                SVG filter triggers unstable layout.\n                https://bugs.webkit.org/show_bug
 .cgi?id=207444\n                rdar://problem/59297004\n\n                Reviewed by Simon Fraser.\n\n                SVG filter code marks DOM nodes dirty and schedules style recalc outside of the SVG root\n                while in layout. This could lead to unstable layout and cause battery drain.\n                (See webkit.org/b/208903)\n\n                * rendering/RenderLayer.cpp: Remove filterNeedsRepaint(). It\'s a dangerously misleading name and should\n                not be part of RenderLayer.\n                (WebCore::RenderLayer::calculateClipRects const):\n                * rendering/RenderLayer.h:\n                * rendering/RenderLayerFilters.cpp:\n                (WebCore::RenderLayerFilters::notifyFinished):\n                * rendering/svg/RenderSVGResourceContainer.cpp:\n                (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):\n                (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):\n\n'2020-0
 3-17  Alan Coon  <[email protected]>
 
-        Apply patch. rdar://problem/60396271
-
-    2020-03-17  Zalan Bujtas  <[email protected]>
-
-            SVG filter triggers unstable layout.
-            https://bugs.webkit.org/show_bug.cgi?id=207444
-            rdar://problem/59297004
-
-            Reviewed by Simon Fraser.
-
-            SVG filter code marks DOM nodes dirty and schedules style recalc outside of the SVG root
-            while in layout. This could lead to unstable layout and cause battery drain.
-            (See webkit.org/b/208903)
-
-            * rendering/RenderLayer.cpp: Remove filterNeedsRepaint(). It's a dangerously misleading name and should
-            not be part of RenderLayer.
-            (WebCore::RenderLayer::calculateClipRects const):
-            * rendering/RenderLayer.h:
-            * rendering/RenderLayerFilters.cpp:
-            (WebCore::RenderLayerFilters::notifyFinished):
-            * rendering/svg/RenderSVGResourceContainer.cpp:
-            (WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation):
-            (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):
-
-2020-03-17  Alan Coon  <[email protected]>
-
         Cherry-pick r258459. rdar://problem/60539192
 
     SVGMatrix should have the access right of its owner SVGTransform always

Modified: branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp (258855 => 258856)


--- branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp	2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.cpp	2020-03-23 17:00:16 UTC (rev 258856)
@@ -618,6 +618,12 @@
     return true;
 }
 
+bool MIMETypeRegistry::isXMLEntityMIMEType(StringView mimeType)
+{
+    return equalLettersIgnoringASCIICase(mimeType, "text/xml-external-parsed-entity")
+        || equalLettersIgnoringASCIICase(mimeType, "application/xml-external-parsed-entity");
+}
+
 bool MIMETypeRegistry::isJavaAppletMIMEType(const String& mimeType)
 {
     // Since this set is very limited and is likely to remain so we won't bother with the overhead

Modified: branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h (258855 => 258856)


--- branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h	2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/platform/MIMETypeRegistry.h	2020-03-23 17:00:16 UTC (rev 258856)
@@ -116,6 +116,9 @@
     // rather than an HTML document.
     WEBCORE_EXPORT static bool isXMLMIMEType(const String& mimeType);
 
+    // Check to see if a MIME type is for an XML external entity resource.
+    WEBCORE_EXPORT static bool isXMLEntityMIMEType(StringView mimeType);
+
     // Used in page load algorithm to decide whether to display as a text
     // document in a frame. Not a good idea to use elsewhere, because that code
     // makes this test is after many other tests are done on the MIME type.
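Review bot: The comment on isXMLEntityMIMEType should say that it matches only the two `*/xml-external-parsed-entity` types and deliberately excludes generic XML types, since the one caller in XMLDocumentParserLibxml2.cpp has to combine it with isXMLMIMEType to get the full allow list. Without that, a future caller could reasonably assume text/xml is covered. The new declaration also takes `StringView` while the neighbouring isXMLMIMEType takes `const String&`; fine if intentional, but worth keeping consistent within this group of predicates.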

Modified: branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (258855 => 258856)


--- branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp	2020-03-23 17:00:12 UTC (rev 258855)
+++ branches/safari-609-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp	2020-03-23 17:00:16 UTC (rev 258856)
@@ -39,7 +39,9 @@
 #include "HTMLEntityParser.h"
 #include "HTMLHtmlElement.h"
 #include "HTMLTemplateElement.h"
+#include "HTTPParsers.h"
 #include "InlineClassicScript.h"
+#include "MIMETypeRegistry.h"
 #include "PendingScript.h"
 #include "ProcessingInstruction.h"
 #include "ResourceError.h"
@@ -375,6 +377,19 @@
     unsigned m_currentOffset;
 };
 
+static bool externalEntityMimeTypeAllowedByNosniff(const ResourceResponse& response)
+{
+    ContentTypeOptionsDisposition contentTypeOption = parseContentTypeOptionsHeader(response.httpHeaderField(HTTPHeaderName::XContentTypeOptions));
+    if (contentTypeOption != ContentTypeOptionsNosniff) {
+        // Allow any MIME type without 'X-Content-Type-Options: nosniff' HTTP header.
+        return true;
+    }
+    String mimeType = extractMIMETypeFromMediaType(response.httpHeaderField(HTTPHeaderName::ContentType));
+    if (MIMETypeRegistry::isXMLMIMEType(mimeType) || MIMETypeRegistry::isXMLEntityMIMEType(mimeType))
+        return true;
+    return false;
+}
+
 static inline void setAttributes(Element* element, Vector<Attribute>& attributeVector, ParserContentPolicy parserContentPolicy)
 {
     if (!scriptingContentIsAllowed(parserContentPolicy))
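Review bot: In externalEntityMimeTypeAllowedByNosniff, a response that sends nosniff but no Content-Type header produces an empty `mimeType` and is rejected unless isXMLMIMEType happens to accept an empty string. Failing closed is the sensible outcome, but state it in a comment and cover it in the layout test so the behaviour is deliberate rather than incidental. The tail `if (...) return true; return false;` can also be written as a single `return MIMETypeRegistry::isXMLMIMEType(mimeType) || MIMETypeRegistry::isXMLEntityMIMEType(mimeType);`.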
@@ -455,6 +470,11 @@
             options.mode = FetchOptions::Mode::SameOrigin;
             options.credentials = FetchOptions::Credentials::Include;
             cachedResourceLoader->frame()->loader().loadResourceSynchronously(url, ClientCredentialPolicy::MayAskClientForCredentials, options, { }, error, response, data);
+            if (!externalEntityMimeTypeAllowedByNosniff(response)) {
+                data = ""
+                if (Page* page = cachedResourceLoader->document()->page())
+                    page->console().addMessage(MessageSource::Security, MessageLevel::Error, makeString("Did not parse external entity resource at '", url.stringCenterEllipsizedToLength(), "' because non XML External Entity MIME types are not allowed when 'X-Content-Type-Options: nosniff' is given."));
+            }
         }
     }
 
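Review bot: In the block added to openFunc, `cachedResourceLoader->document()->page()` null-checks the page but dereferences document() unchecked; bind the document in the `if` first and only then ask for its page, so a loader whose document has gone away cannot crash while reporting the blocked entity. The console text says "non XML External Entity MIME types are not allowed", yet externalEntityMimeTypeAllowedByNosniff also accepts generic XML types via isXMLMIMEType, so the message should name both groups. As rendered here, the line `data = ""` has no terminating semicolon; check it against the repository copy.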
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
