Title: [274635] releases/WebKitGTK/webkit-2.30
- Revision
- 274635
- Author
- carlo...@webkit.org
- Date
- 2021-03-18 04:04:24 -0700 (Thu, 18 Mar 2021)
Log Message
Merge r270367 - Block suspicious top level navigations by iframes even if sandbox=allow-top-navigation is specified
https://bugs.webkit.org/show_bug.cgi?id=219408
<rdar://problem/71049726>
Reviewed by Geoffrey Garen.
Source/WebCore:
Block suspicious top level navigations by iframes even if sandbox=allow-top-navigation is specified,
when the parent of the sandboxed iframe is not first-party.
Test: http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html
* dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
LayoutTests:
Add layout test coverage.
* http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe-expected.txt: Added.
* http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html: Added.
* http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.30/LayoutTests/ChangeLog (274634 => 274635)
--- releases/WebKitGTK/webkit-2.30/LayoutTests/ChangeLog 2021-03-18 11:04:16 UTC (rev 274634)
+++ releases/WebKitGTK/webkit-2.30/LayoutTests/ChangeLog 2021-03-18 11:04:24 UTC (rev 274635)
@@ -1,3 +1,17 @@
+2020-12-02 Chris Dumez <cdu...@apple.com>
+
+ Block suspicious top level navigations by iframes even if sandbox=allow-top-navigation is specified
+ https://bugs.webkit.org/show_bug.cgi?id=219408
+ <rdar://problem/71049726>
+
+ Reviewed by Geoffrey Garen.
+
+ Add layout test coverage.
+
+ * http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe-expected.txt: Added.
+ * http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html: Added.
+ * http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html: Added.
+
2020-11-20 Youenn Fablet <you...@apple.com>
Add support for RTCPeerConnection.onicecandidateerror event
Added: releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe-expected.txt (0 => 274635)
--- releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe-expected.txt 2021-03-18 11:04:24 UTC (rev 274635)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html' from frame with URL 'data:text/html;base64,PGh0bWw+PGJvZHk+U3VjY2VzcyEgVGhlIG5hdmlnYXRpb24gd2FzIGJsb2NrZWQ8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCI+IHdpbmRvdy50b3AubG9jYXRpb24gPSAiaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3Jlc291cmNlcy9zaG91bGQtbm90LWhhdmUtbG9hZGVkLmh0bWwiOzwvc2NyaXB0PjwvYm9keT48L2h0bWw+'. The frame attempting navigation of the top-level window is cross-origin or untrusted and the user has never interacted with the frame.
+
+CONSOLE MESSAGE: SecurityError: The operation is insecure.
+Test blocking of suspicious top-level navigations by a third-party iframe even if sandboxing rules allow top navigation
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS All navigations by subframes have been blocked
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
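Review bot: the first CONSOLE MESSAGE line hard-codes the entire base64 data: URL of the inner sandboxed frame, so any edit to the inline markup built in the resource page (even whitespace in the "Success! The navigation was blocked" text) silently changes this expectation and fails the test. Consider noting in the resource file that the two must be kept in sync, or have the test pass on the SecurityError console line plus the PASS lines rather than on the exact frame URL.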
Added: releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html (0 => 274635)
--- releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html (rev 0)
+++ releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html 2021-03-18 11:04:24 UTC (rev 274635)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Test blocking of suspicious top-level navigations by a third-party iframe even if sandboxing rules allow top navigation");
+jsTestIsAsync = true;
+_onload_ = () => {
+ setTimeout(() => {
+ document.getElementById('testFrame').src = ""
+ setTimeout(() => {
+ testPassed("All navigations by subframes have been blocked");
+ finishJSTest();
+ }, 100);
+ }, 10);
+}
+</script>
+<iframe id="testFrame"></iframe>
+</body>
+</html>
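Review bot: both `src` values on the `<script src=""` line and the `document.getElementById('testFrame').src = ""` line come through empty (and the first `<script` tag has no closing `>`), so as shown the test loads no js-test harness and navigates `testFrame` nowhere; if this is rendering loss from the commit viewer, please confirm the committed file carries the harness include and points the frame at `resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html` on a host different from the test's own (the expected output shows the test at `127.0.0.1:8000` and the inner navigation target at `localhost:8000`). Separately, the pass condition is a fixed 100 ms `setTimeout` after setting the frame `src`: nothing here asserts that the blocked navigation was ever attempted, so the only real signal is the `SecurityError` console line in the expected output, and a slow bot could reach `testPassed` before the inner data: frame even runs. A sturdier shape is to have the resource page post a message to `top` after the navigation attempt and finish the test from that message instead of a timer.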
Added: releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html (0 => 274635)
--- releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html (rev 0)
+++ releases/WebKitGTK/webkit-2.30/LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-sandboxed-iframe.html 2021-03-18 11:04:24 UTC (rev 274635)
@@ -0,0 +1,15 @@
+<html>
+<body>
+<script>
+window.addEventListener("load", e => {
+ try {
+ var x = '<html><body>Success! The navigation was blocked<script type="text/_javascript_"> window.top.location = "http://localhost:8000/security/resources/should-not-have-loaded.html";' + '</scr' + 'ipt></body></html>';
+ var bs64 = btoa(x);
+ document.write('<iframe sandbox="allow-top-navigation allow-scripts" src="" + bs64 + '"></iframe>')
+ } catch (e) {
+ console.log(e);
+ }
+});
+</script>
+</body>
+</html>
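Review bot: on the `document.write` line the iframe markup reads `src="" + bs64 + '"`, i.e. the `data:text/html;base64,` prefix and the string's opening quote are missing, so the attribute is empty and `bs64` is concatenated outside it; the expected output's console message shows the frame URL as `data:text/html;base64,...`, so this looks like viewer rendering loss, but please confirm the committed file. Also, the `try/catch` around `document.write` never observes the failure under test: the `window.top.location` assignment runs inside the data: frame, so the `SecurityError` surfaces only as a console message and this `catch` is dead for the blocked case. A one-line comment stating that this page must be served from a different host than the test (so the sandboxed frame's parent is third-party, which is the condition the new `Document.cpp` check keys on) would help the next reader.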
Modified: releases/WebKitGTK/webkit-2.30/Source/WebCore/ChangeLog (274634 => 274635)
--- releases/WebKitGTK/webkit-2.30/Source/WebCore/ChangeLog 2021-03-18 11:04:16 UTC (rev 274634)
+++ releases/WebKitGTK/webkit-2.30/Source/WebCore/ChangeLog 2021-03-18 11:04:24 UTC (rev 274635)
@@ -1,3 +1,19 @@
+2020-12-02 Chris Dumez <cdu...@apple.com>
+
+ Block suspicious top level navigations by iframes even if sandbox=allow-top-navigation is specified
+ https://bugs.webkit.org/show_bug.cgi?id=219408
+ <rdar://problem/71049726>
+
+ Reviewed by Geoffrey Garen.
+
+ Block suspicious top level navigations by iframes even if sandbox=allow-top-navigation is specified,
+ when the parent of the sandboxed iframe is not first-party.
+
+ Test: http/tests/security/block-top-level-navigations-by-third-party-sandboxed-iframe.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
+
2020-11-20 Youenn Fablet <you...@apple.com>
Add support for RTCPeerConnection.onicecandidateerror event
Modified: releases/WebKitGTK/webkit-2.30/Source/WebCore/dom/Document.cpp (274634 => 274635)
--- releases/WebKitGTK/webkit-2.30/Source/WebCore/dom/Document.cpp 2021-03-18 11:04:16 UTC (rev 274634)
+++ releases/WebKitGTK/webkit-2.30/Source/WebCore/dom/Document.cpp 2021-03-18 11:04:24 UTC (rev 274635)
@@ -3556,8 +3556,12 @@
// Only prevent navigations by unsandboxed iframes. Such navigations by unsandboxed iframes would have already been blocked unless
// "allow-top-navigation" / "allow-top-navigation-by-user-activation" was explicitly specified.
- if (sandboxFlags() != SandboxNone)
- return false;
+ if (sandboxFlags() != SandboxNone) {
+ // Navigation is only allowed if the parent of the sandboxed iframe is first-party.
+ auto* parentDocument = m_frame->tree().parent() ? m_frame->tree().parent()->document() : nullptr;
+ if (parentDocument && canAccessAncestor(parentDocument->securityOrigin(), &targetFrame))
+ return false;
+ }
// Only prevent navigations by third-party iframes or untrusted first-party iframes.
bool isUntrustedIframe = m_hasLoadedThirdPartyScript && m_hasLoadedThirdPartyFrame;
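Review bot: the comment immediately above the changed block ("Only prevent navigations by unsandboxed iframes. Such navigations by unsandboxed iframes would have already been blocked unless allow-top-navigation ... was explicitly specified") is now stale: sandboxed iframes no longer return early, they fall through to the third-party/untrusted checks unless their parent is first-party. Please rewrite it to state the new rule, e.g. "A sandboxed iframe may navigate top only when its parent is first-party; otherwise it is subject to the same checks as an unsandboxed iframe." Two smaller points: the first-party test calls `canAccessAncestor(parentDocument->securityOrigin(), &targetFrame)` on the parent's origin rather than this document's own (which is opaque unless allow-same-origin was granted), which is the intent but deserves a comment since the new inline comment only says "first-party"; and when `parentDocument` is null (no parent frame, or a parent frame without a document) a sandboxed frame now falls through to the blocking heuristics where it was previously allowed, so confirm that is the desired behaviour and that `m_frame` is guaranteed non-null by this point in the function.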
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes