- Revision: 119883
- Author: [email protected]
- Date: 2012-06-08 18:51:27 -0700 (Fri, 08 Jun 2012)
Log Message
Source/WebCore: Treat blob: and filesystem: URLs generated via secure origins as secure.
https://bugs.webkit.org/show_bug.cgi?id=84054
Loading a blob: or filesystem: URL into an iframe or image that's
contained on an HTTPS page shouldn't generate a mixed content warning.
This change adds a SecurityOrigin::isSecure to check both against a
URL's protocol, and the protocol of its so-called "inner URL" if it's
the type of URL that has such a thing. These sorts of URLs which are
generated from secure sources will themselves be treated as secure.
Patch by Mike West <[email protected]> on 2012-06-08
Reviewed by Adam Barth.
Tests: http/tests/security/mixedContent/blob-url-in-iframe.html
http/tests/security/mixedContent/filesystem-url-in-iframe.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::isMixedContent):
* page/SecurityOrigin.cpp:
(WebCore):
(WebCore::SecurityOrigin::isSecure):
* page/SecurityOrigin.h:
(SecurityOrigin):
LayoutTests: Excluding blob: and filesystem: schemes from the mixed content check.
https://bugs.webkit.org/show_bug.cgi?id=84054
Patch by Mike West <[email protected]> on 2012-06-08
Reviewed by Adam Barth.
* http/tests/security/mixedContent/blob-url-in-iframe-expected.txt: Added.
* http/tests/security/mixedContent/blob-url-in-iframe.html: Added.
* http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt: Added.
* http/tests/security/mixedContent/filesystem-url-in-iframe.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (119882 => 119883)
--- trunk/LayoutTests/ChangeLog 2012-06-09 00:56:05 UTC (rev 119882)
+++ trunk/LayoutTests/ChangeLog 2012-06-09 01:51:27 UTC (rev 119883)
@@ -1,3 +1,15 @@
+2012-06-08 Mike West <[email protected]>
+
+ Excluding blob: and filesystem: schemes from the mixed content check.
+ https://bugs.webkit.org/show_bug.cgi?id=84054
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/mixedContent/blob-url-in-iframe-expected.txt: Added.
+ * http/tests/security/mixedContent/blob-url-in-iframe.html: Added.
+ * http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt: Added.
+ * http/tests/security/mixedContent/filesystem-url-in-iframe.html: Added.
+
2012-06-08 Eli Fidler <[email protected]>
[BlackBerry] Default font settings are getting deleted
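Review bot: The entry title at the top of this hunk, "Excluding blob: and filesystem: schemes from the mixed content check", overstates the change: per the Source/WebCore entry and SecurityOrigin::isSecure, these URLs are treated as secure only when their inner URL has a secure scheme. Suggest reusing the WebCore title ("Treat blob: and filesystem: URLs generated via secure origins as secure") so a reader scanning the LayoutTests ChangeLog does not conclude the schemes are exempt unconditionally.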
Added: trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe-expected.txt (0 => 119883)
--- trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe-expected.txt 2012-06-09 01:51:27 UTC (rev 119883)
@@ -0,0 +1,7 @@
+
+This tests that blob URLs created in a secure context are treated as secure origins. This test passes if the iframe renders PASS correctly, and no console warning appears.
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS (1/1)
Added: trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe.html (0 => 119883)
--- trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/blob-url-in-iframe.html 2012-06-09 01:51:27 UTC (rev 119883)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<body>
+<iframe></iframe>
+<p>
+ This tests that blob URLs created in a secure context are treated as secure
+ origins. This test passes if the iframe renders PASS correctly, and no
+ console warning appears.
+</p>
+
+<script>
+if (location.protocol != 'https:')
+ location = 'https://127.0.0.1:8443/security/mixedContent/blob-url-in-iframe.html';
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+var iframe = document.querySelector('iframe');
+var bb = new WebKitBlobBuilder();
+bb.append('<h1>PASS (1/1)</h1>');
+bb.getBlob('text/html');
+iframe._onload_ = function () {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+};
+iframe.src = ""
+</script>
+</body>
+</html>
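Review bot: In the script block, the blob returned by `bb.getBlob('text/html');` is discarded and the frame is given `iframe.src = ""`, so as shown nothing loads a blob: URL into the iframe and the mixed content path this test is named for is never exercised. The handler is also attached as `iframe._onload_`, which is not the load event property, so `notifyDone()` would not run and the test would end on the harness timeout. Keep the blob in a variable, assign a URL created from it to `iframe.src`, and attach the handler as `onload`.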
Added: trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt (0 => 119883)
--- trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt 2012-06-09 01:51:27 UTC (rev 119883)
@@ -0,0 +1,8 @@
+ALERT: PASS (1/2): File written
+
+This tests that filesystem URLs created in a secure context are treated as secure origins. This test passes if the iframe renders PASS correctly, and no console warning appears.
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS (2/2): File displayed
Added: trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe.html (0 => 119883)
--- trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/filesystem-url-in-iframe.html 2012-06-09 01:51:27 UTC (rev 119883)
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<body>
+<iframe></iframe>
+<p>
+ This tests that filesystem URLs created in a secure context are treated as
+ secure origins. This test passes if the iframe renders PASS correctly, and no
+ console warning appears.
+</p>
+
+<script>
+if (location.protocol != 'https:')
+ location = 'https://127.0.0.1:8443/security/mixedContent/filesystem-url-in-iframe.html';
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+}
+
+var iframe = document.querySelector('iframe');
+iframe._onload_ = function () {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+};
+
+// Opening a file system with temporary storage
+window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('test.html', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter._onwriteend_ = function(e) {
+ alert('PASS (1/2): File written');
+ iframe.src = ""
+ };
+
+ // Create a new Blob and write it to log.txt.
+ var bb = new WebKitBlobBuilder();
+ bb.append('PASS (2/2): File displayed');
+ fileWriter.write(bb.getBlob('text/html'));
+ });
+ });
+});
+</script>
+</body>
+</html>
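Review bot: None of the three asynchronous calls in the script (`webkitRequestFileSystem`, `getFile`, `createWriter`) is given an error callback, so a quota or file system failure leaves the test waiting in `waitUntilDone()` until the harness times out instead of failing with a message. Add error callbacks that report the failure and call `notifyDone()`. Two smaller points in the same block: the comment says the blob is written to log.txt while the file is created as `test.html`, and `iframe.src = ""` inside the write-end handler never points the frame at the file's filesystem: URL, so as shown the "(2/2): File displayed" step cannot happen.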
Modified: trunk/Source/WebCore/ChangeLog (119882 => 119883)
--- trunk/Source/WebCore/ChangeLog 2012-06-09 00:56:05 UTC (rev 119882)
+++ trunk/Source/WebCore/ChangeLog 2012-06-09 01:51:27 UTC (rev 119883)
@@ -1,3 +1,28 @@
+2012-06-08 Mike West <[email protected]>
+
+ Treat blob: and filesystem: URLs generated via secure origins as secure.
+ https://bugs.webkit.org/show_bug.cgi?id=84054
+
+ Loading a blob: or filesystem: URL into an iframe or image that's
+ contained on an HTTPS page shouldn't generate a mixed content warning.
+ This change adds a SecurityOrigin::isSecure to check both against a
+ URLs protocol, and the protocol of it's so-called "inner URL" if it's
+ the type of URL that has such a thing. These sorts of URLs which are
+ generated from secure sources will themselves be treated as secure.
+
+ Reviewed by Adam Barth.
+
+ Tests: http/tests/security/mixedContent/blob-url-in-iframe.html
+ http/tests/security/mixedContent/filesystem-url-in-iframe.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::isMixedContent):
+ * page/SecurityOrigin.cpp:
+ (WebCore):
+ (WebCore::SecurityOrigin::isSecure):
+ * page/SecurityOrigin.h:
+ (SecurityOrigin):
+
2012-06-08 Martin Robinson <[email protected]>
[Cairo] [TextureMapperGL] Nvidia card does not update WebGL texture when interacting with canvas
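Review bot: Two typos in the description paragraph of this entry: "a URLs protocol" should be "a URL's protocol", and "the protocol of it's so-called" should be "its". The entry would also be more useful if the `FrameLoader::isMixedContent` and `SecurityOrigin::isSecure` lines each carried a short note on what changed, since the paragraph does not say that the validity and scheme check moved from the former into the latter.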
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (119882 => 119883)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2012-06-09 00:56:05 UTC (rev 119882)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2012-06-09 01:51:27 UTC (rev 119883)
@@ -869,10 +869,8 @@
if (context->protocol() != "https")
return false; // We only care about HTTPS security origins.
- if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()))
- return false; // Loading these protocols is secure.
-
- return true;
+ // We're in a secure context, so |url| is mixed content if it's insecure.
+ return !SecurityOrigin::isSecure(url);
}
bool FrameLoader::checkIfDisplayInsecureContent(SecurityOrigin* context, const KURL& url)
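Review bot: The new `return !SecurityOrigin::isSecure(url);` keeps the old early-out for invalid URLs only because isSecure() itself returns true for them, and the replacement comment ("|url| is mixed content if it's insecure") no longer says so. Either keep an explicit `!url.isValid()` check here or extend the comment to state that invalid URLs are deliberately not reported as mixed content. Separately, the unchanged context check compares `context->protocol()` against the literal "https" while the URL side goes through the scheme registry; worth confirming that asymmetry is intended.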
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (119882 => 119883)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2012-06-09 00:56:05 UTC (rev 119882)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2012-06-09 01:51:27 UTC (rev 119883)
@@ -209,6 +209,19 @@
m_domain = newDomain.lower();
}
+bool SecurityOrigin::isSecure(const KURL& url)
+{
+ // Invalid URLs are secure, as are URLs which have a secure protocol.
+ if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()))
+ return true;
+
+ // URLs that wrap inner URLs are secure if those inner URLs are secure.
+ if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol()))
+ return true;
+
+ return false;
+}
+
bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
{
if (m_universalAccess)
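Review bot: In the first branch of isSecure(), `!url.isValid()` returns true, which matches what isMixedContent needs but is a surprising answer from a public static helper with this name; a later caller asking "is this URL secure?" outside the mixed content check would get true for garbage input. Consider leaving the validity check in FrameLoader::isMixedContent and having isSecure() return false for invalid URLs, or documenting the behaviour in the header. The inner URL branch looks only at the scheme of `extractInnerURL(url)`, so a wrapped URL with a non-secure inner scheme falls through to `return false`; the added layout tests cover only the HTTPS-created case, so a test asserting that a blob: or filesystem: URL with an insecure inner URL still triggers the warning would pin that down.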
Modified: trunk/Source/WebCore/page/SecurityOrigin.h (119882 => 119883)
--- trunk/Source/WebCore/page/SecurityOrigin.h 2012-06-09 00:56:05 UTC (rev 119882)
+++ trunk/Source/WebCore/page/SecurityOrigin.h 2012-06-09 01:51:27 UTC (rev 119883)
@@ -67,6 +67,11 @@
String domain() const { return m_domain; }
unsigned short port() const { return m_port; }
+ // Returns true if a given URL is secure, based either directly on its
+ // own protocol, or, when relevant, on the protocol of its "inner URL"
+ // Protocols like blob: and filesystem: fall into this latter category.
+ static bool isSecure(const KURL&);
+
// Returns true if this SecurityOrigin can script objects in the given
// SecurityOrigin. For example, call this function before allowing
// script from one security origin to read or write objects from
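Review bot: The comment added above `static bool isSecure(const KURL&);` is missing a full stop after `"inner URL"`, so its second and third sentences run together. It should also state that invalid URLs return true, since that is part of the contract implemented in SecurityOrigin.cpp and callers reading only the header would not expect it.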