Title: [193984] trunk
- Revision
- 193984
- Author
- jiewen_...@apple.com
- Date
- 2015-12-11 14:43:49 -0800 (Fri, 11 Dec 2015)
Log Message
Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment"
https://bugs.webkit.org/show_bug.cgi?id=152102
<rdar://problem/22124230>
Reviewed by Andy Estes.
Source/WebCore:
Keep the ReferrerPolicy for a document as ReferrerPolicyNever if the document is loaded with
"Content-Disposition: attachment".
Test: http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html
* dom/Document.cpp:
(WebCore::Document::processReferrerPolicy):
(WebCore::Document::applyContentDispositionAttachmentSandbox):
LayoutTests:
* http/tests/contentdispositionattachmentsandbox/resources/echo-http-referer.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/subresource-request-not-include-referer-header-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (193983 => 193984)
--- trunk/LayoutTests/ChangeLog 2015-12-11 22:39:29 UTC (rev 193983)
+++ trunk/LayoutTests/ChangeLog 2015-12-11 22:43:49 UTC (rev 193984)
@@ -1,3 +1,16 @@
+2015-12-11 Jiewen Tan <jiewen_...@apple.com>
+
+ Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment"
+ https://bugs.webkit.org/show_bug.cgi?id=152102
+ <rdar://problem/22124230>
+
+ Reviewed by Andy Estes.
+
+ * http/tests/contentdispositionattachmentsandbox/resources/echo-http-referer.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/subresource-request-not-include-referer-header-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html: Added.
+
2015-12-11 Ryan Haddad <ryanhad...@apple.com>
Marking fast/events/ios tests as flaky on ios-simulator due to timeouts
Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/echo-http-referer.php (0 => 193984)
--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/echo-http-referer.php (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/echo-http-referer.php 2015-12-11 22:43:49 UTC (rev 193984)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<script>
+if (window.parent.testRunner)
+ testRunner.notifyDone();
+</script>
+<?php
+echo $_SERVER['HTTP_REFERER'];
+?>
\ No newline at end of file
Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/subresource-request-not-include-referer-header-frame.php (0 => 193984)
--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/subresource-request-not-include-referer-header-frame.php (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/subresource-request-not-include-referer-header-frame.php 2015-12-11 22:43:49 UTC (rev 193984)
@@ -0,0 +1,14 @@
+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+a {
+ display: block;
+ width: 100vw;
+ height: 100vh;
+}
+
+</style>
+<a href="" to second-wo-referer.php</a>
\ No newline at end of file
Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header-expected.txt (0 => 193984)
--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header-expected.txt 2015-12-11 22:43:49 UTC (rev 193984)
@@ -0,0 +1,8 @@
+This test verifies that a subresource loaded by a document which is loaded with Content-Disposition:attachment will not have http referer. Tess passes if no referer is printed.
+
+
+
+--------
+Frame: 'iframe'
+--------
+
Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html (0 => 193984)
--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html 2015-12-11 22:43:49 UTC (rev 193984)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function navigation() {
+ // Due to the sandbox, it's not possible to run script in the iframe or even access its contentDocument.
+ var element = document.getElementById('iframe');
+ var x = element.offsetLeft + 10;
+ var y = element.offsetTop + 10;
+
+ if (window.testRunner) {
+ if (window.eventSender) {
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ }
+
+ if (testRunner.runUIScript)
+ testRunner.runUIScript("(function() { uiController.singleTapAtPoint(" + x + ", " + y + "); })()");
+ }
+}
+</script>
+<p>This test verifies that a subresource loaded by a document which is loaded with Content-Disposition:attachment will not have http referer. Tess passes if no referer is printed.</p>
+<iframe id='iframe' src="" _onload_="navigation()"></iframe>
Modified: trunk/Source/WebCore/ChangeLog (193983 => 193984)
--- trunk/Source/WebCore/ChangeLog 2015-12-11 22:39:29 UTC (rev 193983)
+++ trunk/Source/WebCore/ChangeLog 2015-12-11 22:43:49 UTC (rev 193984)
@@ -1,3 +1,20 @@
+2015-12-11 Jiewen Tan <jiewen_...@apple.com>
+
+ Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment"
+ https://bugs.webkit.org/show_bug.cgi?id=152102
+ <rdar://problem/22124230>
+
+ Reviewed by Andy Estes.
+
+ Keep the ReferrerPolicy for a document as ReferrerPolicyNever if the document is loaded with
+ "Content-Disposition: attachment".
+
+ Test: http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processReferrerPolicy):
+ (WebCore::Document::applyContentDispositionAttachmentSandbox):
+
2015-12-11 Brady Eidson <beid...@apple.com>
Modern IDB: storage/indexeddb/key-type-array.html fails.
Modified: trunk/Source/WebCore/dom/Document.cpp (193983 => 193984)
--- trunk/Source/WebCore/dom/Document.cpp 2015-12-11 22:39:29 UTC (rev 193983)
+++ trunk/Source/WebCore/dom/Document.cpp 2015-12-11 22:43:49 UTC (rev 193984)
@@ -3339,6 +3339,11 @@
{
ASSERT(!policy.isNull());
+ // Documents in a Content-Disposition: attachment sandbox should never send a Referer header,
+ // even if the document has a meta tag saying otherwise.
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ return;
+
// Note that we're supporting both the standard and legacy keywords for referrer
// policies, as defined by http://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-meta
if (equalIgnoringCase(policy, "no-referrer") || equalIgnoringCase(policy, "never"))
@@ -6871,6 +6876,7 @@
{
ASSERT(shouldEnforceContentDispositionAttachmentSandbox());
+ setReferrerPolicy(ReferrerPolicyNever);
if (!isMediaDocument())
enforceSandboxFlags(SandboxAll);
else
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
