[webkit-changes] [WebKit/WebKit] bfe32c: Block sandboxed frames from navigating to javascri...

Ryan Reno noreply at github.com
Tue Aug 8 10:22:31 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bfe32ce05ee3b00154b18fef84cc2dff3c7bf5af
      https://github.com/WebKit/WebKit/commit/bfe32ce05ee3b00154b18fef84cc2dff3c7bf5af
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-08-08 (Tue, 08 Aug 2023)

  Changed paths:
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/NavigationRequester.cpp
    M Source/WebCore/loader/NavigationRequester.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
https://bugs.webkit.org/show_bug.cgi?id=257824
rdar://108462161

Reviewed by Alex Christensen.

Sandboxed iframes could execute script in a target frame by navigating
the frame to a javascript: URL. For example, the top frame when the
iframe has the sandbox flag "allow-top-navigation". This change checks to see if
the "allow-scripts" flag is set before executing the URL in the target frame.

* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::executeJavaScriptURL):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):

Originally-landed-as: 259548.813 at safari-7615-branch (47ed6aa2ea88). rdar://113223713
Canonical link: https://commits.webkit.org/266689@main

More information about the webkit-changes mailing list