[webkit-changes] [WebKit/WebKit] bfe32c: Block sandboxed frames from navigating to javascri...
Ryan Reno
noreply at github.com
Tue Aug 8 10:22:31 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bfe32ce05ee3b00154b18fef84cc2dff3c7bf5af
https://github.com/WebKit/WebKit/commit/bfe32ce05ee3b00154b18fef84cc2dff3c7bf5af
Author: Ryan Reno <rreno at apple.com>
Date: 2023-08-08 (Tue, 08 Aug 2023)
Changed paths:
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/loader/NavigationRequester.cpp
M Source/WebCore/loader/NavigationRequester.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
https://bugs.webkit.org/show_bug.cgi?id=257824
rdar://108462161
Reviewed by Alex Christensen.
Sandboxed iframes could execute script in a target frame by navigating
the frame to a javascript: URL. For example, the top frame when the
iframe has the sandbox flag "allow-top-navigation". This change checks to see if
the "allow-scripts" flag is set before executing the URL in the target frame.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::executeJavaScriptURL):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):
Originally-landed-as: 259548.813 at safari-7615-branch (47ed6aa2ea88). rdar://113223713
Canonical link: https://commits.webkit.org/266689@main
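As an added illustration (not WebKit's code), a JavaScript model of the policy the commit describes: the requesting frame's sandbox flags decide whether it may navigate the target frame and, for a javascript: URL, whether that URL may execute there at all. The token list, the function names and the "self"/"top" target model are assumptions made for this example.

```javascript
// Added example, not WebKit code: models the check described in the commit.
// A javascript: URL requested by a sandboxed frame is only executed in the
// target frame when the requester carries the allow-scripts flag.

// Subset of sandbox tokens used by this model (assumption: others are ignored).
const SANDBOX_TOKENS = new Set([
  "allow-scripts", "allow-top-navigation", "allow-same-origin", "allow-forms",
]);

// Parse an iframe `sandbox` attribute value into a Set of recognised flags.
// An empty value (bare `sandbox`) yields no flags, i.e. everything restricted.
function parseSandbox(attr) {
  const flags = new Set();
  for (const tok of attr.trim().toLowerCase().split(/\s+/)) {
    if (SANDBOX_TOKENS.has(tok)) flags.add(tok);
  }
  return flags;
}

// Decide whether a navigation from a frame with `requesterFlags`
// (null = requester is not sandboxed) to `target` ("self" or "top")
// may proceed with `url`. Returns { allowed, reason }.
function decideNavigation(requesterFlags, target, url) {
  const isJavaScriptUrl = /^\s*javascript:/i.test(url);
  if (requesterFlags === null)
    return { allowed: true, reason: "requester is not sandboxed" };
  // Navigating the top frame needs allow-top-navigation on the requester.
  if (target === "top" && !requesterFlags.has("allow-top-navigation"))
    return { allowed: false, reason: "sandboxed frame may not navigate top" };
  // The fix: even when the target may be navigated, a javascript: URL is
  // dropped unless the requester itself is allowed to run script.
  if (isJavaScriptUrl && !requesterFlags.has("allow-scripts"))
    return { allowed: false, reason: "javascript: URL blocked, requester lacks allow-scripts" };
  return { allowed: true, reason: "permitted" };
}

module.exports = { parseSandbox, decideNavigation };
```

The case the commit singles out is a requester with only allow-top-navigation: it may navigate top to an ordinary URL, but a javascript: URL is refused because allow-scripts is absent.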