[webkit-changes] [WebKit/WebKit] 900265: Third Party IFrame Navigation Block Bypass via Con...
Ryan Reno
noreply at github.com
Mon Jul 31 10:50:01 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 900265400e127db69a5ae3234151f005a3e769d3
https://github.com/WebKit/WebKit/commit/900265400e127db69a5ae3234151f005a3e769d3
Author: Ryan Reno <rreno at apple.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
A LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
M Source/WebCore/dom/Document.cpp
Log Message:
-----------
Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
https://bugs.webkit.org/show_bug.cgi?id=257903
rdar://109059471
Reviewed by Brent Fulgham.
If a third-party iframe is unsandboxed we will prevent top navigation
without user interaction with the frame. However, this is bypassable if
the iframe gives itself a sandbox which allows top navigation via CSP.
This change checks to see if the iframe element was unsandboxed and
proceeds with the more strict third-party checks if so.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
* LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
Originally-landed-as: 259548.823 at safari-7615-branch (18a05c43972c). rdar://109059471
Canonical link: https://commits.webkit.org/266433@main
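
The decision described in the log message, as an added example that is not WebKit's Document.cpp or any code from the commit. It is a simplified model: the struct, field and function names are hypothetical, and it assumes a sandbox set by the embedder on the iframe element continues to govern top navigation on its own.

```cpp
// Simplified model of the check described in the commit message.
// Added illustration; not WebKit code. All names are hypothetical.
#include <iostream>

struct Frame {
    bool thirdParty;           // frame's site differs from the top document's
    bool userInteracted;       // user has interacted with this frame
    bool elementSandboxed;     // embedder set a sandbox attribute on the <iframe>
    bool elementAllowsTopNav;  // ...and it includes allow-top-navigation
    bool cspSandboxed;         // frame's own response carries a CSP sandbox directive
    bool cspAllowsTopNav;      // ...and it includes allow-top-navigation
};

// A sandbox from either source applies; every active sandbox must allow top navigation.
static bool sandboxed(const Frame& f) { return f.elementSandboxed || f.cspSandboxed; }
static bool sandboxAllowsTopNav(const Frame& f) {
    return (!f.elementSandboxed || f.elementAllowsTopNav)
        && (!f.cspSandboxed || f.cspAllowsTopNav);
}
static bool thirdPartyCheckBlocks(const Frame& f) { return f.thirdParty && !f.userInteracted; }

// Before: any sandbox, including one the frame gave itself via CSP,
// meant the stricter third-party check was skipped.
bool blockedBefore(const Frame& f) {
    if (sandboxed(f))
        return !sandboxAllowsTopNav(f);
    return thirdPartyCheckBlocks(f);
}

// After: if the iframe element itself was unsandboxed, the stricter
// third-party check still runs, whatever the frame's own CSP says.
bool blockedAfter(const Frame& f) {
    if (sandboxed(f) && !sandboxAllowsTopNav(f))
        return true;                 // sandbox flags already forbid it
    if (f.elementSandboxed)
        return false;                // embedder explicitly allowed top navigation
    return thirdPartyCheckBlocks(f); // element unsandboxed: stricter check applies
}

int main() {
    // Constructed cases: third-party frame, no user interaction.
    Frame selfSandboxed{true, false, false, false, true, true};
    Frame embedderSandboxed{true, false, true, true, false, false};
    std::cout << blockedBefore(selfSandboxed) << blockedAfter(selfSandboxed)
              << blockedAfter(embedderSandboxed) << "\n";
}
```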