[webkit-changes] [WebKit/WebKit] 900265: Third Party IFrame Navigation Block Bypass via Con...

Ryan Reno noreply at github.com
Mon Jul 31 10:50:01 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 900265400e127db69a5ae3234151f005a3e769d3
      https://github.com/WebKit/WebKit/commit/900265400e127db69a5ae3234151f005a3e769d3
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
    A LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
https://bugs.webkit.org/show_bug.cgi?id=257903
rdar://109059471

Reviewed by Brent Fulgham.

If a third-party iframe is unsandboxed we will prevent top navigation
without user interaction with the frame. However, this is bypassable if
the iframe gives itself a sandbox which allows top navigation via CSP.

This change checks to see if the iframe element was unsandboxed and
proceeds with the more strict third-party checks if so.

* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
* LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):

Originally-landed-as: 259548.823 at safari-7615-branch (18a05c43972c). rdar://109059471
Canonical link: https://commits.webkit.org/266433@main
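
The flaw class the log message describes, as an added example that is not part of the commit or of WebKit's source: a simplified JavaScript model in which a sandbox the framed document declares for itself via CSP is mistaken for one imposed by the embedder. All field and function names are hypothetical, and the shape of the pre-fix check, including the rule that an embedder-set sandbox with `allow-top-navigation` skips the strict check, is an assumption inferred from the message.

```javascript
// Simplified model of the decision described in the log message above.
// Hypothetical names throughout; this is not the code in Document.cpp.

// Sandbox token list -> Set, or null when that source sets no sandbox.
const parse = (v) => (v == null ? null : new Set(v.split(/\s+/).filter(Boolean)));

// Effective sandbox = embedder's <iframe sandbox> attribute combined with the
// framed document's own CSP "sandbox" directive; a token survives only if
// every source that applies a sandbox allows it.
function effectiveSandbox(frame) {
  const sources = [parse(frame.iframeSandboxAttr), parse(frame.cspSandbox)]
    .filter((s) => s !== null);
  if (sources.length === 0) return null;
  return new Set([...sources[0]].filter((t) => sources.every((s) => s.has(t))));
}

// Strict third-party rule: no top navigation without user interaction.
const strictCheckBlocks = (f) => f.isThirdParty && !f.hadUserInteraction;

// Before (assumed shape): any sandboxed document skips the strict rule,
// including one that sandboxed itself through its own CSP header.
function isBlockedBefore(frame) {
  const flags = effectiveSandbox(frame);
  if (flags !== null) return !flags.has("allow-top-navigation");
  return strictCheckBlocks(frame);
}

// After: the sandbox must still permit the navigation, and the strict rule is
// skipped only when the iframe element itself carried a sandbox attribute.
function isBlockedAfter(frame) {
  const flags = effectiveSandbox(frame);
  if (flags !== null && !flags.has("allow-top-navigation")) return true;
  if (frame.iframeSandboxAttr == null) return strictCheckBlocks(frame);
  return false;
}

// Constructed sample frames (not taken from the layout tests).
const base = { isThirdParty: true, hadUserInteraction: false };
const frames = {
  plain: { ...base, iframeSandboxAttr: null, cspSandbox: null },
  selfCsp: { ...base, iframeSandboxAttr: null, cspSandbox: "allow-scripts allow-top-navigation" },
  embedderOptIn: { ...base, iframeSandboxAttr: "allow-scripts allow-top-navigation", cspSandbox: null },
  narrowed: { ...base, iframeSandboxAttr: "allow-scripts", cspSandbox: "allow-scripts allow-top-navigation" },
};
for (const [name, f] of Object.entries(frames))
  console.log(name, { before: isBlockedBefore(f), after: isBlockedAfter(f) });
```

Only the `selfCsp` frame changes outcome between the two functions, which is the case the new layout test name points at.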



