[webkit-changes] [WebKit/WebKit] f8f6da: Add support for the `allow-downloads` iframe sandb...

Chris Dumez noreply at github.com
Wed Oct 25 15:47:01 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f8f6da20d5073dc5050556c3f4e1c6f8007b2b13
      https://github.com/WebKit/WebKit/commit/f8f6da20d5073dc5050556c3f4e1c6f8007b2b13
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-10-25 (Wed, 25 Oct 2023)

  Changed paths:
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/referer-header-stripped.js
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
    M LayoutTests/http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html
    A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt
    A LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_window_open_download_allow_downloads.tentative-expected.txt
    R LayoutTests/platform/glib/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigation_download_block_downloads.sub.tentative-expected.txt
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/dom/SecurityContext.cpp
    M Source/WebCore/dom/SecurityContext.h
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/PolicyChecker.cpp
    M Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
    M Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
    M Tools/WebKitTestRunner/InjectedBundle/TestRunner.h
    M Tools/WebKitTestRunner/TestController.cpp
    M Tools/WebKitTestRunner/TestController.h
    M Tools/WebKitTestRunner/TestInvocation.cpp

  Log Message:
  -----------
  Add support for the `allow-downloads` iframe sandbox attribute
https://bugs.webkit.org/show_bug.cgi?id=259155
rdar://109414664

Reviewed by Brent Fulgham.

Add support for the `allow-downloads` iframe sandbox attribute so that downloads
are now forbidden by default in sandboxed iframes and this attribute is required
to allow them. This aligns our behavior with Chrome and Firefox.

* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup-noopener.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed-in-popup.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-allowed.html: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed-expected.txt: Added.
* LayoutTests/http/tests/download/sandboxed-iframe-download-not-allowed.html: Added.
Add layout test coverage.

* LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_anchor_download_block_downloads.tentative-expected.txt:
Rebaseline due to more PASS lines. I investigated the remaining failure and confirmed that no download is actually occurring for any of the subtests, as expected.
I see our code cancelling the NetworkDataTask. However, the test doesn't seem to detect the stream closing. It may be an issue at the CFNetwork level.

* Source/WebCore/dom/SecurityContext.cpp:
(WebCore::SecurityContext::isSupportedSandboxPolicy):
(WebCore::SecurityContext::parseSandboxPolicy):
* Source/WebCore/dom/SecurityContext.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::continueAfterContentPolicy):
* Source/WebCore/loader/PolicyChecker.cpp:
(WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy):
(WebCore::FrameLoader::PolicyChecker::checkNewWindowPolicy):

* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::decidePolicyForNavigationResponse):
Update WebKitTestRunner to trigger a download when a resource response contains
`Content-Disposition: attachment`, similarly to what a browser would do and what
WPT tests expect. By default, we would only trigger a download if the MIME type
couldn't be displayed. However, the iframe_sandbox_anchor_download_block_downloads.tentative.html
WPT test uses both a `Content-Disposition: attachment` HTTP header and a displayable
MIME type and rightly expects a download.

Originally-landed-as: 265870.84 at safari-7616-branch (9d46b7777bca). rdar://116425379
Canonical link: https://commits.webkit.org/269788@main
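
An added model of the behaviour described in the log message above, in illustrative JavaScript (not WebKit's code and not part of the commit): a response becomes a download when it carries `Content-Disposition: attachment` or a non-displayable MIME type, and a sandboxed frame blocks it unless `allow-downloads` is among its tokens. The function names, the `DISPLAYABLE` sample set and the test cases are assumptions constructed for this example.

```javascript
// Added model for illustration; not WebKit source.
// DISPLAYABLE is an assumed sample of MIME types a browser would render inline.
const DISPLAYABLE = new Set(["text/html", "text/plain", "image/png"]);

// Returns null when the sandbox attribute is absent (frame not sandboxed),
// otherwise the set of lowercased tokens, split on ASCII whitespace only.
function parseSandboxTokens(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.split(/[ \t\n\f\r]+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// True when the disposition type (text before the first ';') is "attachment".
function isAttachment(contentDisposition) {
  if (!contentDisposition) return false;
  return contentDisposition.split(";")[0].trim().toLowerCase() === "attachment";
}

// MIME essence: type/subtype without parameters, lowercased.
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Outcome for a response loaded in a frame: "display", "download" or "blocked".
function decideResponse({ sandbox, contentDisposition, contentType }) {
  const wantsDownload =
    isAttachment(contentDisposition) || !DISPLAYABLE.has(mimeEssence(contentType));
  if (!wantsDownload) return "display";
  const tokens = parseSandboxTokens(sandbox);
  // Sandboxed frames are default-deny for downloads; the token must match exactly.
  if (tokens !== null && !tokens.has("allow-downloads")) return "blocked";
  return "download";
}

// Constructed cases: same attachment response under different sandbox values,
// then two responses without Content-Disposition.
const att = { contentDisposition: "Attachment; filename=report.html", contentType: "text/html" };
const cases = [
  { sandbox: null, ...att },                              // no sandbox attribute
  { sandbox: "", ...att },                                // empty value: all restrictions
  { sandbox: "allow-scripts allow-same-origin", ...att }, // token missing
  { sandbox: "allow-scripts\tALLOW-DOWNLOADS", ...att },  // tab-separated, mixed case
  { sandbox: "allow-scripts,allow-downloads", ...att },   // comma is not a separator
  { sandbox: "allow-scripts", contentDisposition: null, contentType: "text/html; charset=utf-8" },
  { sandbox: "allow-scripts", contentDisposition: null, contentType: "application/zip" },
];

function runCases() {
  return cases.map((c) => decideResponse(c));
}
```

The comma-separated case is a common authoring mistake when auditing embed markup: the whole string parses as one unknown token, so the frame stays download-blocked.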



