<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186982] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186982">186982</a></dd>
<dt>Author</dt> <dd>aestes@apple.com</dd>
<dt>Date</dt> <dd>2015-07-17 20:47:28 -0700 (Fri, 17 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>[iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
https://bugs.webkit.org/show_bug.cgi?id=147044
rdar://problem/21567820
Reviewed by Brady Eidson.
Source/WebCore:
In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
this change does the following:
- Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
- Disables processing of <meta http-equiv> elements.
- Disables loading of cross-origin subframes.
Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
(WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
(WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
(WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
and the document was fetched as an attachment.
* dom/Document.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
only continue if the parent frame's SecurityOrigin allows the request.
* page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
Source/WebKit/mac:
* WebView/WebView.mm:
(-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
Source/WebKit2:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
Tools:
* WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
(WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
This matches the behavior of DumpRenderTree.
LayoutTests:
* http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
* http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
* http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
* http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
* http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoredomDocumenth">trunk/Source/WebCore/dom/Document.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepageSettingsin">trunk/Source/WebCore/page/Settings.in</a></li>
<li><a href="#trunkSourceWebKitmacChangeLog">trunk/Source/WebKit/mac/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitmacWebViewWebViewmm">trunk/Source/WebKit/mac/WebView/WebView.mm</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2WebProcessWebPageWebPagecpp">trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsWebKitTestRunnerInjectedBundleInjectedBundlePagecpp">trunk/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li>trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/</li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledexpectedtxt">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledexpectedtxt">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledexpectedtxt">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledexpectedhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html</a></li>
<li>trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/</li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcescrossoriginframesframephp">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcesformsubmissionframephp">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourceshttpequivframephp">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcespluginsframephp">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcesscriptsframephp">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledexpectedtxt">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledhtml">trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/LayoutTests/ChangeLog        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
+
</ins><span class="cx"> 2015-07-17 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> (display: block)input range's thumb disappears when moved.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/cross-origin-frames-frame.php"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 21: Blocked form submission to 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/form-submission-frame.php' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
+This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ window.addEventListener('load', function() {
+ // Due to the sandbox, it's not possible to run script in the iframe or even access its contentDocument.
+ // Submit the form by clicking its button with synthetic mouse events.
+ var iframeRect = document.getElementsByTagName('iframe')[0].getClientRects()[0];
+ var submitButtonRect = document.getElementById('submitButtonForMetrics').getClientRects()[0];
+
+ // This assumes that the iframe has no border, and its document's body has no margin.
+ var x = iframeRect.left + submitButtonRect.width / 2;
+ var y = iframeRect.top + submitButtonRect.height / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ testRunner.notifyDone();
+ });
+}
+</script>
+<p>This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe style="border: 0px" src="resources/form-submission-frame.php"></iframe>
+<input style="visibility: hidden" id="submitButtonForMetrics" type="submit">
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 2: http-equiv 'refresh' is disabled for documents with Content-Disposition: attachment.
+This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that &lt;meta http-equiv&gt; processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/http-equiv-frame.php"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledexpectedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+<!DOCTYPE html>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the &lt;iframe&gt; below if the test passes.</p>
+<iframe srcdoc="<!DOCTYPE html>PASS"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+
+ // The doubly-nested setTimeout() is meant to account for two timers in the object fallback content rendering process.
+ // We can't rely on object's onerror event since we cannot run script in the sandboxed frame, so we must wait for the
+ // post-layout timer followed by the embedded objects update timer to ensure that fallback content has been rendered.
+ window.addEventListener('load', function() {
+ window.setTimeout(function() {
+ window.setTimeout(function() {
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ });
+}
+</script>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the &lt;iframe&gt; below if the test passes.</p>
+<iframe src="resources/plugins-frame.php"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcescrossoriginframesframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<iframe src="data:text/html,FAIL"></iframe>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcesformsubmissionframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+body {
+ margin: 0px;
+}
+</style>
+<form>
+<input type="submit">
+</form>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourceshttpequivframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<meta http-equiv="refresh" content="0; url=data:text/html,FAIL">
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcespluginsframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<object type="application/x-webkit-test-netscape">PASS</object>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxresourcesscriptsframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<script>
+document.write('FAIL');
+</script>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/scripts-frame.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (0 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html         (rev 0)
+++ trunk/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/scripts-frame.php"></iframe>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebCore/ChangeLog        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
+ this change does the following:
+
+ - Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
+ - Disables processing of <meta http-equiv> elements.
+ - Disables loading of cross-origin subframes.
+
+ Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
+ http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
+ http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
+ http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
+ http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
+ (WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
+ (WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
+ (WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
+ and the document was fetched as an attachment.
+ * dom/Document.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
+ only continue if the parent frame's SecurityOrigin allows the request.
+ * page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
+
</ins><span class="cx"> 2015-07-17 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> (display: block)input range's thumb disappears when moved.
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebCore/dom/Document.cpp        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -3026,8 +3026,24 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!equiv.isNull() && !content.isNull());
</span><span class="cx">
</span><del>- if (page() && !page()->settings().httpEquivEnabled())
</del><ins>+ HttpEquivPolicy policy = httpEquivPolicy();
+ if (policy != HttpEquivPolicy::Enabled) {
+ String reason;
+ switch (policy) {
+ case HttpEquivPolicy::Enabled:
+ ASSERT_NOT_REACHED();
+ break;
+ case HttpEquivPolicy::DisabledBySettings:
+ reason = "by the embedder.";
+ break;
+ case HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox:
+ reason = "for documents with Content-Disposition: attachment.";
+ break;
+ }
+ String message = "http-equiv '" + equiv + "' is disabled " + reason;
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
</ins><span class="cx"> return;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> Frame* frame = this->frame();
</span><span class="cx">
</span><span class="lines">@@ -4895,15 +4911,8 @@
</span><span class="cx"> setCookieURL(m_url);
</span><span class="cx"> enforceSandboxFlags(m_frame->loader().effectiveSandboxFlags());
</span><span class="cx">
</span><del>-#if PLATFORM(IOS)
- // On iOS we display attachments inline regardless of whether the response includes
- // the HTTP header "Content-Disposition: attachment". So, we enforce a unique
- // security origin for such documents. As an optimization, we don't need to parse
- // the responde header (i.e. call ResourceResponse::isAttachment()) for a synthesized
- // document because such documents cannot be an attachment.
- if (!m_isSynthesized && m_frame->loader().activeDocumentLoader()->response().isAttachment())
- enforceSandboxFlags(SandboxOrigin);
-#endif
</del><ins>+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ enforceSandboxFlags(SandboxAll);
</ins><span class="cx">
</span><span class="cx"> setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
</span><span class="cx"> setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</span><span class="lines">@@ -6002,6 +6011,15 @@
</span><span class="cx"> DebugPageOverlays::didChangeEventHandlers(*frame);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+HttpEquivPolicy Document::httpEquivPolicy() const
+{
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ return HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox;
+ if (page() && !page()->settings().httpEquivEnabled())
+ return HttpEquivPolicy::DisabledBySettings;
+ return HttpEquivPolicy::Enabled;
+}
+
</ins><span class="cx"> static bool removeHandlerFromSet(EventTargetSet& handlerSet, Node& node, EventHandlerRemoval removal)
</span><span class="cx"> {
</span><span class="cx"> switch (removal) {
</span><span class="lines">@@ -6675,4 +6693,17 @@
</span><span class="cx"> return ShouldOpenExternalURLsPolicy::ShouldNotAllow;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool Document::shouldEnforceContentDispositionAttachmentSandbox() const
+{
+ if (m_isSynthesized)
+ return false;
+
+ bool contentDispositionAttachmentSandboxEnabled = settings() && settings()->contentDispositionAttachmentSandboxEnabled();
+ bool responseIsAttachment = false;
+ if (DocumentLoader* documentLoader = m_frame ? m_frame->loader().activeDocumentLoader() : nullptr)
+ responseIsAttachment = documentLoader->response().isAttachment();
+
+ return contentDispositionAttachmentSandboxEnabled && responseIsAttachment;
+}
+
</ins><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.h (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.h        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebCore/dom/Document.h        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -269,6 +269,12 @@
</span><span class="cx">
</span><span class="cx"> enum DimensionsCheck { WidthDimensionsCheck = 1 << 0, HeightDimensionsCheck = 1 << 1, AllDimensionsCheck = 1 << 2 };
</span><span class="cx">
</span><ins>+enum class HttpEquivPolicy {
+ Enabled,
+ DisabledBySettings,
+ DisabledByContentDispositionAttachmentSandbox
+};
+
</ins><span class="cx"> class Document : public ContainerNode, public TreeScope, public ScriptExecutionContext, public FontSelectorClient {
</span><span class="cx"> public:
</span><span class="cx"> static Ref<Document> create(Frame* frame, const URL& url)
</span><span class="lines">@@ -1265,6 +1271,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> ShouldOpenExternalURLsPolicy shouldOpenExternalURLsPolicyToPropagate() const;
</span><ins>+ bool shouldEnforceContentDispositionAttachmentSandbox() const;
</ins><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
</span><span class="lines">@@ -1350,6 +1357,8 @@
</span><span class="cx">
</span><span class="cx"> void wheelEventHandlersChanged();
</span><span class="cx">
</span><ins>+ HttpEquivPolicy httpEquivPolicy() const;
+
</ins><span class="cx"> // DOM Cookies caching.
</span><span class="cx"> const String& cachedDOMCookies() const { return m_cachedDOMCookies; }
</span><span class="cx"> void setCachedDOMCookies(const String&);
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -373,6 +373,13 @@
</span><span class="cx"> // any URL.
</span><span class="cx"> switch (type) {
</span><span class="cx"> case CachedResource::MainResource:
</span><ins>+ if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+ if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+ }
+ FALLTHROUGH;
</ins><span class="cx"> case CachedResource::ImageResource:
</span><span class="cx"> case CachedResource::CSSStyleSheet:
</span><span class="cx"> case CachedResource::Script:
</span></span></pre></div>
<a id="trunkSourceWebCorepageSettingsin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Settings.in (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Settings.in        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebCore/page/Settings.in        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -243,3 +243,9 @@
</span><span class="cx"> newBlockInsideInlineModelEnabled initial=false, setNeedsStyleRecalcInAllFrames=1
</span><span class="cx">
</span><span class="cx"> httpEquivEnabled initial=true
</span><ins>+
+# Some ports (e.g. iOS) might choose to display attachments inline, regardless of whether the response includes the
+# HTTP header "Content-Disposition: attachment". This setting enables a sandbox around these attachments. The sandbox
+# enforces all frame sandbox flags (see enum SandboxFlag in SecurityContext.h), and also disables <meta http-equiv>
+# processing and subframe loading.
+contentDispositionAttachmentSandboxEnabled initial=false
</ins></span></pre></div>
<a id="trunkSourceWebKitmacChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/mac/ChangeLog (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/mac/ChangeLog        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebKit/mac/ChangeLog        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebView/WebView.mm:
+ (-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
+
</ins><span class="cx"> 2015-07-16 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Web Inspector: [Mac] Save dialog not working when inspector is docked
</span></span></pre></div>
<a id="trunkSourceWebKitmacWebViewWebViewmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/mac/WebView/WebView.mm (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/mac/WebView/WebView.mm        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebKit/mac/WebView/WebView.mm        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1085,6 +1085,10 @@
</span><span class="cx">
</span><span class="cx"> _private->page->setDeviceScaleFactor([self _deviceScaleFactor]);
</span><span class="cx"> #endif
</span><ins>+
+#if PLATFORM(IOS)
+ _private->page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (id)_initWithFrame:(NSRect)f frameName:(NSString *)frameName groupName:(NSString *)groupName
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebKit2/ChangeLog        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
+
</ins><span class="cx"> 2015-07-17 Tim Horton <timothy_horton@apple.com>
</span><span class="cx">
</span><span class="cx"> [iOS] TextIndicator has a large forehead when line-height > 1
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessWebPageWebPagecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -519,6 +519,10 @@
</span><span class="cx"> scaleView(parameters.viewScaleFactor);
</span><span class="cx">
</span><span class="cx"> m_page->setUserContentExtensionsEnabled(parameters.userContentExtensionsEnabled);
</span><ins>+
+#if PLATFORM(IOS)
+ m_page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void WebPage::reinitializeWebPage(const WebPageCreationParameters& parameters)
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Tools/ChangeLog        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
+ (WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
+ This matches the behavior of DumpRenderTree.
+
</ins><span class="cx"> 2015-07-17 Benjamin Poulain <bpoulain@apple.com>
</span><span class="cx">
</span><span class="cx"> [Content Extensions] Term::isUniversalTransition() incorrectly expects the end-of-line assertion in character sets
</span></span></pre></div>
<a id="trunkToolsWebKitTestRunnerInjectedBundleInjectedBundlePagecpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp (186981 => 186982)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp        2015-07-18 03:46:22 UTC (rev 186981)
+++ trunk/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp        2015-07-18 03:47:28 UTC (rev 186982)
</span><span class="lines">@@ -1326,7 +1326,7 @@
</span><span class="cx">
</span><span class="cx"> WKBundlePagePolicyAction InjectedBundlePage::decidePolicyForResponse(WKBundlePageRef page, WKBundleFrameRef, WKURLResponseRef response, WKURLRequestRef, WKTypeRef*)
</span><span class="cx"> {
</span><del>- if (WKURLResponseIsAttachment(response)) {
</del><ins>+ if (InjectedBundle::singleton().testRunner()->isPolicyDelegateEnabled() && WKURLResponseIsAttachment(response)) {
</ins><span class="cx"> StringBuilder stringBuilder;
</span><span class="cx"> WKRetainPtr<WKStringRef> filename = adoptWK(WKURLResponseCopySuggestedFilename(response));
</span><span class="cx"> stringBuilder.appendLiteral("Policy delegate: resource is an attachment, suggested file name \'");
</span></span></pre>
</div>
</div>
</body>
</html>