<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[187073] branches/safari-601.1-branch</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/187073">187073</a></dd>
<dt>Author</dt> <dd>matthew_hanson@apple.com</dd>
<dt>Date</dt> <dd>2015-07-20 21:37:40 -0700 (Mon, 20 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/186982">r186982</a>. rdar://problem/21567820</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari6011branchLayoutTestsChangeLog">branches/safari-601.1-branch/LayoutTests/ChangeLog</a></li>
<li><a href="#branchessafari6011branchSourceWebCoreChangeLog">branches/safari-601.1-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari6011branchSourceWebCoredomDocumentcpp">branches/safari-601.1-branch/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#branchessafari6011branchSourceWebCoredomDocumenth">branches/safari-601.1-branch/Source/WebCore/dom/Document.h</a></li>
<li><a href="#branchessafari6011branchSourceWebCoreloadercacheCachedResourceLoadercpp">branches/safari-601.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#branchessafari6011branchSourceWebCorepageSettingsin">branches/safari-601.1-branch/Source/WebCore/page/Settings.in</a></li>
<li><a href="#branchessafari6011branchSourceWebKitmacChangeLog">branches/safari-601.1-branch/Source/WebKit/mac/ChangeLog</a></li>
<li><a href="#branchessafari6011branchSourceWebKitmacWebViewWebViewmm">branches/safari-601.1-branch/Source/WebKit/mac/WebView/WebView.mm</a></li>
<li><a href="#branchessafari6011branchSourceWebKit2ChangeLog">branches/safari-601.1-branch/Source/WebKit2/ChangeLog</a></li>
<li><a href="#branchessafari6011branchSourceWebKit2WebProcessWebPageWebPagecpp">branches/safari-601.1-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp</a></li>
<li><a href="#branchessafari6011branchToolsChangeLog">branches/safari-601.1-branch/Tools/ChangeLog</a></li>
<li><a href="#branchessafari6011branchToolsWebKitTestRunnerInjectedBundleInjectedBundlePagecpp">branches/safari-601.1-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li>branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/</li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledexpectedtxt">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledexpectedtxt">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledexpectedtxt">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledexpectedhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html</a></li>
<li>branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/</li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcescrossoriginframesframephp">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcesformsubmissionframephp">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourceshttpequivframephp">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcespluginsframephp">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcesscriptsframephp">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledexpectedtxt">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt</a></li>
<li><a href="#branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledhtml">branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari6011branchLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/LayoutTests/ChangeLog (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/ChangeLog 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/LayoutTests/ChangeLog 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1,5 +1,33 @@
</span><span class="cx"> 2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r186982. rdar://problem/21567820
+
+ 2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/plugins-disabled.html: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt: Added.
+ * http/tests/contentdispositionattachmentsandbox/scripts-disabled.html: Added.
+
+2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r186976. rdar://problem/21643094
</span><span class="cx">
</span><span class="cx"> 2015-07-17 Tim Horton <timothy_horton@apple.com>
</span></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled-expected.txt 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/html,FAIL.
+This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxcrossoriginframesdisabledhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that cross-origin frames are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/cross-origin-frames-frame.php"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled-expected.txt 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 21: Blocked form submission to 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/form-submission-frame.php' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
+This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxformsubmissiondisabledhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ window.addEventListener('load', function() {
+ // Due to the sandbox, it's not possible to run script in the iframe or even access its contentDocument.
+ // Submit the form by clicking its button with synthetic mouse events.
+ var iframeRect = document.getElementsByTagName('iframe')[0].getClientRects()[0];
+ var submitButtonRect = document.getElementById('submitButtonForMetrics').getClientRects()[0];
+
+ // This assumes that the iframe has no border, and its document's body has no margin.
+ var x = iframeRect.left + submitButtonRect.width / 2;
+ var y = iframeRect.top + submitButtonRect.height / 2;
+
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ testRunner.notifyDone();
+ });
+}
+</script>
+<p>This test verifies that form submission is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe style="border: 0px" src="resources/form-submission-frame.php"></iframe>
+<input style="visibility: hidden" id="submitButtonForMetrics" type="submit">
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled-expected.txt 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 2: http-equiv 'refresh' is disabled for documents with Content-Disposition: attachment.
+This test verifies that <meta http-equiv> processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxhttpequivdisabledhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that &lt;meta http-equiv&gt; processing is disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/http-equiv-frame.php"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledexpectedhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled-expected.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+<!DOCTYPE html>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the &lt;iframe&gt; below if the test passes.</p>
+<iframe srcdoc="<!DOCTYPE html>PASS"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxpluginsdisabledhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/plugins-disabled.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+
+ // The doubly-nested setTimeout() is meant to account for two timers in the object fallback content rendering process.
+ // We can't rely on object's onerror event since we cannot run script in the sandboxed frame, so we must wait for the
+ // post-layout timer followed by the embedded objects update timer to ensure that fallback content has been rendered.
+ window.addEventListener('load', function() {
+ window.setTimeout(function() {
+ window.setTimeout(function() {
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ });
+}
+</script>
+<p>This test verifies that plug-ins are disabled when 'Content-Disposition: attachment' sandboxing is enabled. 'PASS' is displayed in the &lt;iframe&gt; below if the test passes.</p>
+<iframe src="resources/plugins-frame.php"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcescrossoriginframesframephp"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/cross-origin-frames-frame.php 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<iframe src="data:text/html,FAIL"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcesformsubmissionframephp"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/form-submission-frame.php 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<style>
+body {
+ margin: 0px;
+}
+</style>
+<form>
+<input type="submit">
+</form>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourceshttpequivframephp"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/http-equiv-frame.php 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<meta http-equiv="refresh" content="0; url=data:text/html,FAIL">
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcespluginsframephp"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/plugins-frame.php 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<object type="application/x-webkit-test-netscape">PASS</object>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxresourcesscriptsframephp"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/resources/scripts-frame.php 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+<?php
+header("Content-Disposition: attachment; filename=test.html");
+header("Content-Type: text/html");
+?>
+<!DOCTYPE html>
+<script>
+document.write('FAIL');
+</script>
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledexpectedtxt"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled-expected.txt 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/contentdispositionattachmentsandbox/resources/scripts-frame.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.
+
+
</ins></span></pre></div>
<a id="branchessafari6011branchLayoutTestshttptestscontentdispositionattachmentsandboxscriptsdisabledhtml"></a>
<div class="addfile"><h4>Added: branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (0 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html (rev 0)
+++ branches/safari-601.1-branch/LayoutTests/http/tests/contentdispositionattachmentsandbox/scripts-disabled.html 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+<!DOCTYPE html>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+if (window.internals)
+ internals.settings.setContentDispositionAttachmentSandboxEnabled(true);
+</script>
+<p>This test verifies that scripts are disabled when 'Content-Disposition: attachment' sandboxing is enabled. A security error will be logged to the console if the test passes.</p>
+<iframe src="resources/scripts-frame.php"></iframe>
</ins></span></pre></div>
<a id="branchessafari6011branchSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebCore/ChangeLog (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebCore/ChangeLog 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebCore/ChangeLog 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1,5 +1,42 @@
</span><span class="cx"> 2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r186982. rdar://problem/21567820
+
+ 2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ In addition to placing resources fetched with 'Content-Disposition: attachment' in a unique origin,
+ this change does the following:
+
+ - Switches the sandbox type from SandboxOrigin to SandboxAll, which enforces the same restrictions as <iframe sandbox>.
+ - Disables processing of <meta http-equiv> elements.
+ - Disables loading of cross-origin subframes.
+
+ Tests: http/tests/contentdispositionattachmentsandbox/cross-origin-frames-disabled.html
+ http/tests/contentdispositionattachmentsandbox/form-submission-disabled.html
+ http/tests/contentdispositionattachmentsandbox/http-equiv-disabled.html
+ http/tests/contentdispositionattachmentsandbox/plugins-disabled.html
+ http/tests/contentdispositionattachmentsandbox/scripts-disabled.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Switched to calling Document::httpEquivPolicy(). Logged an error to the console for policies other than Enabled.
+ (WebCore::Document::initSecurityContext): Switched sandbox enforcement from SandboxOrigin to SandboxAll.
+ (WebCore::Document::httpEquivPolicy): Returned a HttpEquivPolicy based on shouldEnforceContentDispositionAttachmentSandbox() and Settings::httpEquivEnabled().
+ (WebCore::Document::shouldEnforceContentDispositionAttachmentSandbox): Returned true if Settings::contentDispositionAttachmentSandboxEnabled()
+ and the document was fetched as an attachment.
+ * dom/Document.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest): When requesting a subframe main resource when the parent frame enforces an attachment sandbox,
+ only continue if the parent frame's SecurityOrigin allows the request.
+ * page/Settings.in: Added contentDispositionAttachmentSandboxEnabled with an initial value of false.
+
+2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r186979. rdar://problem/19192076
</span><span class="cx">
</span><span class="cx"> 2015-07-17 Dean Jackson <dino@apple.com>
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebCore/dom/Document.cpp (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebCore/dom/Document.cpp 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebCore/dom/Document.cpp 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -3026,8 +3026,24 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!equiv.isNull() && !content.isNull());
</span><span class="cx">
</span><del>- if (page() && !page()->settings().httpEquivEnabled())
</del><ins>+ HttpEquivPolicy policy = httpEquivPolicy();
+ if (policy != HttpEquivPolicy::Enabled) {
+ String reason;
+ switch (policy) {
+ case HttpEquivPolicy::Enabled:
+ ASSERT_NOT_REACHED();
+ break;
+ case HttpEquivPolicy::DisabledBySettings:
+ reason = "by the embedder.";
+ break;
+ case HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox:
+ reason = "for documents with Content-Disposition: attachment.";
+ break;
+ }
+ String message = "http-equiv '" + equiv + "' is disabled " + reason;
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
</ins><span class="cx"> return;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> Frame* frame = this->frame();
</span><span class="cx">
</span><span class="lines">@@ -4895,15 +4911,8 @@
</span><span class="cx"> setCookieURL(m_url);
</span><span class="cx"> enforceSandboxFlags(m_frame->loader().effectiveSandboxFlags());
</span><span class="cx">
</span><del>-#if PLATFORM(IOS)
- // On iOS we display attachments inline regardless of whether the response includes
- // the HTTP header "Content-Disposition: attachment". So, we enforce a unique
- // security origin for such documents. As an optimization, we don't need to parse
- // the responde header (i.e. call ResourceResponse::isAttachment()) for a synthesized
- // document because such documents cannot be an attachment.
- if (!m_isSynthesized && m_frame->loader().activeDocumentLoader()->response().isAttachment())
- enforceSandboxFlags(SandboxOrigin);
-#endif
</del><ins>+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ enforceSandboxFlags(SandboxAll);
</ins><span class="cx">
</span><span class="cx"> setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
</span><span class="cx"> setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</span><span class="lines">@@ -6002,6 +6011,15 @@
</span><span class="cx"> DebugPageOverlays::didChangeEventHandlers(*frame);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+HttpEquivPolicy Document::httpEquivPolicy() const
+{
+ if (shouldEnforceContentDispositionAttachmentSandbox())
+ return HttpEquivPolicy::DisabledByContentDispositionAttachmentSandbox;
+ if (page() && !page()->settings().httpEquivEnabled())
+ return HttpEquivPolicy::DisabledBySettings;
+ return HttpEquivPolicy::Enabled;
+}
+
</ins><span class="cx"> static bool removeHandlerFromSet(EventTargetSet& handlerSet, Node& node, EventHandlerRemoval removal)
</span><span class="cx"> {
</span><span class="cx"> switch (removal) {
</span><span class="lines">@@ -6675,4 +6693,17 @@
</span><span class="cx"> return ShouldOpenExternalURLsPolicy::ShouldNotAllow;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool Document::shouldEnforceContentDispositionAttachmentSandbox() const
+{
+ if (m_isSynthesized)
+ return false;
+
+ bool contentDispositionAttachmentSandboxEnabled = settings() && settings()->contentDispositionAttachmentSandboxEnabled();
+ bool responseIsAttachment = false;
+ if (DocumentLoader* documentLoader = m_frame ? m_frame->loader().activeDocumentLoader() : nullptr)
+ responseIsAttachment = documentLoader->response().isAttachment();
+
+ return contentDispositionAttachmentSandboxEnabled && responseIsAttachment;
+}
+
</ins><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebCoredomDocumenth"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebCore/dom/Document.h (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebCore/dom/Document.h 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebCore/dom/Document.h 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -269,6 +269,12 @@
</span><span class="cx">
</span><span class="cx"> enum DimensionsCheck { WidthDimensionsCheck = 1 << 0, HeightDimensionsCheck = 1 << 1, AllDimensionsCheck = 1 << 2 };
</span><span class="cx">
</span><ins>+enum class HttpEquivPolicy {
+ Enabled,
+ DisabledBySettings,
+ DisabledByContentDispositionAttachmentSandbox
+};
+
</ins><span class="cx"> class Document : public ContainerNode, public TreeScope, public ScriptExecutionContext, public FontSelectorClient {
</span><span class="cx"> public:
</span><span class="cx"> static Ref<Document> create(Frame* frame, const URL& url)
</span><span class="lines">@@ -1265,6 +1271,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> ShouldOpenExternalURLsPolicy shouldOpenExternalURLsPolicyToPropagate() const;
</span><ins>+ bool shouldEnforceContentDispositionAttachmentSandbox() const;
</ins><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
</span><span class="lines">@@ -1350,6 +1357,8 @@
</span><span class="cx">
</span><span class="cx"> void wheelEventHandlersChanged();
</span><span class="cx">
</span><ins>+ HttpEquivPolicy httpEquivPolicy() const;
+
</ins><span class="cx"> // DOM Cookies caching.
</span><span class="cx"> const String& cachedDOMCookies() const { return m_cachedDOMCookies; }
</span><span class="cx"> void setCachedDOMCookies(const String&);
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -373,6 +373,13 @@
</span><span class="cx"> // any URL.
</span><span class="cx"> switch (type) {
</span><span class="cx"> case CachedResource::MainResource:
</span><ins>+ if (HTMLFrameOwnerElement* ownerElement = frame() ? frame()->ownerElement() : nullptr) {
+ if (ownerElement->document().shouldEnforceContentDispositionAttachmentSandbox() && !ownerElement->document().securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+ }
+ FALLTHROUGH;
</ins><span class="cx"> case CachedResource::ImageResource:
</span><span class="cx"> case CachedResource::CSSStyleSheet:
</span><span class="cx"> case CachedResource::Script:
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebCorepageSettingsin"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebCore/page/Settings.in (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebCore/page/Settings.in 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebCore/page/Settings.in 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -243,3 +243,9 @@
</span><span class="cx"> newBlockInsideInlineModelEnabled initial=false, setNeedsStyleRecalcInAllFrames=1
</span><span class="cx">
</span><span class="cx"> httpEquivEnabled initial=true
</span><ins>+
+# Some ports (e.g. iOS) might choose to display attachments inline, regardless of whether the response includes the
+# HTTP header "Content-Disposition: attachment". This setting enables a sandbox around these attachments. The sandbox
+# enforces all frame sandbox flags (see enum SandboxFlag in SecurityContext.h), and also disables <meta http-equiv>
+# processing and subframe loading.
+contentDispositionAttachmentSandboxEnabled initial=false
</ins></span></pre></div>
<a id="branchessafari6011branchSourceWebKitmacChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebKit/mac/ChangeLog (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebKit/mac/ChangeLog 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebKit/mac/ChangeLog 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
+
+ Merge r186982. rdar://problem/21567820
+
+ 2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebView/WebView.mm:
+ (-[WebView _commonInitializationWithFrameName:groupName:]): Enabled Content-Disposition: attachment sandbox on iOS.
+
</ins><span class="cx"> 2015-07-16 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><span class="cx"> Merge r186919. rdar://problem/21834578
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebKitmacWebViewWebViewmm"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebKit/mac/WebView/WebView.mm (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebKit/mac/WebView/WebView.mm 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebKit/mac/WebView/WebView.mm 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1085,6 +1085,10 @@
</span><span class="cx">
</span><span class="cx"> _private->page->setDeviceScaleFactor([self _deviceScaleFactor]);
</span><span class="cx"> #endif
</span><ins>+
+#if PLATFORM(IOS)
+ _private->page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (id)_initWithFrame:(NSRect)f frameName:(NSString *)frameName groupName:(NSString *)groupName
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebKit2/ChangeLog (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebKit2/ChangeLog 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebKit2/ChangeLog 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1,5 +1,20 @@
</span><span class="cx"> 2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r186982. rdar://problem/21567820
+
+ 2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::WebPage): Enabled Content-Disposition: attachment sandbox on iOS.
+
+2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r186978. rdar://problem/21643094
</span><span class="cx">
</span><span class="cx"> 2015-07-17 Tim Horton <timothy_horton@apple.com>
</span></span></pre></div>
<a id="branchessafari6011branchSourceWebKit2WebProcessWebPageWebPagecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -519,6 +519,10 @@
</span><span class="cx"> scaleView(parameters.viewScaleFactor);
</span><span class="cx">
</span><span class="cx"> m_page->setUserContentExtensionsEnabled(parameters.userContentExtensionsEnabled);
</span><ins>+
+#if PLATFORM(IOS)
+ m_page->settings().setContentDispositionAttachmentSandboxEnabled(true);
+#endif
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void WebPage::reinitializeWebPage(const WebPageCreationParameters& parameters)
</span></span></pre></div>
<a id="branchessafari6011branchToolsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Tools/ChangeLog (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Tools/ChangeLog 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Tools/ChangeLog 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1,5 +1,21 @@
</span><span class="cx"> 2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
</span><span class="cx">
</span><ins>+ Merge r186982. rdar://problem/21567820
+
+ 2015-07-17 Andy Estes <aestes@apple.com>
+
+ [iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment
+ https://bugs.webkit.org/show_bug.cgi?id=147044
+ rdar://problem/21567820
+
+ Reviewed by Brady Eidson.
+
+ * WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp:
+ (WTR::InjectedBundlePage::decidePolicyForResponse): Only log the message about attachments if the custom policy delegate is enabled.
+ This matches the behavior of DumpRenderTree.
+
+2015-07-20 Matthew Hanson <matthew_hanson@apple.com>
+
</ins><span class="cx"> Merge r186964. rdar://problem/21803781
</span><span class="cx">
</span><span class="cx"> 2015-07-17 Dan Bernstein <mitz@apple.com>
</span></span></pre></div>
<a id="branchessafari6011branchToolsWebKitTestRunnerInjectedBundleInjectedBundlePagecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-601.1-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp (187072 => 187073)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-601.1-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp 2015-07-21 04:37:33 UTC (rev 187072)
+++ branches/safari-601.1-branch/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp 2015-07-21 04:37:40 UTC (rev 187073)
</span><span class="lines">@@ -1326,7 +1326,7 @@
</span><span class="cx">
</span><span class="cx"> WKBundlePagePolicyAction InjectedBundlePage::decidePolicyForResponse(WKBundlePageRef page, WKBundleFrameRef, WKURLResponseRef response, WKURLRequestRef, WKTypeRef*)
</span><span class="cx"> {
</span><del>- if (WKURLResponseIsAttachment(response)) {
</del><ins>+ if (InjectedBundle::singleton().testRunner()->isPolicyDelegateEnabled() && WKURLResponseIsAttachment(response)) {
</ins><span class="cx"> StringBuilder stringBuilder;
</span><span class="cx"> WKRetainPtr<WKStringRef> filename = adoptWK(WKURLResponseCopySuggestedFilename(response));
</span><span class="cx"> stringBuilder.appendLiteral("Policy delegate: resource is an attachment, suggested file name \'");
</span></span></pre>
</div>
</div>
</body>
</html>