[Webkit-unassigned] [Bug 166624] New: SecurityOrigin::create triplet constructor does not canonicalize port
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Dec 30 12:21:33 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=166624
Bug ID: 166624
Summary: SecurityOrigin::create triplet constructor does not
canonicalize port
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
CC: bugs-noreply at webkitgtk.org
WebCore::SecurityOrigin has four public create functions:
WEBCORE_EXPORT static Ref<SecurityOrigin> create(const URL&);
static Ref<SecurityOrigin> createUnique();
WEBCORE_EXPORT static Ref<SecurityOrigin> createFromString(const String&);
WEBCORE_EXPORT static Ref<SecurityOrigin> create(const String& protocol, const String& host, std::optional<uint16_t> port);
When a WebCore::SecurityOrigin is created using the first function, the port is canonicalized by unsetting it if it matches the default port for a protocol. That is handled by this code in the constructor:
if (m_port && isDefaultPortForProtocol(m_port.value(), m_protocol))
m_port = std::nullopt;
The second create function is not relevant to this bug.
The third function, createFromString, converts a String to a URL and then uses this path. So, for example, the expression SecurityOrigin::createFromString("http://example.com:80").port() would return nullopt, as it would if the port was omitted from the URL string. This is correct as per RFC 6454 because http://example.com and http://example.com:80 have the same security origin.
The issue lies with the fourth constructor. It does not perform this canonicalization, allowing two different nonequal SecurityOrigin objects to be created that represent the same security origin. That is, this constructor could be used to create a SecurityOrigin with protocol http, port 80, even though the other constructors would always canonicalize port 80 to nullopt.
I noticed this when working on exposing WebKitSecurityOrigin in the GTK+ API. I'm performing the canonicalization at the GTK+ API level for now, but I think it makes sense to do it in WebCore instead. I wonder if changing this in WebCore would expose unexpected side effects.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161230/30247063/attachment.html>
More information about the webkit-unassigned
mailing list