Can not read blobs in sandboxed iframes

https://bugs.webkit.org/show_bug.cgi?id=170075 <rdar://problem/31282427> Reviewed by Alex Christensen. Source/WebCore: In case of blob with an opaque origin, get the document that created the blob and use the document for mixed content check. Further refactoring should be done once specs are updated to clarify this. See w3c/webappsec-mixed-content#41 for more information. Tests: http/wpt/fetch/blob-of-opaque-origin-iframe.html http/wpt/fetch/blob-of-opaque-origin-worker.html * loader/MixedContentChecker.cpp: (WebCore::MixedContentChecker::isMixedContent): LayoutTests: * http/wpt/fetch/blob-of-opaque-origin-iframe-expected.txt: Added. * http/wpt/fetch/blob-of-opaque-origin-iframe.html: Added. * http/wpt/fetch/blob-of-opaque-origin-worker-expected.txt: Added. * http/wpt/fetch/blob-of-opaque-origin-worker.html: Added. * platform/win/TestExpectations: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@273879 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Cwiiis · Mar 4, 2021 · f7acb91 · f7acb91
1 parent c58e62b
commit f7acb91
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2021-03-04 Youenn Fablet <youenn@apple.com>
+
+ Can not read blobs in sandboxed iframes
+ https://bugs.webkit.org/show_bug.cgi?id=170075
+ <rdar://problem/31282427>
+
+ Reviewed by Alex Christensen.
+
+ * http/wpt/fetch/blob-of-opaque-origin-iframe-expected.txt: Added.
+ * http/wpt/fetch/blob-of-opaque-origin-iframe.html: Added.
+ * http/wpt/fetch/blob-of-opaque-origin-worker-expected.txt: Added.
+ * http/wpt/fetch/blob-of-opaque-origin-worker.html: Added.
+ * platform/win/TestExpectations:
+
 2021-03-04 Kimmo Kinnunen <kkinnunen@apple.com>
 
  Adding new test conditions for WebGL should be simpler

diff --git a/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-iframe-expected.txt b/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-iframe-expected.txt
@@ -0,0 +1,4 @@
+
+PASS Load opaque origin blobs for iframe
+PASS Check iframe secure context from a blob created in opaque origin but secure context
+
diff --git a/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-iframe.html b/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-iframe.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Blobs and opaque origins, iframe</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+<script>
+function with_iframe(url) {
+ return new Promise(function(resolve) {
+ var frame = document.createElement('iframe');
+ frame.srcdoc = url;
+ frame.onload = function() { resolve(frame); };
+ document.body.appendChild(frame);
+ });
+}
+
+promise_test(async (t) => {
+ const frame = await with_iframe('<'+ 'script>' +
+ 'onload = () => {' +
+ ' const blob = new Blob(["<" + "script>parent.postMessage(self.isSecureContext)</" + "script>"], { type : "text/html" });' +
+ ' const frame = document.createElement("iframe");' +
+ ' frame.src = URL.createObjectURL(blob);' +
+ ' document.body.appendChild(frame);' +
+ ' onmessage = (e) => parent.postMessage(e.data);' +
+ '}' +
+ '</' + 'script>');
+ const result = await new Promise(resolve => window.onmessage = (e) => resolve(e.data));
+ frame.remove();
+ test(() => {
+ assert_true(result);
+ }, "Check iframe secure context from a blob created in opaque origin but secure context");
+}, "Load opaque origin blobs for iframe");
+</script>
+ </body>
+</html>
diff --git a/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-worker-expected.txt b/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-worker-expected.txt
@@ -0,0 +1,4 @@
+
+PASS Load opaque origin blobs for worker
+PASS Check worker secure context from a blob created in opaque origin but secure context
+
diff --git a/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-worker.html b/LayoutTests/http/wpt/fetch/blob-of-opaque-origin-worker.html
@@ -0,0 +1,36 @@
+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Blobs and opaque origins, worker</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+<script>
+function with_iframe(url) {
+ return new Promise(function(resolve) {
+ var frame = document.createElement('iframe');
+ frame.srcdoc = url;
+ frame.onload = function() { resolve(frame); };
+ document.body.appendChild(frame);
+ });
+}
+
+promise_test(async (t) => {
+ const frame = await with_iframe('<'+ 'script>' +
+ 'onload = () => {' +
+ ' const blob = new Blob(["self.postMessage(self.isSecureContext)"]);' +
+ ' const worker = new Worker(URL.createObjectURL(blob));' +
+ ' worker.onmessage = (e) => parent.postMessage(e.data);' +
+ '}' +
+ '</' + 'script>');
+ const result = await new Promise(resolve => window.onmessage = (e) => resolve(e.data));
+ frame.remove();
+ test(() => {
+ assert_true(result);
+ }, "Check worker secure context from a blob created in opaque origin but secure context");
+}, "Load opaque origin blobs for worker");
+</script>
+ </body>
+</html>
diff --git a/LayoutTests/platform/win/TestExpectations b/LayoutTests/platform/win/TestExpectations
@@ -3707,6 +3707,7 @@ fast/forms/file/entries-api/image-transcode-drag-drop.html [ Failure Timeout ]
 http/tests/multipart/multipart-async-image.html [ Failure ]
 http/tests/security/contentSecurityPolicy/allow-favicon.html [ Failure ]
 http/wpt/entries-api/interfaces.html [ Failure ]
+http/wpt/fetch/blob-of-opaque-origin-iframe.html [ Skip ]
 http/wpt/fetch/response-status-text.html [ Failure ]
 js/dom/builtin-getter-name.html [ Failure ]
 fast/forms/file/entries-api/webkitdirectory-open-panel.html [ Skip ]

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2021-03-04 Youenn Fablet <youenn@apple.com>
+
+ Can not read blobs in sandboxed iframes
+ https://bugs.webkit.org/show_bug.cgi?id=170075
+ <rdar://problem/31282427>
+
+ Reviewed by Alex Christensen.
+
+ In case of blob with an opaque origin, get the document that created the blob and use the document for mixed content check.
+ Further refactoring should be done once specs are updated to clarify this.
+ See https://github.com/w3c/webappsec-mixed-content/issues/41 for more information.
+
+ Tests: http/wpt/fetch/blob-of-opaque-origin-iframe.html
+ http/wpt/fetch/blob-of-opaque-origin-worker.html
+
+ * loader/MixedContentChecker.cpp:
+ (WebCore::MixedContentChecker::isMixedContent):
+
 2021-03-04 Kimmo Kinnunen <kkinnunen@apple.com>
 
  Adding new test conditions for WebGL should be simpler

diff --git a/Source/WebCore/loader/MixedContentChecker.cpp b/Source/WebCore/loader/MixedContentChecker.cpp
@@ -37,6 +37,7 @@
 #include "FrameLoaderClient.h"
 #include "SecurityOrigin.h"
 #include "Settings.h"
+#include "ThreadableBlobRegistry.h"
 #include <wtf/text/CString.h>
 #include <wtf/text/WTFString.h>
 
@@ -48,6 +49,22 @@ bool MixedContentChecker::isMixedContent(SecurityOrigin& securityOrigin, const U
  if (securityOrigin.protocol() != "https")
  return false; // We only care about HTTPS security origins.
 
+ if (url.protocolIsBlob()) {
+ // As per https://github.com/w3c/webappsec-mixed-content/issues/41, Blob URL is secure if the document that created it is secure.
+ // This code path is specific to opaque origins.
+ if (auto origin = ThreadableBlobRegistry::getCachedOrigin(url)) {
+ const Document* blobDocument = nullptr;
+ for (const auto* document : Document::allDocuments()) {
+ if (&document->securityOrigin() == origin.get()) {
+ blobDocument = document;
+ break;
+ }
+ }
+ if (blobDocument && blobDocument->isSecureContext())
+ return false;
+ }
+ }
+
  // We're in a secure context, so |url| is mixed content if it's insecure.
  return !SecurityOrigin::isSecure(url);
 }