  • Allow blocking of third-party localStorage and sessionStorage · d9930b31
    jpfau@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=93390
    
    Reviewed by Adam Barth.
    
    Source/WebCore:
    
    Add checks for whether a page is third-party and third-party storage blocking is enabled while accessing storage.
    
    Tests: http/tests/security/cross-origin-local-storage-allowed.html
           http/tests/security/cross-origin-local-storage.html
           http/tests/security/cross-origin-session-storage-allowed.html
           http/tests/security/cross-origin-session-storage.html
           http/tests/security/same-origin-document-domain-storage-allowed.html
    
    * dom/Document.cpp:
    (WebCore::Document::initSecurityContext): Initialize securityOrigin with knowledge of whether we should block third-party storage.
    * page/DOMWindow.cpp: Check if the origin trying to access storage is third-party relative to the top document.
    (WebCore::DOMWindow::sessionStorage):
    (WebCore::DOMWindow::localStorage):
    * page/SecurityOrigin.cpp: Add a call in Security origin to see if another origin counts as a third-party.
    (WebCore::SecurityOrigin::SecurityOrigin):
    (WebCore::SecurityOrigin::canAccessLocalStorage):
    (WebCore):
    (WebCore::SecurityOrigin::isThirdParty):
    * page/SecurityOrigin.h:
    (WebCore::SecurityOrigin::blockThirdPartyStorage):
    (SecurityOrigin):
    * testing/InternalSettings.cpp: Add an internals.settings hook for setting third-party storage blocking enabled.
    (WebCore::InternalSettings::setThirdPartyStorageBlockingEnabled):
    (WebCore):
    * testing/InternalSettings.h:
    (InternalSettings):
    * testing/InternalSettings.idl:
    
    LayoutTests:
    
    Created tests for testing accessing localStorage and selfStorage from a third party and first party when third-party blocking is on and off.
    
    * http/tests/security/cross-origin-local-storage-allowed-expected.txt: Added.
    * http/tests/security/cross-origin-local-storage-allowed.html: Added.
    * http/tests/security/cross-origin-local-storage-expected.txt: Added.
    * http/tests/security/cross-origin-local-storage.html: Added.
    * http/tests/security/cross-origin-session-storage-allowed-expected.txt: Added.
    * http/tests/security/cross-origin-session-storage-allowed.html: Added.
    * http/tests/security/cross-origin-session-storage-expected.txt: Added.
    * http/tests/security/cross-origin-session-storage.html: Added.
    * http/tests/security/same-origin-document-domain-storage-allowed-expected.html: Added.
    * http/tests/security/same-origin-document-domain-storage-allowed.html: Added.
    * http/tests/security/resources/document-domain-iframe-for-local-storage.html: Added.
    * http/tests/security/resources/cross-origin-iframe-for-local-storage.html: Added.
    * http/tests/security/resources/cross-origin-iframe-for-session-storage.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@125335 268f45cc-cd09-0410-ab3c-d52691b4dbfc