Commit c17c9594 authored by abarth@webkit.org

WebCore:

2008-06-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        Fix <https://bugs.webkit.org/show_bug.cgi?id=19649>:
          XSL style sheets allowed across origins

        Block cross-origin loads of XSL style sheets, matching Internet
        Explorer, Firefox, and Opera.  Also, we now block loading of XBL
        across origins, matching Firefox.  The XBL behavior does not appear
        testable because XBL seems to not be enabled.

        Test: http/tests/security/cross-origin-xsl-BLOCKED.html

        * loader/DocLoader.cpp:
        (WebCore::DocLoader::requestResource):

LayoutTests:

2008-06-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=19649

        Test that we block cross-origin loads of XSL style sheets.

        * http/tests/security/cross-origin-xsl-BLOCKED-expected.txt: Added.
        * http/tests/security/cross-origin-xsl-BLOCKED.html: Added.
        * http/tests/security/resources/cross-origin-xsl.xml: Added.
        * http/tests/security/resources/forbidden-stylesheet.xsl: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34719 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 857146f1
2008-06-21 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
https://bugs.webkit.org/show_bug.cgi?id=19649
Test that we block cross-orign loads of XSL style sheets.
* http/tests/security/cross-origin-xsl-BLOCKED-expected.txt: Added.
* http/tests/security/cross-origin-xsl-BLOCKED.html: Added.
* http/tests/security/resources/cross-origin-xsl.xml: Added.
* http/tests/security/resources/forbidden-stylesheet.xsl: Added.
2008-06-21 Dan Bernstein <mitz@apple.com>
Rubber-stamped by Alexey Proskuryakov.
This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below is blank.
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.dumpChildFramesAsText();
layoutTestController.waitUntilDone();
}
function done() {
if (window.layoutTestController)
layoutTestController.notifyDone();
}
</script>
</head>
<body>
<div>This test loads the XML document in an iframe so that it can call
dumpAsText(). This test passes if the iframe below is blank.</div>
<iframe name="uses-xsl" onload="done()"
src="resources/cross-origin-xsl.xml"></iframe>
</body>
</html>
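Review bot: the pass condition stated in the div, a blank iframe, would look the same if forbidden-stylesheet.xsl failed to load for an unrelated reason such as a wrong path or nothing listening on that port, so this test alone cannot tell an origin block from a broken fetch. Add a companion case that loads the same XML with a same-origin stylesheet href and expects the transform to run, so that a regression in either direction shows up in the expected output.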
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="http://localhost:8000/security/resources/forbidden-stylesheet.xsl"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
PASS: Forbidden XML stylesheet did not run.
</body>
</html>
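Review bot: the href on the xml-stylesheet line is hard-coded to http://localhost:8000, which is cross-origin only if the harness serves cross-origin-xsl.xml from a different host name or port; the iframe in the HTML file uses a relative src, so nothing in the test states that assumption. Add a comment in this file naming the origin the document is expected to be served from. The body text "PASS: Forbidden XML stylesheet did not run." also disagrees with the test description, which says the test passes if the iframe is blank; pick one and make the expected output match it.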
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="*">
<html>
<body>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
FAIL: Forbidden XML stylesheet did run.
</body>
</html>
</xsl:template>
</xsl:stylesheet>
2008-06-21 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
Fix <https://bugs.webkit.org/show_bug.cgi?id=19649>:
XSL style sheets allowed across origins
Block cross-orgin loads of XSL style sheets, matching Internet
Explorer, Firefox, and Opera. Also, we now block loading of XBL
across origins, matching Firefox. The XBL behavior does not appear
testable because XBL seems to not be enabled.
Test: http/tests/security/cross-origin-xsl-BLOCKED.html
* loader/DocLoader.cpp:
(WebCore::DocLoader::requestResource):
2008-06-21 Marvin Decker <marv.decker@gmail.com>
Reviewed by Dave Hyatt.
......@@ -37,6 +37,7 @@
#include "Frame.h"
#include "FrameLoader.h"
#include "loader.h"
#include "SecurityOrigin.h"
#define PRELOAD_DEBUG 0
......@@ -138,7 +139,34 @@ CachedXBLDocument* DocLoader::requestXBLDocument(const String& url)
CachedResource* DocLoader::requestResource(CachedResource::Type type, const String& url, const String& charset, bool isPreload)
{
KURL fullURL = m_doc->completeURL(url);
// Some types of resources can be loaded only from the same origin. Other
// types of resources, like Images, Scripts, and CSS, can be loaded from
// any URL.
switch (type) {
case CachedResource::ImageResource:
case CachedResource::CSSStyleSheet:
case CachedResource::Script:
case CachedResource::FontResource:
// These types of resources can be loaded from any origin.
// FIXME: Are we sure about CachedResource::FontResource?
break;
#if ENABLE(XSLT)
case CachedResource::XSLStyleSheet:
#endif
#if ENABLE(XBL)
case CachedResource::XBL:
#endif
#if ENABLE(XSLT) || ENABLE(XBL)
if (!m_doc->securityOrigin()->canRequest(fullURL))
return 0;
break;
#endif
default:
ASSERT_NOT_REACHED();
break;
}
if (cache()->disabled()) {
HashMap<String, CachedResource*>::iterator it = m_docResources.find(fullURL.string());
......
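Review bot: the default: branch of the new switch in DocLoader::requestResource only does ASSERT_NOT_REACHED() followed by break, so in a build where assertions are compiled out, a CachedResource::Type that is not listed here continues to the cache lookup with no origin check, which is fail-open for a security gate. Either return 0 after the assert so unknown types fail closed, or drop default: so the compiler warns when a new enum value has not been classified as same-origin or any-origin. The "FIXME: Are we sure about CachedResource::FontResource?" comment leaves the policy for fonts undecided; reference a tracking bug there so the question is not lost.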