Commit f0330aae authored by commit-queue@webkit.org's avatar commit-queue@webkit.org

[EFL] Add setting API to enable/disable XSSAuditor

https://bugs.webkit.org/show_bug.cgi?id=83281

Source/WebKit/efl:

Add setting API to enable or disable WebKit's XSSAuditor to protect
from reflective cross-site scripting attacks. Also, emit the signal
'xss,detected' and provide additional information received from
XSSAuditor when reflected XSS is encountered in the page.

Patch by Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com> on 2012-04-17
Reviewed by Antonio Gomes.

* WebCoreSupport/FrameLoaderClientEfl.cpp:
(WebCore::FrameLoaderClientEfl::didDetectXSS):
* ewk/ewk_frame.cpp:
(ewk_frame_xss_detected):
* ewk/ewk_frame.h:
* ewk/ewk_private.h:
* ewk/ewk_view.cpp:
(_Ewk_View_Private_Data):
(_ewk_view_priv_new):
(ewk_view_setting_enable_xss_auditor_get):
(ewk_view_setting_enable_xss_auditor_set):
* ewk/ewk_view.h:

Tools:

Add missing implementation setXSSAuditorEnabled to EFL's LayoutTestController
in order to unskip tests in http/tests/security/xssAuditor. Also, catch the signal
'xss,detected' in DRT to enable a test, which is expecting a line containing
'didDetectXSS' in the output when reflected XSS is encountered in the page.

Patch by Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com> on 2012-04-17
Reviewed by Antonio Gomes.

* DumpRenderTree/efl/DumpRenderTreeChrome.cpp:
(DumpRenderTreeChrome::createView):
(DumpRenderTreeChrome::onFrameCreated):
(DumpRenderTreeChrome::onDidDetectXSS):
* DumpRenderTree/efl/DumpRenderTreeChrome.h:
(DumpRenderTreeChrome):
* DumpRenderTree/efl/LayoutTestControllerEfl.cpp:
(LayoutTestController::setXSSAuditorEnabled):

LayoutTests:

Unskip tests in http/tests/security/xssAuditor

Patch by Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com> on 2012-04-17
Reviewed by Antonio Gomes.

* platform/efl/Skipped:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@114419 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1f22d13d
2012-04-17 Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com>
[EFL] Add setting API to enable/disable XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=83281
Unskip tests in http/tests/security/xssAuditor
Reviewed by Antonio Gomes.
* platform/efl/Skipped:
2012-04-17 Chris Fleizach <cfleizach@apple.com>
 
Crash in invalid index for _textMarkerForIndex
......@@ -403,9 +403,6 @@ plugins/netscape-plugin-setwindow-size-2.html
# EFL's LayoutTestController does not implement setJavaScriptCanAccessClipboard
editing/execCommand/clipboard-access.html
# EFL's LayoutTestController does not implement setXSSAuditorEnabled
http/tests/security/xssAuditor
# EFL's LayoutTestController does not implement setAllowUniversalAccessFromFileURLs
# EFL's LayoutTestController does not implement setAllowAccessFromFileURLs
fast/files/workers/inline-worker-via-blob-url.html
......
2012-04-17 Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com>
[EFL] Add setting API to enable/disable XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=83281
Add setting API to enable or disable WebKit's XSSAuditor to protect
from reflective cross-site scripting attacks. Also, emit the signal
'xss,detected' and provide addition information received from
XSSAuditor when reflected XSS is encountered in the page.
Reviewed by Antonio Gomes.
* WebCoreSupport/FrameLoaderClientEfl.cpp:
(WebCore::FrameLoaderClientEfl::didDetectXSS):
* ewk/ewk_frame.cpp:
(ewk_frame_xss_detected):
* ewk/ewk_frame.h:
* ewk/ewk_private.h:
* ewk/ewk_view.cpp:
(_Ewk_View_Private_Data):
(_ewk_view_priv_new):
(ewk_view_setting_enable_xss_auditor_get):
(ewk_view_setting_enable_xss_auditor_set):
* ewk/ewk_view.h:
2012-04-17 Christophe Dumez <christophe.dumez@intel.com>
[EFL] DRT should support LayoutTestController's dumpFrameLoadCallbacks()
......
......@@ -505,9 +505,12 @@ void FrameLoaderClientEfl::didRunInsecureContent(SecurityOrigin*, const KURL&)
ewk_frame_mixed_content_run_set(m_frame, true);
}
void FrameLoaderClientEfl::didDetectXSS(const KURL&, bool)
void FrameLoaderClientEfl::didDetectXSS(const KURL& insecureURL, bool didBlockEntirePage)
{
notImplemented();
CString cs = insecureURL.string().utf8();
Ewk_Frame_Xss_Notification xssInfo = { cs.data(), didBlockEntirePage };
ewk_frame_xss_detected(m_frame, &xssInfo);
}
void FrameLoaderClientEfl::makeRepresentation(DocumentLoader*)
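Review bot: `didDetectXSS` hands listeners a pointer to the stack-allocated `xssInfo`, whose `insecure_url` points into the local `cs`, and nothing at the call site records that constraint. This is safe only while the "xss,detected" signal is delivered before the function returns. A comment above the call, for example `// xssInfo and cs are locals: listeners must copy insecure_url before the callback returns.`, would keep a later move to deferred delivery from turning this into a dangling pointer.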
......
......@@ -1775,6 +1775,20 @@ void ewk_frame_mixed_content_run_set(Evas_Object* ewkFrame, bool hasRun)
}
}
/**
* @internal
* Reports that reflected XSS is encountered in the page and suppressed.
*
* @param xssInfo Information received from the XSSAuditor when XSS is
* encountered in the page.
*
* Emits signal: "xss,detected" with pointer to Ewk_Frame_Xss_Notification.
*/
void ewk_frame_xss_detected(Evas_Object* ewkFrame, const Ewk_Frame_Xss_Notification* xssInfo)
{
evas_object_smart_callback_call(ewkFrame, "xss,detected", (void*)xssInfo);
}
namespace EWKPrivate {
WebCore::Frame* coreFrame(const Evas_Object* ewkFrame)
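Review bot: The `(void*)xssInfo` cast in `ewk_frame_xss_detected` silently drops the `const` from the parameter, so every listener receives a writable pointer to a structure the caller declared read-only. A named cast makes that visible and greppable: `evas_object_smart_callback_call(ewkFrame, "xss,detected", const_cast<Ewk_Frame_Xss_Notification*>(xssInfo));`. The function comment could also say that listeners must treat the structure as read-only.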
......
......@@ -63,6 +63,7 @@
* - "state,save", void: frame's state will be saved as a history item.
* - "title,changed", const char*: title of the main frame was changed.
* - "uri,changed", const char*: uri of the main frame was changed.
* - "xss,detected", Ewk_Frame_Xss_Notification*: reflected XSS is encountered in the page and suppressed.
*/
#ifndef ewk_frame_h
......@@ -111,6 +112,21 @@ struct _Ewk_Frame_Resource_Request {
Eina_Bool is_main_frame_request; /** < indicates if the request is for the main frame */
};
/// Creates a type name for Ewk_Frame_Xss_Notification.
typedef struct _Ewk_Frame_Xss_Notification Ewk_Frame_Xss_Notification;
/**
* @brief Structure used to report reflected XSS is encountered in the page.
*
* This structure contains information received from the XSSAuditor when reflected XSS
* is encountered in the page. The string is temporary reference and should @b not
* be used after the signal callback returns. If it's required, make a copy of it.
*/
struct _Ewk_Frame_Xss_Notification {
const char *insecure_url; /**< insecure url of the document */
Eina_Bool is_entire_page_blocked; /** < indicates if the entire page was blocked by XSSAuditor */
};
/// Enum containing hit test data types
typedef enum {
EWK_HIT_TEST_RESULT_CONTEXT_DOCUMENT = 1 << 1,
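Review bot: The field comment on `insecure_url` in `_Ewk_Frame_Xss_Notification` does not tell embedders that the value is untrusted. The auditor fires on reflected XSS, so this URL is presumably the one that carried the reflected script and is attacker-influenced. I would extend the comment to `/**< URL of the document in which XSS was detected; attacker-influenced, escape before logging or displaying */`. Separately, the `/** <` on `is_entire_page_blocked` has a stray space, so Doxygen will likely not attach it as a member comment.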
......
......@@ -252,6 +252,7 @@ void ewk_frame_mixed_content_displayed_set(Evas_Object* ewkFrame, bool hasDispla
void ewk_frame_mixed_content_run_set(Evas_Object* ewkFrame, bool hasRun);
void ewk_view_mixed_content_displayed_set(Evas_Object* ewkView, bool hasDisplayed);
void ewk_view_mixed_content_run_set(Evas_Object* ewkView, bool hasRun);
void ewk_frame_xss_detected(Evas_Object* ewkFrame, const Ewk_Frame_Xss_Notification* xssInfo);
#if USE(ACCELERATED_COMPOSITING)
bool ewk_view_accelerated_compositing_object_create(Evas_Object* ewkView, Evas_Native_Surface* nativeSurface, const WebCore::IntRect& rect);
......
......@@ -218,6 +218,7 @@ struct _Ewk_View_Private_Data {
bool localStorage : 1;
bool offlineAppCache : 1;
bool pageCache : 1;
bool enableXSSAuditor : 1;
struct {
float minScale;
float maxScale;
......@@ -676,6 +677,7 @@ static Ewk_View_Private_Data* _ewk_view_priv_new(Ewk_View_Smart_Data* smartData)
priv->pageSettings->setUsesPageCache(true);
priv->pageSettings->setUsesEncodingDetector(false);
priv->pageSettings->setWebGLEnabled(true);
priv->pageSettings->setXSSAuditorEnabled(true);
url = priv->pageSettings->userStyleSheetLocation();
priv->settings.userStylesheet = eina_stringshare_add(url.string().utf8().data());
......@@ -712,6 +714,7 @@ static Ewk_View_Private_Data* _ewk_view_priv_new(Ewk_View_Smart_Data* smartData)
priv->settings.enableScripts = priv->pageSettings->isScriptEnabled();
priv->settings.enablePlugins = priv->pageSettings->arePluginsEnabled();
priv->settings.enableFrameFlattening = priv->pageSettings->frameFlatteningEnabled();
priv->settings.enableXSSAuditor = priv->pageSettings->xssAuditorEnabled();
priv->settings.scriptsCanOpenWindows = priv->pageSettings->javaScriptCanOpenWindowsAutomatically();
priv->settings.scriptsCanCloseWindows = priv->pageSettings->allowScriptsToCloseWindows();
priv->settings.resizableTextareas = priv->pageSettings->textAreasAreResizable();
......@@ -4047,6 +4050,24 @@ void ewk_view_soup_session_set(Evas_Object* ewkView, SoupSession* session)
priv->soupSession = session;
}
Eina_Bool ewk_view_setting_enable_xss_auditor_get(const Evas_Object* ewkView)
{
EWK_VIEW_SD_GET_OR_RETURN(ewkView, smartData, EINA_FALSE);
EWK_VIEW_PRIV_GET_OR_RETURN(smartData, priv, EINA_FALSE);
return priv->settings.enableXSSAuditor;
}
void ewk_view_setting_enable_xss_auditor_set(Evas_Object* ewkView, Eina_Bool enable)
{
EWK_VIEW_SD_GET(ewkView, smartData);
EWK_VIEW_PRIV_GET(smartData, priv);
enable = !!enable;
if (priv->settings.enableXSSAuditor != enable) {
priv->pageSettings->setXSSAuditorEnabled(enable);
priv->settings.enableXSSAuditor = enable;
}
}
#if USE(ACCELERATED_COMPOSITING)
bool ewk_view_accelerated_compositing_object_create(Evas_Object* ewkView, Evas_Native_Surface* nativeSurface, const WebCore::IntRect& rect)
{
......
......@@ -2413,6 +2413,31 @@ EAPI SoupSession* ewk_view_soup_session_get(const Evas_Object *o);
*/
EAPI void ewk_view_soup_session_set(Evas_Object *o, SoupSession *session);
/**
* Returns whether XSSAuditor feature is enabled.
*
* @param o view object to query whether XSSAuditor feature is enabled.
*
* @return @c EINA_TRUE if the XSSAuditor feature is enabled,
* @c EINA_FALSE if not or on failure.
*/
EAPI Eina_Bool ewk_view_setting_enable_xss_auditor_get(const Evas_Object *o);
/**
* Enables/disables the XSSAuditor feature.
*
* The XSSAuditor (cross-site scripting protection) feature provides protection
* from reflected XSS attacks on vulnerable web sites. When XSS is encountered
* in the page, frame sends a signal "xss,detected" with additional information
* on whether the entire page was blocked or only injected scripts were removed.
* This feature is enabled by default.
*
* @param o view object to set the XSSAuditor feature.
* @param enable @c EINA_TRUE to enable the XSSAuditor feature,
* @c EINA_FALSE to disable.
*/
EAPI void ewk_view_setting_enable_xss_auditor_set(Evas_Object *o, Eina_Bool enable);
#ifdef __cplusplus
}
#endif
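Review bot: The documentation for `ewk_view_setting_enable_xss_auditor_set` reads as if the auditor protects a vulnerable site outright, which an embedder may rely on more than it should. The auditor is a heuristic filter for reflected XSS only; stored and DOM-based XSS are outside its scope, and it can miss reflected cases as well. I would add one sentence to the comment, such as `This is a best-effort filter for reflected XSS only and is not a substitute for output escaping on the site.`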
......
2012-04-17 Sudarsana Nagineni <sudarsana.nagineni@linux.intel.com>
[EFL] Add setting API to enable/disable XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=83281
Add missing implementation setXSSAuditorEnabled to EFL's LayoutTestController
in order to unskip tests in http/tests/security/xssAuditor. Also, catch the signal
'xss,detected' in DRT to enable a test, which is expecting a line containing
'didDetectXSS' in the output when reflected XSS is encountered in the page.
Reviewed by Antonio Gomes.
* DumpRenderTree/efl/DumpRenderTreeChrome.cpp:
(DumpRenderTreeChrome::createView):
(DumpRenderTreeChrome::onFrameCreated):
(DumpRenderTreeChrome::onDidDetectXSS):
* DumpRenderTree/efl/DumpRenderTreeChrome.h:
(DumpRenderTreeChrome):
* DumpRenderTree/efl/LayoutTestControllerEfl.cpp:
(LayoutTestController::setXSSAuditorEnabled):
2012-04-17 Nandor Huszka <hnandor@inf.u-szeged.hu>
 
[Qt] JSC build should handle --no-webkit2 option to avoid unwanted clean-builds
......@@ -105,6 +105,7 @@ Evas_Object* DumpRenderTreeChrome::createView() const
evas_object_smart_callback_add(mainFrame, "load,committed", onFrameLoadCommitted, 0);
evas_object_smart_callback_add(mainFrame, "load,finished", onFrameLoadFinished, 0);
evas_object_smart_callback_add(mainFrame, "load,error", onFrameLoadError, 0);
evas_object_smart_callback_add(mainFrame, "xss,detected", onDidDetectXSS, 0);
return view;
}
......@@ -345,6 +346,7 @@ void DumpRenderTreeChrome::onFrameCreated(void*, Evas_Object*, void* eventInfo)
evas_object_smart_callback_add(frame, "load,committed", onFrameLoadCommitted, 0);
evas_object_smart_callback_add(frame, "load,finished", onFrameLoadFinished, 0);
evas_object_smart_callback_add(frame, "load,error", onFrameLoadError, 0);
evas_object_smart_callback_add(frame, "xss,detected", onDidDetectXSS, 0);
}
void DumpRenderTreeChrome::onFrameProvisionalLoad(void*, Evas_Object* frame, void*)
......@@ -392,3 +394,9 @@ void DumpRenderTreeChrome::onFrameLoadError(void*, Evas_Object* frame, void*)
if (frame == topLoadingFrame)
topLoadingFrameLoadFinished();
}
void DumpRenderTreeChrome::onDidDetectXSS(void*, Evas_Object* view, void*)
{
if (!done && gLayoutTestController->dumpFrameLoadCallbacks())
printf("didDetectXSS\n");
}
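Review bot: The second parameter of `onDidDetectXSS` is named `view` but is never used, and the callback is registered on frame objects in `createView` and `onFrameCreated`, so the name is misleading as well as unused. Leaving it unnamed matches the declaration added to the header and avoids an unused-parameter warning: `void DumpRenderTreeChrome::onDidDetectXSS(void*, Evas_Object*, void*)`.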
......@@ -93,6 +93,7 @@ private:
static void onFrameLoadFinished(void*, Evas_Object*, void*);
static void onFrameLoadError(void*, Evas_Object*, void*);
static void onDidDetectXSS(void*, Evas_Object*, void*);
};
#endif // DumpRenderTreeChrome_h
......@@ -329,9 +329,9 @@ void LayoutTestController::setJavaScriptCanAccessClipboard(bool)
notImplemented();
}
void LayoutTestController::setXSSAuditorEnabled(bool)
void LayoutTestController::setXSSAuditorEnabled(bool flag)
{
notImplemented();
ewk_view_setting_enable_xss_auditor_set(browser->mainView(), flag);
}
void LayoutTestController::setFrameFlatteningEnabled(bool flag)
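Review bot: `setXSSAuditorEnabled` now changes a setting on the shared main view, but nothing visible in this commit restores it between tests. If the DRT per-test reset does not already cover this setting, a test that calls `setXSSAuditorEnabled(false)` would leave the auditor off for the tests that follow, and the newly unskipped http/tests/security/xssAuditor results would depend on run order. I would add `ewk_view_setting_enable_xss_auditor_set(mainView(), EINA_FALSE);` (or whichever default the test expectations assume) to the place where DumpRenderTreeChrome resets its defaults; that code is outside the hunks shown here.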
......