Enforce no remote access from local URLs for XHR

Add a specific setting to disable remote access for local URLs and also enforce that on data-URLs loaded owned by local URLs. Change-Id: Ied8ec141eb1c28775644fce184a4759a79e1d177 Task-number: QTBUG-45556 Reviewed-by: Dmitry Shachnev <mitya57@gmail.com> Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
author: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2015-04-17 17:16:23 +0200
committer: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2015-04-28 19:29:19 +0000
commit: 9cbcd93cfe0ba6f7531574f7784e8978bd723110 (patch)
tree: 2f7c926e7f334669b7885ecd219a197bd181de0c /Source/WebCore/page
parent: 8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (diff)
download: qtwebkit-9cbcd93cfe0ba6f7531574f7784e8978bd723110.tar.gz
4 files changed, 17 insertions, 1 deletions
diff --git a/Source/WebCore/page/EventSource.cpp b/Source/WebCore/page/EventSource.cpp
index 77a8e6f33..d3e6bbc6b 100644
--- a/Source/WebCore/page/EventSource.cpp
+++ b/Source/WebCore/page/EventSource.cpp
@@ -132,7 +132,7 @@ void EventSource::connect()
     options.sniffContent = DoNotSniffContent;
     options.allowCredentials = (origin->canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
     options.preflightPolicy = PreventPreflight;
-    options.crossOriginRequestPolicy = UseAccessControl;
+    options.crossOriginRequestPolicy = origin->allowsCrossOriginRequests() ? UseAccessControl : DenyCrossOriginRequests;
     options.dataBufferingPolicy = DoNotBufferData;
     options.securityOrigin = origin;
 
diff --git a/Source/WebCore/page/SecurityOrigin.cpp b/Source/WebCore/page/SecurityOrigin.cpp
index cebc89684..ae2822aaa 100644
--- a/Source/WebCore/page/SecurityOrigin.cpp
+++ b/Source/WebCore/page/SecurityOrigin.cpp
@@ -127,6 +127,7 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
     , m_storageBlockingPolicy(AllowAllStorage)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
+    , m_deniedCORS(false)
 {
     // document.domain starts as m_host, but can be set by the DOM.
     m_domain = m_host;
@@ -153,6 +154,7 @@ SecurityOrigin::SecurityOrigin()
     , m_storageBlockingPolicy(AllowAllStorage)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
+    , m_deniedCORS(false)
 {
 }
 
@@ -169,6 +171,7 @@ SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
     , m_storageBlockingPolicy(other->m_storageBlockingPolicy)
     , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
     , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
+    , m_deniedCORS(other->m_deniedCORS)
 {
 }
 
@@ -442,6 +445,11 @@ void SecurityOrigin::grantUniversalAccess()
     m_universalAccess = true;
 }
 
+void SecurityOrigin::denyCrossOriginRequests()
+{
+    m_deniedCORS = true;
+}
+
 #if ENABLE(CACHE_PARTITIONING)
 String SecurityOrigin::cachePartition() const
 {
diff --git a/Source/WebCore/page/SecurityOrigin.h b/Source/WebCore/page/SecurityOrigin.h
index 8572f4ce4..980fcfffb 100644
--- a/Source/WebCore/page/SecurityOrigin.h
+++ b/Source/WebCore/page/SecurityOrigin.h
@@ -139,6 +139,11 @@ public:
     // WARNING: This is an extremely powerful ability. Use with caution!
     void grantUniversalAccess();
 
+    // Explicitly deny the ability to issue cross origin requests.
+    //
+    void denyCrossOriginRequests();
+    bool allowsCrossOriginRequests() const { return !m_deniedCORS; }
+
     void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; }
 
 #if ENABLE(CACHE_PARTITIONING)
@@ -173,6 +178,7 @@ public:
     // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
     // still can have other privileges that can be remembered, thereby not making them unique.
     void enforceFilePathSeparation();
+    bool enforcesFilePathSeparation() const { return m_enforceFilePathSeparation; }
 
     // Convert this SecurityOrigin into a string. The string
     // representation of a SecurityOrigin is similar to a URL, except it
@@ -231,6 +237,7 @@ private:
     StorageBlockingPolicy m_storageBlockingPolicy;
     bool m_enforceFilePathSeparation;
     bool m_needsDatabaseIdentifierQuirkForFiles;
+    bool m_deniedCORS;
 };
 
 } // namespace WebCore
diff --git a/Source/WebCore/page/Settings.in b/Source/WebCore/page/Settings.in
index dd51d6850..c66ab0be6 100644
--- a/Source/WebCore/page/Settings.in
+++ b/Source/WebCore/page/Settings.in
@@ -49,6 +49,7 @@ caretBrowsingEnabled initial=false
 localStorageEnabled initial=false
 allowUniversalAccessFromFileURLs initial=true
 allowFileAccessFromFileURLs initial=true
+allowRemoteAccessFromFileURLs initial=true
 javaScriptCanOpenWindowsAutomatically initial=false
 supportsMultipleWindows initial=true
 javaScriptCanAccessClipboard initial=false
author	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2015-04-17 17:16:23 +0200
committer	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2015-04-28 19:29:19 +0000
commit	9cbcd93cfe0ba6f7531574f7784e8978bd723110 (patch)
tree	2f7c926e7f334669b7885ecd219a197bd181de0c /Source/WebCore/page
parent	8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (diff)
download	qtwebkit-9cbcd93cfe0ba6f7531574f7784e8978bd723110.tar.gz