[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

abarth at webkit.org abarth at webkit.org
Wed Dec 22 17:46:29 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit d84288db71fb4092e3a92a48d25d1627471fae59
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Nov 30 04:48:40 2010 +0000

    2010-11-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            Introduce the notion of a "display-isolated" URL scheme for use by Chrome-internal URLs
            https://bugs.webkit.org/show_bug.cgi?id=50182
    
            A display-isolated URL can only be displayed (e.g., put in an iframe,
            hyperlinked to) by documents from that scheme.  In a sense, this is a
            generalization of some of the protections we give file URLs, but
            instead of lumping them all together into one "local" bucket, this
            patch creates a separate bucket for each scheme.
    
            For a while, I tried using a separate bucket for each origin.  That
            would have played nicely with what Blob URLs are trying to do, but some
            "chrome" URL pages rely on being able to display other chrome URL
            pages, even in different origins.  For example, the New Tab Page shows
            thumbnails from the "thumbnail" host.
    
            This patch also removes a bunch of unused code.  I've also propagated
            the "deprecated" status of deprecatedCanDisplay to
            deprecatedShouldTreatURLAsLocal because that method has no other
            callers and is really asking for uppercase/lowercase bugs.  I dream of
            someday removing these functions.
    
            * page/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::canDisplay):
            (WebCore::SecurityOrigin::deprecatedCanDisplay):
            * platform/SchemeRegistry.cpp:
            (WebCore::displayIsolatedURLSchemes):
            (WebCore::SchemeRegistry::registerURLSchemeAsLocal):
            (WebCore::SchemeRegistry::deprecatedShouldTreatURLAsLocal):
            (WebCore::SchemeRegistry::shouldTreatURLSchemeAsLocal):
            (WebCore::SchemeRegistry::registerURLSchemeAsDisplayIsolated):
            (WebCore::SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated):
            * platform/SchemeRegistry.h:
    2010-11-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            Introduce the notion of a "display-isolated" URL scheme for use by Chrome-internal URLs
            https://bugs.webkit.org/show_bug.cgi?id=50182
    
            This patch adds a Chromium API for registering schemes as
            display-isolated.  In a subsequent patch, I'll change the "chrome"
            scheme in Chrome to be display isolated instead of local.  That will
            prevent file URLs from linking to chrome URLs.
    
            * public/WebSecurityPolicy.h:
            * src/WebSecurityPolicy.cpp:
            (WebKit::WebSecurityPolicy::registerURLSchemeAsDisplayIsolated):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72876 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 258fe08..4b73d1a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,40 @@
+2010-11-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Introduce the notion of a "display-isolated" URL scheme for use by Chrome-internal URLs
+        https://bugs.webkit.org/show_bug.cgi?id=50182
+
+        A display-isolated URL can only be displayed (e.g., put in an iframe,
+        hyperlinked to) by documents from that scheme.  In a sense, this is a
+        generalization of some of the protections we give file URLs, but
+        instead of lumping them all together into one "local" bucket, this
+        patch creates a separate bucket for each scheme.
+
+        For a while, I tried using a separate bucket for each origin.  That
+        would have played nicely with what Blob URLs are trying to do, but some
+        "chrome" URL pages rely on being able to display other chrome URL
+        pages, even in different origins.  For example, the New Tab Page shows
+        thumbnails from the "thumbnail" host.
+
+        This patch also removes a bunch of unused code.  I've also propagated
+        the "deprecated" status of deprecatedCanDisplay to
+        deprecatedShouldTreatURLAsLocal because that method has no other
+        callers and is really asking for uppercase/lowercase bugs.  I dream of
+        someday removing these functions.
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::canDisplay):
+        (WebCore::SecurityOrigin::deprecatedCanDisplay):
+        * platform/SchemeRegistry.cpp:
+        (WebCore::displayIsolatedURLSchemes):
+        (WebCore::SchemeRegistry::registerURLSchemeAsLocal):
+        (WebCore::SchemeRegistry::deprecatedShouldTreatURLAsLocal):
+        (WebCore::SchemeRegistry::shouldTreatURLSchemeAsLocal):
+        (WebCore::SchemeRegistry::registerURLSchemeAsDisplayIsolated):
+        (WebCore::SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated):
+        * platform/SchemeRegistry.h:
+
 2010-11-29  Sergio Villar Senin  <svillar at igalia.com>
 
         Reviewed by Martin Robinson.
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index 82af42a..3b8d148 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -298,22 +298,26 @@ bool SecurityOrigin::isAccessWhiteListed(const SecurityOrigin* targetOrigin) con
     }
     return false;
 }
-  
+
 bool SecurityOrigin::canDisplay(const KURL& url) const
 {
+    RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
+    if (isAccessWhiteListed(targetOrigin.get()))
+        return true;
+
+    if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(targetOrigin->protocol()))
+        return targetOrigin->protocol() == m_protocol;
+
 #if ENABLE(BLOB)
-    if (url.protocolIs(BlobURL::blobProtocol()))
+    // FIXME: We should generalize this check.
+    if (targetOrigin->protocol() == BlobURL::blobProtocol())
         return canRequest(url);
 #endif
 
     if (!restrictAccessToLocal())
         return true;
 
-    if (!SchemeRegistry::shouldTreatURLAsLocal(url.string()))
-        return true;
-
-    RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
-    if (isAccessWhiteListed(targetOrigin.get()))
+    if (!SchemeRegistry::shouldTreatURLSchemeAsLocal(targetOrigin->protocol()))
         return true;
 
     return canLoadLocalResources();
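Review bot: moving the `isAccessWhiteListed(targetOrigin.get())` test to the top of `canDisplay` widens its effect. Before this hunk it was reached only after `restrictAccessToLocal()` and `shouldTreatURLAsLocal()` had both fired, so a whitelist entry could only relax the local-scheme rule; now it short-circuits the new `shouldTreatURLSchemeAsDisplayIsolated` comparison and the blob check as well, so an origin-access whitelist entry naming a display-isolated scheme defeats the isolation this patch introduces. If that is intended, say so in a comment; otherwise evaluate the display-isolated branch before the whitelist. Two smaller points: `SecurityOrigin::create(url)` now runs on every call rather than only on the local path, and the blob test changed from `url.protocolIs(BlobURL::blobProtocol())` to `targetOrigin->protocol() == BlobURL::blobProtocol()`, which relies on `protocol()` being canonicalized to lowercase; a one-line comment would make both intentional.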
@@ -324,10 +328,12 @@ bool SecurityOrigin::deprecatedCanDisplay(const String& referrer, const KURL& ur
     if (!restrictAccessToLocal())
         return true;
 
-    if (!SchemeRegistry::shouldTreatURLAsLocal(url.string()))
+    // FIXME: I suspect these checks are incorrect because referrer and url
+    //        have not necessarily been canonicalized.
+    if (!SchemeRegistry::deprecatedShouldTreatURLAsLocal(url.string()))
         return true;
 
-    return SchemeRegistry::shouldTreatURLAsLocal(referrer);
+    return SchemeRegistry::deprecatedShouldTreatURLAsLocal(referrer);
 }
 
 void SecurityOrigin::grantLoadLocalResources()
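Review bot: `deprecatedCanDisplay` gets no display-isolated check, so any caller still on this path lets a referrer of one scheme display a URL of a display-isolated scheme; either add the `shouldTreatURLSchemeAsDisplayIsolated` comparison here too or extend the FIXME to state that the deprecated path is excluded from the new protection. The canonicalization FIXME is well placed: `deprecatedShouldTreatURLAsLocal` looks up `url.left(loc)` in the set as-is, so a mixed-case scheme in `referrer` or `url` misses the local-schemes set.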
diff --git a/WebCore/platform/SchemeRegistry.cpp b/WebCore/platform/SchemeRegistry.cpp
index 58df51a..617acd3 100644
--- a/WebCore/platform/SchemeRegistry.cpp
+++ b/WebCore/platform/SchemeRegistry.cpp
@@ -45,6 +45,12 @@ static URLSchemesMap& localURLSchemes()
     return localSchemes;
 }
 
+static URLSchemesMap& displayIsolatedURLSchemes()
+{
+    DEFINE_STATIC_LOCAL(URLSchemesMap, displayIsolatedSchemes, ());
+    return displayIsolatedSchemes;
+}
+
 static URLSchemesMap& secureSchemes()
 {
     DEFINE_STATIC_LOCAL(URLSchemesMap, secureSchemes, ());
@@ -82,7 +88,7 @@ static URLSchemesMap& emptyDocumentSchemes()
 
 void SchemeRegistry::registerURLSchemeAsLocal(const String& scheme)
 {
-    WebCore::localURLSchemes().add(scheme);
+    localURLSchemes().add(scheme);
 }
 
 void SchemeRegistry::removeURLSchemeRegisteredAsLocal(const String& scheme)
@@ -93,15 +99,15 @@ void SchemeRegistry::removeURLSchemeRegisteredAsLocal(const String& scheme)
     if (scheme == "applewebdata")
         return;
 #endif
-    WebCore::localURLSchemes().remove(scheme);
+    localURLSchemes().remove(scheme);
 }
 
-const URLSchemesMap& SchemeRegistry::localURLSchemes()
+const URLSchemesMap& SchemeRegistry::localSchemes()
 {
-    return WebCore::localURLSchemes();
+    return localURLSchemes();
 }
 
-bool SchemeRegistry::shouldTreatURLAsLocal(const String& url)
+bool SchemeRegistry::deprecatedShouldTreatURLAsLocal(const String& url)
 {
     // This avoids an allocation of another String and the HashSet contains()
     // call for the file: and http: schemes.
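Review bot: renaming the public `SchemeRegistry::localURLSchemes()` to `localSchemes()` removes the clash with the file-static `localURLSchemes()` (which is why the `WebCore::` qualifiers can go), but it is a public API change and this patch updates only the Qt caller in `qwebsecurityorigin.cpp`; please confirm no other port still calls the old name. The rename of `shouldTreatURLAsLocal` to `deprecatedShouldTreatURLAsLocal` leaves the body unchanged, including the case-sensitive `url.left(loc)` lookup; a short comment above the definition saying why it is deprecated (un-canonicalized input) would help the next reader more than the name alone.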
@@ -118,7 +124,7 @@ bool SchemeRegistry::shouldTreatURLAsLocal(const String& url)
         return false;
 
     String scheme = url.left(loc);
-    return WebCore::localURLSchemes().contains(scheme);
+    return localURLSchemes().contains(scheme);
 }
 
 bool SchemeRegistry::shouldTreatURLSchemeAsLocal(const String& scheme)
@@ -136,7 +142,7 @@ bool SchemeRegistry::shouldTreatURLSchemeAsLocal(const String& scheme)
     if (scheme.isEmpty())
         return false;
 
-    return WebCore::localURLSchemes().contains(scheme);
+    return localURLSchemes().contains(scheme);
 }
 
 void SchemeRegistry::registerURLSchemeAsNoAccess(const String& scheme)
@@ -149,6 +155,16 @@ bool SchemeRegistry::shouldTreatURLSchemeAsNoAccess(const String& scheme)
     return schemesWithUniqueOrigins().contains(scheme);
 }
 
+void SchemeRegistry::registerURLSchemeAsDisplayIsolated(const String& scheme)
+{
+    displayIsolatedURLSchemes().add(scheme);
+}
+
+bool SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(const String& scheme)
+{
+    return displayIsolatedURLSchemes().contains(scheme);
+}
+
 void SchemeRegistry::registerURLSchemeAsSecure(const String& scheme)
 {
     secureSchemes().add(scheme);
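Review bot: `shouldTreatURLSchemeAsDisplayIsolated` is a bare `contains()` with no `isEmpty()` guard, unlike `shouldTreatURLSchemeAsLocal` just above, which returns false for an empty scheme; mirror that guard for consistency. The lookup is also case-sensitive: `SecurityOrigin::canDisplay` passes the canonicalized `targetOrigin->protocol()`, so queries arrive lowercase, but `registerURLSchemeAsDisplayIsolated` stores the scheme exactly as given (the same is true of `registerURLSchemeAsLocal`), so an embedder registering "Chrome" would silently never match. Either lowercase at registration or document the requirement in the header. There is also no `removeURLSchemeRegisteredAsDisplayIsolated` counterpart to `removeURLSchemeRegisteredAsLocal`; fine if not needed, but worth stating.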
diff --git a/WebCore/platform/SchemeRegistry.h b/WebCore/platform/SchemeRegistry.h
index 56e3b33..9d79b3f 100644
--- a/WebCore/platform/SchemeRegistry.h
+++ b/WebCore/platform/SchemeRegistry.h
@@ -38,10 +38,10 @@ class SchemeRegistry {
 public:
     static void registerURLSchemeAsLocal(const String&);
     static void removeURLSchemeRegisteredAsLocal(const String&);
-    static const URLSchemesMap& localURLSchemes();
+    static const URLSchemesMap& localSchemes();
 
-    static bool shouldTreatURLAsLocal(const String&);
     static bool shouldTreatURLSchemeAsLocal(const String&);
+    static bool deprecatedShouldTreatURLAsLocal(const String&);
 
     // Secure schemes do not trigger mixed content warnings. For example,
     // https and data are secure schemes because they cannot be corrupted by
@@ -51,7 +51,12 @@ public:
 
     static void registerURLSchemeAsNoAccess(const String&);
     static bool shouldTreatURLSchemeAsNoAccess(const String&);
-    
+
+    // Display-isolated schemes can only be displayed (in the sense of
+    // SecurityOrigin::canDisplay) by documents from the same scheme.
+    static void registerURLSchemeAsDisplayIsolated(const String&);
+    static bool shouldTreatURLSchemeAsDisplayIsolated(const String&);
+
     static void registerURLSchemeAsEmptyDocument(const String&);
     static bool shouldLoadURLSchemeAsEmptyDocument(const String&);
 };
diff --git a/WebKit/chromium/ChangeLog b/WebKit/chromium/ChangeLog
index 3f9efc9..a7c5bce 100644
--- a/WebKit/chromium/ChangeLog
+++ b/WebKit/chromium/ChangeLog
@@ -1,3 +1,19 @@
+2010-11-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Introduce the notion of a "display-isolated" URL scheme for use by Chrome-internal URLs
+        https://bugs.webkit.org/show_bug.cgi?id=50182
+
+        This patch adds a Chromium API for registering schemes as
+        display-isolated.  In a subsequent patch, I'll change the "chrome"
+        scheme in Chrome to be display isolated instead of local.  That will
+        prevent file URLs from linking to chrome URLs.
+
+        * public/WebSecurityPolicy.h:
+        * src/WebSecurityPolicy.cpp:
+        (WebKit::WebSecurityPolicy::registerURLSchemeAsDisplayIsolated):
+
 2010-11-29  Kent Tamura  <tkent at chromium.org>
 
         Reviewed by Darin Fisher.
diff --git a/WebKit/chromium/public/WebSecurityPolicy.h b/WebKit/chromium/public/WebSecurityPolicy.h
index f15dd75..9cf293d 100644
--- a/WebKit/chromium/public/WebSecurityPolicy.h
+++ b/WebKit/chromium/public/WebSecurityPolicy.h
@@ -41,15 +41,21 @@ class WebURL;
 class WebSecurityPolicy {
 public:
     // Registers a URL scheme to be treated as a local scheme (i.e., with the
-    // same security rules as those applied to "file" URLs).  This means that
+    // same security rules as those applied to "file" URLs). This means that
     // normal pages cannot link to or access URLs of this scheme.
     WEBKIT_API static void registerURLSchemeAsLocal(const WebString&);
 
-    // Registers a URL scheme to be treated as a noAccess scheme.  This means
+    // Registers a URL scheme to be treated as a noAccess scheme. This means
     // that pages loaded with this URL scheme cannot access pages loaded with
     // any other URL scheme.
     WEBKIT_API static void registerURLSchemeAsNoAccess(const WebString&);
 
+    // Registers a URL scheme to be treated as display-isolated. This means
+    // that pages cannot display these URLs unless they are from the same
+    // scheme. For example, pages in other origin cannot create iframes or
+    // hyperlinks to URLs with the scheme.
+    WEBKIT_API static void registerURLSchemeAsDisplayIsolated(const WebString&);
+
     // Registers a URL scheme to not generate mixed content warnings when
     // included by an HTTPS page.
     WEBKIT_API static void registerURLSchemeAsSecure(const WebString&);
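Review bot: the new comment on `registerURLSchemeAsDisplayIsolated` reads "pages in other origin cannot create iframes or hyperlinks", which is ungrammatical and slightly misleading: the check in `SecurityOrigin::canDisplay` is per scheme, not per origin, so a page from a different origin but the same scheme can still display the URL (the ChangeLog's New Tab Page and thumbnail-host case depends on exactly that). Suggest: "pages whose scheme differs cannot create iframes or hyperlinks to URLs with this scheme." The WebCore-side comment in SchemeRegistry.h already says "in the sense of SecurityOrigin::canDisplay"; referencing the same definition here keeps the two in sync.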
@@ -62,7 +68,7 @@ public:
         const WebURL& sourceOrigin, const WebString& destinationProtocol,
         const WebString& destinationHost, bool allowDestinationSubdomains);
     WEBKIT_API static void resetOriginAccessWhitelists();
-    
+
     // Returns whether the url should be allowed to see the referrer
     // based on their respective protocols.
     WEBKIT_API static bool shouldHideReferrer(const WebURL& url, const WebString& referrer);
diff --git a/WebKit/chromium/src/WebSecurityPolicy.cpp b/WebKit/chromium/src/WebSecurityPolicy.cpp
index 58d0893..8e4e702 100644
--- a/WebKit/chromium/src/WebSecurityPolicy.cpp
+++ b/WebKit/chromium/src/WebSecurityPolicy.cpp
@@ -52,6 +52,11 @@ void WebSecurityPolicy::registerURLSchemeAsNoAccess(const WebString& scheme)
     SchemeRegistry::registerURLSchemeAsNoAccess(scheme);
 }
 
+void WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(const WebString& scheme)
+{
+    SchemeRegistry::registerURLSchemeAsDisplayIsolated(scheme);
+}
+
 void WebSecurityPolicy::registerURLSchemeAsSecure(const WebString& scheme)
 {
     SchemeRegistry::registerURLSchemeAsSecure(scheme);
diff --git a/WebKit/qt/Api/qwebsecurityorigin.cpp b/WebKit/qt/Api/qwebsecurityorigin.cpp
index e8c8f33..e4ed5d9 100644
--- a/WebKit/qt/Api/qwebsecurityorigin.cpp
+++ b/WebKit/qt/Api/qwebsecurityorigin.cpp
@@ -252,7 +252,7 @@ void QWebSecurityOrigin::removeLocalScheme(const QString& scheme)
 QStringList QWebSecurityOrigin::localSchemes()
 {
     QStringList list;
-    const URLSchemesMap& map = SchemeRegistry::localURLSchemes();
+    const URLSchemesMap& map = SchemeRegistry::localSchemes();
     URLSchemesMap::const_iterator end = map.end();
     for (URLSchemesMap::const_iterator i = map.begin(); i != end; ++i) {
         const QString scheme = *i;

-- 
WebKit Debian packaging