157252 2016-05-01 17:33:19 -0700 CSP: Add workaround for XtraMath 2016-05-02 09:27:05 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Local Build iPhone / iPad Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 dbates dbates aestes bfulgham commit-queue mkwst oldest_to_newest 1189286 0 dbates 2016-05-01 17:33:19 -0700 Similar to the purpose of bug #157005, the app XtraMath depends on * matching an arbitrary protocol. Following bug #154122, we restrict matching of * to protocols HTTP, HTTPS in most circumstances. Add a app-specific workaround for this XtraMath. <rdar://problem/25881955> 1189287 1 277880 dbates 2016-05-01 17:36:11 -0700 Created attachment 277880 Patch 1189289 2 277880 darin 2016-05-01 17:40:18 -0700 Comment on attachment 277880 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=277880&action=review Was about to say review+, but Andy beat me to it. I do have this one comment: > Source/WebKit/mac/WebView/WebView.mm:868 > static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol() We should consider grouping these functions that make decisions about these kinds of quirks and workarounds in a header analogous to the RuntimeApplicationChecks one. This header would never mention specific application but would just list all the different quirks. The implementation file would contain all the expressions used to decide when each quirk applies, and comments about why each implements the right policy. The implementations of the quirks would continue to be distributed throughout the code, but the policy of which quirks apply when would be grouped together. 1189407 3 dbates 2016-05-02 09:14:10 -0700 (In reply to comment #2) > [...] > I do have this one comment: > > > Source/WebKit/mac/WebView/WebView.mm:868 > > static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol() > > We should consider grouping these functions that make decisions about these > kinds of quirks and workarounds in a header analogous to the > RuntimeApplicationChecks one. This header would never mention specific > application but would just list all the different quirks. The implementation > file would contain all the expressions used to decide when each quirk > applies, and comments about why each implements the right policy. > > The implementations of the quirks would continue to be distributed > throughout the code, but the policy of which quirks apply when would be > grouped together. I hope you do not mind that I defer such work to bug #157267 and keep this bug focused on the workaround. 1189408 4 277880 dbates 2016-05-02 09:15:21 -0700 Comment on attachment 277880 Patch Clearing flags on attachment: 277880 Committed r200323: <http://trac.webkit.org/changeset/200323> 1189409 5 dbates 2016-05-02 09:15:25 -0700 All reviewed patches have been landed. Closing bug. 1189414 6 277880 timothy 2016-05-02 09:27:05 -0700 Comment on attachment 277880 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=277880&action=review > Source/WebKit/mac/WebView/WebView.mm:871 > + static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol = (IOSApplication::isEcobee() || IOSApplication::isQuora() || IOSApplication::isXtraMath()) && !WebKitLinkedOnOrAfter(WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION); If we run into more apps doing this, I think we should consider dropping the bundle checks and just allow star to match any protocol for any app linked on older WebKit versions. 277880 2016-05-01 17:36:11 -0700 2016-05-02 09:15:21 -0700 Patch bug-157252-20160501173647.patch text/plain 3643 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjAwMzEyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZGJlMDJhNGM1MTYyOWQ3 NDk2NDVlM2YyYmE4OTRhNzdiMjBiZGVjYS4uNDY1NWNjYWRlMmFhMTg5ZTE4NTE0MjA5NWU5Yzk2 N2ExN2NiYzQ1YyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0IEBACisyMDE2LTA1LTAxICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBDU1A6IEFkZCB3b3JrYXJv dW5kIGZvciBYdHJhTWF0aAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9MTU3MjUyCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgKiBwbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRpb25DaGVja3MuaDoKKyAgICAgICAg KiBwbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRpb25DaGVja3MubW06CisgICAgICAgIChXZWJDb3Jl OjpJT1NBcHBsaWNhdGlvbjo6aXNYdHJhTWF0aCk6IEFkZGVkLgorCiAyMDE2LTA1LTAxICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKICAgICAgICAgVW5yZXZpZXdlZCBhdHRlbXB0 IHRvIGZpeCBXaW5kb3dzIGJ1aWxkIGFmdGVyIHIyMDAyODguCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViS2l0L21hYy9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0L21hYy9DaGFuZ2VMb2cKaW5kZXgg NmRkY2I1NDNiMTcxNjJhNzVkMjU4N2Q5NDIxOWIxN2M1M2U5MjJmOC4uMDljNmI0ZDUxNGI0Y2Q4 MWE4NTFjM2E4MjVjYzVhMWFiM2IyMmU3MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdC9tYWMv Q2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvbWFjL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0 IEBACisyMDE2LTA1LTAxICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAg ICAgICBDU1A6IEFkZCB3b3JrYXJvdW5kIGZvciBYdHJhTWF0aAorICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU3MjUyCisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBXZWJWaWV3L1dlYlZpZXcubW06CisgICAg ICAgIChzaG91bGRBbGxvd0NvbnRlbnRTZWN1cml0eVBvbGljeVNvdXJjZVN0YXJUb01hdGNoQW55 UHJvdG9jb2wpOiBBbGxvdyAqIHRvIG1hdGNoIGFueSBwcm90b2NvbCBmb3IKKyAgICAgICAgYXBw bGljYWJsZSB2ZXJzaW9ucyBvZiBhcHAgWHRyYU1hdGguCisKIDIwMTYtMDQtMjkgIERlYW4gSmFj a3NvbiAgPGRpbm9AYXBwbGUuY29tPgogCiAgICAgICAgIFJUTCA8c2VsZWN0PiBwb3B1cCBtZW51 IGlzIGluIHRoZSB3cm9uZyBsb2NhdGlvbgpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxh dGZvcm0vUnVudGltZUFwcGxpY2F0aW9uQ2hlY2tzLmggYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9y bS9SdW50aW1lQXBwbGljYXRpb25DaGVja3MuaAppbmRleCBiNmVlN2E3MWZmOWVjNTdiZmI4ZjI3 MWQyYjUxYTljOTNhZmRlYzlhLi4wZWMxYjJiZDdhZDExYmZkZDJhMjI3ZGQwMzkzOGRhNjZkYWZk MjY1IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRp b25DaGVja3MuaAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRp b25DaGVja3MuaApAQCAtNzUsNiArNzUsNyBAQCBXRUJDT1JFX0VYUE9SVCBib29sIGlzV2ViUHJv Y2VzcygpOwogYm9vbCBpc0lCb29rcygpOwogV0VCQ09SRV9FWFBPUlQgYm9vbCBpc0Vjb2JlZSgp OwogV0VCQ09SRV9FWFBPUlQgYm9vbCBpc1F1b3JhKCk7CitXRUJDT1JFX0VYUE9SVCBib29sIGlz WHRyYU1hdGgoKTsKIAogfSAvLyBJT1NBcHBsaWNhdGlvbgogCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9wbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRpb25DaGVja3MubW0gYi9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9SdW50aW1lQXBwbGljYXRpb25DaGVja3MubW0KaW5kZXggYzhmZGQyYzgy NDVjZDNiZGMzMGYyZTIzMTg0YmM4M2IyZDE0MWY2OC4uZjg5OTQ4ZTIxMDM3Mzg5NzM5OWMzYzEx YjQ1YzgxNDJiNjQ5MDlhYSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vUnVu dGltZUFwcGxpY2F0aW9uQ2hlY2tzLm1tCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL1J1 bnRpbWVBcHBsaWNhdGlvbkNoZWNrcy5tbQpAQCAtMjUzLDYgKzI1MywxMiBAQCBib29sIElPU0Fw cGxpY2F0aW9uOjppc1F1b3JhKCkKICAgICByZXR1cm4gaXNRdW9yYTsKIH0KIAorYm9vbCBJT1NB cHBsaWNhdGlvbjo6aXNYdHJhTWF0aCgpCit7CisgICAgc3RhdGljIGJvb2wgaXNYdHJhTWF0aCA9 IGFwcGxpY2F0aW9uQnVuZGxlSXNFcXVhbFRvKCJvcmcueHRyYW1hdGgubWF0aGZhY3RzIik7Cisg ICAgcmV0dXJuIGlzWHRyYU1hdGg7Cit9CisKICNlbmRpZgogCiB9IC8vIG5hbWVzcGFjZSBXZWJD b3JlCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L21hYy9XZWJWaWV3L1dlYlZpZXcubW0gYi9T b3VyY2UvV2ViS2l0L21hYy9XZWJWaWV3L1dlYlZpZXcubW0KaW5kZXggYzk3ZDM5OWUzMWNjMDNi YzI2MGI3ZmNkZjU4OTk2Y2FjZmQzOTYzNi4uYzMyOWU0ZWRhMjg2ZTE0MjA4ZmE3NzFmMzFlZmMx M2Y5MTYzMjk0YyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdC9tYWMvV2ViVmlldy9XZWJWaWV3 Lm1tCisrKyBiL1NvdXJjZS9XZWJLaXQvbWFjL1dlYlZpZXcvV2ViVmlldy5tbQpAQCAtODY4LDcg Kzg2OCw3IEBAIHN0YXRpYyBib29sIHNob3VsZEFsbG93UGljdHVyZUluUGljdHVyZU1lZGlhUGxh eWJhY2soKQogc3RhdGljIGJvb2wgc2hvdWxkQWxsb3dDb250ZW50U2VjdXJpdHlQb2xpY3lTb3Vy Y2VTdGFyVG9NYXRjaEFueVByb3RvY29sKCkKIHsKICNpZiBQTEFURk9STShJT1MpCi0gICAgc3Rh dGljIGJvb2wgc2hvdWxkQWxsb3dDb250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2VTdGFyVG9NYXRj aEFueVByb3RvY29sID0gKElPU0FwcGxpY2F0aW9uOjppc0Vjb2JlZSgpIHx8IElPU0FwcGxpY2F0 aW9uOjppc1F1b3JhKCkpICYmICFXZWJLaXRMaW5rZWRPbk9yQWZ0ZXIoV0VCS0lUX0ZJUlNUX1ZF UlNJT05fV0lUSF9DT05URU5UX1NFQ1VSSVRZX1BPTElDWV9TT1VSQ0VfU1RBUl9QUk9UT0NPTF9S RVNUUklDVElPTik7CisgICAgc3RhdGljIGJvb2wgc2hvdWxkQWxsb3dDb250ZW50U2VjdXJpdHlQ b2xpY3lTb3VyY2VTdGFyVG9NYXRjaEFueVByb3RvY29sID0gKElPU0FwcGxpY2F0aW9uOjppc0Vj b2JlZSgpIHx8IElPU0FwcGxpY2F0aW9uOjppc1F1b3JhKCkgfHwgSU9TQXBwbGljYXRpb246Omlz WHRyYU1hdGgoKSkgJiYgIVdlYktpdExpbmtlZE9uT3JBZnRlcihXRUJLSVRfRklSU1RfVkVSU0lP Tl9XSVRIX0NPTlRFTlRfU0VDVVJJVFlfUE9MSUNZX1NPVVJDRV9TVEFSX1BST1RPQ09MX1JFU1RS SUNUSU9OKTsKICAgICByZXR1cm4gc2hvdWxkQWxsb3dDb250ZW50U2VjdXJpdHlQb2xpY3lTb3Vy Y2VTdGFyVG9NYXRjaEFueVByb3RvY29sOwogI2Vsc2UKICAgICByZXR1cm4gZmFsc2U7Cg==