Bug 169868

Summary:

[QuickLook] Subresources should be in the same origin as the main document

Product:

WebKit

Reporter:

Andy Estes <aestes>

Component:

Page Loading

Assignee:

Andy Estes <aestes>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

beidson, cdumez, commit-queue, dbates, esprehn+autocc, kangil.han, koivisto, simon.fraser, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

iPhone / iPad

OS:

All

Attachments:

Description	Flags
Patch	none
Patch	none
Archive of layout-test-results from ews122 for ios-simulator-wk2	none
Patch	dbates: review+
Patch	none

Andy Estes

Reported 2017-03-19 16:33:40 PDT

[QuickLook] Subresources should be in the same origin as the main document

Attachments
Patch (9.17 KB, patch) 2017-03-19 16:56 PDT, Andy Estes	no flags	Details Formatted Diff Diff
Patch (9.17 KB, patch) 2017-03-19 17:14 PDT, Andy Estes	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.45 MB, application/zip) 2017-03-19 19:03 PDT, Build Bot	no flags	Details
Patch (8.90 KB, patch) 2017-03-20 10:31 PDT, Andy Estes	dbates: review+	Details Formatted Diff Diff
Patch (9.11 KB, patch) 2017-03-20 12:09 PDT, Andy Estes	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Andy Estes

Comment 1 2017-03-19 16:54:45 PDT

rdar://problem/29898214

Andy Estes

Comment 2 2017-03-19 16:56:21 PDT

Created attachment 304906 [details] Patch

Andy Estes

Comment 3 2017-03-19 17:14:10 PDT

Created attachment 304907 [details] Patch

Build Bot

Comment 4 2017-03-19 19:03:50 PDT

Comment on attachment 304907 [details] Patch Attachment 304907 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/3365686 New failing tests: quicklook/powerpoint.html quicklook/invalid-ql-id-url.html quicklook/word.html quicklook/word-legacy.html quicklook/powerpoint-legacy.html

Build Bot

Comment 5 2017-03-19 19:03:55 PDT

Created attachment 304911 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.6

Andy Estes

Comment 6 2017-03-20 10:31:25 PDT

Created attachment 304930 [details] Patch

Daniel Bates

Comment 7 2017-03-20 11:43:36 PDT

Comment on attachment 304930 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=304930&action=review > Source/WebCore/dom/Document.cpp:6823 > + const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL(); > + ASSERT(responseURL.protocolIs(QLPreviewProtocol())); > + setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL))); This will allow QuickLook documents to use local storage/databases/cookies. Is this intentional? Currently we disallow such storage access because QuickLook documents have a unique origin.

Andy Estes

Comment 8 2017-03-20 11:47:21 PDT

(In reply to comment #7) > Comment on attachment 304930 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=304930&action=review > > > Source/WebCore/dom/Document.cpp:6823 > > + const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL(); > > + ASSERT(responseURL.protocolIs(QLPreviewProtocol())); > > + setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL))); > > This will allow QuickLook documents to use local storage/databases/cookies. > Is this intentional? Currently we disallow such storage access because > QuickLook documents have a unique origin. Yeah, that's a side effect of this change, but since QuickLook documents won't share an origin with the hosting site, I don't think this is a problem.

Daniel Bates

Comment 9 2017-03-20 11:55:32 PDT

(In reply to comment #8) > (In reply to comment #7) > > Comment on attachment 304930 [details] > > Patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=304930&action=review > > > > > Source/WebCore/dom/Document.cpp:6823 > > > + const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL(); > > > + ASSERT(responseURL.protocolIs(QLPreviewProtocol())); > > > + setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL))); > > > > This will allow QuickLook documents to use local storage/databases/cookies. > > Is this intentional? Currently we disallow such storage access because > > QuickLook documents have a unique origin. > > Yeah, that's a side effect of this change, but since QuickLook documents > won't share an origin with the hosting site, I don't think this is a problem. Would it make sense to disable such storage access for QuickLook documents using SecurityOrigin::setStorageBlockingPolicy()?

Andy Estes

Comment 10 2017-03-20 12:08:11 PDT

(In reply to comment #9) > (In reply to comment #8) > > (In reply to comment #7) > > > Comment on attachment 304930 [details] > > > Patch > > > > > > View in context: > > > https://bugs.webkit.org/attachment.cgi?id=304930&action=review > > > > > > > Source/WebCore/dom/Document.cpp:6823 > > > > + const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL(); > > > > + ASSERT(responseURL.protocolIs(QLPreviewProtocol())); > > > > + setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL))); > > > > > > This will allow QuickLook documents to use local storage/databases/cookies. > > > Is this intentional? Currently we disallow such storage access because > > > QuickLook documents have a unique origin. > > > > Yeah, that's a side effect of this change, but since QuickLook documents > > won't share an origin with the hosting site, I don't think this is a problem. > > Would it make sense to disable such storage access for QuickLook documents > using SecurityOrigin::setStorageBlockingPolicy()? Since QuickLook origins are ephemeral, using storage doesn't seem useful, so I agree that this would make sense.

Andy Estes

Comment 11 2017-03-20 12:09:01 PDT

Created attachment 304940 [details] Patch

WebKit Commit Bot

Comment 12 2017-03-20 12:50:13 PDT

Comment on attachment 304940 [details] Patch Clearing flags on attachment: 304940 Committed r214189: <http://trac.webkit.org/changeset/214189>

WebKit Commit Bot

Comment 13 2017-03-20 12:50:21 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.