169868 – [QuickLook] Subresources should be in the same origin as the main document

Bug 169868 - [QuickLook] Subresources should be in the same origin as the main document

Summary: [QuickLook] Subresources should be in the same origin as the main document

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Page Loading (show other bugs)
Version:	WebKit Nightly Build
Hardware:	iPhone / iPad All

Importance:	P2 Normal
Assignee:	Andy Estes

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-03-19 16:33 PDT by Andy Estes
Modified:	2017-03-20 12:50 PDT (History)
CC List:	9 users (show)

See Also:

Attachments
Patch (9.17 KB, patch) 2017-03-19 16:56 PDT, Andy Estes	no flags	Details \| Formatted Diff \| Diff
Patch (9.17 KB, patch) 2017-03-19 17:14 PDT, Andy Estes	no flags	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.45 MB, application/zip) 2017-03-19 19:03 PDT, Build Bot	no flags	Details
Patch (8.90 KB, patch) 2017-03-20 10:31 PDT, Andy Estes	dbates: review+	Details \| Formatted Diff \| Diff
Patch (9.11 KB, patch) 2017-03-20 12:09 PDT, Andy Estes	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andy Estes 2017-03-19 16:33:40 PDT

[QuickLook] Subresources should be in the same origin as the main document

Comment 1 Andy Estes 2017-03-19 16:54:45 PDT

rdar://problem/29898214

Comment 2 Andy Estes 2017-03-19 16:56:21 PDT

Created attachment 304906 [details]
Patch

Comment 3 Andy Estes 2017-03-19 17:14:10 PDT

Created attachment 304907 [details]
Patch

Comment 4 Build Bot 2017-03-19 19:03:50 PDT

Comment on attachment 304907 [details]
Patch

Attachment 304907 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3365686

New failing tests:
quicklook/powerpoint.html
quicklook/invalid-ql-id-url.html
quicklook/word.html
quicklook/word-legacy.html
quicklook/powerpoint-legacy.html

Comment 5 Build Bot 2017-03-19 19:03:55 PDT

Created attachment 304911 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6

Comment 6 Andy Estes 2017-03-20 10:31:25 PDT

Created attachment 304930 [details]
Patch

Comment 7 Daniel Bates 2017-03-20 11:43:36 PDT

Comment on attachment 304930 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=304930&action=review

> Source/WebCore/dom/Document.cpp:6823
> +    const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL();
> +    ASSERT(responseURL.protocolIs(QLPreviewProtocol()));
> +    setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL)));

This will allow QuickLook documents to use local storage/databases/cookies. Is this intentional? Currently we disallow such storage access because QuickLook documents have a unique origin.

Comment 8 Andy Estes 2017-03-20 11:47:21 PDT

(In reply to comment #7)
> Comment on attachment 304930 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=304930&action=review
> 
> > Source/WebCore/dom/Document.cpp:6823
> > +    const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL();
> > +    ASSERT(responseURL.protocolIs(QLPreviewProtocol()));
> > +    setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL)));
> 
> This will allow QuickLook documents to use local storage/databases/cookies.
> Is this intentional? Currently we disallow such storage access because
> QuickLook documents have a unique origin.

Yeah, that's a side effect of this change, but since QuickLook documents won't share an origin with the hosting site, I don't think this is a problem.

Comment 9 Daniel Bates 2017-03-20 11:55:32 PDT

(In reply to comment #8)
> (In reply to comment #7)
> > Comment on attachment 304930 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=304930&action=review
> > 
> > > Source/WebCore/dom/Document.cpp:6823
> > > +    const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL();
> > > +    ASSERT(responseURL.protocolIs(QLPreviewProtocol()));
> > > +    setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL)));
> > 
> > This will allow QuickLook documents to use local storage/databases/cookies.
> > Is this intentional? Currently we disallow such storage access because
> > QuickLook documents have a unique origin.
> 
> Yeah, that's a side effect of this change, but since QuickLook documents
> won't share an origin with the hosting site, I don't think this is a problem.

Would it make sense to disable such storage access for QuickLook documents using SecurityOrigin::setStorageBlockingPolicy()?

Comment 10 Andy Estes 2017-03-20 12:08:11 PDT

(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #7)
> > > Comment on attachment 304930 [details]
> > > Patch
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=304930&action=review
> > > 
> > > > Source/WebCore/dom/Document.cpp:6823
> > > > +    const URL& responseURL = m_frame->loader().activeDocumentLoader()->responseURL();
> > > > +    ASSERT(responseURL.protocolIs(QLPreviewProtocol()));
> > > > +    setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(responseURL)));
> > > 
> > > This will allow QuickLook documents to use local storage/databases/cookies.
> > > Is this intentional? Currently we disallow such storage access because
> > > QuickLook documents have a unique origin.
> > 
> > Yeah, that's a side effect of this change, but since QuickLook documents
> > won't share an origin with the hosting site, I don't think this is a problem.
> 
> Would it make sense to disable such storage access for QuickLook documents
> using SecurityOrigin::setStorageBlockingPolicy()?

Since QuickLook origins are ephemeral, using storage doesn't seem useful, so I agree that this would make sense.

Comment 11 Andy Estes 2017-03-20 12:09:01 PDT

Created attachment 304940 [details]
Patch

Comment 12 WebKit Commit Bot 2017-03-20 12:50:13 PDT

Comment on attachment 304940 [details]
Patch

Clearing flags on attachment: 304940

Committed r214189: <http://trac.webkit.org/changeset/214189>

Comment 13 WebKit Commit Bot 2017-03-20 12:50:21 PDT

All reviewed patches have been landed.  Closing bug.