RESOLVED FIXED 67655
AssociatedURLLoader should check HTTP method / headers for untrusted requests.
https://bugs.webkit.org/show_bug.cgi?id=67655
Summary AssociatedURLLoader should check HTTP method / headers for untrusted requests.
Bill Budge
Reported 2011-09-06 10:51:51 PDT
Perform HTTP method and header validation in AssociatedURLLoader for requests coming from untrusted code (eg. Native Client in Chrome). Use the same code as XMLHttpRequest to reduce code duplication and have behavior identical to XHR in Javascript. Add an 'untrustedHTTP' option to WebURLLoaderOptions, which AssociatedURLLoader can use to determine if it should check the request method and headers.
Attachments
Proposed Patch (11.90 KB, patch)
2011-09-06 11:02 PDT, Bill Budge
levin: commit-queue-
Proposed Patch (11.91 KB, patch)
2011-09-07 11:30 PDT, Bill Budge
no flags
Proposed Patch (11.87 KB, patch)
2011-09-07 13:55 PDT, Bill Budge
fishd: review+
fishd: commit-queue-
Proposed Patch (11.86 KB, patch)
2011-09-13 14:01 PDT, Bill Budge
no flags
Bill Budge
Comment 1 2011-09-06 11:02:51 PDT
Created attachment 106444 [details] Proposed Patch
David Levin
Comment 2 2011-09-06 12:54:53 PDT
Comment on attachment 106444 [details] Proposed Patch View in context: https://bugs.webkit.org/attachment.cgi?id=106444&action=review Looks good to me. Since there is a chromium/public change, I'll leave the final r+ for Darin. > Source/WebKit/chromium/public/WebURLLoaderOptions.h:49 > + , crossOriginRequestPolicy(CrossOriginRequestPolicyDeny) { } Ideally put the {} on separate lines at this point.
Bill Budge
Comment 3 2011-09-07 11:30:52 PDT
Created attachment 106607 [details] Proposed Patch
Bill Budge
Comment 4 2011-09-07 11:56:14 PDT
*** Bug 66963 has been marked as a duplicate of this bug. ***
Bill Budge
Comment 5 2011-09-07 11:57:01 PDT
Comment on attachment 106607 [details] Proposed Patch Adding some tests for invalid header values.
Bill Budge
Comment 6 2011-09-07 13:55:28 PDT
Created attachment 106631 [details] Proposed Patch Improved the tests to check for invalid header values. Improved helper method names.
WebKit Review Bot
Comment 7 2011-09-08 10:05:02 PDT
Comment on attachment 106631 [details] Proposed Patch Attachment 106631 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/9616952
Bill Budge
Comment 8 2011-09-08 16:27:09 PDT
Comment on attachment 106631 [details] Proposed Patch I believe this build failure is spurious.
Darin Fisher (:fishd, Google)
Comment 9 2011-09-09 09:38:50 PDT
Comment on attachment 106631 [details] Proposed Patch View in context: https://bugs.webkit.org/attachment.cgi?id=106631&action=review > Source/WebKit/chromium/src/AssociatedURLLoader.cpp:56 > +namespace { nit: put the anonymous namespace inside the WebKit namespace. then we shoudn't need the 'using namespace WebKit' up above. > Source/WebKit/chromium/src/AssociatedURLLoader.cpp:289 > + m_clientAdapter->setDelayedError(ResourceError()); what are your plans for this?
Bill Budge
Comment 10 2011-09-09 12:28:59 PDT
Once this lands, I can redo PPAPI and WebKit glue code that does all of these checks. As part of that CL I will have to modify URLRequest and URLLoader tests since these errors are reported asynchronously now. I also have FIXMEs to improve error reporting in the glue code. I will need to define a new error domain in WebKit so AssociatedURLLoader can report syntax vs. security errors in a way that WebKit glue understands. Currently it doesn't know about WebKit error domains, only our net:: one, and reports the former as PP_ERROR. It might make sense to modify this patch to generate ResourceErrors with enough information to make this possible.
Bill Budge
Comment 11 2011-09-09 12:29:56 PDT
Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot?
David Levin
Comment 12 2011-09-09 12:43:34 PDT
(In reply to comment #11) > Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot? Reupload the patch is the only way that I know of. (New attachment).
Bill Budge
Comment 13 2011-09-13 14:01:11 PDT
Created attachment 107222 [details] Proposed Patch Moved header visitor into WebKit namespace. Added information on plans for fixing error reporting from this layer.
Darin Fisher (:fishd, Google)
Comment 14 2011-09-19 14:58:49 PDT
Comment on attachment 107222 [details] Proposed Patch R=me, sorry for the delayed response!
WebKit Review Bot
Comment 15 2011-09-19 16:01:59 PDT
Comment on attachment 107222 [details] Proposed Patch Clearing flags on attachment: 107222 Committed r95490: <http://trac.webkit.org/changeset/95490>
WebKit Review Bot
Comment 16 2011-09-19 16:02:04 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.