WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
67655
AssociatedURLLoader should check HTTP method / headers for untrusted requests.
https://bugs.webkit.org/show_bug.cgi?id=67655
Summary
AssociatedURLLoader should check HTTP method / headers for untrusted requests.
Bill Budge
Reported
2011-09-06 10:51:51 PDT
Perform HTTP method and header validation in AssociatedURLLoader for requests coming from untrusted code (eg. Native Client in Chrome). Use the same code as XMLHttpRequest to reduce code duplication and have behavior identical to XHR in Javascript. Add an 'untrustedHTTP' option to WebURLLoaderOptions, which AssociatedURLLoader can use to determine if it should check the request method and headers.
Attachments
Proposed Patch
(11.90 KB, patch)
2011-09-06 11:02 PDT
,
Bill Budge
levin
: commit-queue-
Details
Formatted Diff
Diff
Proposed Patch
(11.91 KB, patch)
2011-09-07 11:30 PDT
,
Bill Budge
no flags
Details
Formatted Diff
Diff
Proposed Patch
(11.87 KB, patch)
2011-09-07 13:55 PDT
,
Bill Budge
fishd
: review+
fishd
: commit-queue-
Details
Formatted Diff
Diff
Proposed Patch
(11.86 KB, patch)
2011-09-13 14:01 PDT
,
Bill Budge
no flags
Details
Formatted Diff
Diff
Show Obsolete
(3)
View All
Add attachment
proposed patch, testcase, etc.
Bill Budge
Comment 1
2011-09-06 11:02:51 PDT
Created
attachment 106444
[details]
Proposed Patch
David Levin
Comment 2
2011-09-06 12:54:53 PDT
Comment on
attachment 106444
[details]
Proposed Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=106444&action=review
Looks good to me. Since there is a chromium/public change, I'll leave the final r+ for Darin.
> Source/WebKit/chromium/public/WebURLLoaderOptions.h:49 > + , crossOriginRequestPolicy(CrossOriginRequestPolicyDeny) { }
Ideally put the {} on separate lines at this point.
Bill Budge
Comment 3
2011-09-07 11:30:52 PDT
Created
attachment 106607
[details]
Proposed Patch
Bill Budge
Comment 4
2011-09-07 11:56:14 PDT
***
Bug 66963
has been marked as a duplicate of this bug. ***
Bill Budge
Comment 5
2011-09-07 11:57:01 PDT
Comment on
attachment 106607
[details]
Proposed Patch Adding some tests for invalid header values.
Bill Budge
Comment 6
2011-09-07 13:55:28 PDT
Created
attachment 106631
[details]
Proposed Patch Improved the tests to check for invalid header values. Improved helper method names.
WebKit Review Bot
Comment 7
2011-09-08 10:05:02 PDT
Comment on
attachment 106631
[details]
Proposed Patch
Attachment 106631
[details]
did not pass chromium-ews (chromium-xvfb): Output:
http://queues.webkit.org/results/9616952
Bill Budge
Comment 8
2011-09-08 16:27:09 PDT
Comment on
attachment 106631
[details]
Proposed Patch I believe this build failure is spurious.
Darin Fisher (:fishd, Google)
Comment 9
2011-09-09 09:38:50 PDT
Comment on
attachment 106631
[details]
Proposed Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=106631&action=review
> Source/WebKit/chromium/src/AssociatedURLLoader.cpp:56 > +namespace {
nit: put the anonymous namespace inside the WebKit namespace. then we shoudn't need the 'using namespace WebKit' up above.
> Source/WebKit/chromium/src/AssociatedURLLoader.cpp:289 > + m_clientAdapter->setDelayedError(ResourceError());
what are your plans for this?
Bill Budge
Comment 10
2011-09-09 12:28:59 PDT
Once this lands, I can redo PPAPI and WebKit glue code that does all of these checks. As part of that CL I will have to modify URLRequest and URLLoader tests since these errors are reported asynchronously now. I also have FIXMEs to improve error reporting in the glue code. I will need to define a new error domain in WebKit so AssociatedURLLoader can report syntax vs. security errors in a way that WebKit glue understands. Currently it doesn't know about WebKit error domains, only our net:: one, and reports the former as PP_ERROR. It might make sense to modify this patch to generate ResourceErrors with enough information to make this possible.
Bill Budge
Comment 11
2011-09-09 12:29:56 PDT
Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot?
David Levin
Comment 12
2011-09-09 12:43:34 PDT
(In reply to
comment #11
)
> Quick question about the red bot. This is the first time I've seen a failure that isn't caused by the patch. Is there a way to re-run the bot?
Reupload the patch is the only way that I know of. (New attachment).
Bill Budge
Comment 13
2011-09-13 14:01:11 PDT
Created
attachment 107222
[details]
Proposed Patch Moved header visitor into WebKit namespace. Added information on plans for fixing error reporting from this layer.
Darin Fisher (:fishd, Google)
Comment 14
2011-09-19 14:58:49 PDT
Comment on
attachment 107222
[details]
Proposed Patch R=me, sorry for the delayed response!
WebKit Review Bot
Comment 15
2011-09-19 16:01:59 PDT
Comment on
attachment 107222
[details]
Proposed Patch Clearing flags on attachment: 107222 Committed
r95490
: <
http://trac.webkit.org/changeset/95490
>
WebKit Review Bot
Comment 16
2011-09-19 16:02:04 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug