Bug 78227 - [WK2] WebProcess terminates when loading HTML string with resources in paths different from the base url
Summary: [WK2] WebProcess terminates when loading HTML string with resources in paths ...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2 (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-09 06:14 PST by Carlos Garcia Campos
Modified: 2012-02-10 00:44 PST (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos Garcia Campos 2012-02-09 06:14:29 PST
This only happens if a base URL is passed to loadHTMLString. If the same HTML string is saved to a file and loaded with loadURI, it works perfectly, because willAcquireUniversalFileReadSandboxExtension() is called in that case. 

This problem affects Devhelp the GNOME dev documentation viewer, it has a mode that loads parts of html files, extracted and loaded with loadHTML(). That HTML code contains links relative to the current path, so it passes the html file as base url. The problem is that it also has its own css and javascript in a different directory, see this example:

Snippet extracted from file:///usr/share/gtk-doc/html/glib/glib-Hash-Tables.html
<html><head><link rel="stylesheet" type="text/css" href="file:///usr/share/devhelp/assistant/assistant.css"/><script src="file:///usr/share/devhelp/assistant/assistant.js"></script></head><body onload="reformatSignature()"><div class="title">Function: <a href="file:///home/cgarcia/gnome/share/gtk-doc/html/glib/glib-Hash-Tables.html#g-str-hash">g_str_hash</a>
....

In WebPageProxy::didInitiateLoadForResource() the url resource is checked and checkURLReceivedFromWebProcess() returns false, because it's not in the base url dir, which makes the web process to terminate:

"Receive an invalid message from the web process with message ID 230049"


This has always worked with WebKit1. Is this new behaviour expected or just a bug?
Comment 1 Alexey Proskuryakov 2012-02-09 10:09:00 PST
This is expected behavior. The reason is that showing generated pages that reference browser resources - such as error pages - should not enable access to arbitrary files (if they did, an exploited WebProcess would always be able to break out of its sandbox).

Can the documentation viewer just pass "file:///" as base URL?
Comment 2 Carlos Garcia Campos 2012-02-09 10:21:25 PST
(In reply to comment #1)
> This is expected behavior. The reason is that showing generated pages that reference browser resources - such as error pages - should not enable access to arbitrary files (if they did, an exploited WebProcess would always be able to break out of its sandbox).

I see, the problem is that it works in WebKit1, so there are applications using it.

> Can the documentation viewer just pass "file:///" as base URL?

That would break links using relative paths link this example from the same html code I posted:

<a class="link" href="glib-Hash-Tables.html#g-hash-table-new" title="g_hash_table_new ()">
Comment 3 Carlos Garcia Campos 2012-02-09 10:33:17 PST
A possible solution for the application might be to save the contents in a temp file and use loadURI() instead of loadHTML(), but I think it would be better if we could use loadHTML(). On the other hand, maybe terminate de web process in that case is a bit drastic, I thought it was a crash the first time it happened.
Comment 4 Alexey Proskuryakov 2012-02-09 10:56:22 PST
Getting an unexpected URL from WebProcess means that it has been exploited and now runs malicious code. Immediate termination is the least we can do.

Of course this all makes less sense on platforms that don't sandbox WebProcess.
Comment 5 Carlos Garcia Campos 2012-02-10 00:44:41 PST
The workaround I've used for devhelp is to use data uris for resources (css and javascript). I'll document in load_html() gtk docs that uris not relative to the base_url will cause the web process to terminate. 

So, if this is the expected behaviour, feel free to close the bug. Thanks for your help.