diff -pruN webkitgtk-2.40.0-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp webkitgtk-2.40.0-new/Source/WebCore/loader/cache/CachedResourceLoader.cpp
--- webkitgtk-2.40.0-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2023-02-20 10:22:17.557738300 +0100
+++ webkitgtk-2.40.0-new/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2023-03-19 03:01:56.712486919 +0100
@@ -67,6 +67,7 @@
 #include "Page.h"
 #include "PingLoader.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "RenderElement.h"
 #include "ResourceLoadInfo.h"
 #include "ResourceTiming.h"
@@ -981,6 +982,23 @@ ResourceErrorOr<CachedResourceHandle<Cac
         originalRequest->clearHTTPOrigin();
     }
 
+    bool disableCORS = frame.page()->isCORSDisabled();
+    bool enableCORSSameDomain = frame.page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(url.host().toString());
+            String documentDomain = topPrivatelyControlledDomain(frame.document()->url().host().toString());
+            if (!equalIgnoringASCIICase(requestDomain, documentDomain) && type != CachedResource::Type::MainResource) {
+                CACHEDRESOURCELOADER_RELEASE_LOG_WITH_FRAME("requestResource: Resource blocked by Cross-Origin Resource Sharing policy", frame);
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl });
+            }
+        } else if (!equalIgnoringASCIICase(url.host(), frame.document()->url().host()) && type != CachedResource::Type::MainResource) {
+                CACHEDRESOURCELOADER_RELEASE_LOG_WITH_FRAME("requestResource: Resource blocked by Cross-Origin Resource Sharing policy", frame);
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl });
+        }
+    }
+
     prepareFetch(type, request);
 
     if (request.options().destination == FetchOptions::Destination::Document || request.options().destination == FetchOptions::Destination::Iframe) {
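Review bot: The added check in requestResource decides on host strings (or registrable domains) only, so scheme and port play no part, while the log and error text describe a Cross-Origin Resource Sharing policy block; if an origin-level restriction is intended, comparing against the document's `SecurityOrigin` would match that wording. The `enableCORSSameDomain` branch has no guard for an empty result from `topPrivatelyControlledDomain`, unlike the `!documentDomain.isEmpty()` guard in the LinkLoader.cpp hunk, so two hosts that both yield an empty string would compare equal (inferred, the helper's body is not shown). `frame.page()` and `frame.document()` are dereferenced unchecked here; the function starts outside the hunk, so confirm an earlier null check covers both. The two identical log-and-return pairs could share one condition so they cannot drift apart.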
@@ -1098,7 +1116,8 @@ ResourceErrorOr<CachedResourceHandle<Cac
     RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get(), forPreload, imageLoading);
     switch (policy) {
     case Reload:
-        memoryCache.remove(*resource);
+        if (resource)
+            memoryCache.remove(*resource);
         FALLTHROUGH;
     case Load:
         if (resource) {
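Review bot: The new `if (resource)` guard in the `Reload` case carries no explanation, and nothing in the hunk shows how `determineRevalidationPolicy` could return `Reload` for a null resource. If that can happen, a comment such as `// Reload may be chosen without a cached entry; nothing to evict then.` should say so; if it cannot, `ASSERT(resource);` documents the invariant better than a silent skip. The switch continues outside the hunk.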
diff -pruN webkitgtk-2.40.0-orig/Source/WebCore/loader/LinkLoader.cpp webkitgtk-2.40.0-new/Source/WebCore/loader/LinkLoader.cpp
--- webkitgtk-2.40.0-orig/Source/WebCore/loader/LinkLoader.cpp	2023-03-15 14:59:47.326720500 +0100
+++ webkitgtk-2.40.0-new/Source/WebCore/loader/LinkLoader.cpp	2023-03-18 13:18:17.069158154 +0100
@@ -56,7 +56,9 @@
 #include "MediaQueryEvaluator.h"
 #include "MediaQueryParser.h"
 #include "NodeRenderStyle.h"
+#include "Page.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "RenderElement.h"
 #include "ResourceError.h"
 #include "Settings.h"
@@ -374,6 +376,26 @@ void LinkLoader::cancelLoad()
 
 void LinkLoader::loadLink(const LinkLoadParameters& params, Document& document)
 {
+    Page *page = document.page();
+    bool disableCORS = false;
+    bool enableCORSSameDomain = true;
+
+    if (page) {
+        disableCORS = page->isCORSDisabled();
+        enableCORSSameDomain = page->isCORSSameDomainEnabled();
+    }
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(params.href.host().toString());
+            String documentDomain = topPrivatelyControlledDomain(document.url().host().toString());
+            if (!documentDomain.isEmpty() && !equalIgnoringASCIICase(requestDomain, documentDomain))
+                return;
+        } else if (!document.url().host().isEmpty() && params.href.host() != document.url().host()) {
+                return;
+        }
+    }
+
     if (params.relAttribute.isDNSPrefetch) {
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt
         // to complete that as URL <https://bugs.webkit.org/show_bug.cgi?id=48857>.
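Review bot: The early `return` in loadLink drops a cross-host link silently, with no release log and no error reported, whereas the requestResource hunk in CachedResourceLoader.cpp logs and returns an `AccessControl` error for the same setting. The else-branch compares hosts with `!=` while the other file uses `equalIgnoringASCIICase`; using the same comparison in both places keeps the two checks consistent. Both branches let the link load when the document host is empty, which deserves a comment if intended, e.g. `// Documents with an empty host are not restricted.`. `Page *page` should be `Page* page` to match the surrounding style, and the `return;` under the `else if` is indented one level too deep.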
diff -pruN webkitgtk-2.40.0-orig/Source/WebCore/loader/SubresourceLoader.cpp webkitgtk-2.40.0-new/Source/WebCore/loader/SubresourceLoader.cpp
--- webkitgtk-2.40.0-orig/Source/WebCore/loader/SubresourceLoader.cpp	2023-02-20 10:22:17.537738000 +0100
+++ webkitgtk-2.40.0-new/Source/WebCore/loader/SubresourceLoader.cpp	2023-03-18 13:13:41.100652519 +0100
@@ -197,6 +197,39 @@ bool SubresourceLoader::isSubresourceLoa
     return true;
 }
 
+bool SubresourceLoader::isCORSDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSDisabled();
+}
+
+bool SubresourceLoader::isCORSSameDomainEnabled() const
+{
+    if (!m_frame)
+        return true;
+
+    if (!m_frame->page())
+        return true;
+
+    return m_frame->page()->isCORSSameDomainEnabled();
+}
+
+bool SubresourceLoader::isCORSRedirectionDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSRedirectionDisabled();
+}
+
 void SubresourceLoader::willSendRequestInternal(ResourceRequest&& newRequest, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
 {
     // Store the previous URL because the call to ResourceLoader::willSendRequest will modify it.
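Review bot: The three new accessors repeat the same two null checks and call `m_frame->page()` twice each; each body can be written as `auto* page = m_frame ? m_frame->page() : nullptr;` followed by `return page && page->isCORSDisabled();` (and `return !page || page->isCORSSameDomainEnabled();` for the one that defaults to true). The fallback values returned when there is no frame or page mirror the preference defaults, which a one-line comment above each function should state. `isCORSSameDomainEnabled()` has no caller among the hunks shown for this file, so check whether it is needed.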
@@ -649,12 +682,25 @@ Expected<void, String> SubresourceLoader
 {
     bool crossOriginFlag = m_resource->isCrossOrigin();
     bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
+    bool disableCORS = isCORSDisabled();
+    bool disableCORSRedirection = isCORSRedirectionDisabled();
 
     if (isNextRequestCrossOrigin)
         m_resource->setCrossOrigin();
 
     ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin());
 
+    if (options().mode != FetchOptions::Mode::Cors) {
+        if (!disableCORS) {
+            return { };
+        } else {
+            if (!disableCORSRedirection)
+                return { };
+            else
+                return makeUnexpected("CORS redirection is disabled"_s);
+        }
+    }
+
     // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 7 & 8.
     if (options().mode == FetchOptions::Mode::Cors) {
         if (m_resource->isCrossOrigin()) {
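Review bot: The added `options().mode != FetchOptions::Mode::Cors` block returns from checkRedirectionCrossOriginAccessControl on every path, so even with all three settings at their defaults a non-CORS redirect now returns success before reaching anything below the `Mode::Cors` block. The rest of the function is outside the hunk, so confirm that no redirect handling for non-CORS modes lives there. With `disableCORS` and `disableCORSRedirection` both set, every redirect of a non-CORS load is refused, same-origin ones included, because `isNextRequestCrossOrigin` is not consulted, while redirects of `Mode::Cors` loads are unaffected. If only cross-origin redirects are meant to be refused, a form that leaves the default path untouched is `if (disableCORS && disableCORSRedirection && isNextRequestCrossOrigin && options().mode != FetchOptions::Mode::Cors) return makeUnexpected("CORS redirection is disabled"_s);`.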
diff -pruN webkitgtk-2.40.0-orig/Source/WebCore/loader/SubresourceLoader.h webkitgtk-2.40.0-new/Source/WebCore/loader/SubresourceLoader.h
--- webkitgtk-2.40.0-orig/Source/WebCore/loader/SubresourceLoader.h	2023-02-20 10:22:17.541738300 +0100
+++ webkitgtk-2.40.0-new/Source/WebCore/loader/SubresourceLoader.h	2023-03-18 13:13:41.100652519 +0100
@@ -50,6 +50,9 @@ public:
 
     void cancelIfNotFinishing();
     bool isSubresourceLoader() const override;
+    bool isCORSDisabled() const;
+    bool isCORSSameDomainEnabled() const;
+    bool isCORSRedirectionDisabled() const;
     CachedResource* cachedResource() const override { return m_resource; };
     WEBCORE_EXPORT const HTTPHeaderMap* originalHeaders() const;
 
diff -pruN webkitgtk-2.40.0-orig/Source/WebCore/page/Page.h webkitgtk-2.40.0-new/Source/WebCore/page/Page.h
--- webkitgtk-2.40.0-orig/Source/WebCore/page/Page.h	2023-02-20 10:22:17.681738900 +0100
+++ webkitgtk-2.40.0-new/Source/WebCore/page/Page.h	2023-03-18 13:13:41.102652519 +0100
@@ -45,6 +45,7 @@
 #include "Region.h"
 #include "RegistrableDomain.h"
 #include "ScrollTypes.h"
+#include "Settings.h"
 #include "ShouldRelaxThirdPartyCookieBlocking.h"
 #include "SpeechRecognitionConnection.h"
 #include "Supplementable.h"
@@ -1006,6 +1007,10 @@ public:
 
     ContentSecurityPolicyModeForExtension contentSecurityPolicyModeForExtension() const { return m_contentSecurityPolicyModeForExtension; }
 
+    bool isCORSDisabled() const { return m_settings->disableCORS(); }
+    bool isCORSSameDomainEnabled() const { return m_settings->enableCORSSameDomain(); }
+    bool isCORSRedirectionDisabled() const { return m_settings->disableCORSRedirection(); }
+
     WEBCORE_EXPORT void forceRepaintAllFrames();
 
 #if ENABLE(IMAGE_ANALYSIS)
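Review bot: Defining the three getters inline is what forces `#include "Settings.h"` into Page.h in the preceding hunk. Declaring them here as `bool isCORSDisabled() const;` and defining them out of line in the corresponding .cpp file would keep Settings.h out of every translation unit that includes Page.h. The getters also need a short comment, since `isCORSDisabled()` being true makes the loaders refuse cross-host loads rather than skip CORS checks, as the loader hunks in this patch show.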
diff -pruN webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
--- webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2023-02-20 10:22:21.369753400 +0100
+++ webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2023-03-18 13:13:41.104652519 +0100
@@ -696,6 +696,36 @@ bool WKPreferencesGetTopNavigationToData
     return toImpl(preferencesRef)->allowTopNavigationToDataURLs();
 }
 
+void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORS(allowed);
+}
+
+bool WKPreferencesGetDisableCORS(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORS();
+}
+
+void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setEnableCORSSameDomain(allowed);
+}
+
+bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->enableCORSSameDomain();
+}
+
+void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORSRedirection(allowed);
+}
+
+bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORSRedirection();
+}
+
 void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferencesRef, bool needsQuirk)
 {
     toImpl(preferencesRef)->setNeedsStorageAccessFromFileURLsQuirk(needsQuirk);
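Review bot: The setter parameter is named `allowed` although the value switches a restriction on, so `WKPreferencesSetDisableCORS(preferencesRef, true)` reads as allowing something while it does the opposite. Naming it after the preference, e.g. `void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool disabled)`, and `enabled` for `SetEnableCORSSameDomain`, removes the ambiguity. The same `allowed` name appears in the WKPreferencesRefPrivate.h declarations and in the `webkit_settings_set_*` functions in WebKitSettings.cpp and WebKitSettings.h.in, where the existing `webkit_settings_set_disable_web_security` already uses `disabled`.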
diff -pruN webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h
--- webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h	2023-02-20 10:22:21.369753400 +0100
+++ webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h	2023-03-18 13:13:41.105652520 +0100
@@ -157,6 +157,18 @@ WK_EXPORT bool WKPreferencesGetFileAcces
 WK_EXPORT void WKPreferencesSetTopNavigationToDataURLsAllowed(WKPreferencesRef preferences, bool allowed);
 WK_EXPORT bool WKPreferencesGetTopNavigationToDataURLsAllowed(WKPreferencesRef preferences);
 
+// Defaults to false.
+WK_EXPORT void WKPreferencesSetDisableCORS(WKPreferencesRef preferences, bool allowed);
+WK_EXPORT bool WKPreferencesGetDisableCORS(WKPreferencesRef preferences);
+
+// Defaults to true.
+WK_EXPORT void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferences, bool allowed);
+WK_EXPORT bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferences);
+
+// Defaults to false.
+WK_EXPORT void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferences, bool allowed);
+WK_EXPORT bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferences);
+
 // Defaults to true
 WK_EXPORT void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferences, bool needsQuirk);
 WK_EXPORT bool WKPreferencesGetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferences);
diff -pruN webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp
--- webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2023-02-20 10:22:21.473753700 +0100
+++ webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2023-03-18 13:15:58.605154198 +0100
@@ -177,6 +177,9 @@ enum {
     PROP_MEDIA_CONTENT_TYPES_REQUIRING_HARDWARE_SUPPORT,
     PROP_ENABLE_WEBRTC,
     PROP_DISABLE_WEB_SECURITY,
+    PROP_DISABLE_CORS,
+    PROP_ENABLE_CORS_SAME_DOMAIN,
+    PROP_DISABLE_CORS_REDIRECTION,
     N_PROPERTIES,
 };
 
@@ -411,6 +414,15 @@ static void webKitSettingsSetProperty(GO
     case PROP_DISABLE_WEB_SECURITY:
         webkit_settings_set_disable_web_security(settings, g_value_get_boolean(value));
         break;
+    case PROP_DISABLE_CORS:
+        webkit_settings_set_disable_cors(settings, g_value_get_boolean(value));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        webkit_settings_set_enable_cors_same_domain(settings, g_value_get_boolean(value));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        webkit_settings_set_disable_cors_redirection(settings, g_value_get_boolean(value));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -617,6 +629,15 @@ static void webKitSettingsGetProperty(GO
     case PROP_DISABLE_WEB_SECURITY:
         g_value_set_boolean(value, webkit_settings_get_disable_web_security(settings));
         break;
+    case PROP_DISABLE_CORS:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors(settings));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        g_value_set_boolean(value, webkit_settings_get_enable_cors_same_domain(settings));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors_redirection(settings));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -1619,6 +1640,51 @@ static void webkit_settings_class_init(W
         FALSE,
         readWriteConstructParamFlags);
 
+    /**
+     * WebKitSettings:disable-cors:
+     *
+     * Enable or disable CORS.
+     *
+     * Since: 2.32.1
+     */
+    sObjProperties[PROP_DISABLE_CORS] =
+        g_param_spec_boolean(
+            "disable-cors",
+            _("Disable CORS"),
+            _("Whether CORS should be disabled"),
+            FALSE,
+            readWriteConstructParamFlags);
+
+    /**
+     * WebKitSettings:enable-cors-same-domain:
+     *
+     * Enable or disable CORS on same domain.
+     *
+     * Since: 2.32.1
+     */
+    sObjProperties[PROP_ENABLE_CORS_SAME_DOMAIN] =
+        g_param_spec_boolean(
+            "enable-cors-same-domain",
+            _("Enable CORS Same Domain"),
+            _("Whether CORS on same domain should be enabled"),
+            TRUE,
+            readWriteConstructParamFlags);
+
+    /**
+     * WebKitSettings:disable-cors-redirection:
+     *
+     * Enable or disable CORS redirection.
+     *
+     * Since: 2.32.1
+     */
+    sObjProperties[PROP_DISABLE_CORS_REDIRECTION] =
+        g_param_spec_boolean(
+            "disable-cors-redirection",
+            _("Disable CORS redirection"),
+            _("Whether CORS redirection should be disabled"),
+            FALSE,
+            readWriteConstructParamFlags);
+
     g_object_class_install_properties(gObjectClass, N_PROPERTIES, sObjProperties);
 }
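Review bot: The three property descriptions do not say what the settings do or how they depend on each other. Going by the loader hunks in this patch, `disable-cors` set to TRUE makes requestResource and loadLink refuse loads whose host differs from the document's, `enable-cors-same-domain` only widens that comparison to the registrable domain, and `disable-cors-redirection` only takes effect together with `disable-cors`. The doc comments should state this, and make clear that the name does not mean CORS checks are switched off. `Since: 2.32.1` also looks stale for a patch against webkitgtk-2.40.0.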
 
@@ -4031,3 +4097,117 @@ void webkit_settings_set_disable_web_sec
     priv->preferences->setWebSecurityEnabled(!disabled);
     g_object_notify_by_pspec(G_OBJECT(settings), sObjProperties[PROP_DISABLE_WEB_SECURITY]);
 }
+
+/**
+ * webkit_settings_get_disable_cors:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors property.
+ *
+ * Returns: %TRUE If CORS is disabled or %FALSE otherwise.
+ *
+ * Since: 2.32.1
+ */
+gboolean webkit_settings_get_disable_cors(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORS();
+}
+
+/**
+ * webkit_settings_set_disable_cors:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors property.
+ *
+ * Since: 2.32.1
+ */
+void webkit_settings_set_disable_cors(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORS() == allowed)
+        return;
+
+    priv->preferences->setDisableCORS(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors");
+}
+
+/**
+ * webkit_settings_get_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Returns: %TRUE If CORS within the same domain is enabled or %FALSE otherwise.
+ *
+ * Since: 2.32.1
+ */
+gboolean webkit_settings_get_enable_cors_same_domain(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->enableCORSSameDomain();
+}
+
+/**
+ * webkit_settings_set_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Since: 2.32.1
+ */
+void webkit_settings_set_enable_cors_same_domain(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->enableCORSSameDomain() == allowed)
+        return;
+
+    priv->preferences->setEnableCORSSameDomain(allowed);
+    g_object_notify(G_OBJECT(settings), "enable-cors-same-domain");
+}
+
+/**
+ * webkit_settings_get_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Returns: %TRUE If CORS redirection is disabled or %FALSE otherwise.
+ *
+ * Since: 2.32.1
+ */
+gboolean webkit_settings_get_disable_cors_redirection(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORSRedirection();
+}
+
+/**
+ * webkit_settings_set_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Since: 2.32.1
+ */
+void webkit_settings_set_disable_cors_redirection(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORSRedirection() == allowed)
+        return;
+
+    priv->preferences->setDisableCORSRedirection(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors-redirection");
+}
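Review bot: The new setters notify with a string lookup, `g_object_notify(G_OBJECT(settings), "disable-cors")`, while the existing setter directly above uses `g_object_notify_by_pspec` with `sObjProperties[...]`. For consistency, and to avoid a property-name typo that only shows up at runtime, use `g_object_notify_by_pspec(G_OBJECT(settings), sObjProperties[PROP_DISABLE_CORS]);` and the matching `PROP_ENABLE_CORS_SAME_DOMAIN` / `PROP_DISABLE_CORS_REDIRECTION` entries. `webkit_settings_get_enable_cors_same_domain` returns `FALSE` from `g_return_val_if_fail` although the property default is `TRUE`; returning `TRUE` there would match the default. In the doc comments, `%TRUE If` should read `%TRUE if`.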
diff -pruN webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.h.in webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/glib/WebKitSettings.h.in
--- webkitgtk-2.40.0-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.h.in	2023-02-20 10:22:21.473753700 +0100
+++ webkitgtk-2.40.0-new/Source/WebKit/UIProcess/API/glib/WebKitSettings.h.in	2023-03-18 13:25:08.114169897 +0100
@@ -540,6 +540,27 @@ webkit_settings_get_disable_web_security
 webkit_settings_set_disable_web_security                       (WebKitSettings *settings,
                                                                 gboolean        disabled);
 
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors                               (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors                               (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_enable_cors_same_domain                    (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_enable_cors_same_domain                    (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors_redirection                   (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors_redirection                   (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
 G_END_DECLS
 
 #endif /* WebKitSettings_h */
diff -pruN webkitgtk-2.40.0-orig/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml webkitgtk-2.40.0-new/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
--- webkitgtk-2.40.0-orig/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml	2023-03-17 11:00:23.465180200 +0100
+++ webkitgtk-2.40.0-new/Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml	2023-03-18 23:42:48.031500201 +0100
@@ -2049,6 +2049,32 @@ DirectoryUploadEnabled:
     WebCore:
       default: false
 
+DisableCORS:
+  type: bool
+  status: stable
+  category: security
+  humanReadableName: "Disable CORS"
+  defaultValue:
+    WebKitLegacy:
+      default: false
+    WebKit:
+      default: false
+    WebCore:
+      default: false
+
+DisableCORSRedirection:
+  type: bool
+  status: stable
+  category: security
+  humanReadableName: "Disable CORS Redirection"
+  defaultValue:
+    WebKitLegacy:
+      default: false
+    WebKit:
+      default: false
+    WebCore:
+      default: false
+
 # FIXME: Starting the preference name with "Disable" is inconsistent with most other preferences and should be changed.
 DisableScreenSizeOverride:
   type: bool
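Review bot: `DisableCORS` and `DisableCORSRedirection` add two more preferences whose names start with "Disable", a pattern that the existing FIXME on `DisableScreenSizeOverride` just below already calls inconsistent with most other preferences. All three new entries (including `EnableCORSSameDomain` in the next hunk) are `status: stable` in `category: security` but carry no description of their effect. A comment above each would help, e.g. `# When true, subresource loads to a host other than the document's are refused.` for `DisableCORS`, plus a note that the other two only take effect when `DisableCORS` is true.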
@@ -2139,6 +2165,19 @@ EmbedElementEnabled:
   defaultValue:
     WebKitLegacy:
       default: true
+    WebKit:
+      default: true
+    WebCore:
+      default: true
+
+EnableCORSSameDomain:
+  type: bool
+  status: stable
+  category: security
+  humanReadableName: "Enable CORS Same Domain"
+  defaultValue:
+    WebKitLegacy:
+      default: true
     WebKit:
       default: true
     WebCore:
