Add the following new web settings to control Cross-Origin
Resource Sharing (CORS) for improved security and privacy:

- disable-cors: to disable the CORS mode (can be tested for
  example here: https://test-cors.appspot.com/#technical);
- enable-cors-same-domain: to enable loading resources
  from a different site within the same domain (slightly
  less safe, but more functional);
- disable-cors-redirection: to disable redirection (safer,
  but much less functional).

This version of the patch is intended for the stable
releases 2.20.x, although it has not been tested. If you
are looking for a well-tested setup, use version 2.18.x and
the associated patch version.
---
 Source/WebCore/loader/LinkLoader.cpp                 |   16 +
 Source/WebCore/loader/SubresourceLoader.cpp          |   47 ++++
 Source/WebCore/loader/SubresourceLoader.h            |    3 
 Source/WebCore/loader/cache/CachedResourceLoader.cpp |   21 ++
 Source/WebCore/page/Page.h                           |    5 
 Source/WebCore/page/Settings.yaml                    |    6 
 Source/WebKit/Shared/WebPreferences.yaml             |   12 +
 Source/WebKit/UIProcess/API/C/WKPreferences.cpp      |   30 +++
 Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp  |  180 +++++++++++++++++++
 Source/WebKit/UIProcess/API/gtk/WebKitSettings.h     |   21 ++
 10 files changed, 338 insertions(+), 3 deletions(-)

diff -pru webkitgtk-2.20.1-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp webkitgtk-2.20.1/Source/WebCore/loader/cache/CachedResourceLoader.cpp
--- webkitgtk-2.20.1-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2018-02-19 08:45:32.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2019-01-07 17:09:14.845756256 +0100
@@ -60,6 +60,7 @@
 #include "Page.h"
 #include "PingLoader.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "RenderElement.h"
 #include "ResourceLoadInfo.h"
 #include "ResourceTiming.h"
@@ -775,6 +776,23 @@ ResourceErrorOr<CachedResourceHandle<Cac
         return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, ASCIILiteral("URL is invalid") });
     }
 
+    bool disableCORS = frame()->page()->isCORSDisabled();
+    bool enableCORSSameDomain = frame()->page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(url.host());
+            String documentDomain = topPrivatelyControlledDomain(frame()->document()->url().host());
+            if (!equalIgnoringASCIICase(requestDomain, documentDomain) && type != CachedResource::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, ASCIILiteral("Resource blocked by Cross-Origin Resource Sharing policy"), ResourceError::Type::AccessControl });
+            }
+        } else if (!equalIgnoringASCIICase(url.host(), frame()->document()->url().host()) && type != CachedResource::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, ASCIILiteral("Resource blocked by Cross-Origin Resource Sharing policy"), ResourceError::Type::AccessControl });
+        }
+    }
+
     prepareFetch(type, request);
 
     // We are passing url as well as request, as request url may contain a fragment identifier.
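Review bot: The added block dereferences `frame()`, `frame()->page()` and `frame()->document()` without a null check, whereas the SubresourceLoader accessors added in this same patch test both `m_frame` and `m_frame->page()` before reading the settings; if this loader can run without a frame or page, the new lines would crash. The two branches differ only in whether the hosts pass through `topPrivatelyControlledDomain()`, and neither handles an empty result the way the LinkLoader hunk does with `documentDomain.isEmpty()`, so the two call sites can disagree for hosts with no registrable domain (depending on what the helper returns for them). Both comparisons use the host alone, so scheme and port are ignored, which is a looser test than an origin check and should be stated in a comment. The single guarded block below removes the duplicated log/return pair; it skips the check when no page or document is available, and whether that case should instead refuse the load is a policy decision to record there. The enclosing function starts and ends outside the hunk.

```cpp
    // … unchanged: URL validity check …
    auto* currentFrame = frame();
    auto* page = currentFrame ? currentFrame->page() : nullptr;
    auto* currentDocument = currentFrame ? currentFrame->document() : nullptr;
    // Host-only comparison: scheme and port are not part of this check.
    if (page && currentDocument && page->isCORSDisabled() && type != CachedResource::MainResource) {
        String requestHost = url.host();
        String documentHost = currentDocument->url().host();
        if (page->isCORSSameDomainEnabled()) {
            requestHost = topPrivatelyControlledDomain(requestHost);
            documentHost = topPrivatelyControlledDomain(documentHost);
        }
        if (!equalIgnoringASCIICase(requestHost, documentHost)) {
            // … unchanged: RELEASE_LOG_IF_ALLOWED and makeUnexpected(... AccessControl) return …
        }
    }
    // … unchanged: prepareFetch(type, request) …
```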
@@ -858,7 +876,8 @@ ResourceErrorOr<CachedResourceHandle<Cac
     RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get(), forPreload, defer);
     switch (policy) {
     case Reload:
-        memoryCache.remove(*resource);
+        if (resource)
+            memoryCache.remove(*resource);
         FALLTHROUGH;
     case Load:
         if (resource)
diff -pru webkitgtk-2.20.1-orig/Source/WebCore/loader/LinkLoader.cpp webkitgtk-2.20.1/Source/WebCore/loader/LinkLoader.cpp
--- webkitgtk-2.20.1-orig/Source/WebCore/loader/LinkLoader.cpp	2018-02-19 11:49:36.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/loader/LinkLoader.cpp	2019-01-07 17:09:14.845756256 +0100
@@ -50,7 +50,9 @@
 #include "LoaderStrategy.h"
 #include "MIMETypeRegistry.h"
 #include "MediaQueryEvaluator.h"
+#include "Page.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "ResourceError.h"
 #include "RuntimeEnabledFeatures.h"
 #include "Settings.h"
@@ -255,6 +257,20 @@ void LinkLoader::cancelLoad()
 
 bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const URL& href, const String& as, const String& media, const String& mimeType, const String& crossOrigin, Document& document)
 {
+    bool disableCORS = document.page()->isCORSDisabled();
+    bool enableCORSSameDomain = document.page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(href.host());
+            String documentDomain = topPrivatelyControlledDomain(document.url().host());
+            if (!documentDomain.isEmpty() && !equalIgnoringASCIICase(requestDomain, documentDomain))
+                return false;
+        } else if (!document.url().host().isEmpty() && href.host() != document.url().host()) {
+                return false;
+        }
+    }
+
     if (relAttribute.isDNSPrefetch) {
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt
         // to complete that as URL <https://bugs.webkit.org/show_bug.cgi?id=48857>.
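Review bot: `document.page()` is dereferenced on the first added line without a null check, and a document that is not attached to a page would presumably return null there; reading it once with `auto* page = document.page();` and testing `if (page && page->isCORSDisabled()) {` avoids that. The guards `!documentDomain.isEmpty()` and `!document.url().host().isEmpty()` make this check allow every link when the document host is empty, which the equivalent block in CachedResourceLoader.cpp does not do. The host test here uses `!=` where that block uses `equalIgnoringASCIICase`, so the two sites would be safer sharing one helper. loadLink's body continues outside the hunk.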
diff -pru webkitgtk-2.20.1-orig/Source/WebCore/loader/SubresourceLoader.cpp webkitgtk-2.20.1/Source/WebCore/loader/SubresourceLoader.cpp
--- webkitgtk-2.20.1-orig/Source/WebCore/loader/SubresourceLoader.cpp	2018-02-26 11:50:22.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/loader/SubresourceLoader.cpp	2019-01-07 17:09:14.846756256 +0100
@@ -167,6 +167,39 @@ bool SubresourceLoader::isSubresourceLoa
     return true;
 }
 
+bool SubresourceLoader::isCORSDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSDisabled();
+}
+
+bool SubresourceLoader::isCORSSameDomainEnabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSSameDomainEnabled();
+}
+
+bool SubresourceLoader::isCORSRedirectionDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSRedirectionDisabled();
+}
+
 void SubresourceLoader::willSendRequestInternal(ResourceRequest&& newRequest, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
 {
     // Store the previous URL because the call to ResourceLoader::willSendRequest will modify it.
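Review bot: The three accessors repeat the same two null checks and all return false when the frame or page is gone, so a detached loader reports every restriction as off; a comment such as `// No frame or page: settings unavailable, report the restriction as off.` would make that fail-open choice explicit. Each body can be reduced to `auto* page = m_frame ? m_frame->page() : nullptr;` followed by `return page && page->isCORSDisabled();` (and the matching getter for the other two). willSendRequestInternal at the end of the hunk continues outside it.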
@@ -520,14 +553,24 @@ bool SubresourceLoader::checkRedirection
 {
     bool crossOriginFlag = m_resource->isCrossOrigin();
     bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
+    bool disableCORS = isCORSDisabled();
+    bool disableCORSRedirection = isCORSRedirectionDisabled();
 
     if (isNextRequestCrossOrigin)
         m_resource->setCrossOrigin();
 
     ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin());
 
-    if (options().mode != FetchOptions::Mode::Cors)
-        return true;
+    if (options().mode != FetchOptions::Mode::Cors) {
+        if (!disableCORS) {
+            return true;
+        } else {
+            if (!disableCORSRedirection)
+                return true;
+            else
+                return false;
+        }
+    }
 
     // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
     if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
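Review bot: The new refusal sits inside `if (options().mode != FetchOptions::Mode::Cors)`, so with both settings on a request in Cors mode still falls through to the normal redirect checks, while every other mode is refused, same-origin redirects included, because `isNextRequestCrossOrigin` is not consulted. If the setting is meant to stop redirects for all subresources, the test belongs before the mode check as `if (disableCORS && disableCORSRedirection) return false;`. If the current scope is intended, the nested if/else reduces to `return !(disableCORS && disableCORSRedirection);`. No error text is set on the refusal path in the visible lines, so the caller may report an empty reason; the function's signature and tail are outside the hunk.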
diff -pru webkitgtk-2.20.1-orig/Source/WebCore/loader/SubresourceLoader.h webkitgtk-2.20.1/Source/WebCore/loader/SubresourceLoader.h
--- webkitgtk-2.20.1-orig/Source/WebCore/loader/SubresourceLoader.h	2018-02-26 11:50:22.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/loader/SubresourceLoader.h	2019-01-07 17:09:14.847756256 +0100
@@ -48,6 +48,9 @@ public:
 
     void cancelIfNotFinishing();
     bool isSubresourceLoader() override;
+    bool isCORSDisabled() const;
+    bool isCORSSameDomainEnabled() const;
+    bool isCORSRedirectionDisabled() const;
     CachedResource* cachedResource();
 
     SecurityOrigin* origin() { return m_origin.get(); }
diff -pru webkitgtk-2.20.1-orig/Source/WebCore/page/Page.h webkitgtk-2.20.1/Source/WebCore/page/Page.h
--- webkitgtk-2.20.1-orig/Source/WebCore/page/Page.h	2018-02-19 08:45:32.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/page/Page.h	2019-01-07 17:09:14.847756256 +0100
@@ -31,6 +31,7 @@
 #include "RTCController.h"
 #include "Region.h"
 #include "ScrollTypes.h"
+#include "Settings.h"
 #include "Supplementable.h"
 #include "Timer.h"
 #include "UserInterfaceLayoutDirection.h"
@@ -596,6 +597,10 @@ public:
     WEBCORE_EXPORT void applicationWillEnterForeground();
     WEBCORE_EXPORT void applicationDidBecomeActive();
 
+    bool isCORSDisabled() const { return m_settings->disableCORS(); }
+    bool isCORSSameDomainEnabled() const { return m_settings->enableCORSSameDomain(); }
+    bool isCORSRedirectionDisabled() const { return m_settings->disableCORSRedirection(); }
+
 private:
     struct Navigation {
         String domain;
diff -pru webkitgtk-2.20.1-orig/Source/WebCore/page/Settings.yaml webkitgtk-2.20.1/Source/WebCore/page/Settings.yaml
--- webkitgtk-2.20.1-orig/Source/WebCore/page/Settings.yaml	2018-02-20 14:38:15.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebCore/page/Settings.yaml	2019-01-07 17:09:56.807754319 +0100
@@ -101,6 +101,12 @@ allowFileAccessFromFileURLs:
   initial: true
 allowSettingAnyXHRHeaderFromFileURLs:
   initial: false
+disableCORS:
+  initial: false
+enableCORSSameDomain:
+  initial: true
+disableCORSRedirection:
+  initial: false
 needsStorageAccessFromFileURLsQuirk:
   initial: true
 javaScriptCanOpenWindowsAutomatically:
diff -pru webkitgtk-2.20.1-orig/Source/WebKit/Shared/WebPreferences.yaml webkitgtk-2.20.1/Source/WebKit/Shared/WebPreferences.yaml
--- webkitgtk-2.20.1-orig/Source/WebKit/Shared/WebPreferences.yaml	2018-02-19 08:45:32.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebKit/Shared/WebPreferences.yaml	2019-01-07 17:09:14.850756255 +0100
@@ -183,6 +183,18 @@ AllowSettingAnyXHRHeaderFromFileURLs:
   type: bool
   defaultValue: false
 
+DisableCORS:
+  type: bool
+  defaultValue: false
+
+EnableCORSSameDomain:
+  type: bool
+  defaultValue: true
+
+DisableCORSRedirection:
+  type: bool
+  defaultValue: false
+
 AVFoundationEnabled:
   type: bool
   defaultValue: true
diff -pru webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp webkitgtk-2.20.1/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
--- webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2018-02-19 08:45:32.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2019-01-07 17:09:14.851756255 +0100
@@ -745,6 +745,36 @@ bool WKPreferencesGetFileAccessFromFileU
     return toImpl(preferencesRef)->allowFileAccessFromFileURLs();
 }
 
+void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORS(allowed);
+}
+
+bool WKPreferencesGetDisableCORS(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORS();
+}
+
+void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setEnableCORSSameDomain(allowed);
+}
+
+bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->enableCORSSameDomain();
+}
+
+void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORSRedirection(allowed);
+}
+
+bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORSRedirection();
+}
+
 void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferencesRef, bool needsQuirk)
 {
     toImpl(preferencesRef)->setNeedsStorageAccessFromFileURLsQuirk(needsQuirk);
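Review bot: The setters name their parameter `allowed` although two of the three preferences are disable switches, so `WKPreferencesSetDisableCORS(ref, true)` reads as permitting something while it turns a restriction on; `disabled` and `enabled` would match the getters. The same naming appears in the `webkit_settings_set_disable_cors*` setters in WebKitSettings.cpp and their prototypes in WebKitSettings.h. The diffstat lists no WKPreferences header, so unless these six functions are declared elsewhere they have no exported prototype for C API clients.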
diff -pru webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp webkitgtk-2.20.1/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp
--- webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2018-02-19 08:45:33.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2019-01-07 17:09:14.853756255 +0100
@@ -158,6 +158,9 @@ enum {
 #if PLATFORM(GTK)
     PROP_HARDWARE_ACCELERATION_POLICY,
 #endif
+    PROP_DISABLE_CORS,
+    PROP_ENABLE_CORS_SAME_DOMAIN,
+    PROP_DISABLE_CORS_REDIRECTION,
 };
 
 static void webKitSettingsDispose(GObject* object)
@@ -363,6 +366,15 @@ static void webKitSettingsSetProperty(GO
         webkit_settings_set_hardware_acceleration_policy(settings, static_cast<WebKitHardwareAccelerationPolicy>(g_value_get_enum(value)));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        webkit_settings_set_disable_cors(settings, g_value_get_boolean(value));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        webkit_settings_set_enable_cors_same_domain(settings, g_value_get_boolean(value));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        webkit_settings_set_disable_cors_redirection(settings, g_value_get_boolean(value));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -534,6 +546,15 @@ static void webKitSettingsGetProperty(GO
         g_value_set_enum(value, webkit_settings_get_hardware_acceleration_policy(settings));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors(settings));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        g_value_set_boolean(value, webkit_settings_get_enable_cors_same_domain(settings));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors_redirection(settings));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -1377,6 +1398,51 @@ static void webkit_settings_class_init(W
             WEBKIT_HARDWARE_ACCELERATION_POLICY_ON_DEMAND,
             readWriteConstructParamFlags));
 #endif // PLATFOTM(GTK)
+
+    /**
+     * WebKitSettings:disable-cors:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) is disabled.
+     *
+     * Since: 2.20.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS,
+        g_param_spec_boolean("disable-cors",
+            _("Disable Cross Origin Resource Sharing (CORS)"),
+            _("Whether Cross Origin Resource Sharing (CORS) is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:enable-cors-same-domain:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled.
+     *
+     * Since: 2.20.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_ENABLE_CORS_SAME_DOMAIN,
+        g_param_spec_boolean("enable-cors-same-domain",
+            _("Enable Cross Origin Resource Sharing (CORS) within the same domain"),
+            _("Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled."),
+            TRUE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:disable-cors-redirection:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) Redirection is disabled.
+     *
+     * Since: 2.20.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS_REDIRECTION,
+        g_param_spec_boolean("disable-cors-redirection",
+            _("Disable Cross Origin Resource Sharing (CORS) Redirection"),
+            _("Whether Cross Origin Resource Sharing (CORS) Redirection is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
 }
 
 WebPreferences* webkitSettingsGetPreferences(WebKitSettings* settings)
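Review bot: The property blurbs say only that CORS "is disabled", but the loader hunks in this patch use disable-cors to refuse subresources whose host differs from the document's, and enable-cors-same-domain and disable-cors-redirection take effect only when disable-cors is TRUE. An embedder reading "disable CORS" is likely to expect cross-origin checks to be relaxed rather than tightened, so the doc comment should state the effect, for example `Whether subresource loads from a host other than the document's are blocked.`, and the other two should name their dependency on disable-cors. `Since: 2.20.1` names an upstream release for API that appears to come from this patch alone, which is worth marking as patch-specific. webkit_settings_class_init begins outside the hunk.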
@@ -3402,3 +3468,117 @@ guint32 webkit_settings_font_size_to_pix
     return std::round(points * WebCore::screenDPI() / 72);
 }
 #endif // PLATFORM(GTK)
+
+/**
+ * webkit_settings_get_disable_cors:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors property.
+ *
+ * Returns: %TRUE If CORS is disabled or %FALSE otherwise.
+ *
+ * Since: 2.20.1
+ */
+gboolean webkit_settings_get_disable_cors(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORS();
+}
+
+/**
+ * webkit_settings_set_disable_cors:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors property.
+ *
+ * Since: 2.20.1
+ */
+void webkit_settings_set_disable_cors(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORS() == allowed)
+        return;
+
+    priv->preferences->setDisableCORS(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors");
+}
+
+/**
+ * webkit_settings_get_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Returns: %TRUE If CORS within the same domain is enabled or %FALSE otherwise.
+ *
+ * Since: 2.20.1
+ */
+gboolean webkit_settings_get_enable_cors_same_domain(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->enableCORSSameDomain();
+}
+
+/**
+ * webkit_settings_set_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Since: 2.20.1
+ */
+void webkit_settings_set_enable_cors_same_domain(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->enableCORSSameDomain() == allowed)
+        return;
+
+    priv->preferences->setEnableCORSSameDomain(allowed);
+    g_object_notify(G_OBJECT(settings), "enable-cors-same-domain");
+}
+
+/**
+ * webkit_settings_get_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Returns: %TRUE If CORS redirection is disabled or %FALSE otherwise.
+ *
+ * Since: 2.20.1
+ */
+gboolean webkit_settings_get_disable_cors_redirection(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORSRedirection();
+}
+
+/**
+ * webkit_settings_set_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Since: 2.20.1
+ */
+void webkit_settings_set_disable_cors_redirection(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORSRedirection() == allowed)
+        return;
+
+    priv->preferences->setDisableCORSRedirection(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors-redirection");
+}
diff -pru webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h webkitgtk-2.20.1/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h
--- webkitgtk-2.20.1-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2018-02-19 08:45:33.000000000 +0100
+++ webkitgtk-2.20.1/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2019-01-07 17:09:14.854756255 +0100
@@ -464,6 +464,27 @@ webkit_settings_font_size_to_points
 WEBKIT_API guint32
 webkit_settings_font_size_to_pixels                            (guint32 points);
 
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors                               (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors                               (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_enable_cors_same_domain                    (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_enable_cors_same_domain                    (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors_redirection                   (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors_redirection                   (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
 G_END_DECLS
 
 #endif /* WebKitSettings_h */
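Review bot: The prototypes are added only to the gtk/ header, while the definitions go into glib/WebKitSettings.cpp after the `#endif // PLATFORM(GTK)` line, so they are compiled for any port that builds that file; if another port shares it, that port gets the symbols without declarations. Either wrap the definitions in `#if PLATFORM(GTK)` or add matching prototypes to the other port's header. The diffstat also shows no change to an API documentation index, so the six new symbols may be missing from the generated reference.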
