Add the following new web settings to control Cross-Origin
Resource Sharing (CORS) for improved security and privacy:

- disable-cors: to disable the CORS mode (can be tested for
  example here: https://test-cors.appspot.com/#technical);
- enable-cors-same-domain: to enable loading resources
  from a different site within the same domain (slightly
  less safe, but more functional);
- disable-cors-redirection: to disable redirection (safer,
  but much less functional).

This version of the patch is intended for the current stable
branch (2.22.x).

This patch will probably work; however, it has never been
tested and has only been adapted from patches targeting previous
releases. If you are looking for a well-tested patch, use
the one targeting 2.18.x.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 Source/WebCore/loader/LinkLoader.cpp                 |   16 +
 Source/WebCore/loader/SubresourceLoader.cpp          |   47 ++++
 Source/WebCore/loader/SubresourceLoader.h            |    3 
 Source/WebCore/loader/cache/CachedResourceLoader.cpp |   21 ++
 Source/WebCore/page/Page.h                           |    5 
 Source/WebCore/page/Settings.yaml                    |    6 
 Source/WebKit/Shared/WebPreferences.yaml             |   12 +
 Source/WebKit/UIProcess/API/C/WKPreferences.cpp      |   30 +++
 Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp  |  180 +++++++++++++++++++
 Source/WebKit/UIProcess/API/gtk/WebKitSettings.h     |   21 ++
 10 files changed, 338 insertions(+), 3 deletions(-)

diff -pru webkitgtk-2.22.5-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp webkitgtk-2.22.5/Source/WebCore/loader/cache/CachedResourceLoader.cpp
--- webkitgtk-2.22.5-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2019-01-07 16:37:46.323068964 +0100
@@ -59,6 +59,7 @@
 #include "Page.h"
 #include "PingLoader.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "RenderElement.h"
 #include "ResourceLoadInfo.h"
 #include "ResourceTiming.h"
@@ -796,6 +797,23 @@ ResourceErrorOr<CachedResourceHandle<Cac
         return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "URL is invalid"_s });
     }
 
+    bool disableCORS = frame()->page()->isCORSDisabled();
+    bool enableCORSSameDomain = frame()->page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(url.host().toString());
+            String documentDomain = topPrivatelyControlledDomain(frame()->document()->url().host().toString());
+            if (!equalIgnoringASCIICase(requestDomain, documentDomain) && type != CachedResource::Type::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl });
+            }
+        } else if (!equalIgnoringASCIICase(url.host(), frame()->document()->url().host()) && type != CachedResource::Type::MainResource) {
+                RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame());
+                return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl });
+        }
+    }
+
     prepareFetch(type, request);
 
     // We are passing url as well as request, as request url may contain a fragment identifier.
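Review bot: The added lines `frame()->page()->isCORSDisabled()` and `frame()->page()->isCORSSameDomainEnabled()` dereference `frame()` and `page()` without a null check, and the branches below do the same with `frame()->document()`; nothing visible in this hunk guarantees any of them is non-null, whereas the `SubresourceLoader` accessors added by this same patch do guard `m_frame` and `m_frame->page()`. The same applies to `document.page()` at the top of `LinkLoader::loadLink`. I would fetch the page once with `auto* page = frame() ? frame()->page() : nullptr;`, derive the flag as `bool disableCORS = page && page->isCORSDisabled();`, and guard `frame()->document()` the same way before reading its URL. The enclosing function starts and ends outside the hunk, so an earlier check may exist that is not visible here.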
@@ -879,7 +897,8 @@ ResourceErrorOr<CachedResourceHandle<Cac
     RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get(), forPreload, defer);
     switch (policy) {
     case Reload:
-        memoryCache.remove(*resource);
+        if (resource)
+            memoryCache.remove(*resource);
         FALLTHROUGH;
     case Load:
         if (resource)
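Review bot: The new `if (resource)` guard in the `Reload` case is unrelated to the CORS settings and is not mentioned in the commit message, so a reader cannot tell whether a null `resource` was actually observed on this path or the check is only defensive. Either move it to its own patch or record the reason in place, for example `// resource may be null here; see the matching check in the Load case`. The switch continues outside the hunk.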
diff -pru webkitgtk-2.22.5-orig/Source/WebCore/loader/LinkLoader.cpp webkitgtk-2.22.5/Source/WebCore/loader/LinkLoader.cpp
--- webkitgtk-2.22.5-orig/Source/WebCore/loader/LinkLoader.cpp	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/loader/LinkLoader.cpp	2019-01-07 16:09:22.537114369 +0100
@@ -50,7 +50,9 @@
 #include "LoaderStrategy.h"
 #include "MIMETypeRegistry.h"
 #include "MediaQueryEvaluator.h"
+#include "Page.h"
 #include "PlatformStrategies.h"
+#include "PublicSuffix.h"
 #include "ResourceError.h"
 #include "RuntimeEnabledFeatures.h"
 #include "Settings.h"
@@ -290,6 +292,20 @@ void LinkLoader::cancelLoad()
 
 bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const URL& href, const String& as, const String& media, const String& mimeType, const String& crossOrigin, Document& document)
 {
+    bool disableCORS = document.page()->isCORSDisabled();
+    bool enableCORSSameDomain = document.page()->isCORSSameDomainEnabled();
+
+    if (disableCORS) {
+        if (enableCORSSameDomain) {
+            String requestDomain = topPrivatelyControlledDomain(href.host().toString());
+            String documentDomain = topPrivatelyControlledDomain(document.url().host().toString());
+            if (!documentDomain.isEmpty() && !equalIgnoringASCIICase(requestDomain, documentDomain))
+                return false;
+        } else if (!document.url().host().isEmpty() && href.host() != document.url().host()) {
+                return false;
+        }
+    }
+
     if (relAttribute.isDNSPrefetch) {
         // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt
         // to complete that as URL <https://bugs.webkit.org/show_bug.cgi?id=48857>.
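Review bot: In the same-domain branch the test `!documentDomain.isEmpty() && ...` lets every link through when the document's registrable domain is empty, so for a document whose host `topPrivatelyControlledDomain()` cannot classify (presumably IP literals or single-label hosts) turning on `enable-cors-same-domain` removes the restriction entirely. The copy of this check in `CachedResourceLoader::requestResource` has no such guard and instead treats two empty results as equal, and it compares hosts with `equalIgnoringASCIICase` where this one uses `!=`, so the two call sites already disagree. One helper used by both, which accepts an exact host match first and accepts a registrable-domain match only when that domain is non-empty, would keep them in step; the sketch below is stricter than the hunk for documents with an empty host. `loadLink` continues outside the hunk.

```cpp
// Returns true when a load of `target` from a document at `source` is allowed
// while the disable-cors setting is on.
static bool isAllowedByHostPolicy(const URL& target, const URL& source, bool allowSameDomain)
{
    if (equalIgnoringASCIICase(target.host(), source.host()))
        return true;
    if (!allowSameDomain)
        return false;
    String targetDomain = topPrivatelyControlledDomain(target.host().toString());
    String sourceDomain = topPrivatelyControlledDomain(source.host().toString());
    // An empty result means the host could not be classified; never treat that as a match.
    return !targetDomain.isEmpty() && equalIgnoringASCIICase(targetDomain, sourceDomain);
}

bool LinkLoader::loadLink(const LinkRelAttribute& relAttribute, const URL& href, const String& as, const String& media, const String& mimeType, const String& crossOrigin, Document& document)
{
    auto* page = document.page();
    if (page && page->isCORSDisabled() && !isAllowedByHostPolicy(href, document.url(), page->isCORSSameDomainEnabled()))
        return false;

    // … unchanged: DNS prefetch handling and the rest of loadLink …
```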
diff -pru webkitgtk-2.22.5-orig/Source/WebCore/loader/SubresourceLoader.cpp webkitgtk-2.22.5/Source/WebCore/loader/SubresourceLoader.cpp
--- webkitgtk-2.22.5-orig/Source/WebCore/loader/SubresourceLoader.cpp	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/loader/SubresourceLoader.cpp	2019-01-06 21:31:42.687140625 +0100
@@ -170,6 +170,39 @@ bool SubresourceLoader::isSubresourceLoa
     return true;
 }
 
+bool SubresourceLoader::isCORSDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSDisabled();
+}
+
+bool SubresourceLoader::isCORSSameDomainEnabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSSameDomainEnabled();
+}
+
+bool SubresourceLoader::isCORSRedirectionDisabled() const
+{
+    if (!m_frame)
+        return false;
+
+    if (!m_frame->page())
+        return false;
+
+    return m_frame->page()->isCORSRedirectionDisabled();
+}
+
 void SubresourceLoader::willSendRequestInternal(ResourceRequest&& newRequest, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
 {
     // Store the previous URL because the call to ResourceLoader::willSendRequest will modify it.
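Review bot: The three accessors `isCORSDisabled()`, `isCORSSameDomainEnabled()` and `isCORSRedirectionDisabled()` repeat the same two null checks, and each body can shrink to `auto* page = m_frame ? m_frame->page() : nullptr;` followed by `return page && page->isCORSDisabled();` (with the matching call in the other two). A short comment that `false` is returned when the frame or page is gone would also help, because for the two `disable` settings that result means the restriction is not applied.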
@@ -543,14 +576,24 @@ bool SubresourceLoader::checkRedirection
 {
     bool crossOriginFlag = m_resource->isCrossOrigin();
     bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
+    bool disableCORS = isCORSDisabled();
+    bool disableCORSRedirection = isCORSRedirectionDisabled();
 
     if (isNextRequestCrossOrigin)
         m_resource->setCrossOrigin();
 
     ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin());
 
-    if (options().mode != FetchOptions::Mode::Cors)
-        return true;
+    if (options().mode != FetchOptions::Mode::Cors) {
+        if (!disableCORS) {
+            return true;
+        } else {
+            if (!disableCORSRedirection)
+                return true;
+            else
+                return false;
+        }
+    }
 
     // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 8 & 9.
     if (m_resource->isCrossOrigin() && !isValidCrossOriginRedirectionURL(newRequest.url())) {
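Review bot: The new `return false` sits inside `if (options().mode != FetchOptions::Mode::Cors)`, so `disable-cors-redirection` only stops redirects for requests that are not in CORS mode; a request in CORS mode falls through to the existing checks and can still be redirected. The branch also never consults `isNextRequestCrossOrigin`, so same-origin redirects are refused as well, and the setting does nothing unless `disable-cors` is on too. If the intent is to refuse every redirect, replace the nested if/else with `if (disableCORS && disableCORSRedirection) return false;` placed before the mode test and keep `if (options().mode != FetchOptions::Mode::Cors) return true;` as it was; if only cross-origin redirects are meant, add `&& isNextRequestCrossOrigin` to the condition. The function's signature is outside the hunk, so it is not visible whether an error-message out parameter should be filled before returning false.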
diff -pru webkitgtk-2.22.5-orig/Source/WebCore/loader/SubresourceLoader.h webkitgtk-2.22.5/Source/WebCore/loader/SubresourceLoader.h
--- webkitgtk-2.22.5-orig/Source/WebCore/loader/SubresourceLoader.h	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/loader/SubresourceLoader.h	2019-01-06 21:37:47.293285832 +0100
@@ -49,6 +49,9 @@ public:
 
     void cancelIfNotFinishing();
     bool isSubresourceLoader() const override;
+    bool isCORSDisabled() const;
+    bool isCORSSameDomainEnabled() const;
+    bool isCORSRedirectionDisabled() const;
     CachedResource* cachedResource();
     WEBCORE_EXPORT const HTTPHeaderMap* originalHeaders() const;
 
diff -pru webkitgtk-2.22.5-orig/Source/WebCore/page/Page.h webkitgtk-2.22.5/Source/WebCore/page/Page.h
--- webkitgtk-2.22.5-orig/Source/WebCore/page/Page.h	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/page/Page.h	2019-01-06 21:31:42.689139625 +0100
@@ -32,6 +32,7 @@
 #include "RTCController.h"
 #include "Region.h"
 #include "ScrollTypes.h"
+#include "Settings.h"
 #include "Supplementable.h"
 #include "Timer.h"
 #include "UserInterfaceLayoutDirection.h"
@@ -660,6 +661,10 @@ public:
 
     PerformanceLogging& performanceLogging() const { return *m_performanceLogging; }
 
+    bool isCORSDisabled() const { return m_settings->disableCORS(); }
+    bool isCORSSameDomainEnabled() const { return m_settings->enableCORSSameDomain(); }
+    bool isCORSRedirectionDisabled() const { return m_settings->disableCORSRedirection(); }
+
 private:
     struct Navigation {
         String domain;
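Review bot: These three one-line wrappers only forward to `m_settings`, and making them inline is what forces the first hunk to add `#include "Settings.h"` to `Page.h`, a header that many translation units include. `Page` already exposes `settings()`, so callers could write `page->settings().disableCORS()` and both the wrappers and the new include could be dropped. If the wrappers are kept, declaring them here and defining them in `Page.cpp` avoids the extra include.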
diff -pru webkitgtk-2.22.5-orig/Source/WebCore/page/Settings.yaml webkitgtk-2.22.5/Source/WebCore/page/Settings.yaml
--- webkitgtk-2.22.5-orig/Source/WebCore/page/Settings.yaml	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebCore/page/Settings.yaml	2019-01-06 21:39:15.593289185 +0100
@@ -103,6 +103,12 @@ allowSettingAnyXHRHeaderFromFileURLs:
   initial: false
 allowCrossOriginSubresourcesToAskForCredentials:
   initial: false
+disableCORS:
+  initial: false
+enableCORSSameDomain:
+  initial: true
+disableCORSRedirection:
+  initial: false
 needsStorageAccessFromFileURLsQuirk:
   initial: true
 needsFrameNameFallbackToIdQuirk:
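Review bot: `enableCORSSameDomain` defaults to `initial: true`, so an embedder that turns on only `disableCORS` gets the looser registrable-domain comparison, which the commit message itself calls slightly less safe. Consider `initial: false` here, together with the matching `defaultValue: true` in `WebPreferences.yaml` and the `TRUE` passed to `g_param_spec_boolean` for `enable-cors-same-domain`, so that the stricter behaviour applies unless same-domain loading is requested. A comment such as `# Only consulted when disableCORS is true.` above `enableCORSSameDomain` and `disableCORSRedirection` would also record the dependency between the three settings.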
diff -pru webkitgtk-2.22.5-orig/Source/WebKit/Shared/WebPreferences.yaml webkitgtk-2.22.5/Source/WebKit/Shared/WebPreferences.yaml
--- webkitgtk-2.22.5-orig/Source/WebKit/Shared/WebPreferences.yaml	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebKit/Shared/WebPreferences.yaml	2019-01-06 21:31:42.691138625 +0100
@@ -182,6 +182,18 @@ AllowCrossOriginSubresourcesToAskForCred
   type: bool
   defaultValue: false
 
+DisableCORS:
+  type: bool
+  defaultValue: false
+
+EnableCORSSameDomain:
+  type: bool
+  defaultValue: true
+
+DisableCORSRedirection:
+  type: bool
+  defaultValue: false
+
 AVFoundationEnabled:
   type: bool
   defaultValue: DEFAULT_AVFOUNDATION_ENABLED
diff -pru webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp webkitgtk-2.22.5/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
--- webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2019-01-06 21:31:42.692138125 +0100
@@ -766,6 +766,36 @@ bool WKPreferencesGetFileAccessFromFileU
     return toImpl(preferencesRef)->allowFileAccessFromFileURLs();
 }
 
+void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORS(allowed);
+}
+
+bool WKPreferencesGetDisableCORS(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORS();
+}
+
+void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setEnableCORSSameDomain(allowed);
+}
+
+bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->enableCORSSameDomain();
+}
+
+void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferencesRef, bool allowed)
+{
+    toImpl(preferencesRef)->setDisableCORSRedirection(allowed);
+}
+
+bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->disableCORSRedirection();
+}
+
 void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferencesRef, bool needsQuirk)
 {
     toImpl(preferencesRef)->setNeedsStorageAccessFromFileURLsQuirk(needsQuirk);
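Review bot: These six functions are defined here but no header in the diffstat declares them, so C API clients have no prototype to call them through and, if the declaration macro is what marks symbols as exported in this tree, they may not be visible outside the library. Add matching declarations next to the other private preference functions, for example `WK_EXPORT void WKPreferencesSetDisableCORS(WKPreferencesRef, bool);` and `WK_EXPORT bool WKPreferencesGetDisableCORS(WKPreferencesRef);`. The setter parameter is also named `allowed` although `true` switches a restriction on; `disabled` (or `enabled` for the same-domain setter) would read correctly, and the same applies to the `webkit_settings_set_*` setters and their `@allowed` doc lines later in the patch.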
diff -pru webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp webkitgtk-2.22.5/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp
--- webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2018-12-13 02:57:40.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp	2019-01-07 16:32:10.435084467 +0100
@@ -161,6 +161,9 @@ enum {
 #if PLATFORM(GTK)
     PROP_HARDWARE_ACCELERATION_POLICY,
 #endif
+    PROP_DISABLE_CORS,
+    PROP_ENABLE_CORS_SAME_DOMAIN,
+    PROP_DISABLE_CORS_REDIRECTION,
 };
 
 static void webKitSettingsDispose(GObject* object)
@@ -371,6 +374,15 @@ static void webKitSettingsSetProperty(GO
         webkit_settings_set_hardware_acceleration_policy(settings, static_cast<WebKitHardwareAccelerationPolicy>(g_value_get_enum(value)));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        webkit_settings_set_disable_cors(settings, g_value_get_boolean(value));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        webkit_settings_set_enable_cors_same_domain(settings, g_value_get_boolean(value));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        webkit_settings_set_disable_cors_redirection(settings, g_value_get_boolean(value));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -547,6 +559,15 @@ static void webKitSettingsGetProperty(GO
         g_value_set_enum(value, webkit_settings_get_hardware_acceleration_policy(settings));
         break;
 #endif
+    case PROP_DISABLE_CORS:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors(settings));
+        break;
+    case PROP_ENABLE_CORS_SAME_DOMAIN:
+        g_value_set_boolean(value, webkit_settings_get_enable_cors_same_domain(settings));
+        break;
+    case PROP_DISABLE_CORS_REDIRECTION:
+        g_value_set_boolean(value, webkit_settings_get_disable_cors_redirection(settings));
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec);
         break;
@@ -1414,6 +1435,51 @@ static void webkit_settings_class_init(W
             WEBKIT_HARDWARE_ACCELERATION_POLICY_ON_DEMAND,
             readWriteConstructParamFlags));
 #endif // PLATFOTM(GTK)
+
+    /**
+     * WebKitSettings:disable-cors:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) is disabled.
+     *
+     * Since: 2.22.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS,
+        g_param_spec_boolean("disable-cors",
+            _("Disable Cross Origin Resource Sharing (CORS)"),
+            _("Whether Cross Origin Resource Sharing (CORS) is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:enable-cors-same-domain:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled.
+     *
+     * Since: 2.22.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_ENABLE_CORS_SAME_DOMAIN,
+        g_param_spec_boolean("enable-cors-same-domain",
+            _("Enable Cross Origin Resource Sharing (CORS) within the same domain"),
+            _("Whether Cross Origin Resource Sharing (CORS) within the same domain is enabled."),
+            TRUE,
+            readWriteConstructParamFlags));
+
+    /**
+     * WebKitSettings:disable-cors-redirection:
+     *
+     * Whether Cross Origin Resource Sharing (CORS) Redirection is disabled.
+     *
+     * Since: 2.22.1
+     */
+    g_object_class_install_property(gObjectClass,
+        PROP_DISABLE_CORS_REDIRECTION,
+        g_param_spec_boolean("disable-cors-redirection",
+            _("Disable Cross Origin Resource Sharing (CORS) Redirection"),
+            _("Whether Cross Origin Resource Sharing (CORS) Redirection is disabled."),
+            FALSE,
+            readWriteConstructParamFlags));
 }
 
 WebPreferences* webkitSettingsGetPreferences(WebKitSettings* settings)
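Review bot: The property descriptions say only that CORS "is disabled", which reads as if access-control checks were being switched off, whereas the loader changes in this patch make `disable-cors` refuse subresource loads whose host differs from the document's. I would reword the `disable-cors` doc comment along the lines of `Whether subresources from a host other than the document's are blocked.`, state in the other two that they have an effect only while `disable-cors` is %TRUE, and mention that hosts are compared rather than full origins, so scheme and port are ignored. `Since: 2.22.1` should be checked as well, because these properties are introduced by this patch against 2.22.5. `webkit_settings_class_init` starts outside the hunk.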
@@ -3482,3 +3548,117 @@ guint32 webkit_settings_font_size_to_pix
     return std::round(points * WebCore::screenDPI() / 72);
 }
 #endif // PLATFORM(GTK)
+
+/**
+ * webkit_settings_get_disable_cors:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors property.
+ *
+ * Returns: %TRUE If CORS is disabled or %FALSE otherwise.
+ *
+ * Since: 2.22.1
+ */
+gboolean webkit_settings_get_disable_cors(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORS();
+}
+
+/**
+ * webkit_settings_set_disable_cors:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors property.
+ *
+ * Since: 2.22.1
+ */
+void webkit_settings_set_disable_cors(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORS() == allowed)
+        return;
+
+    priv->preferences->setDisableCORS(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors");
+}
+
+/**
+ * webkit_settings_get_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Returns: %TRUE If CORS within the same domain is enabled or %FALSE otherwise.
+ *
+ * Since: 2.22.1
+ */
+gboolean webkit_settings_get_enable_cors_same_domain(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->enableCORSSameDomain();
+}
+
+/**
+ * webkit_settings_set_enable_cors_same_domain:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:enable-cors-same-domain property.
+ *
+ * Since: 2.22.1
+ */
+void webkit_settings_set_enable_cors_same_domain(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->enableCORSSameDomain() == allowed)
+        return;
+
+    priv->preferences->setEnableCORSSameDomain(allowed);
+    g_object_notify(G_OBJECT(settings), "enable-cors-same-domain");
+}
+
+/**
+ * webkit_settings_get_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ *
+ * Get the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Returns: %TRUE If CORS redirection is disabled or %FALSE otherwise.
+ *
+ * Since: 2.22.1
+ */
+gboolean webkit_settings_get_disable_cors_redirection(WebKitSettings* settings)
+{
+    g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE);
+
+    return settings->priv->preferences->disableCORSRedirection();
+}
+
+/**
+ * webkit_settings_set_disable_cors_redirection:
+ * @settings: a #WebKitSettings
+ * @allowed: Value to be set
+ *
+ * Set the #WebKitSettings:disable-cors-redirection property.
+ *
+ * Since: 2.22.1
+ */
+void webkit_settings_set_disable_cors_redirection(WebKitSettings* settings, gboolean allowed)
+{
+    g_return_if_fail(WEBKIT_IS_SETTINGS(settings));
+
+    WebKitSettingsPrivate* priv = settings->priv;
+    if (priv->preferences->disableCORSRedirection() == allowed)
+        return;
+
+    priv->preferences->setDisableCORSRedirection(allowed);
+    g_object_notify(G_OBJECT(settings), "disable-cors-redirection");
+}
diff -pru webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h webkitgtk-2.22.5/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h
--- webkitgtk-2.22.5-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2018-12-13 02:57:41.000000000 +0100
+++ webkitgtk-2.22.5/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h	2019-01-06 21:31:42.697135626 +0100
@@ -471,6 +471,27 @@ webkit_settings_font_size_to_points
 WEBKIT_API guint32
 webkit_settings_font_size_to_pixels                            (guint32 points);
 
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors                               (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors                               (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_enable_cors_same_domain                    (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_enable_cors_same_domain                    (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
+WEBKIT_API gboolean
+webkit_settings_get_disable_cors_redirection                   (WebKitSettings *settings);
+
+WEBKIT_API void
+webkit_settings_set_disable_cors_redirection                   (WebKitSettings *settings,
+                                                                gboolean        allowed);
+
 G_END_DECLS
 
 #endif /* WebKitSettings_h */
