Patch for webkitgtk version 2.32.x diff -pru webkitgtk-2.32.1-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp webkitgtk-2.32.1/Source/WebCore/loader/cache/CachedResourceLoader.cpp --- webkitgtk-2.32.1-orig/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2021-05-17 02:15:39.763380192 +0200 +++ webkitgtk-2.32.1/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2021-05-17 04:39:13.602806132 +0200 @@ -67,6 +67,7 @@ #include "Page.h" #include "PingLoader.h" #include "PlatformStrategies.h" +#include "PublicSuffix.h" #include "RenderElement.h" #include "ResourceLoadInfo.h" #include "ResourceTiming.h" @@ -1141,6 +1142,23 @@ ResourceErrorOrclearHTTPOrigin(); } + bool disableCORS = frame.page()->isCORSDisabled(); + bool enableCORSSameDomain = frame.page()->isCORSSameDomainEnabled(); + + if (disableCORS) { + if (enableCORSSameDomain) { + String requestDomain = topPrivatelyControlledDomain(url.host().toString()); + String documentDomain = topPrivatelyControlledDomain(frame.document()->url().host().toString()); + if (!equalIgnoringASCIICase(requestDomain, documentDomain) && type != CachedResource::Type::MainResource) { + RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame()); + return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl }); + } + } else if (!equalIgnoringASCIICase(url.host(), frame.document()->url().host()) && type != CachedResource::Type::MainResource) { + RELEASE_LOG_IF_ALLOWED("requestResource: Resource blocked by Cross-Origin Resource Sharing policy (frame = %p)", frame()); + return makeUnexpected(ResourceError { errorDomainWebKitInternal, 0, url, "Resource blocked by Cross-Origin Resource Sharing policy"_s, ResourceError::Type::AccessControl }); + } + } + prepareFetch(type, request); if (request.options().destination == FetchOptions::Destination::Document) { @@ -1245,7 +1263,8 @@ ResourceErrorOrisCORSDisabled(); + bool enableCORSSameDomain = document.page()->isCORSSameDomainEnabled(); + + if (disableCORS) { + if (enableCORSSameDomain) { + String requestDomain = topPrivatelyControlledDomain(params.href.host().toString()); + String documentDomain = topPrivatelyControlledDomain(document.url().host().toString()); + if (!documentDomain.isEmpty() && !equalIgnoringASCIICase(requestDomain, documentDomain)) + return; + } else if (!document.url().host().isEmpty() && params.href.host() != document.url().host()) { + return; + } + } + if (params.relAttribute.isDNSPrefetch) { // FIXME: The href attribute of the link element can be in "//hostname" form, and we shouldn't attempt // to complete that as URL . diff -pru webkitgtk-2.32.1-orig/Source/WebCore/loader/SubresourceLoader.cpp webkitgtk-2.32.1/Source/WebCore/loader/SubresourceLoader.cpp --- webkitgtk-2.32.1-orig/Source/WebCore/loader/SubresourceLoader.cpp 2021-02-26 10:57:12.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebCore/loader/SubresourceLoader.cpp 2021-05-17 02:15:04.499505771 +0200 @@ -183,6 +183,39 @@ bool SubresourceLoader::isSubresourceLoa return true; } +bool SubresourceLoader::isCORSDisabled() const +{ + if (!m_frame) + return false; + + if (!m_frame->page()) + return false; + + return m_frame->page()->isCORSDisabled(); +} + +bool SubresourceLoader::isCORSSameDomainEnabled() const +{ + if (!m_frame) + return false; + + if (!m_frame->page()) + return false; + + return m_frame->page()->isCORSSameDomainEnabled(); +} + +bool SubresourceLoader::isCORSRedirectionDisabled() const +{ + if (!m_frame) + return false; + + if (!m_frame->page()) + return false; + + return m_frame->page()->isCORSRedirectionDisabled(); +} + void SubresourceLoader::willSendRequestInternal(ResourceRequest&& newRequest, const ResourceResponse& redirectResponse, CompletionHandler&& completionHandler) { // Store the previous URL because the call to ResourceLoader::willSendRequest will modify it. @@ -628,12 +661,25 @@ Expected SubresourceLoader { bool crossOriginFlag = m_resource->isCrossOrigin(); bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url()); + bool disableCORS = isCORSDisabled(); + bool disableCORSRedirection = isCORSRedirectionDisabled(); if (isNextRequestCrossOrigin) m_resource->setCrossOrigin(); ASSERT(options().mode != FetchOptions::Mode::SameOrigin || !m_resource->isCrossOrigin()); + if (options().mode != FetchOptions::Mode::Cors) { + if (!disableCORS) { + return { }; + } else { + if (!disableCORSRedirection) + return { }; + else + return makeUnexpected("CORS redirection is disabled"_s); + } + } + // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 7 & 8. if (options().mode == FetchOptions::Mode::Cors) { if (m_resource->isCrossOrigin()) { diff -pru webkitgtk-2.32.1-orig/Source/WebCore/loader/SubresourceLoader.h webkitgtk-2.32.1/Source/WebCore/loader/SubresourceLoader.h --- webkitgtk-2.32.1-orig/Source/WebCore/loader/SubresourceLoader.h 2021-02-26 10:57:12.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebCore/loader/SubresourceLoader.h 2021-05-17 02:12:40.762501664 +0200 @@ -49,6 +49,9 @@ public: void cancelIfNotFinishing(); bool isSubresourceLoader() const override; + bool isCORSDisabled() const; + bool isCORSSameDomainEnabled() const; + bool isCORSRedirectionDisabled() const; CachedResource* cachedResource(); WEBCORE_EXPORT const HTTPHeaderMap* originalHeaders() const; diff -pru webkitgtk-2.32.1-orig/Source/WebCore/page/Page.h webkitgtk-2.32.1/Source/WebCore/page/Page.h --- webkitgtk-2.32.1-orig/Source/WebCore/page/Page.h 2021-05-05 07:33:24.000000000 +0200 +++ webkitgtk-2.32.1/Source/WebCore/page/Page.h 2021-05-17 02:12:40.763501664 +0200 @@ -38,6 +38,7 @@ #include "Region.h" #include "RegistrableDomain.h" #include "ScrollTypes.h" +#include "Settings.h" #include "ShouldRelaxThirdPartyCookieBlocking.h" #include "SpeechRecognitionConnection.h" #include "Supplementable.h" @@ -842,6 +843,10 @@ public: LoadSchedulingMode loadSchedulingMode() const { return m_loadSchedulingMode; } void setLoadSchedulingMode(LoadSchedulingMode); + bool isCORSDisabled() const { return m_settings->disableCORS(); } + bool isCORSSameDomainEnabled() const { return m_settings->enableCORSSameDomain(); } + bool isCORSRedirectionDisabled() const { return m_settings->disableCORSRedirection(); } + private: struct Navigation { RegistrableDomain domain; diff -pru webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp webkitgtk-2.32.1/Source/WebKit/UIProcess/API/C/WKPreferences.cpp --- webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/C/WKPreferences.cpp 2021-02-26 10:57:16.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebKit/UIProcess/API/C/WKPreferences.cpp 2021-05-17 02:12:40.765501664 +0200 @@ -726,6 +726,36 @@ bool WKPreferencesGetTopNavigationToData return toImpl(preferencesRef)->allowTopNavigationToDataURLs(); } +void WKPreferencesSetDisableCORS(WKPreferencesRef preferencesRef, bool allowed) +{ + toImpl(preferencesRef)->setDisableCORS(allowed); +} + +bool WKPreferencesGetDisableCORS(WKPreferencesRef preferencesRef) +{ + return toImpl(preferencesRef)->disableCORS(); +} + +void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferencesRef, bool allowed) +{ + toImpl(preferencesRef)->setEnableCORSSameDomain(allowed); +} + +bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferencesRef) +{ + return toImpl(preferencesRef)->enableCORSSameDomain(); +} + +void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferencesRef, bool allowed) +{ + toImpl(preferencesRef)->setDisableCORSRedirection(allowed); +} + +bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferencesRef) +{ + return toImpl(preferencesRef)->disableCORSRedirection(); +} + void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferencesRef, bool needsQuirk) { toImpl(preferencesRef)->setNeedsStorageAccessFromFileURLsQuirk(needsQuirk); diff -pru webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h webkitgtk-2.32.1/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h --- webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h 2021-02-26 10:57:16.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h 2021-05-17 02:12:40.767501664 +0200 @@ -160,6 +160,18 @@ WK_EXPORT bool WKPreferencesGetFileAcces WK_EXPORT void WKPreferencesSetTopNavigationToDataURLsAllowed(WKPreferencesRef preferences, bool allowed); WK_EXPORT bool WKPreferencesGetTopNavigationToDataURLsAllowed(WKPreferencesRef preferences); +// Defaults to false. +WK_EXPORT void WKPreferencesSetDisableCORS(WKPreferencesRef preferences, bool allowed); +WK_EXPORT bool WKPreferencesGetDisableCORS(WKPreferencesRef preferences); + +// Defaults to true. +WK_EXPORT void WKPreferencesSetEnableCORSSameDomain(WKPreferencesRef preferences, bool allowed); +WK_EXPORT bool WKPreferencesGetEnableCORSSameDomain(WKPreferencesRef preferences); + +// Defaults to false. +WK_EXPORT void WKPreferencesSetDisableCORSRedirection(WKPreferencesRef preferences, bool allowed); +WK_EXPORT bool WKPreferencesGetDisableCORSRedirection(WKPreferencesRef preferences); + // Defaults to true WK_EXPORT void WKPreferencesSetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferences, bool needsQuirk); WK_EXPORT bool WKPreferencesGetNeedsStorageAccessFromFileURLsQuirk(WKPreferencesRef preferences); diff -pru webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp webkitgtk-2.32.1/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp --- webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp 2021-02-26 10:57:16.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebKit/UIProcess/API/glib/WebKitSettings.cpp 2021-05-17 02:12:40.767501664 +0200 @@ -172,6 +172,9 @@ enum { PROP_ENABLE_JAVASCRIPT_MARKUP, PROP_ENABLE_MEDIA, PROP_MEDIA_CONTENT_TYPES_REQUIRING_HARDWARE_SUPPORT, + PROP_DISABLE_CORS, + PROP_ENABLE_CORS_SAME_DOMAIN, + PROP_DISABLE_CORS_REDIRECTION, }; static void webKitSettingsDispose(GObject* object) @@ -388,6 +391,15 @@ static void webKitSettingsSetProperty(GO case PROP_MEDIA_CONTENT_TYPES_REQUIRING_HARDWARE_SUPPORT: webkit_settings_set_media_content_types_requiring_hardware_support(settings, g_value_get_string(value)); break; + case PROP_DISABLE_CORS: + webkit_settings_set_disable_cors(settings, g_value_get_boolean(value)); + break; + case PROP_ENABLE_CORS_SAME_DOMAIN: + webkit_settings_set_enable_cors_same_domain(settings, g_value_get_boolean(value)); + break; + case PROP_DISABLE_CORS_REDIRECTION: + webkit_settings_set_disable_cors_redirection(settings, g_value_get_boolean(value)); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec); break; @@ -584,6 +596,15 @@ static void webKitSettingsGetProperty(GO case PROP_MEDIA_CONTENT_TYPES_REQUIRING_HARDWARE_SUPPORT: g_value_set_string(value, webkit_settings_get_media_content_types_requiring_hardware_support(settings)); break; + case PROP_DISABLE_CORS: + g_value_set_boolean(value, webkit_settings_get_disable_cors(settings)); + break; + case PROP_ENABLE_CORS_SAME_DOMAIN: + g_value_set_boolean(value, webkit_settings_get_enable_cors_same_domain(settings)); + break; + case PROP_DISABLE_CORS_REDIRECTION: + g_value_set_boolean(value, webkit_settings_get_disable_cors_redirection(settings)); + break; default: G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propId, paramSpec); break; @@ -1552,6 +1573,51 @@ static void webkit_settings_class_init(W _("List of media content types requiring hardware support."), nullptr, // A null string forces the default value. readWriteConstructParamFlags)); + + /** + * WebKitSettings:disable-cors: + * + * Enable or disable CORS. + * + * Since: 2.32.1 + */ + g_object_class_install_property(gObjectClass, + PROP_DISABLE_CORS, + g_param_spec_boolean("disable-cors", + _("Disable CORS"), + _("Whether CORS should be disabled"), + FALSE, + readWriteConstructParamFlags)); + + /** + * WebKitSettings:enable-cors-same-domain: + * + * Enable or disable CORS on same domain. + * + * Since: 2.32.1 + */ + g_object_class_install_property(gObjectClass, + PROP_ENABLE_CORS_SAME_DOMAIN, + g_param_spec_boolean("enable-cors-same-domain", + _("Enable CORS Same Domain"), + _("Whether CORS on same domain should be enabled"), + TRUE, + readWriteConstructParamFlags)); + + /** + * WebKitSettings:disable-cors-redirection: + * + * Enable or disable CORS redirection. + * + * Since: 2.32.1 + */ + g_object_class_install_property(gObjectClass, + PROP_DISABLE_CORS_REDIRECTION, + g_param_spec_boolean("disable-cors-redirection", + _("Disable CORS redirection"), + _("Whether CORS redirection should be disabled"), + FALSE, + readWriteConstructParamFlags)); } WebPreferences* webkitSettingsGetPreferences(WebKitSettings* settings) @@ -3863,3 +3929,117 @@ void webkit_settings_set_media_content_t priv->mediaContentTypesRequiringHardwareSupport = mediaContentTypesRequiringHardwareSupportString.utf8(); g_object_notify(G_OBJECT(settings), "media-content-types-requiring-hardware-support"); } + +/** + * webkit_settings_get_disable_cors: + * @settings: a #WebKitSettings + * + * Get the #WebKitSettings:disable-cors property. + * + * Returns: %TRUE If CORS is disabled or %FALSE otherwise. + * + * Since: 2.32.1 + */ +gboolean webkit_settings_get_disable_cors(WebKitSettings* settings) +{ + g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE); + + return settings->priv->preferences->disableCORS(); +} + +/** + * webkit_settings_set_disable_cors: + * @settings: a #WebKitSettings + * @allowed: Value to be set + * + * Set the #WebKitSettings:disable-cors property. + * + * Since: 2.32.1 + */ +void webkit_settings_set_disable_cors(WebKitSettings* settings, gboolean allowed) +{ + g_return_if_fail(WEBKIT_IS_SETTINGS(settings)); + + WebKitSettingsPrivate* priv = settings->priv; + if (priv->preferences->disableCORS() == allowed) + return; + + priv->preferences->setDisableCORS(allowed); + g_object_notify(G_OBJECT(settings), "disable-cors"); +} + +/** + * webkit_settings_get_enable_cors_same_domain: + * @settings: a #WebKitSettings + * + * Get the #WebKitSettings:enable-cors-same-domain property. + * + * Returns: %TRUE If CORS within the same domain is enabled or %FALSE otherwise. + * + * Since: 2.32.1 + */ +gboolean webkit_settings_get_enable_cors_same_domain(WebKitSettings* settings) +{ + g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE); + + return settings->priv->preferences->enableCORSSameDomain(); +} + +/** + * webkit_settings_set_enable_cors_same_domain: + * @settings: a #WebKitSettings + * @allowed: Value to be set + * + * Set the #WebKitSettings:enable-cors-same-domain property. + * + * Since: 2.32.1 + */ +void webkit_settings_set_enable_cors_same_domain(WebKitSettings* settings, gboolean allowed) +{ + g_return_if_fail(WEBKIT_IS_SETTINGS(settings)); + + WebKitSettingsPrivate* priv = settings->priv; + if (priv->preferences->enableCORSSameDomain() == allowed) + return; + + priv->preferences->setEnableCORSSameDomain(allowed); + g_object_notify(G_OBJECT(settings), "enable-cors-same-domain"); +} + +/** + * webkit_settings_get_disable_cors_redirection: + * @settings: a #WebKitSettings + * + * Get the #WebKitSettings:disable-cors-redirection property. + * + * Returns: %TRUE If CORS redirection is disabled or %FALSE otherwise. + * + * Since: 2.32.1 + */ +gboolean webkit_settings_get_disable_cors_redirection(WebKitSettings* settings) +{ + g_return_val_if_fail(WEBKIT_IS_SETTINGS(settings), FALSE); + + return settings->priv->preferences->disableCORSRedirection(); +} + +/** + * webkit_settings_set_disable_cors_redirection: + * @settings: a #WebKitSettings + * @allowed: Value to be set + * + * Set the #WebKitSettings:disable-cors-redirection property. + * + * Since: 2.32.1 + */ +void webkit_settings_set_disable_cors_redirection(WebKitSettings* settings, gboolean allowed) +{ + g_return_if_fail(WEBKIT_IS_SETTINGS(settings)); + + WebKitSettingsPrivate* priv = settings->priv; + if (priv->preferences->disableCORSRedirection() == allowed) + return; + + priv->preferences->setDisableCORSRedirection(allowed); + g_object_notify(G_OBJECT(settings), "disable-cors-redirection"); +} diff -pru webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h webkitgtk-2.32.1/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h --- webkitgtk-2.32.1-orig/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h 2021-02-26 10:57:16.000000000 +0100 +++ webkitgtk-2.32.1/Source/WebKit/UIProcess/API/gtk/WebKitSettings.h 2021-05-17 02:12:40.765501664 +0200 @@ -513,6 +513,27 @@ WEBKIT_API void webkit_settings_set_media_content_types_requiring_hardware_support (WebKitSettings *settings, const gchar *content_types); +WEBKIT_API gboolean +webkit_settings_get_disable_cors (WebKitSettings *settings); + +WEBKIT_API void +webkit_settings_set_disable_cors (WebKitSettings *settings, + gboolean allowed); + +WEBKIT_API gboolean +webkit_settings_get_enable_cors_same_domain (WebKitSettings *settings); + +WEBKIT_API void +webkit_settings_set_enable_cors_same_domain (WebKitSettings *settings, + gboolean allowed); + +WEBKIT_API gboolean +webkit_settings_get_disable_cors_redirection (WebKitSettings *settings); + +WEBKIT_API void +webkit_settings_set_disable_cors_redirection (WebKitSettings *settings, + gboolean allowed); + G_END_DECLS #endif /* WebKitSettings_h */ diff -pru webkitgtk-2.32.1-orig/Source/WTF/Scripts/Preferences/WebPreferences.yaml webkitgtk-2.32.1/Source/WTF/Scripts/Preferences/WebPreferences.yaml --- webkitgtk-2.32.1-orig/Source/WTF/Scripts/Preferences/WebPreferences.yaml 2021-02-26 10:57:08.000000000 +0100 +++ webkitgtk-2.32.1/Source/WTF/Scripts/Preferences/WebPreferences.yaml 2021-05-17 02:12:40.768501664 +0200 @@ -687,6 +687,26 @@ DirectoryUploadEnabled: "PLATFORM(COCOA) || PLATFORM(GTK) || PLATFORM(WPE)": true default: false +DisableCORS: + type: bool + defaultValue: + WebKitLegacy: + default: false + WebKit: + default: false + WebCore: + default: false + +DisableCORSRedirection: + type: bool + defaultValue: + WebKitLegacy: + default: false + WebKit: + default: false + WebCore: + default: false + DisabledAdaptationsMetaTagEnabled: type: bool defaultValue: @@ -719,6 +739,16 @@ EditableLinkBehavior: WebKit: default: WebCore::EditableLinkBehavior::NeverLive +EnableCORSSameDomain: + type: bool + defaultValue: + WebKitLegacy: + default: true + WebKit: + default: true + WebCore: + default: true + EnableInheritURIQueryComponent: type: bool defaultValue: