commit d065482e873a0613b41379dc573785e54bfe5358
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Oct 04 18:00:32 2011 +0000
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Oct 04 18:00:32 2011 +0000
tree 9fc15eb83d510ae7ccd0638819fff9cbb708c5e4
parent 1fbeb615c70530fc471a50d25ff7e012ebc31a0f

Resource loader should block HTTP redirects to local resources
https://bugs.webkit.org/show_bug.cgi?id=68706

Patch by Ken Buchanan <kenrb@chromium.org> on 2011-10-03
Reviewed by Adam Barth.

Source/WebCore:

Modified MainResourceLoader to add an extra security check on
HTTP redirects. Also, moved isFeedWithNestedProtocolInHTTPFamily
to SecurityOrigin.cpp.

* loader/FrameLoader.cpp:
(WebCore::isFeedWithNestedProtocolInHTTPFamily):
(WebCore::FrameLoader::loadFrameRequest):
* loader/MainResourceLoader.cpp:
(WebCore::MainResourceLoader::willSendRequest):
* page/SecurityOrigin.cpp:
(WebCore::isFeedWithNestedProtocolInHTTPFamily):
(WebCore::SecurityOrigin::canDisplay):

LayoutTests:

Adding a test to attempt an HTTP redirect to a file: URL.

* http/tests/security/redirect-BLOCKED-to-localURL.html: Added.
* http/tests/security/redirect-BLOCKED-to-localURL-expected.txt: Added.
* http/tests/security/resources/file-redirect-target.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96610 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/loader/FrameLoader.cpp

diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index baaf202..4a52002 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -1125,21 +1125,6 @@
     detachChildren();
 }
 
-// This is a hack to allow keep navigation to http/https feeds working. To remove this
-// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
-// protocols navigation policy.
-static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
-{
-    const String& urlString = url.string();
-    if (!urlString.startsWith("feed", false))
-        return false;
-
-    return urlString.startsWith("feed://", false) 
-        || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false)
-        || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false)
-        || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false);
-}
-
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, bool lockHistory, bool lockBackForwardList,
     PassRefPtr<Event> event, PassRefPtr<FormState> formState, ReferrerPolicy referrerPolicy)
 {    
@@ -1149,8 +1134,7 @@
     KURL url = request.resourceRequest().url();
 
     ASSERT(m_frame->document());
-    // FIXME: Should we move the isFeedWithNestedProtocolInHTTPFamily logic inside SecurityOrigin::canDisplay?
-    if (!isFeedWithNestedProtocolInHTTPFamily(url) && !request.requester()->canDisplay(url)) {
+    if (!request.requester()->canDisplay(url)) {
         reportLocalLoadFailed(m_frame, url.string());
         return;
     }