Skip to content

Commit

Permalink
Allow certain types of data URLs and add test case
Browse files Browse the repository at this point in the history
  • Loading branch information
garvankeeley committed Mar 31, 2020
1 parent dba6453 commit 238d51b
Show file tree
Hide file tree
Showing 3 changed files with 56 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -431,7 +431,27 @@ extension BrowserViewController: WKNavigationDelegate {
return
}

// https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
if url.scheme == "data" {
let url = url.absoluteString
// Allow certain image types
if url.hasPrefix("data:image/") && !url.hasPrefix("data:image/svg+xml") {
decisionHandler(.allow)
return
}

// Allow certain application types
if url.hasPrefix("data:application/pdf") || url.hasPrefix("data:application/json") {
decisionHandler(.allow)
return
}

// Allow plan text types
if url.hasPrefix("data:;") || url.hasPrefix("data:,") || url.hasPrefix("data:text/plain") {
decisionHandler(.allow)
return
}

decisionHandler(.cancel)
return
}
Expand Down
28 changes: 27 additions & 1 deletion UITests/SecurityTests.swift
Original file line number Diff line number Diff line change
Expand Up @@ -120,9 +120,35 @@ class SecurityTests: KIFTestCase {
XCTAssertEqual(webView.url!.absoluteString, url)
}

func closeAllTabs() {
let closeButtonMatchers: [GREYMatcher] =
[grey_accessibilityID("TabTrayController.deleteButton.closeAll"),
grey_kindOfClass(NSClassFromString("_UIAlertControllerActionView")!)]

EarlGrey.selectElement(with: grey_accessibilityID("TabTrayController.removeTabsButton")).perform(grey_tap())
EarlGrey.selectElement(with: grey_allOf(closeButtonMatchers)).perform(grey_tap())
}

func testDataURL() {
// Check data urls that are valid
["data-url-ok-1", "data-url-ok-2"].forEach { buttonName in
tester().tapWebViewElementWithAccessibilityLabel(buttonName)
tester().wait(forTimeInterval: 1)
let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
XCTAssert(webView.url!.absoluteString.hasPrefix("data:")) // indicates page loaded ok
BrowserUtils.resetToAboutHome()
beforeEach()
}

// Check data url that is no allowed
tester().tapWebViewElementWithAccessibilityLabel("data-url-html-bad")
tester().wait(forTimeInterval: 1)
let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
XCTAssert(webView.url == nil) // indicates page load was blocked
}

override func tearDown() {
BrowserUtils.resetToAboutHome()
BrowserUtils.clearPrivateData()
super.tearDown()
}
}
9 changes: 9 additions & 0 deletions UITests/localhostLoad.html
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,14 @@
<button onclick="window.open(errorURL)">Error exploit</button>
<button onclick="newTabExploit()">New tab exploit</button>
<button onclick="window.open('http://1.2.3.4:1234')">URL spoof</button>

<p>
Tries to open a window with the word test. Both should be ok to do.<br>
<button onclick="window.open('data:;,test')">data-url-ok-1</button><br>
<button onclick="window.open('data:text/plain,test')">data-url-ok-2</button>
<br>
Tries to open a html data URL, this is a no-no.<br>
<button onclick="window.open('data:text/html;base64,VGhpcyBpcyBhIHRlc3QK')">data-url-html-bad</button>
</p>
</body>
</html>

0 comments on commit 238d51b

Please sign in to comment.