From 238d51bb98dfe5c711fb7579baaa6d89ec9e24fc Mon Sep 17 00:00:00 2001
From: Garvan Keeley
Date: Tue, 31 Mar 2020 17:34:23 -0400
Subject: [PATCH] Allow certain types of data URLs and add test case

---
...owserViewController+WebViewDelegates.swift | 20 +++++++++++++
UITests/SecurityTests.swift | 28 ++++++++++++++++++-
UITests/localhostLoad.html | 9 ++++++
3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift b/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift
index f76d64063a86..96f8d78690d3 100644
--- a/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift
+++ b/Client/Frontend/Browser/BrowserViewController/BrowserViewController+WebViewDelegates.swift
@@ -431,7 +431,27 @@ extension BrowserViewController: WKNavigationDelegate {
 return
 }
 
+ // https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/
 if url.scheme == "data" {
+ let url = url.absoluteString
+ // Allow certain image types
+ if url.hasPrefix("data:image/") && !url.hasPrefix("data:image/svg+xml") {
+ decisionHandler(.allow)
+ return
+ }
+
+ // Allow certain application types
+ if url.hasPrefix("data:application/pdf") || url.hasPrefix("data:application/json") {
+ decisionHandler(.allow)
+ return
+ }
+
+ // Allow plan text types
+ if url.hasPrefix("data:;") || url.hasPrefix("data:,") || url.hasPrefix("data:text/plain") {
+ decisionHandler(.allow)
+ return
+ }
+
 decisionHandler(.cancel)
 return
 }
diff --git a/UITests/SecurityTests.swift b/UITests/SecurityTests.swift
index fd5d5ddcc4f0..b96ed3cc798a 100644
--- a/UITests/SecurityTests.swift
+++ b/UITests/SecurityTests.swift
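Review bot: The allowlist inside the new `if url.scheme == "data"` branch compares the raw `absoluteString` case-sensitively, so the `data:image/svg+xml` exclusion only matches that exact spelling while any other casing of the same media type still satisfies the `data:image/` prefix check and is allowed; as far as I know the loader treats media types case-insensitively, so the comparisons should run on a normalized string, `let url = url.absoluteString.lowercased()`. The prefix checks also accept anything that merely begins with the listed type rather than the type followed by its `;` or `,` delimiter, which is worth tightening even though I cannot name a registered type that currently slips through. The comment `// Allow plan text types` should read `// Allow plain text types`. The enclosing delegate method starts before this hunk, so whether this branch applies only to main-frame navigations cannot be confirmed from what is shown.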
@@ -120,9 +120,35 @@ class SecurityTests: KIFTestCase {
 XCTAssertEqual(webView.url!.absoluteString, url)
 }
 
+ func closeAllTabs() {
+ let closeButtonMatchers: [GREYMatcher] =
+ [grey_accessibilityID("TabTrayController.deleteButton.closeAll"),
+ grey_kindOfClass(NSClassFromString("_UIAlertControllerActionView")!)]
+
+ EarlGrey.selectElement(with: grey_accessibilityID("TabTrayController.removeTabsButton")).perform(grey_tap())
+ EarlGrey.selectElement(with: grey_allOf(closeButtonMatchers)).perform(grey_tap())
+ }
+
+ func testDataURL() {
+ // Check data urls that are valid
+ ["data-url-ok-1", "data-url-ok-2"].forEach { buttonName in
+ tester().tapWebViewElementWithAccessibilityLabel(buttonName)
+ tester().wait(forTimeInterval: 1)
+ let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
+ XCTAssert(webView.url!.absoluteString.hasPrefix("data:")) // indicates page loaded ok
+ BrowserUtils.resetToAboutHome()
+ beforeEach()
+ }
+
+ // Check data url that is no allowed
+ tester().tapWebViewElementWithAccessibilityLabel("data-url-html-bad")
+ tester().wait(forTimeInterval: 1)
+ let webView = tester().waitForView(withAccessibilityLabel: "Web content") as! WKWebView
+ XCTAssert(webView.url == nil) // indicates page load was blocked
+ }
+
 override func tearDown() {
 BrowserUtils.resetToAboutHome()
- BrowserUtils.clearPrivateData()
 super.tearDown()
 }
 }
diff --git a/UITests/localhostLoad.html b/UITests/localhostLoad.html
index eb00b41816ad..666fd3751086 100644
--- a/UITests/localhostLoad.html
+++ b/UITests/localhostLoad.html
@@ -19,5 +19,14 @@ + +
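Review bot: The blocked case in `testDataURL` is asserted with `XCTAssert(webView.url == nil)` after a fixed one-second wait, which is a negative, timing-dependent check: it also passes when the tap has not produced a navigation yet, and a cancelled navigation normally leaves the previous `url` in place rather than clearing it, so the assertion encodes an assumption about the web view's state after `beforeEach()` instead of verifying the block. A tighter check is that no data URL was committed, `XCTAssertFalse(webView.url?.absoluteString.hasPrefix("data:") ?? false)`, preferably behind a wait for a condition rather than `wait(forTimeInterval: 1)`. `closeAllTabs()` is added but not called anywhere in this hunk; if nothing outside it uses the helper, it is dead test code. The `beforeEach()` call inside the loop body re-runs setup mid-test, which is unusual enough to deserve a one-line comment explaining why it is needed.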

+ Tries to open a window with the word test. Both should be ok to do.
+
+ +
+ Tries to open a html data URL, this is a no-no.
+ +