Bug 138127

Summary: Insecure content warnings not emitted when page is restored from page cache
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: HistoryAssignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED WONTFIX    
Severity: Normal CC: ap, beidson, berto, bfulgham, buildbot, cdumez, cgarcia, commit-queue, dbates, esprehn+autocc, gustavo, japhet, jberlin, kangil.han, mbaluta, mcatanzaro, mkwst, mrobinson, rniwa, wilander, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=196182
Bug Depends on:    
Bug Blocks: 140625    
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Michael Catanzaro
Reported 2014-10-27 22:23:32 PDT
When a page with insecure content is restored from the page cache, it needs to emit the normal insecure content detected events didDisplayInsecureContent or didRunInsecureContent. [1] is a quick test in a browser that displays insecure content warnings (like Epiphany). Just note the insecure content warning, then click any link on that page, then click back and note that there is no longer any warning. This patch mostly works so I'm posting it for feedback. I added GTK+ test cases to make sure not just that the insecure-content-detected signal fires, but also that this occurs after load-committed, which is what Epiphany expects and I guess is what is probably desired? (The problem is that one of the assertions I added to check this is failing, so I guess this is likely broken, but I need to debug it more.) [1] https://www.ssllabs.com/ssltest/viewMyClient.html
Attachments
Patch (13.18 KB, patch)
2014-10-27 22:34 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Patch (13.67 KB, patch)
2014-10-28 15:14 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Patch (24.49 KB, patch)
2015-02-02 15:27 PST, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2014-10-27 22:34:21 PDT
Created attachment 240529 [details] Patch
WebKit Commit Bot
Comment 2 2014-10-27 22:36:32 PDT
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Michael Catanzaro
Comment 3 2014-10-28 15:14:23 PDT
Created attachment 240574 [details] Patch Fixed that.
Brady Eidson
Comment 4 2014-10-30 10:04:15 PDT
Comment on attachment 240574 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=240574&action=review This is basically a new feature, and I think it'd be important to test cross platform. > Source/WebCore/history/CachedFrame.cpp:107 > + if (frame.didDisplayInsecureContent()) { How is it okay to check this on the frame when (in the common main-frame case) it is being reused from the previously shown content? > Source/WebCore/history/CachedFrame.cpp:112 > + if (frame.didRunInsecureContent()) { Ditto. > Source/WebCore/history/CachedFrame.cpp:114 > + frame.loader().client().didRunInsecureContent(m_document->securityOrigin(), m_url); "did run insecure content" being overloaded for the page cache restore case seems weird. > Source/WebCore/loader/FrameLoader.cpp:-1805 > + dispatchDidCommitLoad(); > + > + // CachedPage::restore() emits events (e.g. didDisplayInsecureContent) that are good to have after didCommitLoad. > // FIXME: This API should be turned around so that we ground CachedPage into the Page. > cachedPage->restore(*m_frame.page()); > > - dispatchDidCommitLoad(); Did you run the WK2 API tests before making this change? I suspect they will be very relevant. Also, as is suggested in this code and your comment, FrameLoader is usually incharge of dispatching events and callbacks etc etc. Yet now some of that logic is being moved into the cached frame restore. That doesn't seem good. > Source/WebCore/page/Frame.h:269 > + void setDidDisplayInsecureContent(bool value = true) { m_didDisplayInsecureContent = value; } > + bool didDisplayInsecureContent() const { return m_didDisplayInsecureContent; } > + void setDidRunInsecureContent(bool value = true) { m_didRunInsecureContent = value; } > + bool didRunInsecureContent() const { return m_didRunInsecureContent; } Why is Frame the right place for these? Frames are commonly reused between navigations (and the main frame always is) I'm not confident the values are kept fully up to date in this patch. It would be much better to attach these values to something that *does* change with navigations. Document is one example. DOMWindow is another. etc etc
Michael Catanzaro
Comment 5 2014-10-30 15:57:18 PDT
Thanks for the review. I'll work on cross-platform tests before I try to address your comments. (In reply to comment #4) > This is basically a new feature, and I think it'd be important to test cross > platform. I'd call it a minor security bug rather than a feature, since it's unsafe for a port to use these events unless it completely blocks all mixed content. > > Source/WebCore/history/CachedFrame.cpp:107 > > + if (frame.didDisplayInsecureContent()) { > > How is it okay to check this on the frame when (in the common main-frame > case) it is being reused from the previously shown content? You're right; now loading a single page with insecure content causes unrelated future loads from the page cache to emit these events, like you suspected. That's very bad. I'll add a test for this. > Did you run the WK2 API tests before making this change? I suspect they > will be very relevant. If we're thinking of the same tests (the Google framework ones), those all passed.
Michael Catanzaro
Comment 6 2015-02-02 15:27:49 PST
Created attachment 245906 [details] Patch
Michael Catanzaro
Comment 7 2015-02-02 15:30:09 PST
Brady, thanks for the last review and sorry for the delay on this. I think this second attempt addresses your previous comments. Carlos might want to approve the GTK-specific changes.
Alexey Proskuryakov
Comment 8 2015-11-12 15:58:04 PST
Strangely, the symptom didn't reproduce in Safari when I tested going back to <https://www.ssllabs.com/ssltest/viewMyClient.html> - it just won't go into page cache. I wonder if this is something that we do intentionally.
Michael Catanzaro
Comment 9 2015-11-13 10:09:32 PST
I did consider rejecting the page from the page cache as a potential solution for this (and the equivalent favicon cache issue). The disadvantage is that would obviously make affected sites slower. OTOH, such sites are broken, and I'm fine with them receiving a performance penalty for that.
Michael Catanzaro
Comment 10 2016-01-02 10:12:27 PST
Comment on attachment 245906 [details] Patch I think my patch should store a list of insecure URIs so that they can be reported properly, rather than pretending that the entire frame is insecure.
Michael Catanzaro
Comment 11 2018-06-04 22:17:05 PDT
*** Bug 134882 has been marked as a duplicate of this bug. ***
Michael Catanzaro
Comment 12 2018-06-04 22:17:28 PDT
(In reply to Michael Catanzaro from comment #11) > *** Bug 134882 has been marked as a duplicate of this bug. *** This (private) bug has another testcase.
Michael Catanzaro
Comment 13 2020-02-19 13:33:23 PST
Hm, I thought this might be fixed by r206006, but the reproducer in my first comment is still failing so maybe not.
Michael Catanzaro
Comment 14 2022-07-19 14:59:21 PDT
If we fix bug #219396, then we can close this issue as obsolete because the page cache should never contain insecure content.
Michael Catanzaro
Comment 15 2023-03-03 14:11:24 PST
This is obsoleted by bug #247197 and bug #219396.
Note You need to log in before you can comment on or make changes to this bug.