static void testWebContextSecurityFileXHR(WebViewTest* test, gconstpointer) { GUniquePtr<char> fileURL(g_strdup_printf("file://%s/simple.html", Test::getResourcesDir(Test::WebKit2Resources).data())); test->loadURI(fileURL.get()); test->waitUntilLoadFinished(); GUniquePtr<char> jsonURL(g_strdup_printf("file://%s/simple.json", Test::getResourcesDir().data())); GUniquePtr<char> xhr(g_strdup_printf("var xhr = new XMLHttpRequest; xhr.open(\"GET\", \"%s\"); xhr.send();", jsonURL.get())); WebKitJavascriptResult* consoleMessage = nullptr; webkit_user_content_manager_register_script_message_handler(test->m_userContentManager.get(), "console"); g_signal_connect(test->m_userContentManager.get(), "script-message-received::console", G_CALLBACK(consoleMessageReceivedCallback), &consoleMessage); // By default file access is not allowed, this will show a console message with a cross-origin error. GUniqueOutPtr<GError> error; WebKitJavascriptResult* javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr()); g_assert(javascriptResult); g_assert(!error); g_assert(consoleMessage); GUniquePtr<char> messageString(WebViewTest::javascriptResultToCString(consoleMessage)); GRefPtr<GVariant> variant = g_variant_parse(G_VARIANT_TYPE("(uusus)"), messageString.get(), nullptr, nullptr, nullptr); g_assert(variant.get()); unsigned level; const char* messageText; g_variant_get(variant.get(), "(uu&su&s)", nullptr, &level, &messageText, nullptr, nullptr); g_assert_cmpuint(level, ==, 3); // Console error message. GUniquePtr<char> expectedErrorMessage(g_strdup_printf("XMLHttpRequest cannot load %s. Cross origin requests are only supported for HTTP.", jsonURL.get())); g_assert_cmpstr(messageText, ==, expectedErrorMessage.get()); webkit_javascript_result_unref(consoleMessage); consoleMessage = nullptr; level = 0; messageText = nullptr; variant = nullptr; // Allow file access from file URLs. webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), TRUE); test->loadURI(fileURL.get()); test->waitUntilLoadFinished(); javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr()); g_assert(javascriptResult); g_assert(!error); // It isn't still possible to load file from an HTTP URL. test->loadURI(kServer->getURIForPath("/").data()); test->waitUntilLoadFinished(); javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr()); g_assert(javascriptResult); g_assert(!error); g_assert(consoleMessage); variant = g_variant_parse(G_VARIANT_TYPE("(uusus)"), messageString.get(), nullptr, nullptr, nullptr); g_assert(variant.get()); g_variant_get(variant.get(), "(uu&su&s)", nullptr, &level, &messageText, nullptr, nullptr); g_assert_cmpuint(level, ==, 3); // Console error message. g_assert_cmpstr(messageText, ==, expectedErrorMessage.get()); webkit_javascript_result_unref(consoleMessage); g_signal_handlers_disconnect_matched(test->m_userContentManager.get(), G_SIGNAL_MATCH_DATA, 0, 0, nullptr, nullptr, &consoleMessage); webkit_user_content_manager_unregister_script_message_handler(test->m_userContentManager.get(), "console"); webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), FALSE); }
static void ephy_embed_shell_startup (GApplication* application) { EphyEmbedShell *shell = EPHY_EMBED_SHELL (application); EphyEmbedShellPrivate *priv = ephy_embed_shell_get_instance_private (shell); char *favicon_db_path; WebKitCookieManager *cookie_manager; char *filename; char *cookie_policy; G_APPLICATION_CLASS (ephy_embed_shell_parent_class)->startup (application); /* We're not remoting, setup the Web Context if we are not running in a test. Tests already do this after construction. */ if (priv->mode != EPHY_EMBED_SHELL_MODE_TEST) ephy_embed_shell_create_web_context (embed_shell); ephy_embed_shell_setup_web_extensions_connection (shell); /* User content manager */ if (priv->mode != EPHY_EMBED_SHELL_MODE_TEST) priv->user_content = webkit_user_content_manager_new (); webkit_user_content_manager_register_script_message_handler (priv->user_content, "overview"); g_signal_connect (priv->user_content, "script-message-received::overview", G_CALLBACK (web_extension_overview_message_received_cb), shell); webkit_user_content_manager_register_script_message_handler (priv->user_content, "tlsErrorPage"); g_signal_connect (priv->user_content, "script-message-received::tlsErrorPage", G_CALLBACK (web_extension_tls_error_page_message_received_cb), shell); webkit_user_content_manager_register_script_message_handler (priv->user_content, "formAuthData"); g_signal_connect (priv->user_content, "script-message-received::formAuthData", G_CALLBACK (web_extension_form_auth_data_message_received_cb), shell); webkit_user_content_manager_register_script_message_handler (priv->user_content, "aboutApps"); g_signal_connect (priv->user_content, "script-message-received::aboutApps", G_CALLBACK (web_extension_about_apps_message_received_cb), shell); ephy_embed_shell_setup_process_model (shell); g_signal_connect (priv->web_context, "initialize-web-extensions", G_CALLBACK (initialize_web_extensions), shell); /* Favicon Database */ favicon_db_path = g_build_filename (EPHY_EMBED_SHELL_MODE_HAS_PRIVATE_PROFILE (priv->mode) ? ephy_dot_dir () : g_get_user_cache_dir (), "icondatabase", NULL); webkit_web_context_set_favicon_database_directory (priv->web_context, favicon_db_path); g_free (favicon_db_path); /* Do not ignore TLS errors. */ webkit_web_context_set_tls_errors_policy (priv->web_context, WEBKIT_TLS_ERRORS_POLICY_FAIL); /* about: URIs handler */ priv->about_handler = ephy_about_handler_new (); webkit_web_context_register_uri_scheme (priv->web_context, EPHY_ABOUT_SCHEME, (WebKitURISchemeRequestCallback)about_request_cb, shell, NULL); /* Register about scheme as local so that it can contain file resources */ webkit_security_manager_register_uri_scheme_as_local (webkit_web_context_get_security_manager (priv->web_context), EPHY_ABOUT_SCHEME); /* ephy-resource handler */ webkit_web_context_register_uri_scheme (priv->web_context, "ephy-resource", (WebKitURISchemeRequestCallback)ephy_resource_request_cb, NULL, NULL); /* Store cookies in moz-compatible SQLite format */ cookie_manager = webkit_web_context_get_cookie_manager (priv->web_context); filename = g_build_filename (ephy_dot_dir (), "cookies.sqlite", NULL); webkit_cookie_manager_set_persistent_storage (cookie_manager, filename, WEBKIT_COOKIE_PERSISTENT_STORAGE_SQLITE); g_free (filename); cookie_policy = g_settings_get_string (EPHY_SETTINGS_WEB, EPHY_PREFS_WEB_COOKIES_POLICY); ephy_embed_prefs_set_cookie_accept_policy (cookie_manager, cookie_policy); g_free (cookie_policy); }