// Checks the file-URL XHR policy exposed through WebKitSettings:
//  - a file:// page may not XHR another file:// resource unless
//    allow-file-access-from-file-urls is enabled (the script fails with
//    WEBKIT_JAVASCRIPT_ERROR_SCRIPT_FAILED), and
//  - even with that setting on, an http:// page still cannot read a file:// resource.
// The setting is restored to FALSE at the end so later tests start from the default.
static void testWebContextSecurityFileXHR(WebViewTest* test, gconstpointer)
{
    GUniquePtr<char> pageURL(g_strdup_printf("file://%s/simple.html", Test::getResourcesDir(Test::WebKit2Resources).data()));
    GUniquePtr<char> targetURL(g_strdup_printf("file://%s/simple.json", Test::getResourcesDir().data()));
    GUniquePtr<char> script(g_strdup_printf("var xhr = new XMLHttpRequest; xhr.open(\"GET\", \"%s\"); xhr.send();", targetURL.get()));

    GUniqueOutPtr<GError> error;
    // Loads `uri`, waits for it, then runs the XHR script; `error` carries the failure, if any.
    auto loadAndRunXHR = [&](const char* uri) -> WebKitJavascriptResult* {
        test->loadURI(uri);
        test->waitUntilLoadFinished();
        return test->runJavaScriptAndWaitUntilFinished(script.get(), &error.outPtr());
    };

    // Default: file access from file URLs is off, so the request fails with a cross-origin error.
    WebKitJavascriptResult* result = loadAndRunXHR(pageURL.get());
    g_assert(!result);
    g_assert_error(error.get(), WEBKIT_JAVASCRIPT_ERROR, WEBKIT_JAVASCRIPT_ERROR_SCRIPT_FAILED);

    // With the setting enabled the same file:// page can read the file:// resource.
    webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), TRUE);
    result = loadAndRunXHR(pageURL.get());
    g_assert(result);
    g_assert(!error);

    // The setting only widens file->file access; an http:// origin is still blocked.
    result = loadAndRunXHR(kServer->getURIForPath("/").data());
    g_assert(!result);
    g_assert_error(error.get(), WEBKIT_JAVASCRIPT_ERROR, WEBKIT_JAVASCRIPT_ERROR_SCRIPT_FAILED);

    webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), FALSE);
}
// Exercises every WebKitSettings property: asserts its default value, writes a
// different value through the setter, and reads it back. Properties are visited
// in the same order as the public API so a failing assertion points at one
// setting. Defaults that matter for the security posture (file-URL access,
// universal access, XSS auditor) are covered alongside the rest.
static void testWebKitSettings(Test*, gconstpointer)
{
    WebKitSettings* settings = webkit_settings_new();

    using BooleanGetter = gboolean (*)(WebKitSettings*);
    using BooleanSetter = void (*)(WebKitSettings*, gboolean);
    using StringGetter = const gchar* (*)(WebKitSettings*);
    using StringSetter = void (*)(WebKitSettings*, const gchar*);
    using UnsignedGetter = guint32 (*)(WebKitSettings*);
    using UnsignedSetter = void (*)(WebKitSettings*, guint32);

    // Asserts the boolean default, flips it, and asserts the flipped value is read back.
    auto checkBoolean = [settings](BooleanGetter getter, BooleanSetter setter, gboolean enabledByDefault) {
        if (enabledByDefault) {
            g_assert(getter(settings));
            setter(settings, FALSE);
            g_assert(!getter(settings));
        } else {
            g_assert(!getter(settings));
            setter(settings, TRUE);
            g_assert(getter(settings));
        }
    };
    // Asserts the string default, stores `newValue`, and asserts it is read back.
    auto checkString = [settings](StringGetter getter, StringSetter setter, const char* expectedDefault, const char* newValue) {
        g_assert_cmpstr(getter(settings), ==, expectedDefault);
        setter(settings, newValue);
        g_assert_cmpstr(getter(settings), ==, newValue);
    };
    // Asserts the numeric default, stores `newValue`, and asserts it is read back.
    auto checkUnsigned = [settings](UnsignedGetter getter, UnsignedSetter setter, guint32 expectedDefault, guint32 newValue) {
        g_assert_cmpuint(getter(settings), ==, expectedDefault);
        setter(settings, newValue);
        g_assert_cmpuint(getter(settings), ==, newValue);
    };

    // Scripting and image loading are on by default; icon loading is a separate switch.
    checkBoolean(webkit_settings_get_enable_javascript, webkit_settings_set_enable_javascript, TRUE);
    checkBoolean(webkit_settings_get_auto_load_images, webkit_settings_set_auto_load_images, TRUE);
    checkBoolean(webkit_settings_get_load_icons_ignoring_image_load_setting, webkit_settings_set_load_icons_ignoring_image_load_setting, FALSE);

    // Client-side storage features are on by default.
    checkBoolean(webkit_settings_get_enable_offline_web_application_cache, webkit_settings_set_enable_offline_web_application_cache, TRUE);
    checkBoolean(webkit_settings_get_enable_html5_local_storage, webkit_settings_set_enable_html5_local_storage, TRUE);
    checkBoolean(webkit_settings_get_enable_html5_database, webkit_settings_set_enable_html5_database, TRUE);

    // The XSS auditor is on by default; frame flattening is off.
    checkBoolean(webkit_settings_get_enable_xss_auditor, webkit_settings_set_enable_xss_auditor, TRUE);
    checkBoolean(webkit_settings_get_enable_frame_flattening, webkit_settings_set_enable_frame_flattening, FALSE);

    // Plugins and Java are on by default.
    checkBoolean(webkit_settings_get_enable_plugins, webkit_settings_set_enable_plugins, TRUE);
    checkBoolean(webkit_settings_get_enable_java, webkit_settings_set_enable_java, TRUE);

    // Script-initiated window opening and hyperlink auditing are off by default.
    checkBoolean(webkit_settings_get_javascript_can_open_windows_automatically, webkit_settings_set_javascript_can_open_windows_automatically, FALSE);
    checkBoolean(webkit_settings_get_enable_hyperlink_auditing, webkit_settings_set_enable_hyperlink_auditing, FALSE);

    // Font families: each default is swapped for a different generic family.
    checkString(webkit_settings_get_default_font_family, webkit_settings_set_default_font_family, "sans-serif", "monospace");
    checkString(webkit_settings_get_monospace_font_family, webkit_settings_set_monospace_font_family, "monospace", "sans-serif");
    checkString(webkit_settings_get_serif_font_family, webkit_settings_set_serif_font_family, "serif", "sans-serif");
    checkString(webkit_settings_get_sans_serif_font_family, webkit_settings_set_sans_serif_font_family, "sans-serif", "serif");
    checkString(webkit_settings_get_cursive_font_family, webkit_settings_set_cursive_font_family, "serif", "sans-serif");
    checkString(webkit_settings_get_fantasy_font_family, webkit_settings_set_fantasy_font_family, "serif", "sans-serif");
    checkString(webkit_settings_get_pictograph_font_family, webkit_settings_set_pictograph_font_family, "serif", "sans-serif");

    // Font sizes (pixels).
    checkUnsigned(webkit_settings_get_default_font_size, webkit_settings_set_default_font_size, 16, 14);
    checkUnsigned(webkit_settings_get_default_monospace_font_size, webkit_settings_set_default_monospace_font_size, 13, 10);
    checkUnsigned(webkit_settings_get_minimum_font_size, webkit_settings_set_minimum_font_size, 0, 7);

    // Default charset.
    checkString(webkit_settings_get_default_charset, webkit_settings_set_default_charset, "iso-8859-1", "utf8");

    // Browsing-mode and UI behaviour switches.
    checkBoolean(webkit_settings_get_enable_private_browsing, webkit_settings_set_enable_private_browsing, FALSE);
    checkBoolean(webkit_settings_get_enable_developer_extras, webkit_settings_set_enable_developer_extras, FALSE);
    checkBoolean(webkit_settings_get_enable_resizable_text_areas, webkit_settings_set_enable_resizable_text_areas, TRUE);
    checkBoolean(webkit_settings_get_enable_tabs_to_links, webkit_settings_set_enable_tabs_to_links, TRUE);
    checkBoolean(webkit_settings_get_enable_dns_prefetching, webkit_settings_set_enable_dns_prefetching, FALSE);
    checkBoolean(webkit_settings_get_enable_caret_browsing, webkit_settings_set_enable_caret_browsing, FALSE);
    checkBoolean(webkit_settings_get_enable_fullscreen, webkit_settings_set_enable_fullscreen, TRUE);
    checkBoolean(webkit_settings_get_print_backgrounds, webkit_settings_set_print_backgrounds, TRUE);

    // Web platform features that are off by default.
    checkBoolean(webkit_settings_get_enable_webaudio, webkit_settings_set_enable_webaudio, FALSE);
    checkBoolean(webkit_settings_get_enable_webgl, webkit_settings_set_enable_webgl, FALSE);
    checkBoolean(webkit_settings_get_allow_modal_dialogs, webkit_settings_set_allow_modal_dialogs, FALSE);
    checkBoolean(webkit_settings_get_zoom_text_only, webkit_settings_set_zoom_text_only, FALSE);
    // Clipboard access from script is off by default.
    checkBoolean(webkit_settings_get_javascript_can_access_clipboard, webkit_settings_set_javascript_can_access_clipboard, FALSE);

    // Media playback.
    checkBoolean(webkit_settings_get_media_playback_requires_user_gesture, webkit_settings_set_media_playback_requires_user_gesture, FALSE);
    checkBoolean(webkit_settings_get_media_playback_allows_inline, webkit_settings_set_media_playback_allows_inline, TRUE);

    // Rendering and caching.
    checkBoolean(webkit_settings_get_draw_compositing_indicators, webkit_settings_set_draw_compositing_indicators, FALSE);
    checkBoolean(webkit_settings_get_enable_site_specific_quirks, webkit_settings_set_enable_site_specific_quirks, TRUE);
    checkBoolean(webkit_settings_get_enable_page_cache, webkit_settings_set_enable_page_cache, TRUE);
    checkBoolean(webkit_settings_get_enable_smooth_scrolling, webkit_settings_set_enable_smooth_scrolling, FALSE);
    checkBoolean(webkit_settings_get_enable_accelerated_2d_canvas, webkit_settings_set_enable_accelerated_2d_canvas, FALSE);
    checkBoolean(webkit_settings_get_enable_write_console_messages_to_stdout, webkit_settings_set_enable_write_console_messages_to_stdout, FALSE);

    // Media capture / streaming features are off by default.
    checkBoolean(webkit_settings_get_enable_media_stream, webkit_settings_set_enable_media_stream, FALSE);
    checkBoolean(webkit_settings_get_enable_spatial_navigation, webkit_settings_set_enable_spatial_navigation, FALSE);
    checkBoolean(webkit_settings_get_enable_mediasource, webkit_settings_set_enable_mediasource, FALSE);

    // Both file-URL privilege escalations are off by default: a file:// page may
    // neither read other file:// resources nor bypass same-origin checks entirely.
    checkBoolean(webkit_settings_get_allow_file_access_from_file_urls, webkit_settings_set_allow_file_access_from_file_urls, FALSE);
    checkBoolean(webkit_settings_get_allow_universal_access_from_file_urls, webkit_settings_set_allow_universal_access_from_file_urls, FALSE);

    g_object_unref(G_OBJECT(settings));
}
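// Parses the console message captured by consoleMessageReceivedCallback and asserts
// that it is an error-level (3) message whose text equals `expectedText`.
// The message arrives serialized as a "(uusus)" GVariant; only the second field
// (level) and the third (text) are inspected here. Ownership of `consoleMessage`
// stays with the caller.
static void assertConsoleErrorMessage(WebKitJavascriptResult* consoleMessage, const char* expectedText)
{
    g_assert(consoleMessage);
    GUniquePtr<char> messageString(WebViewTest::javascriptResultToCString(consoleMessage));
    GRefPtr<GVariant> variant = g_variant_parse(G_VARIANT_TYPE("(uusus)"), messageString.get(), nullptr, nullptr, nullptr);
    g_assert(variant.get());
    unsigned level = 0;
    const char* messageText = nullptr;
    // "&s" borrows the string from the variant, so messageText is only valid while `variant` lives.
    g_variant_get(variant.get(), "(uu&su&s)", nullptr, &level, &messageText, nullptr, nullptr);
    g_assert_cmpuint(level, ==, 3); // Console error message.
    g_assert_cmpstr(messageText, ==, expectedText);
}

// Checks the file-URL XHR policy exposed through WebKitSettings:
//  - a file:// page may not XHR another file:// resource unless
//    allow-file-access-from-file-urls is enabled (the script runs, but the request
//    is rejected and a cross-origin error is reported on the console), and
//  - even with that setting on, an http:// page still cannot read a file:// resource.
// The blocked cases are verified through the console message relayed by the
// "console" script message handler. The setting is restored to FALSE at the end.
static void testWebContextSecurityFileXHR(WebViewTest* test, gconstpointer)
{
    GUniquePtr<char> fileURL(g_strdup_printf("file://%s/simple.html", Test::getResourcesDir(Test::WebKit2Resources).data()));
    test->loadURI(fileURL.get());
    test->waitUntilLoadFinished();

    GUniquePtr<char> jsonURL(g_strdup_printf("file://%s/simple.json", Test::getResourcesDir().data()));
    GUniquePtr<char> xhr(g_strdup_printf("var xhr = new XMLHttpRequest; xhr.open(\"GET\", \"%s\"); xhr.send();", jsonURL.get()));
    // The test expects the same cross-origin error text for both blocked origins (file:// and http://).
    GUniquePtr<char> expectedErrorMessage(g_strdup_printf("XMLHttpRequest cannot load %s. Cross origin requests are only supported for HTTP.", jsonURL.get()));

    // consoleMessageReceivedCallback stores the received message here; each blocked
    // check consumes it, releases it and clears the slot for the next one.
    WebKitJavascriptResult* consoleMessage = nullptr;
    webkit_user_content_manager_register_script_message_handler(test->m_userContentManager.get(), "console");
    g_signal_connect(test->m_userContentManager.get(), "script-message-received::console", G_CALLBACK(consoleMessageReceivedCallback), &consoleMessage);

    // By default file access is not allowed: the script itself completes, but the
    // request is rejected with a cross-origin error reported on the console.
    GUniqueOutPtr<GError> error;
    WebKitJavascriptResult* javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr());
    g_assert(javascriptResult);
    g_assert(!error);
    assertConsoleErrorMessage(consoleMessage, expectedErrorMessage.get());
    webkit_javascript_result_unref(consoleMessage);
    consoleMessage = nullptr;

    // Allow file access from file URLs: the same file:// page can now read the resource.
    webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), TRUE);
    test->loadURI(fileURL.get());
    test->waitUntilLoadFinished();
    javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr());
    g_assert(javascriptResult);
    g_assert(!error);

    // It still isn't possible to load a file from an HTTP URL. The console message is
    // parsed from the freshly received `consoleMessage`, not from the string captured
    // by the first check, so this assertion exercises the new message.
    test->loadURI(kServer->getURIForPath("/").data());
    test->waitUntilLoadFinished();
    javascriptResult = test->runJavaScriptAndWaitUntilFinished(xhr.get(), &error.outPtr());
    g_assert(javascriptResult);
    g_assert(!error);
    assertConsoleErrorMessage(consoleMessage, expectedErrorMessage.get());
    webkit_javascript_result_unref(consoleMessage);
    consoleMessage = nullptr;

    g_signal_handlers_disconnect_matched(test->m_userContentManager.get(), G_SIGNAL_MATCH_DATA, 0, 0, nullptr, nullptr, &consoleMessage);
    webkit_user_content_manager_unregister_script_message_handler(test->m_userContentManager.get(), "console");
    // Restore the default so later tests start from the restrictive setting.
    webkit_settings_set_allow_file_access_from_file_urls(webkit_web_view_get_settings(test->m_webView), FALSE);
}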