276 lines
9.6 KiB
C++
276 lines
9.6 KiB
C++
/*
|
|
* Copyright (C) 2007-2018 Apple Inc. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
|
|
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
|
|
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "config.h"
|
|
#include "History.h"
|
|
|
|
#include "BackForwardController.h"
|
|
#include "Document.h"
|
|
#include "Frame.h"
|
|
#include "FrameLoader.h"
|
|
#include "FrameLoaderClient.h"
|
|
#include "HistoryController.h"
|
|
#include "HistoryItem.h"
|
|
#include "Logging.h"
|
|
#include "NavigationScheduler.h"
|
|
#include "Page.h"
|
|
#include "ScriptController.h"
|
|
#include "SecurityOrigin.h"
|
|
#include <wtf/CheckedArithmetic.h>
|
|
#include <wtf/IsoMallocInlines.h>
|
|
#include <wtf/MainThread.h>
|
|
#include <wtf/text/StringConcatenateNumbers.h>
|
|
|
|
namespace WebCore {
|
|
|
|
WTF_MAKE_ISO_ALLOCATED_IMPL(History);
|
|
|
|
History::History(DOMWindow& window)
|
|
: DOMWindowProperty(&window)
|
|
{
|
|
}
|
|
|
|
unsigned History::length() const
|
|
{
|
|
auto* frame = this->frame();
|
|
if (!frame)
|
|
return 0;
|
|
auto* page = frame->page();
|
|
if (!page)
|
|
return 0;
|
|
return page->backForward().count();
|
|
}
|
|
|
|
ExceptionOr<History::ScrollRestoration> History::scrollRestoration() const
|
|
{
|
|
auto* frame = this->frame();
|
|
if (!frame)
|
|
return Exception { SecurityError };
|
|
|
|
auto* historyItem = frame->loader().history().currentItem();
|
|
if (!historyItem)
|
|
return ScrollRestoration::Auto;
|
|
|
|
return historyItem->shouldRestoreScrollPosition() ? ScrollRestoration::Auto : ScrollRestoration::Manual;
|
|
}
|
|
|
|
ExceptionOr<void> History::setScrollRestoration(ScrollRestoration scrollRestoration)
|
|
{
|
|
auto* frame = this->frame();
|
|
if (!frame)
|
|
return Exception { SecurityError };
|
|
|
|
auto* historyItem = frame->loader().history().currentItem();
|
|
if (historyItem)
|
|
historyItem->setShouldRestoreScrollPosition(scrollRestoration == ScrollRestoration::Auto);
|
|
|
|
return { };
|
|
}
|
|
|
|
SerializedScriptValue* History::state()
|
|
{
|
|
m_lastStateObjectRequested = stateInternal();
|
|
return m_lastStateObjectRequested.get();
|
|
}
|
|
|
|
SerializedScriptValue* History::stateInternal() const
|
|
{
|
|
auto* frame = this->frame();
|
|
if (!frame)
|
|
return nullptr;
|
|
auto* historyItem = frame->loader().history().currentItem();
|
|
if (!historyItem)
|
|
return nullptr;
|
|
return historyItem->stateObject();
|
|
}
|
|
|
|
bool History::stateChanged() const
|
|
{
|
|
return m_lastStateObjectRequested != stateInternal();
|
|
}
|
|
|
|
JSValueInWrappedObject& History::cachedState()
|
|
{
|
|
if (m_cachedState && stateChanged())
|
|
m_cachedState = { };
|
|
return m_cachedState;
|
|
}
|
|
|
|
bool History::isSameAsCurrentState(SerializedScriptValue* state) const
|
|
{
|
|
return state == stateInternal();
|
|
}
|
|
|
|
void History::back()
|
|
{
|
|
go(-1);
|
|
}
|
|
|
|
void History::back(Document& document)
|
|
{
|
|
go(document, -1);
|
|
}
|
|
|
|
void History::forward()
|
|
{
|
|
go(1);
|
|
}
|
|
|
|
void History::forward(Document& document)
|
|
{
|
|
go(document, 1);
|
|
}
|
|
|
|
void History::go(int distance)
|
|
{
|
|
auto* frame = this->frame();
|
|
LOG(History, "History %p go(%d) frame %p (main frame %d)", this, distance, frame, frame ? frame->isMainFrame() : false);
|
|
|
|
if (!frame)
|
|
return;
|
|
|
|
frame->navigationScheduler().scheduleHistoryNavigation(distance);
|
|
}
|
|
|
|
void History::go(Document& document, int distance)
|
|
{
|
|
auto* frame = this->frame();
|
|
LOG(History, "History %p go(%d) in document %p frame %p (main frame %d)", this, distance, &document, frame, frame ? frame->isMainFrame() : false);
|
|
|
|
if (!frame)
|
|
return;
|
|
|
|
ASSERT(isMainThread());
|
|
|
|
if (!document.canNavigate(frame))
|
|
return;
|
|
|
|
frame->navigationScheduler().scheduleHistoryNavigation(distance);
|
|
}
|
|
|
|
URL History::urlForState(const String& urlString)
|
|
{
|
|
auto* frame = this->frame();
|
|
if (urlString.isNull())
|
|
return frame->document()->url();
|
|
return frame->document()->completeURL(urlString);
|
|
}
|
|
|
|
ExceptionOr<void> History::stateObjectAdded(RefPtr<SerializedScriptValue>&& data, const String& title, const String& urlString, StateObjectType stateObjectType)
|
|
{
|
|
m_cachedState = { };
|
|
|
|
// Each unique main-frame document is only allowed to send 64MB of state object payload to the UI client/process.
|
|
static uint32_t totalStateObjectPayloadLimit = 0x4000000;
|
|
static Seconds stateObjectTimeSpan { 30_s };
|
|
static unsigned perStateObjectTimeSpanLimit = 100;
|
|
|
|
auto* frame = this->frame();
|
|
if (!frame || !frame->page())
|
|
return { };
|
|
|
|
URL fullURL = urlForState(urlString);
|
|
if (!fullURL.isValid())
|
|
return Exception { SecurityError };
|
|
|
|
const URL& documentURL = frame->document()->url();
|
|
|
|
auto createBlockedURLSecurityErrorWithMessageSuffix = [&] (const char* suffix) {
|
|
const char* functionName = stateObjectType == StateObjectType::Replace ? "history.replaceState()" : "history.pushState()";
|
|
return Exception { SecurityError, makeString("Blocked attempt to use ", functionName, " to change session history URL from ", documentURL.stringCenterEllipsizedToLength(), " to ", fullURL.stringCenterEllipsizedToLength(), ". ", suffix) };
|
|
};
|
|
if (!protocolHostAndPortAreEqual(fullURL, documentURL) || fullURL.user() != documentURL.user() || fullURL.password() != documentURL.password())
|
|
return createBlockedURLSecurityErrorWithMessageSuffix("Protocols, domains, ports, usernames, and passwords must match.");
|
|
|
|
const auto& documentSecurityOrigin = frame->document()->securityOrigin();
|
|
// We allow sandboxed documents, 'data:'/'file:' URLs, etc. to use 'pushState'/'replaceState' to modify the URL query and fragments.
|
|
// See https://bugs.webkit.org/show_bug.cgi?id=183028 for the compatibility concerns.
|
|
bool allowSandboxException = (documentSecurityOrigin.isLocal() || documentSecurityOrigin.isUnique())
|
|
&& documentURL.stringWithoutQueryOrFragmentIdentifier() == fullURL.stringWithoutQueryOrFragmentIdentifier();
|
|
|
|
if (!allowSandboxException && !documentSecurityOrigin.canRequest(fullURL) && (fullURL.path() != documentURL.path() || fullURL.query() != documentURL.query()))
|
|
return createBlockedURLSecurityErrorWithMessageSuffix("Paths and fragments must match for a sandboxed document.");
|
|
|
|
auto* mainWindow = frame->page()->mainFrame().window();
|
|
if (!mainWindow)
|
|
return { };
|
|
|
|
auto& mainHistory = mainWindow->history();
|
|
|
|
WallTime currentTimestamp = WallTime::now();
|
|
if (currentTimestamp - mainHistory.m_currentStateObjectTimeSpanStart > stateObjectTimeSpan) {
|
|
mainHistory.m_currentStateObjectTimeSpanStart = currentTimestamp;
|
|
mainHistory.m_currentStateObjectTimeSpanObjectsAdded = 0;
|
|
}
|
|
|
|
if (mainHistory.m_currentStateObjectTimeSpanObjectsAdded >= perStateObjectTimeSpanLimit) {
|
|
if (stateObjectType == StateObjectType::Replace)
|
|
return Exception { SecurityError, makeString("Attempt to use history.replaceState() more than ", perStateObjectTimeSpanLimit, " times per ", stateObjectTimeSpan.seconds(), " seconds") };
|
|
return Exception { SecurityError, makeString("Attempt to use history.pushState() more than ", perStateObjectTimeSpanLimit, " times per ", stateObjectTimeSpan.seconds(), " seconds") };
|
|
}
|
|
|
|
Checked<unsigned> titleSize = title.length();
|
|
titleSize *= 2;
|
|
|
|
Checked<unsigned> urlSize = fullURL.string().length();
|
|
urlSize *= 2;
|
|
|
|
Checked<uint64_t> payloadSize = titleSize;
|
|
payloadSize += urlSize;
|
|
payloadSize += data ? data->data().size() : 0;
|
|
|
|
Checked<uint64_t> newTotalUsage = mainHistory.m_totalStateObjectUsage;
|
|
|
|
if (stateObjectType == StateObjectType::Replace)
|
|
newTotalUsage -= m_mostRecentStateObjectUsage;
|
|
newTotalUsage += payloadSize;
|
|
|
|
if (newTotalUsage > totalStateObjectPayloadLimit) {
|
|
if (stateObjectType == StateObjectType::Replace)
|
|
return Exception { QuotaExceededError, "Attempt to store more data than allowed using history.replaceState()"_s };
|
|
return Exception { QuotaExceededError, "Attempt to store more data than allowed using history.pushState()"_s };
|
|
}
|
|
|
|
m_mostRecentStateObjectUsage = payloadSize;
|
|
|
|
mainHistory.m_totalStateObjectUsage = newTotalUsage;
|
|
++mainHistory.m_currentStateObjectTimeSpanObjectsAdded;
|
|
|
|
if (!urlString.isEmpty())
|
|
frame->document()->updateURLForPushOrReplaceState(fullURL);
|
|
|
|
if (stateObjectType == StateObjectType::Push) {
|
|
frame->loader().history().pushState(WTFMove(data), title, fullURL.string());
|
|
frame->loader().client().dispatchDidPushStateWithinPage();
|
|
} else if (stateObjectType == StateObjectType::Replace) {
|
|
frame->loader().history().replaceState(WTFMove(data), title, fullURL.string());
|
|
frame->loader().client().dispatchDidReplaceStateWithinPage();
|
|
}
|
|
|
|
return { };
|
|
}
|
|
|
|
} // namespace WebCore
|