Support whitelisting URLs for local universal access

When launching the browser with a local (file) URL, the page
may need to load scripts that reside on a different volume.
The commit 448487f introduced a change to use the posix
version of FileSystem::getFileDeviceId() instead of the glib
one. This affected the return value which is now non-zero,
fixing a bug, but changing the behavior of
FileSystem::filesHaveSameVolume() compared to older versions
and consequently the behavior of
SecurityOrigin::canDisplay() when a page loads a script that
resides on a different volume. While this can be overcome by
enabling the setting to allow universal access from file
urls using the API
webkit_settings_set_allow_universal_access_from_file_urls(),
that will allow a wider access that needed, as the access is
only required from a limited number of trusted local files.
This new API introduces a way to overcome this issue and
allow only the access that is required.

Author: filipe-norte-red

Source/WebKit/Shared/WebPageCreationParameters.h

@@ -270,6 +270,7 @@ struct WebPageCreationParameters {
 
     String overriddenMediaType { };
     Vector<String> corsDisablingPatterns { };
+    Vector<String> localUniversalAccessAllowList { };
     HashSet<String> maskedURLSchemes { };
     bool loadsSubresources { true };
     std::optional<MemoryCompactLookupOnlyRobinHoodHashSet<String>> allowedNetworkHosts { };

Source/WebKit/Shared/WebPageCreationParameters.serialization.in

@@ -191,6 +191,7 @@ enum class WebCore::UserInterfaceLayoutDirection : bool;
 
     String overriddenMediaType;
     Vector<String> corsDisablingPatterns;
+    Vector<String> localUniversalAccessAllowList;
     HashSet<String> maskedURLSchemes;
     bool loadsSubresources;
     std::optional<MemoryCompactLookupOnlyRobinHoodHashSet<String>> allowedNetworkHosts;

Source/WebKit/UIProcess/API/APIPageConfiguration.h

@@ -574,6 +574,7 @@ class PageConfiguration : public ObjectImpl<Object::Type::PageConfiguration> {
 
         HashMap<WTF::String, Ref<WebKit::WebURLSchemeHandler>> urlSchemeHandlers;
         Vector<WTF::String> corsDisablingPatterns;
+        Vector<WTF::String> localUniversalAccessAllowList;
         HashSet<WTF::String> maskedURLSchemes;
         bool maskedURLSchemesWasSet { false };
         bool crossOriginAccessControlCheckEnabled { true };

Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp

@@ -5613,6 +5613,33 @@ void webkit_web_view_set_cors_allowlist(WebKitWebView* webView, const gchar* con
     getPage(webView).setCORSDisablingPatterns(WTFMove(allowListVector));
 }
 
+
+/**
+ * webkit_web_view_set_local_universal_access_allowlist:
+ * @web_view: a #WebKitWebView
+ * @allowlist: (array zero-terminated=1) (element-type utf8) (transfer none) (nullable): an allowlist of URIs, or %NULL
+ *
+ * Sets the @allowlist for which local universal access is granted.
+ *
+ * If this function is called multiple times, only the allowlist set by
+ * the most recent call will be effective.
+ *
+ * Since: 2.46
+ */
+void webkit_web_view_set_local_universal_access_allowlist(WebKitWebView* webView, const gchar* const* allowList)
+{
+    g_return_if_fail(WEBKIT_IS_WEB_VIEW(webView));
+
+    Vector<String> allowListVector;
+    if (allowList) {
+        for (auto str = allowList; *str; ++str)
+            allowListVector.append(String::fromUTF8(*str));
+    }
+
+    getPage(webView).setLocalUniversalAccessAllowList(WTFMove(allowListVector));
+}
+
+
 static void webkitWebViewConfigureMediaCapture(WebKitWebView* webView, WebCore::MediaProducerMediaCaptureKind captureKind, WebKitMediaCaptureState captureState)
 {
     Ref page = getPage(webView);

Source/WebKit/UIProcess/API/glib/WebKitWebView.h.in

@@ -872,6 +872,10 @@ WEBKIT_API void
 webkit_web_view_set_cors_allowlist                   (WebKitWebView             *web_view,
                                                       const gchar * const       *allowlist);
 
+WEBKIT_API void
+webkit_web_view_set_local_universal_access_allowlist (WebKitWebView             *web_view,
+                                                      const gchar * const       *allowlist);
+
 WEBKIT_API WebKitWebsitePolicies *
 webkit_web_view_get_website_policies                 (WebKitWebView             *web_view);
 

Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -11883,6 +11883,7 @@ WebPageCreationParameters WebPageProxy::creationParameters(WebProcessProxy& proc
 
     parameters.overriddenMediaType = m_overriddenMediaType;
     parameters.corsDisablingPatterns = corsDisablingPatterns();
+    parameters.localUniversalAccessAllowList = localUniversalAccessAllowList();
     parameters.maskedURLSchemes = m_configuration->maskedURLSchemes();
     parameters.allowedNetworkHosts = m_configuration->allowedNetworkHosts();
     parameters.loadsSubresources = m_configuration->loadsSubresources();
@@ -15179,6 +15180,12 @@ void WebPageProxy::setCORSDisablingPatterns(Vector<String>&& patterns)
     send(Messages::WebPage::UpdateCORSDisablingPatterns(m_corsDisablingPatterns));
 }
 
+void WebPageProxy::setLocalUniversalAccessAllowList(Vector<String>&& allowList)
+{
+    m_localUniversalAccessAllowList = WTFMove(allowList);
+    send(Messages::WebPage::SetLocalUniversalAccessAllowList(m_localUniversalAccessAllowList));
+}
+
 void WebPageProxy::setOverriddenMediaType(const String& mediaType)
 {
     m_overriddenMediaType = mediaType;

Source/WebKit/UIProcess/WebPageProxy.h

@@ -2253,6 +2253,9 @@ class WebPageProxy final : public API::ObjectImpl<API::Object::Type::Page>, publ
     void setCORSDisablingPatterns(Vector<String>&&);
     const Vector<String>& corsDisablingPatterns() const { return m_corsDisablingPatterns; }
 
+    void setLocalUniversalAccessAllowList(Vector<String>&&);
+    const Vector<String>& localUniversalAccessAllowList() const { return m_localUniversalAccessAllowList; }
+
     void getProcessDisplayName(CompletionHandler<void(String&&)>&&);
 
     void setOrientationForMediaCapture(WebCore::IntDegrees);
@@ -3829,6 +3832,7 @@ class WebPageProxy final : public API::ObjectImpl<API::Object::Type::Page>, publ
     String m_overriddenMediaType;
 
     Vector<String> m_corsDisablingPatterns;
+    Vector<String> m_localUniversalAccessAllowList;
 
     struct InjectedBundleMessage {
         String messageName;

Source/WebKit/WebProcess/InjectedBundle/API/glib/WebKitWebPage.cpp

@@ -283,6 +283,11 @@ class PageLoaderClient final : public API::InjectedBundle::PageLoaderClient {
     {
     }
 
+    bool shouldForceUniversalAccessFromLocalURL(WebKit::WebPage& webPage, const WTF::String& url) override
+    {
+        return webPage.localUniversalAccessAllowList().contains(url);
+    }
+
     WebKitWebPage* m_webPage;
 };
 

Source/WebKit/WebProcess/WebPage/WebPage.cpp

@@ -853,6 +853,8 @@ WebPage::WebPage(PageIdentifier pageID, WebPageCreationParameters&& parameters)
     pageConfiguration.httpsUpgradeEnabled = parameters.httpsUpgradeEnabled;
     pageConfiguration.portsForUpgradingInsecureSchemeForTesting = parameters.portsForUpgradingInsecureSchemeForTesting;
 
+    m_localUniversalAccessAllowList = WTFMove(parameters.localUniversalAccessAllowList);
+
     if (!parameters.crossOriginAccessControlCheckEnabled)
         CrossOriginAccessControlCheckDisabler::singleton().setCrossOriginAccessControlCheckEnabled(false);
 
@@ -9140,6 +9142,11 @@ void WebPage::updateCORSDisablingPatterns(Vector<String>&& patterns)
     page->setCORSDisablingPatterns(parseAndAllowAccessToCORSDisablingPatterns(m_corsDisablingPatterns));
 }
 
+void WebPage::setLocalUniversalAccessAllowList(Vector<String>&& allowList)
+{
+    m_localUniversalAccessAllowList = WTFMove(allowList);
+}
+
 void WebPage::synchronizeCORSDisablingPatternsWithNetworkProcess()
 {
     // FIXME: We should probably have this mechanism done between UIProcess and NetworkProcess directly.

Source/WebKit/WebProcess/WebPage/WebPage.h

@@ -1744,6 +1744,7 @@ class WebPage final : public API::ObjectImpl<API::Object::Type::BundlePage>, pub
     void setOverriddenMediaType(const String&);
 
     void updateCORSDisablingPatterns(Vector<String>&&);
+    void setLocalUniversalAccessAllowList(Vector<String>&&);
 
 #if ENABLE(IPC_TESTING_API)
     bool ipcTestingAPIEnabled() const { return m_ipcTestingAPIEnabled; }
@@ -2009,6 +2010,8 @@ class WebPage final : public API::ObjectImpl<API::Object::Type::BundlePage>, pub
 
     std::unique_ptr<FrameInfoData> takeMainFrameNavigationInitiator();
 
+    const Vector<String>& localUniversalAccessAllowList() const { return m_localUniversalAccessAllowList; };
+
 private:
     WebPage(WebCore::PageIdentifier, WebPageCreationParameters&&);
 
@@ -3044,6 +3047,7 @@ class WebPage final : public API::ObjectImpl<API::Object::Type::BundlePage>, pub
     bool m_textManipulationIncludesSubframes { false };
 
     Vector<String> m_corsDisablingPatterns;
+    Vector<String> m_localUniversalAccessAllowList;
 
     std::unique_ptr<WebCore::CachedPage> m_cachedPage;