Title: [191097] branches/safari-601.1.46-branch

Diff

Modified: branches/safari-601.1.46-branch/ChangeLog (191096 => 191097)


--- branches/safari-601.1.46-branch/ChangeLog	2015-10-15 06:46:40 UTC (rev 191096)
+++ branches/safari-601.1.46-branch/ChangeLog	2015-10-15 06:46:44 UTC (rev 191097)
@@ -1,3 +1,21 @@
+2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r191008. rdar://problem/23110743
+
+    2015-10-13  Dean Jackson  <d...@apple.com>
+
+            Device motion and orientation should only be visible from the main frame's security origin
+            https://bugs.webkit.org/show_bug.cgi?id=150072
+            <rdar://problem/23082036>
+
+            Reviewed by Brent Fulgham.
+
+            Add a manual test for cross-origin device orientation events, while
+            we're waiting on the mock client to be supported everywhere.
+
+            * ManualTests/deviceorientation-child-frame.html: Added.
+            * ManualTests/deviceorientation-main-frame-only.html: Added.
+
 2015-10-02  Babak Shafiei  <bshaf...@apple.com>
 
         Merge r188405.

Added: branches/safari-601.1.46-branch/ManualTests/deviceorientation-child-frame.html (0 => 191097)


--- branches/safari-601.1.46-branch/ManualTests/deviceorientation-child-frame.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/ManualTests/deviceorientation-child-frame.html	2015-10-15 06:46:44 UTC (rev 191097)
@@ -0,0 +1,23 @@
+<html>
+<head>
+    <script>
+    var results = null;
+
+    function run() {
+        results = document.getElementById("results");
+        window.addEventListener("deviceorientation", handleDeviceOrientation, false);
+    }
+
+    function handleDeviceOrientation(event) {
+        results.textContent = "ERROR: Saw event in child frame.";
+        window.removeEventListener("deviceorientation", handleDeviceOrientation);
+    }
+
+    window.addEventListener("load", run, false);
+    </script>
+</head>
+<body>
+    <p>We should not see an event in here.</p>
+    <p id="results">Child frame has not seen event - this is ok.</p>
+</body>
+</html>

Added: branches/safari-601.1.46-branch/ManualTests/deviceorientation-main-frame-only.html (0 => 191097)


--- branches/safari-601.1.46-branch/ManualTests/deviceorientation-main-frame-only.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/ManualTests/deviceorientation-main-frame-only.html	2015-10-15 06:46:44 UTC (rev 191097)
@@ -0,0 +1,26 @@
+<html>
+<head>
+    <script>
+    var results = null;
+
+    function run() {
+        results = document.getElementById("results");
+        window.addEventListener("deviceorientation", handleDeviceOrientation, false);
+    }
+
+    function handleDeviceOrientation(event) {
+        results.textContent = "Saw event in the main frame - this is ok";
+        window.removeEventListener("deviceorientation", handleDeviceOrientation);
+    }
+
+    window.addEventListener("load", run, false);
+    </script>
+</head>
+<body>
+    <p>This tests that deviceorientation events are not dispatched in different origin iframes.</p>
+    <p><b>REMEMBER TO CHANGE THE SRC OF THE IFRAME TO BE CROSS-ORIGIN</b></p>
+    <p>We should be able to detect the event in the main page, but not in the frame.</p>
+    <p id="results">Main page has not seen event.</p>
+    <iframe id="frameA" src=""
+</body>
+</html>
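Review bot: The iframe tag at the end of the body in deviceorientation-main-frame-only.html is never closed (`<iframe id="frameA" src=""` has no `>` and no `</iframe>`), and its src is empty, so as committed the page never loads deviceorientation-child-frame.html. If the tester forgets the manual edit, the main page still reports "Saw event in the main frame - this is ok" and the cross-origin case goes unexercised, so the test passes vacuously. Close the element, `<iframe id="frameA" src=""></iframe>`, and have the page show a visible failure while src is still empty. Both pages listen only for deviceorientation, although the ChangeLog says the change also covers device motion; a devicemotion listener in each page would cover the other gated path.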

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (191096 => 191097)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-15 06:46:40 UTC (rev 191096)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2015-10-15 06:46:44 UTC (rev 191097)
@@ -1,5 +1,30 @@
 2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r191008. rdar://problem/23110743
+
+    2015-10-13  Dean Jackson  <d...@apple.com>
+
+            Device motion and orientation should only be visible from the main frame's security origin
+            https://bugs.webkit.org/show_bug.cgi?id=150072
+            <rdar://problem/23082036>
+
+            Reviewed by Brent Fulgham.
+
+            There are reports that gyroscope and accelerometer information can
+            be used to detect keyboard entry. One initial step to reduce the
+            risk is to forbid device motion and orientation events from
+            being fired in frames that are a different security origin from the main page.
+
+            Manual test: deviceorientation-main-frame-only.html
+
+            * page/DOMWindow.cpp:
+            (WebCore::DOMWindow::isSameSecurityOriginAsMainFrame): New helper function.
+            (WebCore::DOMWindow::addEventListener): Check if we are the main frame, or the
+            same security origin as the main frame. If not, don't add the event
+            listeners.
+
+2015-10-14  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r190570. rdar://problem/23075838
 
     2015-10-05  Zalan Bujtas  <za...@apple.com>

Modified: branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.cpp (191096 => 191097)


--- branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.cpp	2015-10-15 06:46:40 UTC (rev 191096)
+++ branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.cpp	2015-10-15 06:46:44 UTC (rev 191097)
@@ -1692,6 +1692,22 @@
     window->sessionStorage(IGNORE_EXCEPTION);
 }
 
+bool DOMWindow::isSameSecurityOriginAsMainFrame() const
+{
+    if (!m_frame || !m_frame->page() || !document())
+        return false;
+
+    if (m_frame->isMainFrame())
+        return true;
+
+    Document* mainFrameDocument = m_frame->mainFrame().document();
+
+    if (mainFrameDocument && document()->securityOrigin()->canAccess(mainFrameDocument->securityOrigin()))
+        return true;
+
+    return false;
+}
+
 bool DOMWindow::addEventListener(const AtomicString& eventType, PassRefPtr<EventListener> listener, bool useCapture)
 {
     if (!EventTarget::addEventListener(eventType, listener, useCapture))
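Review bot: isSameSecurityOriginAsMainFrame() has no comment stating that it fails closed, which is the property its callers depend on: a window with no frame, page or document, or a main frame with no document, is treated as not same-origin. A short comment above the definition would pin that down, e.g. `// Denies (returns false) when the frame is detached or a document is missing; otherwise true for the main frame or when this document's origin canAccess() the main frame document's origin.` The last three statements can be collapsed to `return mainFrameDocument && document()->securityOrigin()->canAccess(mainFrameDocument->securityOrigin());`. Only the main frame is compared, so cross-origin frames between this one and the main frame are not considered; if that is intended, say so in the same comment. The hunk ends inside addEventListener, whose body continues outside it.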
@@ -1713,17 +1729,28 @@
         addBeforeUnloadEventListener(this);
 #if ENABLE(DEVICE_ORIENTATION)
 #if PLATFORM(IOS)
-    else if (eventType == eventNames().devicemotionEvent && document())
-        document()->deviceMotionController()->addDeviceEventListener(this);
-    else if (eventType == eventNames().deviceorientationEvent && document())
-        document()->deviceOrientationController()->addDeviceEventListener(this);
+    else if ((eventType == eventNames().devicemotionEvent || eventType == eventNames().deviceorientationEvent) && document()) {
+        if (isSameSecurityOriginAsMainFrame()) {
+            if (eventType == eventNames().deviceorientationEvent)
+                document()->deviceOrientationController()->addDeviceEventListener(this);
+            else
+                document()->deviceMotionController()->addDeviceEventListener(this);
+        } else if (document())
+            document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page."));
+    }
 #else
     else if (eventType == eventNames().devicemotionEvent && RuntimeEnabledFeatures::sharedFeatures().deviceMotionEnabled()) {
-        if (DeviceMotionController* controller = DeviceMotionController::from(page()))
-            controller->addDeviceEventListener(this);
+        if (isSameSecurityOriginAsMainFrame()) {
+            if (DeviceMotionController* controller = DeviceMotionController::from(page()))
+                controller->addDeviceEventListener(this);
+        } else if (document())
+            document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device motion listener from child frame that wasn't the same security origin as the main page."));
     } else if (eventType == eventNames().deviceorientationEvent && RuntimeEnabledFeatures::sharedFeatures().deviceOrientationEnabled()) {
-        if (DeviceOrientationController* controller = DeviceOrientationController::from(page()))
-            controller->addDeviceEventListener(this);
+        if (isSameSecurityOriginAsMainFrame()) {
+            if (DeviceOrientationController* controller = DeviceOrientationController::from(page()))
+                controller->addDeviceEventListener(this);
+        } else if (document())
+            document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device orientation listener from child frame that wasn't the same security origin as the main page."));
     }
 #endif // PLATFORM(IOS)
 #endif // ENABLE(DEVICE_ORIENTATION)
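Review bot: The origin check runs only after `EventTarget::addEventListener` has already succeeded (visible at the top of this function in the previous hunk), so a blocked listener stays on the window's listener list and only the controller registration is skipped. The protection therefore depends on the controllers dispatching solely to windows registered through addDeviceEventListener, and on the removeEventListener path, which is not in this diff, tolerating a window that was never added; both are worth confirming, or the function should bail out before the listener is stored. In the iOS branch the `else if (document())` is redundant, because the enclosing condition already requires `document()`. All three console messages read "Blocked attempt add"; they should read `"Blocked attempt to add ..."`. This hunk begins and ends inside addEventListener.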

Modified: branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.h (191096 => 191097)


--- branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.h	2015-10-15 06:46:40 UTC (rev 191096)
+++ branches/safari-601.1.46-branch/Source/WebCore/page/DOMWindow.h	2015-10-15 06:46:44 UTC (rev 191097)
@@ -361,6 +361,8 @@
         void reconnectDOMWindowProperties();
         void willDestroyDocumentInFrame();
 
+        bool isSameSecurityOriginAsMainFrame() const;
+
 #if ENABLE(GAMEPAD)
         void incrementGamepadEventListenerCount();
         void decrementGamepadEventListenerCount();