Diff
Modified: branches/safari-602.2.14.0-branch/LayoutTests/ChangeLog (207252 => 207253)
--- branches/safari-602.2.14.0-branch/LayoutTests/ChangeLog 2016-10-12 23:01:50 UTC (rev 207252)
+++ branches/safari-602.2.14.0-branch/LayoutTests/ChangeLog 2016-10-12 23:01:55 UTC (rev 207253)
@@ -1,3 +1,20 @@
+2016-10-12 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r204266. rdar://problem/28216261
+
+ 2016-08-08 John Wilander <wilan...@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+ * http/tests/security/resources/page-executing-_javascript_.html: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
2016-10-11 Matthew Hanson <matthew_han...@apple.com>
Merge r203611. rdar://problem/28476958
Added: branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (0 => 207253)
--- branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (rev 0)
+++ branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html 2016-10-12 23:01:55 UTC (rev 207253)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+ <a id="theLink" target="_blank" href="" page that executes _javascript_</a>
+</body>
+</html>
Added: branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (0 => 207253)
--- branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (rev 0)
+++ branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html 2016-10-12 23:01:55 UTC (rev 207253)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: _javascript_ was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+ document.getElementById("output").innerHTML = "Fail: _javascript_ was allowed to execute.";
+</script>
+</body>
+</html>
Added: branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (0 => 207253)
--- branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (rev 0)
+++ branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt 2016-10-12 23:01:55 UTC (rev 207253)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-_javascript_.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
Added: branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (0 => 207253)
--- branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (rev 0)
+++ branches/safari-602.2.14.0-branch/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html 2016-10-12 23:01:55 UTC (rev 207253)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="UTF-8">
+ <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+ <script src=""
+</head>
+<body>
+<script>
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ testRunner.setPopupBlockingEnabled(false);
+ testRunner.dumpAsText();
+ }
+
+ function wrapUp () {
+ if (window.testRunner) {
+ testRunner.notifyDone();
+ }
+ }
+
+ function run() {
+ var iframeContentDocument = document.getElementById("theIframe").contentDocument,
+ theLink = iframeContentDocument.getElementById("theLink"),
+ clickEvent = document.createEvent("HTMLEvents");
+ clickEvent.initEvent("click", true, true);
+ theLink.dispatchEvent(clickEvent);
+
+ setTimeout(wrapUp, 500);
+ }
+</script>
+<iframe _onload_="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src=""
+</body>
+</html>
Modified: branches/safari-602.2.14.0-branch/Source/WebCore/ChangeLog (207252 => 207253)
--- branches/safari-602.2.14.0-branch/Source/WebCore/ChangeLog 2016-10-12 23:01:50 UTC (rev 207252)
+++ branches/safari-602.2.14.0-branch/Source/WebCore/ChangeLog 2016-10-12 23:01:55 UTC (rev 207253)
@@ -1,5 +1,24 @@
2016-10-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r204266. rdar://problem/28216261
+
+ 2016-08-08 John Wilander <wilan...@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
+ Now copies the opener's frame loader effective sandbox flags to the
+ new frame loader.
+
+2016-10-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r203903. rdar://problem/28476961
2016-07-28 Dean Jackson <d...@apple.com>
Modified: branches/safari-602.2.14.0-branch/Source/WebCore/loader/FrameLoader.cpp (207252 => 207253)
--- branches/safari-602.2.14.0-branch/Source/WebCore/loader/FrameLoader.cpp 2016-10-12 23:01:50 UTC (rev 207252)
+++ branches/safari-602.2.14.0-branch/Source/WebCore/loader/FrameLoader.cpp 2016-10-12 23:01:55 UTC (rev 207253)
@@ -3119,6 +3119,8 @@
if (!mainFrame)
return;
+ mainFrame->loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
if (frameName != "_blank")
mainFrame->tree().setName(frameName);