Title: [91152] trunk
Revision: 91152
Author: [email protected]
Date: 2011-07-16 13:12:51 -0700 (Sat, 16 Jul 2011)

Log Message

DOMWindow::open performs a security check on a wrong window
https://bugs.webkit.org/show_bug.cgi?id=64651

Patch by Sergey Glazunov <[email protected]> on 2011-07-16
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xss-DENIED-window-open-parent.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::open):

LayoutTests:

* http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html: Added.
* http/tests/security/xss-DENIED-window-open-parent-expected.txt: Added.
* http/tests/security/xss-DENIED-window-open-parent.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (91151 => 91152)


--- trunk/LayoutTests/ChangeLog	2011-07-16 19:07:21 UTC (rev 91151)
+++ trunk/LayoutTests/ChangeLog	2011-07-16 20:12:51 UTC (rev 91152)
@@ -1,3 +1,14 @@
+2011-07-16  Sergey Glazunov  <[email protected]>
+
+        DOMWindow::open performs a security check on a wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=64651
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html: Added.
+        * http/tests/security/xss-DENIED-window-open-parent-expected.txt: Added.
+        * http/tests/security/xss-DENIED-window-open-parent.html: Added.
+
 2011-07-16  Sam Weinig  <[email protected]>
 
         Attribute selectors don't handle glob namespaces (e.g. *|E)

Added: trunk/LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html (0 => 91152)


--- trunk/LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html	2011-07-16 20:12:51 UTC (rev 91152)
@@ -0,0 +1,4 @@
+<script>
+open("_javascript_:alert('failed')", "_top");
+parent.postMessage("", "*");
+</script>
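Review bot: the URL passed to open() on the second line reads "_javascript_:alert('failed')", which is not a valid scheme and would never reach the javascript: URL check this test exists to exercise; the underscores look like list-archive escaping of "javascript:" (the same pattern appears as "_onmessage_" in the test page and "Unsafe _javascript_ attempt" in the expected output), so verify the committed file actually contains `open("javascript:alert('failed')", "_top");`. Targeting "_top" is what makes the test meaningful: the attacker frame's own window is not the window being navigated, so a check performed on the caller's DOMWindow instead of the top frame's would let the alert through.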

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt (0 => 91152)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt	2011-07-16 20:12:51 UTC (rev 91152)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-window-open-parent.html from frame with URL http://localhost:8080/security/resources/xss-DENIED-window-open-parent-attacker.html. Domains, protocols and ports must match.
+
+This test passes if there is no alert dialog.
+
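Review bot: the CONSOLE MESSAGE line must match the engine's console output byte for byte, and "Unsafe _javascript_ attempt" with underscores will not match a message that spells "JavaScript"; as with the attacker page this looks like archive escaping rather than the committed text, but it is worth confirming the expected file, since a mismatch here makes the test fail for reasons unrelated to the fix. The message itself is the right thing to assert on: it records that the cross-origin access from localhost:8080 to 127.0.0.1:8000 was denied, which is the observable effect of the corrected check.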

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html (0 => 91152)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html	2011-07-16 20:12:51 UTC (rev 91152)
@@ -0,0 +1,21 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+
+window._onmessage_ = function()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+This test passes if there is no alert dialog.<br>
+<iframe src="" 
+</body>
+</html>
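Review bot: the `<iframe src="" ` line is incomplete: the tag is never closed and the src attribute is empty, so as shown the test loads no attacker frame and passes vacuously (no alert, but also no cross-origin attempt and no message to trigger notifyDone, so the test would hang in waitUntilDone). The expected output names the frame URL as http://localhost:8080/security/resources/xss-DENIED-window-open-parent-attacker.html, so the src should point at that cross-origin URL and the tag should be closed with `></iframe>`. Minor: the two consecutive blank lines after the layoutTestController block can be collapsed to one.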

Modified: trunk/Source/WebCore/ChangeLog (91151 => 91152)


--- trunk/Source/WebCore/ChangeLog	2011-07-16 19:07:21 UTC (rev 91151)
+++ trunk/Source/WebCore/ChangeLog	2011-07-16 20:12:51 UTC (rev 91152)
@@ -1,3 +1,15 @@
+2011-07-16  Sergey Glazunov  <[email protected]>
+
+        DOMWindow::open performs a security check on a wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=64651
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xss-DENIED-window-open-parent.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::open):
+
 2011-07-16  Sam Weinig  <[email protected]>
 
         Attribute selectors don't handle glob namespaces (e.g. *|E)

Modified: trunk/Source/WebCore/page/DOMWindow.cpp (91151 => 91152)


--- trunk/Source/WebCore/page/DOMWindow.cpp	2011-07-16 19:07:21 UTC (rev 91151)
+++ trunk/Source/WebCore/page/DOMWindow.cpp	2011-07-16 20:12:51 UTC (rev 91152)
@@ -1807,7 +1807,7 @@
         if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
             return 0;
 
-        if (isInsecureScriptAccess(activeWindow, urlString))
+        if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
             return targetFrame->domWindow();
 
         if (urlString.isEmpty())
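Review bot: the fix is the right one, and the reason deserves a one-line comment above the call so it is not "simplified" back later. In the removed line, `isInsecureScriptAccess(activeWindow, urlString)` is implicitly `this->isInsecureScriptAccess(...)`, and `this` is the DOMWindow whose open() was called, which for a target such as "_top" is not the window that will be navigated; the check therefore compared the caller against itself and passed. Calling it on `targetFrame->domWindow()` asks the question against the window actually receiving the javascript: URL, which is the only window whose origin matters. Two follow-ups worth confirming: that the preceding `shouldAllowNavigation(targetFrame)` check is intentionally kept separate, since it governs whether navigation is permitted at all while this line governs script-URL access, and that returning `targetFrame->domWindow()` on the insecure path (rather than 0) is the intended observable behaviour for callers, as the test only asserts that no alert fires.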