Title: [91611] trunk
- Revision
- 91611
- Author
- [email protected]
- Date
- 2011-07-22 15:23:08 -0700 (Fri, 22 Jul 2011)
Log Message
Perform the JavaScript navigation check on a complete URL
https://bugs.webkit.org/show_bug.cgi?id=65038
Patch by Sergey Glazunov <[email protected]> on 2011-07-22
Reviewed by Adam Barth.
Source/WebCore:
Test: http/tests/security/xss-DENIED-document-baseURI-javascript.html
* page/DOMWindow.cpp:
(WebCore::DOMWindow::setLocation):
(WebCore::DOMWindow::createWindow):
(WebCore::DOMWindow::open):
LayoutTests:
* http/tests/security/xss-DENIED-document-baseURI-javascript-expected.txt: Added.
* http/tests/security/xss-DENIED-document-baseURI-javascript.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (91610 => 91611)
--- trunk/LayoutTests/ChangeLog 2011-07-22 22:22:21 UTC (rev 91610)
+++ trunk/LayoutTests/ChangeLog 2011-07-22 22:23:08 UTC (rev 91611)
@@ -1,3 +1,13 @@
+2011-07-22 Sergey Glazunov <[email protected]>
+
+ Perform the _javascript_ navigation check on a complete URL
+ https://bugs.webkit.org/show_bug.cgi?id=65038
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt: Added.
+ * http/tests/security/xss-DENIED-document-baseURI-_javascript_.html: Added.
+
2011-07-22 Julien Chaffraix <[email protected]>
RenderLayer fixed position logic needs more basic testing
Added: trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt (0 => 91611)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt 2011-07-22 22:23:08 UTC (rev 91611)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-document-baseURI-_javascript_.html. Domains, protocols and ports must match.
+
+This test passes if there is no alert dialog
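Review bot: The expected console message names `http://localhost:8080/security/resources/innocent-victim.html`, but the test added in this same change never loads that resource (its iframe `src` is the empty string and its `location` is set to the empty string), so verify this expectation was regenerated from the final version of the test rather than carried over from an earlier draft; a stale expectation would make the test fail for the wrong reason.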
Added: trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html (0 => 91611)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html 2011-07-22 22:23:08 UTC (rev 91611)
@@ -0,0 +1,34 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+
+window._onload_ = function()
+{
+ document.documentURI = "_javascript_://hostname.com/%0D%0Aalert('FAIL')";
+
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.src = ""
+
+ frame._onload_ = function()
+ {
+ frame.contentWindow.location = "";
+ setTimeout(finishTest, 0);
+ }
+}
+
+function finishTest()
+{
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+This test passes if there is no alert dialog
+</body>
+</html>
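Review bot: `frame = document.body.appendChild(...)` assigns to an undeclared identifier, creating an implicit global, and `frame.src = ""` is missing its terminating semicolon; write `var frame = document.body.appendChild(document.createElement("iframe"));` and `frame.src = "";`. The double blank line after the `layoutTestController` block can be collapsed. The scenario itself is the right one for this fix: setting `document.documentURI` to a `javascript:` URL and then assigning an empty string to `frame.contentWindow.location` means the empty string completes against a `javascript:` base URL, which is exactly the case a check on the raw string misses and the completed-URL check in DOMWindow.cpp now catches, so "no alert dialog" is the correct pass condition.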
Modified: trunk/Source/WebCore/ChangeLog (91610 => 91611)
--- trunk/Source/WebCore/ChangeLog 2011-07-22 22:22:21 UTC (rev 91610)
+++ trunk/Source/WebCore/ChangeLog 2011-07-22 22:23:08 UTC (rev 91611)
@@ -1,3 +1,17 @@
+2011-07-22 Sergey Glazunov <[email protected]>
+
+ Perform the _javascript_ navigation check on a complete URL
+ https://bugs.webkit.org/show_bug.cgi?id=65038
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/xss-DENIED-document-baseURI-_javascript_.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::setLocation):
+ (WebCore::DOMWindow::createWindow):
+ (WebCore::DOMWindow::open):
+
2011-07-22 Ryosuke Niwa <[email protected]>
Revert r91595 for it broke Chromium Windows build.
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (91610 => 91611)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2011-07-22 22:22:21 UTC (rev 91610)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2011-07-22 22:23:08 UTC (rev 91611)
@@ -1672,7 +1672,7 @@
if (completedURL.isNull())
return;
- if (isInsecureScriptAccess(activeWindow, urlString))
+ if (isInsecureScriptAccess(activeWindow, completedURL))
return;
// We want a new history item if we are processing a user gesture.
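Review bot: Passing `completedURL` instead of `urlString` to `isInsecureScriptAccess` is the right fix, since a relative or empty string that completes against a `javascript:` base URL is invisible to a check on the raw string; a one-line comment above the check saying why the completed URL must be used would keep a future refactor from reintroducing the raw-string check. Also confirm that `completedURL` here is computed from the same document whose base URL the subsequent navigation actually resolves against.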
@@ -1757,7 +1757,7 @@
newFrame->loader()->setOpener(openerFrame);
newFrame->page()->setOpenedByDOM();
- if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
return newFrame;
if (function)
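Review bot: This hunk uses `completedURL` without showing where it is computed in `createWindow`; confirm it is the same completed URL that is handed to the load below the hunk, otherwise the security check and the navigation could disagree on the scheme.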
@@ -1807,7 +1807,9 @@
if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
return 0;
- if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ KURL completedURL = firstFrame->document()->completeURL(urlString);
+
+ if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
return targetFrame->domWindow();
if (urlString.isEmpty())
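Review bot: Declaring `KURL completedURL = firstFrame->document()->completeURL(urlString);` before the `urlString.isEmpty()` early return is deliberate and correct, because an empty string completes to the document's base URL, which is the case this bug is about; a short comment stating that would help, since a reader might otherwise "optimize" by moving the completion below the `isEmpty()` check and silently reopen the hole. Note that `isInsecureScriptAccess` now runs for an empty `urlString` as well, which the ChangeLog entry does not mention.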
@@ -1818,7 +1820,7 @@
bool lockHistory = !ScriptController::processingUserGesture();
targetFrame->navigationScheduler()->scheduleLocationChange(
activeFrame->document()->securityOrigin(),
- firstFrame->document()->completeURL(urlString).string(),
+ completedURL,
firstFrame->loader()->outgoingReferrer(),
lockHistory,
false);
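Review bot: `scheduleLocationChange` previously received `firstFrame->document()->completeURL(urlString).string()` (a `String`) and now receives `completedURL` (a `KURL`); confirm the parameter type accepts a `KURL` or converts implicitly, and that the value is identical to what was passed before, so the URL checked in the hunk above and the URL actually navigated to cannot diverge.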
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes