Title: [92932] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92931 => 92932)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 05:45:53 UTC (rev 92931)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-12 05:47:47 UTC (rev 92932)
@@ -1,5 +1,19 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 91611
+
+    2011-07-22  Sergey Glazunov  <[email protected]>
+
+            Perform the _javascript_ navigation check on a complete URL
+            https://bugs.webkit.org/show_bug.cgi?id=65038
+
+            Reviewed by Adam Barth.
+
+            * http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt: Added.
+            * http/tests/security/xss-DENIED-document-baseURI-_javascript_.html: Added.
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 91531
 
     2011-07-21  Gavin Peters  <[email protected]>

Copied: branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt (from rev 91611, trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt) (0 => 92932)


--- branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt	2011-08-12 05:47:47 UTC (rev 92932)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-document-baseURI-_javascript_.html. Domains, protocols and ports must match.
+
+This test passes if there is no alert dialog  

Copied: branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html (from rev 91611, trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html) (0 => 92932)


--- branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html	2011-08-12 05:47:47 UTC (rev 92932)
@@ -0,0 +1,34 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+
+window._onload_ = function()
+{
+    document.documentURI = "_javascript_://hostname.com/%0D%0Aalert('FAIL')";
+
+    frame = document.body.appendChild(document.createElement("iframe"));
+    frame.src = ""
+    
+    frame._onload_ = function()
+    {
+        frame.contentWindow.location = "";
+        setTimeout(finishTest, 0);
+    }
+}
+
+function finishTest()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+This test passes if there is no alert dialog
+</body>
+</html>
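Review bot: Only the `location` setter path is exercised by this test (`frame.contentWindow.location = ""`), while the accompanying WebCore ChangeLog lists `DOMWindow::createWindow` and `DOMWindow::open` as changed too. Sibling tests that reach the check through `window.open`, once for an existing target frame and once for a new window, would pin all three call sites. `finishTest` is also queued with `setTimeout(finishTest, 0)` directly after the assignment, so it is worth confirming that a regressed build would show the alert before `notifyDone()` runs. Otherwise the "no alert dialog" expectation could pass without the navigation having been observed.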

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92931 => 92932)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 05:45:53 UTC (rev 92931)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-08-12 05:47:47 UTC (rev 92932)
@@ -1,5 +1,23 @@
 2011-08-11  Lucas Forschler  <[email protected]>
 
+    Merged 91611
+
+    2011-07-22  Sergey Glazunov  <[email protected]>
+
+            Perform the _javascript_ navigation check on a complete URL
+            https://bugs.webkit.org/show_bug.cgi?id=65038
+
+            Reviewed by Adam Barth.
+
+            Test: http/tests/security/xss-DENIED-document-baseURI-_javascript_.html
+
+            * page/DOMWindow.cpp:
+            (WebCore::DOMWindow::setLocation):
+            (WebCore::DOMWindow::createWindow):
+            (WebCore::DOMWindow::open):
+
+2011-08-11  Lucas Forschler  <[email protected]>
+
     Merged 91559
 
     2011-07-22  Jia Pu  <[email protected]>

Modified: branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp (92931 => 92932)


--- branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp	2011-08-12 05:45:53 UTC (rev 92931)
+++ branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp	2011-08-12 05:47:47 UTC (rev 92932)
@@ -1664,7 +1664,7 @@
     if (completedURL.isNull())
         return;
 
-    if (isInsecureScriptAccess(activeWindow, urlString))
+    if (isInsecureScriptAccess(activeWindow, completedURL))
         return;
 
     // We want a new history item if we are processing a user gesture.
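Review bot: The reason the check takes `completedURL` rather than `urlString` is not recorded at the call site, and the same bare substitution is repeated in the hunks at 1749 and 1799. A short comment would keep a later cleanup from reverting to the raw string, for example `// Check the resolved URL: an empty or relative urlString can complete to a javascript: URL via the document's base URL.` That rationale is inferred from the ChangeLog title and the new layout test, since the body of `isInsecureScriptAccess` is not visible here. The enclosing function begins and ends outside the hunk.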
@@ -1749,7 +1749,7 @@
     newFrame->loader()->setOpener(openerFrame);
     newFrame->page()->setOpenedByDOM();
 
-    if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+    if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
         return newFrame;
 
     if (function)
@@ -1799,7 +1799,9 @@
         if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
             return 0;
 
-        if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+        KURL completedURL = firstFrame->document()->completeURL(urlString);
+
+        if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
             return targetFrame->domWindow();
 
         if (urlString.isEmpty())
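Review bot: The new `completedURL` is used for the access check and, in the hunk at 1810, for the scheduled navigation without any validity guard, whereas the first hunk shows `if (completedURL.isNull()) return;` ahead of the same check in its function. If a null or invalid completion is possible for `firstFrame->document()->completeURL(urlString)`, it would be worth deciding here whether to bail out the same way or to note in a comment why this path does not need it. The hunk at 1810 also now passes the `KURL` where `.string()` was passed before. If `scheduleLocationChange` takes a `String`, writing `completedURL.string()` keeps the conversion explicit. The function body continues outside both hunks.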
@@ -1808,7 +1810,7 @@
         // For whatever reason, Firefox uses the first window rather than the active window to
         // determine the outgoing referrer. We replicate that behavior here.
         targetFrame->navigationScheduler()->scheduleLocationChange(activeFrame->document()->securityOrigin(),
-            firstFrame->document()->completeURL(urlString).string(),
+            completedURL,
             firstFrame->loader()->outgoingReferrer(),
             !activeFrame->script()->anyPageIsProcessingUserGesture(), false);
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
