Title: [96826] trunk
Revision
96826
Author
[email protected]
Date
2011-10-06 10:14:11 -0700 (Thu, 06 Oct 2011)

Log Message

Add check for javascript: URLs in HTMLPlugInImageElement::allowedToLoadFrameURL
https://bugs.webkit.org/show_bug.cgi?id=68813

Patch by Sergey Glazunov <[email protected]> on 2011-10-06
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xss-DENIED-object-element.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::allowedToLoadFrameURL):

LayoutTests:

* http/tests/security/xss-DENIED-object-element-expected.txt: Added.
* http/tests/security/xss-DENIED-object-element.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (96825 => 96826)


--- trunk/LayoutTests/ChangeLog	2011-10-06 17:12:35 UTC (rev 96825)
+++ trunk/LayoutTests/ChangeLog	2011-10-06 17:14:11 UTC (rev 96826)
@@ -1,3 +1,13 @@
+2011-10-06  Sergey Glazunov  <[email protected]>
+
+        Add check for _javascript_ URLs in HTMLPlugInImageElement::allowedToLoadFrameURL
+        https://bugs.webkit.org/show_bug.cgi?id=68813
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xss-DENIED-object-element-expected.txt: Added.
+        * http/tests/security/xss-DENIED-object-element.html: Added.
+
 2011-10-06  Mark Pilgrim  <[email protected]>
 
         Test how filesystem methods react to too few arguments

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt (0 => 96826)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt	2011-10-06 17:14:11 UTC (rev 96826)
@@ -0,0 +1 @@
+There should be no alert displayed.  

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-object-element.html (0 => 96826)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-object-element.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-object-element.html	2011-10-06 17:14:11 UTC (rev 96826)
@@ -0,0 +1,28 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+window._onload_ = function()
+{
+    object = document.createElement("object");
+    object.data = ""
+    document.body.appendChild(object);
+    object._onload_ = function() {
+        object._onload_ = null;
+        object.data = ""
+        object.innerHTML = "foo";
+
+        if (window.layoutTestController)
+            setTimeout("layoutTestController.notifyDone()", 50);
+    }
+}
+</script>
+</head>
+<body>
+There should be no alert displayed.
+</body>
+</html>
\ No newline at end of file
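Review bot: On the `object = document.createElement("object");` line the variable is assigned without `var`, so it becomes an implicit global, and the two `object.data = ""` lines omit the semicolon used everywhere else in the script; `var object = document.createElement("object");` and `object.data = "";` would keep the test consistent with itself. Both `object.data` values appear empty in this rendering, which may be the archive stripping the URL under test; given the commit title, the second assignment is presumably the javascript: URL whose load is expected to be denied, so the repository copy should be checked before relying on this listing. The expected output only states that no alert is displayed, so a short comment in the test naming which load is being denied (the cross-origin javascript: navigation of the object's content frame) would make the expectation self-explanatory.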

Modified: trunk/Source/WebCore/ChangeLog (96825 => 96826)


--- trunk/Source/WebCore/ChangeLog	2011-10-06 17:12:35 UTC (rev 96825)
+++ trunk/Source/WebCore/ChangeLog	2011-10-06 17:14:11 UTC (rev 96826)
@@ -1,3 +1,15 @@
+2011-10-06  Sergey Glazunov  <[email protected]>
+
+        Add check for _javascript_ URLs in HTMLPlugInImageElement::allowedToLoadFrameURL
+        https://bugs.webkit.org/show_bug.cgi?id=68813
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xss-DENIED-object-element.html
+
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::allowedToLoadFrameURL):
+
 2011-10-06  Yury Semikhatsky  <[email protected]>
 
         Web Inspector: avoid assertion failure in ~InspectorDebuggerAgent in case of workers

Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (96825 => 96826)


--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp	2011-10-06 17:12:35 UTC (rev 96825)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp	2011-10-06 17:14:11 UTC (rev 96826)
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
+#include "SecurityOrigin.h"
 
 namespace WebCore {
 
@@ -76,9 +77,14 @@
     if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
         return false;
 
+    KURL completeURL = document()->completeURL(url);
+    
+    if (contentFrame() && protocolIsJavaScript(completeURL)
+        && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+        return false;
+    
     // We allow one level of self-reference because some sites depend on that.
     // But we don't allow more than one.
-    KURL completeURL = document()->completeURL(url);
     bool foundSelfReference = false;
     for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
         if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {
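Review bot: The new guard on the `if (contentFrame() && protocolIsJavaScript(completeURL)` line has no comment explaining why it is conditioned on an existing content frame and on a failed `canAccess` check, which a later reader needs in order to preserve it. A comment above the `if` such as `// A javascript: URL is executed in the existing content document, so only allow it when this document may already access that document's origin.` would record the intent. The two added blank lines, after the `completeURL` declaration and after `return false;`, carry trailing whitespace, which WebKit style disallows. `contentDocument()` is dereferenced without a null check; if a content frame can exist here without a document (I cannot tell from the hunk), that would need guarding. allowedToLoadFrameURL begins and ends outside the hunk.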