Title: [96984] trunk
Revision
96984
Author
[email protected]
Date
2011-10-07 16:00:04 -0700 (Fri, 07 Oct 2011)

Log Message

XSLT-generated document should inherit its SecurityOrigin from the source document
https://bugs.webkit.org/show_bug.cgi?id=69661

Patch by Sergey Glazunov <[email protected]> on 2011-10-07
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml

* xml/XSLTProcessor.cpp:
(WebCore::XSLTProcessor::createDocumentFromSource):

LayoutTests:

* http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt: Added.
* http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (96983 => 96984)


--- trunk/LayoutTests/ChangeLog	2011-10-07 22:11:51 UTC (rev 96983)
+++ trunk/LayoutTests/ChangeLog	2011-10-07 23:00:04 UTC (rev 96984)
@@ -1,3 +1,13 @@
+2011-10-07  Sergey Glazunov  <[email protected]>
+
+        XSLT-generated document should inherit its SecurityOrigin from the source document
+        https://bugs.webkit.org/show_bug.cgi?id=69661
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt: Added.
+        * http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml: Added.
+
 2011-10-07  Brent Fulgham  <[email protected]>
 
         [WinCairo] Unreviewed Skiplist update to get WinCairo bot green.

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt (0 => 96984)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt	2011-10-07 23:00:04 UTC (rev 96984)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
+
+This test passes if it doesn't alert the contents of innocent-victim.html.  

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml (0 => 96984)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml	2011-10-07 23:00:04 UTC (rev 96984)
@@ -0,0 +1,45 @@
+<?xml-stylesheet type="text/xsl" href=""
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<html>
+<head>
+<script>
+<![CDATA[
+if (window.layoutTestController) {
+	layoutTestController.dumpAsText();
+	layoutTestController.waitUntilDone();
+	layoutTestController.setCanOpenWindows();
+	layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+ }
+
+window._onload_ = function()
+{
+	if (!opener) {
+		victim = document.body.appendChild(document.createElement("iframe"));
+		wnd = victim.contentWindow.open();
+		victim.src = ""
+		victim._onload_ = function() { wnd.eval("location = '" + location + "'"); }
+	} else if (location != "about:blank") {
+		url = ""
+		blank = document.body.appendChild(document.createElement("iframe"));
+		blank.contentWindow.eval("parent.document.open()");
+		location = "_javascript_:(\"<?xml version='1.0'?><?xml-stylesheet type='text/xsl' href=''?><root/>\")";
+	} else {
+		victim = opener;
+		open("_javascript_:void(0)", "_self");
+		if (victim.eval)
+			victim.eval("alert(document.body.innerHTML)");
+
+		if (window.layoutTestController)
+			layoutTestController.notifyDone();
+	}
+}
+]]>
+</script>
+</head>
+<body>
+This test passes if it doesn't alert the contents of innocent-victim.html.
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
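Review bot: several identifiers in this hunk read as mangled in the listing and need confirming against the committed file: `window._onload_` and `victim._onload_` (the DOM property is `onload`) and the `_javascript_:` URLs on the `location =` and `open(...)` lines. If those names are literally what the file contains, neither handler ever fires, the alert path is never reached, and the test passes vacuously without exercising the `createDocumentFromSource` change. The first line `<?xml-stylesheet type="text/xsl" href=""` is also missing its closing `?>`, and the `href`, `victim.src` and `url` values are all empty here, so the resource the test loads cannot be checked from the hunk; the expected output names `http://localhost:8080/security/resources/innocent-victim.html`, so the source should be reviewed for that. Minor: `url = ""` is assigned and never read, and `victim`, `wnd`, `url` and `blank` are created as implicit globals; dropping the dead assignment and declaring the rest with `var` would make the three branches easier to follow.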

Modified: trunk/Source/WebCore/ChangeLog (96983 => 96984)


--- trunk/Source/WebCore/ChangeLog	2011-10-07 22:11:51 UTC (rev 96983)
+++ trunk/Source/WebCore/ChangeLog	2011-10-07 23:00:04 UTC (rev 96984)
@@ -1,3 +1,15 @@
+2011-10-07  Sergey Glazunov  <[email protected]>
+
+        XSLT-generated document should inherit its SecurityOrigin from the source document
+        https://bugs.webkit.org/show_bug.cgi?id=69661
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml
+
+        * xml/XSLTProcessor.cpp:
+        (WebCore::XSLTProcessor::createDocumentFromSource):
+
 2011-10-07  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r96944.
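Review bot: the ChangeLog entry lists the touched function but gives no rationale, and its title mentions only the SecurityOrigin while the code change in XSLTProcessor.cpp also copies `cookieURL()` from the source document. One sentence stating that the transformed document now takes both its security origin and its cookie URL from the document it replaces, rather than starting from a fresh origin, would save the next reader a trip to the bug.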

Modified: trunk/Source/WebCore/xml/XSLTProcessor.cpp (96983 => 96984)


--- trunk/Source/WebCore/xml/XSLTProcessor.cpp	2011-10-07 22:11:51 UTC (rev 96983)
+++ trunk/Source/WebCore/xml/XSLTProcessor.cpp	2011-10-07 23:00:04 UTC (rev 96984)
@@ -84,7 +84,13 @@
     if (frame) {
         if (FrameView* view = frame->view())
             view->clear();
-        result->setTransformSourceDocument(frame->document());
+
+        if (Document* oldDocument = frame->document()) {
+            result->setTransformSourceDocument(oldDocument);
+            result->setSecurityOrigin(oldDocument->securityOrigin());
+            result->setCookieURL(oldDocument->cookieURL());
+        }
+
         frame->setDocument(result);
     }
 
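Review bot: the new `if (Document* oldDocument = frame->document())` guard quietly changes behaviour when the frame has no document: before, `setTransformSourceDocument(frame->document())` ran unconditionally, and now neither the transform source nor the security origin is set on `result`, which then keeps whatever origin it was created with when `frame->setDocument(result)` installs it. Since the whole point of the patch is that the result not end up with a fresh origin, that fallback deserves either an `ASSERT(frame->document())` if a null document is impossible at this point, or a comment explaining what origin `result` is expected to carry in that case. Also consider whether `setSecurityOrigin` should be applied before `setTransformSourceDocument`, so any code run from the latter already sees the inherited origin; if ordering is irrelevant here, a short comment saying so would help.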
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes