Title: [97018] branches/chromium/874
- Revision
- 97018
- Author
- [email protected]
- Date
- 2011-10-08 18:20:00 -0700 (Sat, 08 Oct 2011)
Log Message
Merge 96984 - XSLT-generated document should inherit its SecurityOrigin from the source document
BUG=99512
Review URL: http://codereview.chromium.org/8213002
Modified Paths
Added Paths
Diff
Copied: branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt (from rev 96984, trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt) (0 => 97018)
--- branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt 2011-10-09 01:20:00 UTC (rev 97018)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
+
+This test passes if it doesn't alert the contents of innocent-victim.html.
Copied: branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml (from rev 96984, trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml) (0 => 97018)
--- branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml 2011-10-09 01:20:00 UTC (rev 97018)
@@ -0,0 +1,45 @@
+<?xml-stylesheet type="text/xsl" href=""
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<html>
+<head>
+<script>
+<![CDATA[
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setCanOpenWindows();
+ layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+ }
+
+window._onload_ = function()
+{
+ if (!opener) {
+ victim = document.body.appendChild(document.createElement("iframe"));
+ wnd = victim.contentWindow.open();
+ victim.src = ""
+ victim._onload_ = function() { wnd.eval("location = '" + location + "'"); }
+ } else if (location != "about:blank") {
+ url = ""
+ blank = document.body.appendChild(document.createElement("iframe"));
+ blank.contentWindow.eval("parent.document.open()");
+ location = "_javascript_:(\"<?xml version='1.0'?><?xml-stylesheet type='text/xsl' href=''?><root/>\")";
+ } else {
+ victim = opener;
+ open("_javascript_:void(0)", "_self");
+ if (victim.eval)
+ victim.eval("alert(document.body.innerHTML)");
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+}
+]]>
+</script>
+</head>
+<body>
+This test passes if it doesn't alert the contents of innocent-victim.html.
+</body>
+</html>
+</xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
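Review bot: The `notifyDone()` call on the last branch is only reached if the cross-origin `victim.eval` lookup returns undefined rather than throwing; should that access ever be made to throw a SecurityError, this test would time out instead of failing (or passing) with a diagnostic. Guarding the probe, e.g. `try { if (victim.eval) victim.eval("alert(document.body.innerHTML)"); } catch (e) { }` ahead of the `notifyDone()` call, keeps the pass/fail decision on the alert and the console output rather than on how the denial is surfaced. Separately, the `href=""`, `src=""` and `url = ""` values (and the `_javascript_`/`_onload_` spellings) as rendered here look blanked by the mail archive's URL stripping, so the committed file should be compared against the original rather than this rendering.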
Modified: branches/chromium/874/Source/WebCore/xml/XSLTProcessor.cpp (97017 => 97018)
--- branches/chromium/874/Source/WebCore/xml/XSLTProcessor.cpp 2011-10-09 00:24:25 UTC (rev 97017)
+++ branches/chromium/874/Source/WebCore/xml/XSLTProcessor.cpp 2011-10-09 01:20:00 UTC (rev 97018)
@@ -84,7 +84,13 @@
if (frame) {
if (FrameView* view = frame->view())
view->clear();
- result->setTransformSourceDocument(frame->document());
+
+ if (Document* oldDocument = frame->document()) {
+ result->setTransformSourceDocument(oldDocument);
+ result->setSecurityOrigin(oldDocument->securityOrigin());
+ result->setCookieURL(oldDocument->cookieURL());
+ }
+
frame->setDocument(result);
}
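Review bot: The new block inherits only the origin and cookie URL from `oldDocument`; if `Document` on this branch also carries a Content-Security-Policy or a first-party-for-cookies URL, neither is copied, so a policy delivered with the source page would presumably not govern the transformed document — worth confirming and, if so, copying that state on the lines following `setCookieURL`. The three new calls also deserve a why-comment, since nothing here records what went wrong before, e.g. `// The result document's URL can be empty or about:blank, in which case its origin is derived from the frame hierarchy (parent/opener) rather than from the document being transformed; inherit the source document's origin and cookie URL so the transformed page gets exactly the source's privileges (bug 99512).` Note the inheritance runs only on the rendered path (`if (frame)`); the frameless result created above the hunk keeps whatever origin its URL gave it, which is presumably fine for a detached document but could be stated in the same comment. The enclosing function starts before the hunk.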