Diff
Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (202170 => 202171)
--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-06-17 17:24:39 UTC (rev 202170)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog 2016-06-17 18:47:48 UTC (rev 202171)
@@ -1,3 +1,20 @@
+2016-06-17 Babak Shafiei <[email protected]>
+
+ Merge r202151.
+
+ 2016-06-16 John Wilander <[email protected]>
+
+ Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
+ https://bugs.webkit.org/show_bug.cgi?id=158855
+ <rdar://problem/26142632>
+
+ Reviewed by Alex Christensen.
+
+ * http/tests/dom/window-open-about-blank-and-access-document-expected.txt: Added.
+ * http/tests/dom/window-open-about-blank-and-access-document.html: Added.
+ * http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt: Added.
+ * http/tests/dom/window-open-about-webkit-org-and-access-document.html: Added.
+
2016-06-10 Matthew Hanson <[email protected]>
Roll out r201287. rdar://problem/26605164
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document-expected.txt (from rev 202151, trunk/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document-expected.txt) (0 => 202171)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document-expected.txt 2016-06-17 18:47:48 UTC (rev 202171)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Injected script running.
+
+PASS newWindow.document is defined.
+
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document.html (from rev 202151, trunk/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document.html) (0 => 202171)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-blank-and-access-document.html 2016-06-17 18:47:48 UTC (rev 202171)
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <title>Tests opening a new about:blank window and accessing its document</title>
+ <script src=""
+ <script>
+ var newWindow;
+
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ }
+
+ function checkNewWindowDocumentIsUndefined () {
+ shouldBeDefined("newWindow.document");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ function clickHandler() {
+ newWindow = window.open("about:blank");
+ try {
+ newWindow.document.write("<scri" + "pt>console.log('Injected script running.')</sc" + "ript>");
+ setTimeout(checkNewWindowDocumentIsUndefined, 500);
+ } catch (e) {
+ testFailed("Was not able to write to the new window's document.");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ }
+
+ function clickButton() {
+ var button = document.getElementById("test");
+ var buttonX = button.offsetLeft + button.offsetWidth / 2;
+ var buttonY = button.offsetTop + button.offsetHeight / 2;
+ if (window.eventSender) {
+ eventSender.mouseMoveTo(buttonX, buttonY);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ }
+ }
+ </script>
+</head>
+<body _onload_="clickButton()">
+<button id="test" _onclick_="clickHandler()"></button>
+<div id="console"></div>
+</body>
+</html>
\ No newline at end of file
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt (from rev 202151, trunk/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt) (0 => 202171)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt 2016-06-17 18:47:48 UTC (rev 202171)
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: line 45: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "about". Protocols must match.
+
+CONSOLE MESSAGE: line 347: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "about". Protocols must match.
+
+
+PASS newWindow.document is undefined.
+
Copied: branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document.html (from rev 202151, trunk/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document.html) (0 => 202171)
--- branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document.html (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/http/tests/dom/window-open-about-webkit-org-and-access-document.html 2016-06-17 18:47:48 UTC (rev 202171)
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <title>Tests opening a new about://webkit.org window and accessing its document</title>
+ <script src=""
+ <script>
+ var newWindow;
+
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ }
+
+ function checkNewWindowDocumentIsUndefined () {
+ shouldBeUndefined("newWindow.document");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ function clickHandler() {
+ newWindow = window.open("about://webkit.org");
+ try {
+ newWindow.document.write("<scri" + "pt>console.log('Injected script running.')</sc" + "ript>");
+ testFailed("Was able to write to the new window's document.");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ } catch (e) {
+ setTimeout(checkNewWindowDocumentIsUndefined, 500);
+ }
+ }
+
+ function clickButton() {
+ var button = document.getElementById("test");
+ var buttonX = button.offsetLeft + button.offsetWidth / 2;
+ var buttonY = button.offsetTop + button.offsetHeight / 2;
+ if (window.eventSender) {
+ eventSender.mouseMoveTo(buttonX, buttonY);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ }
+ }
+ </script>
+</head>
+<body _onload_="clickButton()">
+<button id="test" _onclick_="clickHandler()"></button>
+<div id="console"></div>
+</body>
+</html>
\ No newline at end of file
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (202170 => 202171)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-06-17 17:24:39 UTC (rev 202170)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-06-17 18:47:48 UTC (rev 202171)
@@ -1,3 +1,67 @@
+2016-06-17 Babak Shafiei <[email protected]>
+
+ Merge r202151.
+
+ 2016-06-16 John Wilander <[email protected]>
+
+ Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
+ https://bugs.webkit.org/show_bug.cgi?id=158855
+ <rdar://problem/26142632>
+
+ Reviewed by Alex Christensen.
+
+ Tests: http/tests/dom/window-open-about-blank-and-access-document.html
+ http/tests/dom/window-open-about-webkit-org-and-access-document.html
+
+ Document.cpp previously checked whether a document should inherit its owner's
+ security origin by checking if the URL is either empty or blank. URL.cpp in
+ turn only checks if the protocol is "about:" in the isBlankURL() function.
+ Thus all about:* URLs inherited security origin. This patch restricts
+ security origin inheritance to empty, about:blank, and about:srcdoc URLs.
+
+ Quotes and links from the WHATWG spec regarding about:srcdoc:
+
+ 7.1 Browsing contexts
+ A browsing context can have a creator browsing context, the browsing context
+ that was responsible for its creation. If a browsing context has a parent
+ browsing context, then that is its creator browsing context. Otherwise, if the
+ browsing context has an opener browsing context, then that is its creator
+ browsing context. Otherwise, the browsing context has no creator browsing
+ context.
+ https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc
+
+ 7.1.1 Nested browsing contexts
+ Certain elements (for example, iframe elements) can instantiate further
+ browsing contexts. These are called nested browsing contexts. If a browsing
+ context P has a Document D with an element E that nests another browsing
+ context C inside it, then C is said to be nested through D, and E is said to
+ be the browsing context container of C. If the browsing context container
+ element E is in the Document D, then P is said to be the parent browsing
+ context of C and C is said to be a child browsing context of P. Otherwise,
+ the nested browsing context C has no parent browsing context.
+ https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context
+
+ 4.8.5 The iframe element
+ The iframe element represents a nested browsing context.
+ ...
+ If the srcdoc attribute is specified
+ Navigate the element's child browsing context to a new response whose
+ url list consists of about:srcdoc ...
+ https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-srcdoc
+
+ * dom/Document.cpp:
+ (WebCore::Document::initSecurityContext):
+ Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
+ (WebCore::Document::initContentSecurityPolicy):
+ Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
+ (WebCore::shouldInheritSecurityOriginFromOwner): Deleted.
+ Moved to URL::shouldInheritSecurityOriginFromOwner() and restricted the check.
+ * platform/URL.cpp:
+ (WebCore::URL::shouldInheritSecurityOriginFromOwner):
+ * platform/URL.h:
+ Moved the function from Document and restricted the check to only allow
+ security origin inheritance for empty, about:blank, and about:srcdoc URLs.
+
2016-06-01 Babak Shafiei <[email protected]>
Merge r201561.
Modified: branches/safari-601.1.46-branch/Source/WebCore/dom/Document.cpp (202170 => 202171)
--- branches/safari-601.1.46-branch/Source/WebCore/dom/Document.cpp 2016-06-17 17:24:39 UTC (rev 202170)
+++ branches/safari-601.1.46-branch/Source/WebCore/dom/Document.cpp 2016-06-17 18:47:48 UTC (rev 202171)
@@ -321,19 +321,6 @@
return true;
}
-static bool shouldInheritSecurityOriginFromOwner(const URL& url)
-{
- // http://www.whatwg.org/specs/web-apps/current-work/#origin-0
- //
- // If a Document has the address "about:blank"
- // The origin of the Document is the origin it was assigned when its browsing context was created.
- //
- // Note: We generalize this to all "blank" URLs and invalid URLs because we
- // treat all of these URLs as about:blank.
- //
- return url.isEmpty() || url.isBlankURL();
-}
-
static Widget* widgetForElement(Element* focusedElement)
{
if (!focusedElement)
@@ -4999,7 +4986,7 @@
setBaseURLOverride(parentDocument->baseURL());
}
- if (!shouldInheritSecurityOriginFromOwner(m_url))
+ if (!m_url.shouldInheritSecurityOriginFromOwner())
return;
// If we do not obtain a meaningful origin from the URL, then we try to
@@ -5032,7 +5019,7 @@
void Document::initContentSecurityPolicy()
{
- if (!m_frame->tree().parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
+ if (!m_frame->tree().parent() || (!m_url.shouldInheritSecurityOriginFromOwner() && !isPluginDocument()))
return;
contentSecurityPolicy()->copyStateFrom(m_frame->tree().parent()->document()->contentSecurityPolicy());
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/URL.cpp (202170 => 202171)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/URL.cpp 2016-06-17 17:24:39 UTC (rev 202170)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/URL.cpp 2016-06-17 18:47:48 UTC (rev 202171)
@@ -1975,6 +1975,13 @@
return protocolIs("about");
}
+bool URL::shouldInheritSecurityOriginFromOwner() const
+{
+ return isEmpty()
+ || m_string == blankURL().string()
+ || m_string == "about:srcdoc";
+}
+
bool isDefaultPortForProtocol(unsigned short port, const String& protocol)
{
if (protocol.isEmpty())
Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/URL.h (202170 => 202171)
--- branches/safari-601.1.46-branch/Source/WebCore/platform/URL.h 2016-06-17 17:24:39 UTC (rev 202170)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/URL.h 2016-06-17 18:47:48 UTC (rev 202171)
@@ -129,6 +129,7 @@
bool protocolIsInHTTPFamily() const;
WEBCORE_EXPORT bool isLocalFile() const;
bool isBlankURL() const;
+ bool shouldInheritSecurityOriginFromOwner() const;
WEBCORE_EXPORT bool setProtocol(const String&);
void setHost(const String&);
