Title: [204174] trunk
- Revision
- 204174
- Author
- [email protected]
- Date
- 2016-08-05 09:51:05 -0700 (Fri, 05 Aug 2016)
Log Message
Popups opened from a sandboxed iframe should themselves be sandboxed
https://bugs.webkit.org/show_bug.cgi?id=134850
<rdar://problem/27375388>
Reviewed by Brent Fulgham.
Source/WebCore:
This replicates the behavior in Chrome, Firefox, and according to the reporter
also in Internet Explorer. See the Mozilla bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1
Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
* page/Chrome.cpp:
(WebCore::Chrome::createWindow):
Now copies the opener's frame loader effective sandbox flags to the new
frame loader.
LayoutTests:
* http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
* http/tests/security/resources/page-executing-_javascript_.html: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (204173 => 204174)
--- trunk/LayoutTests/ChangeLog 2016-08-05 16:42:34 UTC (rev 204173)
+++ trunk/LayoutTests/ChangeLog 2016-08-05 16:51:05 UTC (rev 204174)
@@ -1,3 +1,16 @@
+2016-08-05 John Wilander <[email protected]>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+ * http/tests/security/resources/page-executing-_javascript_.html: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
2016-08-05 Commit Queue <[email protected]>
Unreviewed, rolling out r203935.
Added: trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (0 => 204174)
--- trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html 2016-08-05 16:51:05 UTC (rev 204174)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+ <a id="theLink" target="_blank" href="" page that executes _javascript_</a>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (0 => 204174)
--- trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html 2016-08-05 16:51:05 UTC (rev 204174)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: _javascript_ was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+ document.getElementById("output").innerHTML = "Fail: _javascript_ was allowed to execute.";
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (0 => 204174)
--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt 2016-08-05 16:51:05 UTC (rev 204174)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-_javascript_.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (0 => 204174)
--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html 2016-08-05 16:51:05 UTC (rev 204174)
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="UTF-8">
+ <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+ <script src=""
+</head>
+<body>
+<script>
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ testRunner.setPopupBlockingEnabled(false);
+ testRunner.dumpAsText();
+ }
+
+ function wrapUp () {
+ finishJSTest();
+ if (window.testRunner) {
+ testRunner.notifyDone();
+ }
+ }
+
+ function run() {
+ var iframeContentDocument = document.getElementById("theIframe").contentDocument;
+ if (!iframeContentDocument) {
+ testFailed("Can't get iframeElement.contentDocument");
+ finishJSTest();
+ testRunner.notifyDone();
+ } else {
+ var theLink = iframeContentDocument.getElementById("theLink");
+ if (!theLink) {
+ testFailed("Can't get iframeElement.contentDocument.getElementById('theLink')");
+ finishJSTest();
+ testRunner.notifyDone();
+ } else {
+ var clickEvent = document.createEvent("HTMLEvents");
+ clickEvent.initEvent("click", true, true);
+ theLink.dispatchEvent(clickEvent);
+
+ setTimeout(wrapUp, 500);
+ }
+ }
+ }
+</script>
+<iframe _onload_="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (204173 => 204174)
--- trunk/Source/WebCore/ChangeLog 2016-08-05 16:42:34 UTC (rev 204173)
+++ trunk/Source/WebCore/ChangeLog 2016-08-05 16:51:05 UTC (rev 204174)
@@ -1,3 +1,22 @@
+2016-08-05 John Wilander <[email protected]>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ This replicates the behavior in Chrome, Firefox, and according to the reporter
+ also in Internet Explorer. See the Mozilla bug report:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1
+
+ Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+ * page/Chrome.cpp:
+ (WebCore::Chrome::createWindow):
+ Now copies the opener's frame loader effective sandbox flags to the new
+ frame loader.
+
2016-08-05 Darin Adler <[email protected]>
* DerivedSources.make: Fix all places that were using tabs instead of spaces outside
Modified: trunk/Source/WebCore/page/Chrome.cpp (204173 => 204174)
--- trunk/Source/WebCore/page/Chrome.cpp 2016-08-05 16:42:34 UTC (rev 204173)
+++ trunk/Source/WebCore/page/Chrome.cpp 2016-08-05 16:51:05 UTC (rev 204174)
@@ -195,10 +195,13 @@
Page* Chrome::createWindow(Frame* frame, const FrameLoadRequest& request, const WindowFeatures& features, const NavigationAction& action) const
{
+ ASSERT(frame);
Page* newPage = m_client.createWindow(frame, request, features, action);
if (!newPage)
return 0;
+ newPage->mainFrame().loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
if (StorageNamespace* oldSessionStorage = m_page.sessionStorage(false))
newPage->setSessionStorage(oldSessionStorage->copy(newPage));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
