Modified: trunk/LayoutTests/ChangeLog (204922 => 204923)
--- trunk/LayoutTests/ChangeLog 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/LayoutTests/ChangeLog 2016-08-24 19:52:07 UTC (rev 204923)
@@ -1,3 +1,16 @@
+2016-08-24 Chris Dumez <[email protected]>
+
+ It should not be possible to access Location attributes cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161125
+ <rdar://problem/27982472>
+
+ Reviewed by Brent Fulgham.
+
+ Add layout test coverage.
+
+ * http/tests/security/location-cross-origin-expected.txt: Added.
+ * http/tests/security/location-cross-origin.html: Added.
+
2016-08-24 Jonathan Bedard <[email protected]>
WebKit2 needs layoutTestController.setDeferMainResourceDataLoad
Added: trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt (0 => 204923)
--- trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2016-08-24 19:52:07 UTC (rev 204923)
@@ -0,0 +1,57 @@
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+Test security checking for access to Location.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frames[0].location.protocol is undefined.
+PASS frames[0].location.host is undefined.
+PASS frames[0].location.hostname is undefined.
+PASS frames[0].location.port is undefined.
+PASS frames[0].location.pathname is undefined.
+PASS frames[0].location.search is undefined.
+PASS frames[0].location.hash is undefined.
+PASS frames[0].location.origin is undefined.
+PASS frames[0].location.ancestorOrigins is undefined.
+PASS frames[0].location.toString() threw exception TypeError: frames[0].location.toString is not a function. (In 'frames[0].location.toString()', 'frames[0].location.toString' is undefined).
+PASS frames[0].location.reload() threw exception TypeError: frames[0].location.reload is not a function. (In 'frames[0].location.reload()', 'frames[0].location.reload' is undefined).
+PASS frames[0].location.assign('about:blank') threw exception TypeError: frames[0].location.assign is not a function. (In 'frames[0].location.assign('about:blank')', 'frames[0].location.assign' is undefined).
+PASS frames[0].location.href is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'protocol').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'host').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'hostname').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'port').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'pathname').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'search').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'hash').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'origin').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'ancestorOrigins').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location) is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/location-cross-origin.html (0 => 204923)
--- trunk/LayoutTests/http/tests/security/location-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-cross-origin.html 2016-08-24 19:52:07 UTC (rev 204923)
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe src=""
+<script>
+description("Test security checking for access to Location.");
+jsTestIsAsync = true;
+
+_onload_ = function() {
+ shouldBeUndefined("frames[0].location.protocol");
+ shouldBeUndefined("frames[0].location.host");
+ shouldBeUndefined("frames[0].location.hostname");
+ shouldBeUndefined("frames[0].location.port");
+ shouldBeUndefined("frames[0].location.pathname");
+ shouldBeUndefined("frames[0].location.search");
+ shouldBeUndefined("frames[0].location.hash");
+ shouldBeUndefined("frames[0].location.origin");
+ shouldBeUndefined("frames[0].location.ancestorOrigins");
+ shouldThrow("frames[0].location.toString()");
+ shouldThrow("frames[0].location.reload()");
+ shouldThrow("frames[0].location.assign('about:blank')");
+ // The specification seems to allow access to href but Firefox does not.
+ shouldBeUndefined("frames[0].location.href");
+
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'protocol').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'host').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'hostname').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'port').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'pathname').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'search').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'hash').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'origin').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'ancestorOrigins').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location)");
+ // The specification seems to allow access to href but Firefox does not.
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location)");
+
+ finishJSTest();
+};
+</script>
+<script src=""
+</body>
+</html>
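Review bot: The test only asserts that cross-origin reads are blocked; it never exercises the two members the change deliberately keeps reachable across origins — `replace()`, which Location.idl marks `DoNotCheckSecurity`, and the `href` setter — so a regression that over-blocks them would still pass. A positive check next to the `assign` case, such as `shouldBeTrue("typeof frames[0].location.replace === 'function'")`, would pin the exemption down without navigating the frame. The `href` comment at line 108 explains the divergence from the spec, but the same text is repeated verbatim at line 121; a single comment at the top of the handler would be easier to keep in sync.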
Modified: trunk/Source/WebCore/ChangeLog (204922 => 204923)
--- trunk/Source/WebCore/ChangeLog 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/ChangeLog 2016-08-24 19:52:07 UTC (rev 204923)
@@ -1,3 +1,25 @@
+2016-08-24 Chris Dumez <[email protected]>
+
+ It should not be possible to access Location attributes cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161125
+ <rdar://problem/27982472>
+
+ Reviewed by Brent Fulgham.
+
+ It should not be possible to access Location attributes cross origin:
+ - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+ We allow access to replace() as per the specification and consistently
+ with Firefox. The specification seems to indicate we should allow access
+ to 'href' but Firefox does not and we previously did not so I am not
+ allowing it in this patch.
+
+ Test: http/tests/security/location-cross-origin.html
+
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * page/Location.idl:
+
2016-08-24 Joseph Pecoraro <[email protected]>
Add User Timing to the feature status page
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (204922 => 204923)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-08-24 19:52:07 UTC (rev 204923)
@@ -2830,7 +2830,11 @@
if ($interface->extendedAttributes->{"CheckSecurity"} &&
!$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"} &&
!$attribute->signature->extendedAttributes->{"DoNotCheckSecurityOnGetter"}) {
- push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ if ($interfaceName eq "DOMWindow") {
+ push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ } else {
+ push(@implContent, " if (!shouldAllowAccessToFrame(state, castedThis->wrapped().frame()))\n");
+ }
push(@implContent, " return JSValue::encode(jsUndefined());\n");
}
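Review bot: The new `else` branch emits `castedThis->wrapped().frame()` for every non-DOMWindow interface carrying `CheckSecurity`, which silently assumes the wrapped type exposes a `frame()` accessor; only Location qualifies today, and a future adopter would hit a compile error in generated code rather than a generator diagnostic. A comment at the branch, `# Non-DOMWindow [CheckSecurity] interfaces are assumed to wrap an object with frame() (currently only Location).`, or a `die` on unexpected interface names, would make that explicit. The same two-way branch is duplicated in the function hunk at @@ -3387; pulling the `push` pair into a small helper would stop the getter and function paths from drifting, and would also settle the inconsistency where that hunk collapses the `if` condition onto one line while this one keeps the three-line form. The DOMWindow branch calls a qualified `BindingSecurity::` method while the new line calls an unqualified `shouldAllowAccessToFrame`; presumably that is a free function visible in the generated file, but it is worth a note. GenerateImplementation starts and ends outside both hunks.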
@@ -3387,9 +3391,12 @@
} else {
GenerateFunctionCastedThis($interface, $className, $function);
- if ($interface->extendedAttributes->{"CheckSecurity"} and
- !$function->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
- push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ if ($interface->extendedAttributes->{"CheckSecurity"} and !$function->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
+ if ($interfaceName eq "DOMWindow") {
+ push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ } else {
+ push(@implContent, " if (!shouldAllowAccessToFrame(state, castedThis->wrapped().frame()))\n");
+ }
push(@implContent, " return JSValue::encode(jsUndefined());\n");
}
Modified: trunk/Source/WebCore/page/Location.idl (204922 => 204923)
--- trunk/Source/WebCore/page/Location.idl 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/page/Location.idl 2016-08-24 19:52:07 UTC (rev 204923)
@@ -27,6 +27,7 @@
*/
[
+ CheckSecurity,
CustomDeleteProperty,
CustomEnumerateProperty,
CustomNamedSetter,
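Review bot: Adding `CheckSecurity` at the interface level gates every getter and operation on Location by default, so each member meant to stay reachable cross-origin has to opt out individually; this changeset exempts only `replace` (second hunk). The `href` setter, which the spec requires to remain writable from another origin, carries no setter-side opt-out here (the counterpart of the `DoNotCheckSecurityOnGetter` the generator checks), and the generator's setter path is not part of this changeset, so confirm it is still reachable — the new layout test asserts reads only. A one-line comment above the attribute block, `// [CheckSecurity]: cross-origin access returns undefined for every member not marked DoNotCheckSecurity.`, would make that default visible to the next editor.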
@@ -40,7 +41,7 @@
[SetterCallWith=ActiveWindow&FirstWindow] attribute USVString href;
[CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void assign(USVString url);
- [CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(USVString url);
+ [DoNotCheckSecurity, CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(USVString url);
[CallWith=ActiveWindow, ForwardDeclareInHeader] void reload();
// URI decomposition attributes