Title: [205037] trunk
Revision: 205037
Author: [email protected]
Date: 2016-08-26 13:35:21 -0700 (Fri, 26 Aug 2016)

Log Message

Calling crossOriginWindow.toString() should not be allowed
https://bugs.webkit.org/show_bug.cgi?id=161225

Reviewed by Andreas Kling.

Source/WebCore:

Calling crossOriginWindow.toString() should not be allowed:
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)

In WebKit, we were printing a security error in the console but
returning "[object Window]" anyway.

In Firefox and Chrome, it throws an exception.

No new tests, updated existing test.

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):

LayoutTests:

Update existing tests to reflect the behavior change.

* http/tests/security/cross-frame-access-custom-expected.txt:
* http/tests/security/cross-frame-access-custom.html:
* http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-setPrototypeOf.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (205036 => 205037)


--- trunk/LayoutTests/ChangeLog	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/LayoutTests/ChangeLog	2016-08-26 20:35:21 UTC (rev 205037)
@@ -1,3 +1,17 @@
+2016-08-26  Chris Dumez  <[email protected]>
+
+        Calling crossOriginWindow.toString() should not be allowed
+        https://bugs.webkit.org/show_bug.cgi?id=161225
+
+        Reviewed by Andreas Kling.
+
+        Update existing tests to reflect the behavior change.
+
+        * http/tests/security/cross-frame-access-custom-expected.txt:
+        * http/tests/security/cross-frame-access-custom.html:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+
 2016-08-26  Devin Rousso  <[email protected]>
 
         Web Inspector: Some CSS selectors in the UI aren't escaped

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-custom-expected.txt (205036 => 205037)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-custom-expected.txt	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-custom-expected.txt	2016-08-26 20:35:21 UTC (rev 205037)
@@ -15,9 +15,13 @@
 CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 83: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 84: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 83: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 84: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 111: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 111: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 111: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 114: TypeError: No default value
 
 
 ----- tests for getting/setting interesting properties -----
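Review bot: the new `CONSOLE MESSAGE: line 114: TypeError: No default value` line pins this expectation to JavaScriptCore's exact wording for a failed primitive conversion, which is what string-converting the window now falls back to once `toString` is no longer exposed; it is not a message from the cross-origin check itself (those are the "Blocked a frame" lines above it). If that engine message ever changes, the test will fail for a reason unrelated to the cross-frame access policy, so it would be more robust for the test to assert that an exception is thrown than to let the message leak into the expected output. The three added "Blocked a frame" lines (55, 84, 111) show the access is now logged at each of those call sites, which is consistent with the getter no longer being special-cased.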
@@ -33,7 +37,7 @@
 PASS: canSet('targetWindow.windowPrototypeCustomProperty') should be 'false' and is.
 PASS: canGet('targetWindow.objectPrototypeCustomProperty') should be 'false' and is.
 PASS: canSet('targetWindow.objectPrototypeCustomProperty') should be 'false' and is.
-PASS: canGet('targetWindow.toString') should be 'true' and is.
+PASS: canGet('targetWindow.toString') should be 'false' and is.
 PASS: canSet('targetWindow.toString') should be 'false' and is.
-PASS: toString('targetWindow', '') should be '[object Window]' and is.
+PASS: toString('targetWindow', 'NOTALLOWED') should be 'NOTALLOWED' and is.
 

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-custom.html (205036 => 205037)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-custom.html	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-custom.html	2016-08-26 20:35:21 UTC (rev 205037)
@@ -38,9 +38,9 @@
     shouldBeFalse("canSet('targetWindow.objectPrototypeCustomProperty')");
 
     // window object itself
-    shouldBeTrue("canGet('targetWindow.toString')");
+    shouldBeFalse("canGet('targetWindow.toString')");
     shouldBeFalse("canSet('targetWindow.toString')");
-    shouldBe("toString('targetWindow', '')", "'[object Window]'");
+    shouldBe("toString('targetWindow', 'NOTALLOWED')", "'NOTALLOWED'");
 
     // Work around DRT bug that causes subsequent tests to fail.
     window.stop();
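Review bot: `shouldBe("toString('targetWindow', 'NOTALLOWED')", "'NOTALLOWED'")` only proves that the helper took its fallback path, not why; any exception inside the helper, including one unrelated to the cross-origin check, would also produce 'NOTALLOWED'. Pairing it with an explicit exception assertion on the string conversion (for example, checking that `String(targetWindow)` throws a TypeError, which is what the updated expected output shows) would make the intent of the change visible in the test itself rather than only in the console-message lines of the expected file.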

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (205036 => 205037)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt	2016-08-26 20:35:21 UTC (rev 205037)
@@ -1,10 +1,6 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().
 
 PASS: targetWindow instanceof Array should be 'false' and is.
-PASS: Object.setPrototypeOf(targetWindow, Array.prototype) should be '[object Window]' and is.
 PASS: targetWindow instanceof Array should be 'false' and is.
 

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (205036 => 205037)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html	2016-08-26 20:35:21 UTC (rev 205037)
@@ -19,7 +19,7 @@
 
             shouldBeFalse("targetWindow instanceof Array");
 
-            shouldBe("Object.setPrototypeOf(targetWindow, Array.prototype)", "targetWindow");
+            Object.setPrototypeOf(targetWindow, Array.prototype);
 
             shouldBeFalse("targetWindow instanceof Array");
 
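Review bot: replacing the `shouldBe(...)` with a bare `Object.setPrototypeOf(targetWindow, Array.prototype);` drops the assertion (the matching `PASS: Object.setPrototypeOf(...)` line disappears from the expected file), so the test no longer records whether the call is rejected; it only checks the `instanceof Array` result afterwards. If the call ever started throwing, the script would abort before the second `shouldBeFalse` and the failure would surface as missing output rather than a reported FAIL. The old line had to go because `shouldBe` stringifies its result and the previous expected value was '[object Window]', exactly the conversion this patch blocks; a `try`/`catch` that reports the outcome, or an explicit assertion that the call throws or does not throw, would keep the check without stringifying the cross-origin window.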

Modified: trunk/Source/WebCore/ChangeLog (205036 => 205037)


--- trunk/Source/WebCore/ChangeLog	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/Source/WebCore/ChangeLog	2016-08-26 20:35:21 UTC (rev 205037)
@@ -1,3 +1,23 @@
+2016-08-26  Chris Dumez  <[email protected]>
+
+        Calling crossOriginWindow.toString() should not be allowed
+        https://bugs.webkit.org/show_bug.cgi?id=161225
+
+        Reviewed by Andreas Kling.
+
+        Calling crossOriginWindow.toString() should not be allowed:
+        - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+        In WebKit, we were printing a security error in the console but
+        returning "[object Window]" anyway.
+
+        In Firefox and Chrome, it throws an exception.
+
+        No new tests, updated existing test.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+
 2016-08-26  Devin Rousso  <[email protected]>
 
         Web Inspector: Some CSS selectors in the UI aren't escaped
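Review bot: "No new tests, updated existing test." understates the change: the LayoutTests entry lists two tests (cross-frame-access-custom and cross-frame-access-object-setPrototypeOf) with their expectations. More importantly, the entry says what Firefox and Chrome do (throw) but not what WebKit does after this patch; from the updated expectations, the property is simply no longer exposed (canGet is false) and string conversion then fails with a TypeError ("No default value"), which is a different observable from throwing on the property access itself. Stating that explicitly here would save the next reader a trip through the expected files.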

Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (205036 => 205037)


--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2016-08-26 20:33:34 UTC (rev 205036)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2016-08-26 20:35:21 UTC (rev 205037)
@@ -75,12 +75,6 @@
 
 static bool jsDOMWindowGetOwnPropertySlotRestrictedAccess(JSDOMWindow* thisObject, Frame* frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot, String& errorMessage)
 {
-    // Allow access to toString() cross-domain, but always Object.prototype.toString.
-    if (propertyName == exec->propertyNames().toString) {
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<objectProtoFuncToString, 0>);
-        return true;
-    }
-
     // We don't want any properties other than "close" and "closed" on a frameless window
     // (i.e. one whose page got closed, or whose iframe got removed).
     // FIXME: This handling for frameless windows duplicates similar behaviour for cross-origin
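Review bot: the removed block sat ahead of the frameless-window handling below it, and the comment on that handling says only "close" and "closed" are meant to survive on a frameless window. Before this patch the `toString` carve-out applied to both cross-origin and frameless windows; after it, `toString` on a frameless window also falls through to the generic restricted path, so the behaviour change is slightly broader than the ChangeLog's "crossOriginWindow.toString()" wording suggests and deserves a mention (and ideally a test). Also worth checking that `objectProtoFuncToString` and `nonCachingStaticFunctionGetter` are still used elsewhere in this file; otherwise any include or forward declaration that existed only for this block can go too.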
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes