Title: [205205] trunk
- Revision
- 205205
- Author
- [email protected]
- Date
- 2016-08-30 15:49:45 -0700 (Tue, 30 Aug 2016)
Log Message
Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
https://bugs.webkit.org/show_bug.cgi?id=161396
Reviewed by Ryosuke Niwa.
Source/_javascript_Core:
Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
- https://html.spec.whatwg.org/#windowproxy-setprototypeof
- https://html.spec.whatwg.org/#location-setprototypeof
- https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
Note that technically, we should also throw in the same origin case.
However, not all browsers agree on this yet so I haven't changed
the behavior for the same origin case.
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSetPrototypeOf):
LayoutTests:
Update / rebaseline existing test to reflect behavior change.
* http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-setPrototypeOf.html:
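The behaviour this commit message describes, as an added example that is not WebKit code and not part of the commit: ECMA-262's Object.setPrototypeOf (step 5, cited above) throws a TypeError whenever the target's [[SetPrototypeOf]] returns false, while Reflect.setPrototypeOf just returns that false; a cross-origin WindowProxy or Location is an immutable-prototype exotic object whose [[SetPrototypeOf]] returns false for any prototype other than the current one. Node has no cross-origin frames, so this example assumes a Proxy whose setPrototypeOf trap implements SetImmutablePrototype as a stand-in for one; makeImmutablePrototypeObject, probeSetPrototypeOf and engineThrowsOnImmutableProto are this example's own names.

```javascript
// Added example, not part of the WebKit commit. Emulates the spec behaviour
// the patch targets: when an object's [[SetPrototypeOf]] returns false,
// Object.setPrototypeOf must throw a TypeError (ECMA-262 step 5), whereas
// Reflect.setPrototypeOf returns false. Assumption: a Proxy whose
// setPrototypeOf trap behaves like SetImmutablePrototype stands in for a
// cross-origin WindowProxy/Location, which Node cannot create.

function makeImmutablePrototypeObject(target) {
  return new Proxy(target, {
    setPrototypeOf(t, proto) {
      // SetImmutablePrototype(O, V): succeed only if V already is O's
      // prototype; never actually change it.
      return Object.getPrototypeOf(t) === proto;
    },
  });
}

// Probe both APIs against `obj` and record what each did. This is the same
// observation the layout test in the commit makes with shouldThrowErrorName()
// and shouldBeFalse("... instanceof Array").
function probeSetPrototypeOf(obj, proto) {
  const before = Object.getPrototypeOf(obj);
  const result = { threw: false, errorName: null, reflectResult: null, unchanged: null };
  try {
    Object.setPrototypeOf(obj, proto);
  } catch (e) {
    result.threw = true;
    result.errorName = e instanceof TypeError ? "TypeError" : e.constructor.name;
  }
  // Reflect.setPrototypeOf reports the [[SetPrototypeOf]] result instead of throwing.
  result.reflectResult = Reflect.setPrototypeOf(obj, proto);
  result.unchanged = Object.getPrototypeOf(obj) === before;
  return result;
}

// Feature check a page could run against a real cross-origin frame in a
// browser: true only if the engine throws a TypeError as the spec requires
// and leaves the prototype (and therefore `instanceof`) untouched.
function engineThrowsOnImmutableProto(obj) {
  const r = probeSetPrototypeOf(obj, Array.prototype);
  return r.threw && r.errorName === "TypeError" && r.unchanged && !(obj instanceof Array);
}

function demo() {
  const crossOriginLike = makeImmutablePrototypeObject({});
  console.log("cross-origin stand-in:", probeSetPrototypeOf(crossOriginLike, Array.prototype));
  // -> { threw: true, errorName: 'TypeError', reflectResult: false, unchanged: true }
  console.log("same prototype is a no-op success:",
    probeSetPrototypeOf(crossOriginLike, Object.prototype));
  // -> { threw: false, errorName: null, reflectResult: true, unchanged: true }
  console.log("ordinary object:", probeSetPrototypeOf({}, Array.prototype));
  // -> { threw: false, errorName: null, reflectResult: true, unchanged: false }
  console.log("spec-conformant:", engineThrowsOnImmutableProto(makeImmutablePrototypeObject({})));
  // -> true
}

demo();
```

In a browser the stand-in would be replaced by `frames[0]` or `frames[0].location` of a cross-origin iframe; the "Permission denied" text in the expectation file is WebKit's wording for that TypeError, not something the spec fixes.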
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (205204 => 205205)
--- trunk/LayoutTests/ChangeLog 2016-08-30 22:43:12 UTC (rev 205204)
+++ trunk/LayoutTests/ChangeLog 2016-08-30 22:49:45 UTC (rev 205205)
@@ -1,3 +1,15 @@
+2016-08-30 Chris Dumez <[email protected]>
+
+ Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
+ https://bugs.webkit.org/show_bug.cgi?id=161396
+
+ Reviewed by Ryosuke Niwa.
+
+ Update / rebaseline existing test to reflect behavior change.
+
+ * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+ * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+
2016-08-30 Jiewen Tan <[email protected]>
Unreviewed, update iOS simulator WK1 flaky tests.
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (205204 => 205205)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt 2016-08-30 22:43:12 UTC (rev 205204)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt 2016-08-30 22:49:45 UTC (rev 205205)
@@ -1,6 +1,18 @@
-CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
PASS: targetWindow instanceof Array should be 'false' and is.
+PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
PASS: targetWindow instanceof Array should be 'false' and is.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS: successfullyParsed should be 'true' and is.
+TEST COMPLETE
+
+
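Review bot: the new expectations keep two "Blocked a frame ..." console messages alongside the two new TypeError lines, so a cross-origin Object.setPrototypeOf now both logs and throws; since the exception text is only "Permission denied", the console line is the sole place the two origins are named, so either keep that log deliberately or fold the origins into the exception message and drop the log. Note also that the reported line number went from 22 to 1 because shouldThrowErrorName() evaluates its expression string rather than the test's own source line, which is expected but makes the console message useless for locating the offending call.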
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (205204 => 205205)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html 2016-08-30 22:43:12 UTC (rev 205204)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html 2016-08-30 22:49:45 UTC (rev 205205)
@@ -1,11 +1,10 @@
<html>
<head>
+ <script src=""
<script src=""
<script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- }
+ description("This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()");
+ jsTestIsAsync = true;
// Set up listener for message from iframe
addEventListener('message', function(event) {
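Review bot: the `<script src=""` tags in this hunk show empty src attributes as rendered here, so the harness the test now depends on (description(), jsTestIsAsync, shouldThrowErrorName(), finishJSTest()) cannot be confirmed from the listing; check that the committed file points them at js-test-pre.js in the head and js-test-post.js at the end of the body, since dropping testRunner.dumpAsText()/waitUntilDone() in favour of jsTestIsAsync only works when that harness is loaded.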
@@ -18,19 +17,20 @@
targetWindow = document.getElementById("target").contentWindow;
shouldBeFalse("targetWindow instanceof Array");
+ shouldThrowErrorName("Object.setPrototypeOf(targetWindow, Array.prototype)", "TypeError");
+ shouldBeFalse("targetWindow instanceof Array");
- Object.setPrototypeOf(targetWindow, Array.prototype);
+ shouldBeFalse("targetWindow.location instanceof Array");
+ shouldThrowErrorName("Object.setPrototypeOf(targetWindow.location, Array.prototype)", "TypeError");
+ shouldBeFalse("targetWindow.location instanceof Array");
- shouldBeFalse("targetWindow instanceof Array");
-
- if (window.testRunner)
- testRunner.notifyDone();
+ finishJSTest();
}
</script>
</head>
<body>
- <div>This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().</div>
<iframe id="target" src=""
<pre id="console"></pre>
+ <script src=""
</body>
</html>
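Review bot: the test only covers the cross-origin case; the ChangeLog says the same-origin case deliberately keeps the old (non-throwing) behaviour, so add a same-origin frame (e.g. another page on 127.0.0.1:8000) with a shouldBeFalse/shouldNotThrow pair that pins that behaviour, otherwise a later change to checkProtoSetterAccessAllowed() in either direction goes unnoticed. The description fix from "history objects" to "location objects" matches what the test actually exercises.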
Modified: trunk/Source/_javascript_Core/ChangeLog (205204 => 205205)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-30 22:43:12 UTC (rev 205204)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-30 22:49:45 UTC (rev 205205)
@@ -1,3 +1,24 @@
+2016-08-30 Chris Dumez <[email protected]>
+
+ Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
+ https://bugs.webkit.org/show_bug.cgi?id=161396
+
+ Reviewed by Ryosuke Niwa.
+
+ Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
+ - https://html.spec.whatwg.org/#windowproxy-setprototypeof
+ - https://html.spec.whatwg.org/#location-setprototypeof
+ - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
+
+ Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
+
+ Note that technically, we should also throw in the same origin case.
+ However, not all browsers agree on this yet so I haven't not changed
+ the behavior for the same origin case.
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorSetPrototypeOf):
+
2016-08-30 Benjamin Poulain <[email protected]>
[JSC] Clean up the remaining compare nodes in FTLCapabilities
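Review bot: "I haven't not changed the behavior for the same origin case" in the ChangeLog entry is a double negative; it should read "I haven't changed the behavior for the same origin case".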
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (205204 => 205205)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-08-30 22:43:12 UTC (rev 205204)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-08-30 22:49:45 UTC (rev 205205)
@@ -232,8 +232,10 @@
if (exec->hadException())
return JSValue::encode(objectValue);
- if (!checkProtoSetterAccessAllowed(exec, object))
+ if (!checkProtoSetterAccessAllowed(exec, object)) {
+ throwTypeError(exec, ASCIILiteral("Permission denied"));
return JSValue::encode(objectValue);
+ }
bool shouldThrowIfCantSet = true;
bool didSetPrototype = object->setPrototype(vm, exec, protoValue, shouldThrowIfCantSet);
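Review bot: only Object.setPrototypeOf is changed here; Reflect.setPrototypeOf and the Object.prototype.__proto__ setter reach setPrototype() through other entry points that are not in this patch, so they keep whatever they did before for cross-origin Window/Location, and the spec wants Reflect.setPrototypeOf to return false rather than throw while the __proto__ setter throws a TypeError; confirm both paths and add assertions for them to the layout test. Minor: after throwTypeError(exec, ...) the function still returns JSValue::encode(objectValue); that works because the pending exception takes precedence, but the usual JSC idiom is `return throwVMTypeError(exec, ASCIILiteral("Permission denied"));`, which also drops the extra brace pair.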
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes