Diff
Modified: trunk/LayoutTests/ChangeLog (205408 => 205409)
--- trunk/LayoutTests/ChangeLog 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/LayoutTests/ChangeLog 2016-09-03 22:50:55 UTC (rev 205409)
@@ -1,5 +1,17 @@
2016-09-03 Chris Dumez <[email protected]>
+ Align cross-Origin Object.getOwnPropertyNames() with the HTML specification
+ https://bugs.webkit.org/show_bug.cgi?id=161457
+
+ Reviewed by Darin Adler.
+
+ Add test coverage.
+
+ * http/tests/security/cross-frame-access-enumeration-expected.txt:
+ * http/tests/security/cross-frame-access-enumeration.html:
+
+2016-09-03 Chris Dumez <[email protected]>
+
Object.preventExtensions(window) should throw a TypeError
https://bugs.webkit.org/show_bug.cgi?id=161554
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt (205408 => 205409)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt 2016-09-03 22:50:55 UTC (rev 205409)
@@ -1,13 +1,10 @@
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 48: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 75: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 82: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)
+CONSOLE MESSAGE: line 28: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 28: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+Tests enumeration of Window / Location properties cross origin.
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
PASS: Cross frame access by enumerating the window object was denied.
PASS: Cross frame access by getting the keys of the window object was denied.
PASS: Cross frame access by getting the property names of the window object was denied.
@@ -14,4 +11,9 @@
PASS: Cross frame access by enumerating the Location object was denied.
PASS: Cross frame access by getting the keys of the Location object was denied.
PASS: Cross frame access by getting the property names of the Location object was denied.
+PASS: areArraysEqual(Object.getOwnPropertyNames(b_win).sort(), whitelistedWindowProperties.sort()) should be 'true' and is.
+PASS: areArraysEqual(Object.getOwnPropertyNames(b_win.location).sort(), whitelistedLocationProperties.sort()) should be 'true' and is.
+PASS: successfullyParsed should be 'true' and is.
+TEST COMPLETE
+
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration.html (205408 => 205409)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration.html 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration.html 2016-09-03 22:50:55 UTC (rev 205409)
@@ -1,15 +1,14 @@
<html>
<head>
+ <script src=''></script>
<script src=""
<script>
+ description("Tests enumeration of Window / Location properties cross origin.");
+ jsTestIsAsync = true;
+
window._onload_ = function()
{
if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- }
-
- if (window.testRunner) {
setTimeout(pollForTest, 1);
} else {
log("To run the test, click the button below when the frame finishes loading.");
@@ -27,13 +26,13 @@
return;
}
runTest();
- testRunner.notifyDone();
+ finishJSTest();
}
runTest = function()
{
// Test enumerating the Window object
- var b_win = document.getElementsByTagName("iframe")[0].contentWindow;
+ b_win = document.getElementsByTagName("iframe")[0].contentWindow;
try {
for (var k in b_win) {
if (k == "customWindowProperty") {
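Review bot: `b_win` loses its `var` on the changed line of this hunk and becomes an implicit global, as do `whitelistedWindowProperties` and `whitelistedLocationProperties` in the last hunk of this file, and nothing explains why. Presumably this is so the strings passed to `shouldBeTrue` can resolve those names when they are evaluated, but that is not visible from the hunk. A one-line comment such as `// Global on purpose: shouldBeTrue() evaluates its argument outside runTest's scope.` would stop a later cleanup from re-adding `var` and quietly breaking the new allowlist checks. The body of runTest continues outside this hunk.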
@@ -85,12 +84,16 @@
return;
}
log("PASS: Cross frame access by getting the property names of the Location object was denied.");
+
+ whitelistedWindowProperties = ['location', 'postMessage', 'window', 'frames', 'self', 'top', 'parent', 'opener', 'closed', 'close', 'blur', 'focus', 'length'];
+ whitelistedLocationProperties = ['href', 'replace'];
+ shouldBeTrue("areArraysEqual(Object.getOwnPropertyNames(b_win).sort(), whitelistedWindowProperties.sort())");
+ shouldBeTrue("areArraysEqual(Object.getOwnPropertyNames(b_win.location).sort(), whitelistedLocationProperties.sort())");
}
</script>
</head>
<body>
- <p>This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)</p>
<iframe src=""
- <pre id="console"></pre>
+ <script src=''></script>
</body>
</html>
Modified: trunk/Source/WebCore/ChangeLog (205408 => 205409)
--- trunk/Source/WebCore/ChangeLog 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/Source/WebCore/ChangeLog 2016-09-03 22:50:55 UTC (rev 205409)
@@ -1,3 +1,29 @@
+2016-09-03 Chris Dumez <[email protected]>
+
+ Align cross-Origin Object.getOwnPropertyNames() with the HTML specification
+ https://bugs.webkit.org/show_bug.cgi?id=161457
+
+ Reviewed by Darin Adler.
+
+ Align cross-Origin Object.getOwnPropertyNames() with the HTML specification:
+ - https://html.spec.whatwg.org/#windowproxy-ownpropertykeys
+ - https://html.spec.whatwg.org/#location-ownpropertykeys
+ - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+ We should list cross origin properties.
+
+ Firefox complies with the specification. However, WebKit was returning an
+ empty array and logs a security error message.
+
+ No new tests, updated existing test.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::addCrossOriginPropertyNames):
+ (WebCore::JSDOMWindow::getOwnPropertyNames):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::addCrossOriginPropertyNames):
+ (WebCore::JSLocation::getOwnPropertyNames):
+
2016-09-03 Frédéric Wang <[email protected]>
Constructors of MathML renderers should only accept MathMLPresentationElement-derived classes
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (205408 => 205409)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-03 22:50:55 UTC (rev 205409)
@@ -319,12 +319,27 @@
Base::getPropertyNames(thisObject, exec, propertyNames, mode);
}
+static void addCrossOriginWindowPropertyNames(ExecState& state, PropertyNameArray& propertyNames)
+{
+ // https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+ static const Identifier* properties[] = {
+ &state.propertyNames().blur, &state.propertyNames().close, &state.propertyNames().closed,
+ &state.propertyNames().focus, &state.propertyNames().frames, &state.propertyNames().length,
+ &state.propertyNames().location, &state.propertyNames().opener, &state.propertyNames().parent,
+ &state.propertyNames().postMessage, &state.propertyNames().self, &state.propertyNames().top,
+ &state.propertyNames().window
+ };
+ for (auto* property : properties)
+ propertyNames.add(*property);
+}
+
void JSDOMWindow::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
- // Only allow the window to enumerated by frames in the same origin.
- if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+ if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError)) {
+ addCrossOriginWindowPropertyNames(*exec, propertyNames);
return;
+ }
Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
}
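Review bot: The `static const Identifier* properties[]` table in addCrossOriginWindowPropertyNames is filled once, from whichever `state` reaches the function first, and every later call reuses those addresses. That is only correct if all callers share one `propertyNames()` table, which the hunk does not show. Either drop `static` so the line reads `const Identifier* properties[] = {` and the thirteen pointers are rebuilt per call, or add a comment stating the single-table assumption. addCrossOriginLocationPropertyNames in JSLocationCustom.cpp has the same pattern. This array is also a second copy of the cross-origin allowlist (the layout test holds another), so a comment naming the property-access check it must stay in step with, presumably elsewhere in the bindings, would help keep enumeration and access consistent.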
Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (205408 => 205409)
--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-03 21:32:45 UTC (rev 205408)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-03 22:50:55 UTC (rev 205409)
@@ -108,12 +108,21 @@
return Base::deletePropertyByIndex(thisObject, exec, propertyName);
}
+static void addCrossOriginLocationPropertyNames(ExecState& state, PropertyNameArray& propertyNames)
+{
+ // https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+ static const Identifier* properties[] = { &state.propertyNames().href, &state.propertyNames().replace };
+ for (auto* property : properties)
+ propertyNames.add(*property);
+}
+
void JSLocation::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSLocation* thisObject = jsCast<JSLocation*>(object);
- // Only allow the location object to enumerated by frames in the same origin.
- if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
+ if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), DoNotReportSecurityError)) {
+ addCrossOriginLocationPropertyNames(*exec, propertyNames);
return;
+ }
Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
}
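Review bot: The cross-origin branch of JSLocation::getOwnPropertyNames loses its explanatory comment and nothing replaces it, so a reader cannot tell that returning names to a foreign origin and passing `DoNotReportSecurityError` are both deliberate. I would add above the `if`: `// Cross-origin callers get only the fixed names from the HTML spec's CrossOriginProperties(O); this is permitted, so no security error is logged.` The same comment fits the matching branch in JSDOMWindow::getOwnPropertyNames. The branch also returns without consulting `mode`; if that is intended, the comment should say so.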