Title: [205599] releases/WebKitGTK/webkit-2.14
Revision
205599
Author
[email protected]
Date
2016-09-08 00:50:43 -0700 (Thu, 08 Sep 2016)

Log Message

Merge r205205 - Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
https://bugs.webkit.org/show_bug.cgi?id=161396

Reviewed by Ryosuke Niwa.

Source/_javascript_Core:

Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
- https://html.spec.whatwg.org/#windowproxy-setprototypeof
- https://html.spec.whatwg.org/#location-setprototypeof
- https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.

Note that technically, we should also throw in the same origin case.
However, not all browsers agree on this yet so I haven't changed
the behavior for the same origin case.

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorSetPrototypeOf):

LayoutTests:

Update / rebaseline existing test to reflect behavior change.

* http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-setPrototypeOf.html:
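
The three behaviours the commit message contrasts (throw, as Firefox and Chrome do; silently ignore, as WebKit did before this change; and an ordinary prototype change) can be told apart with one probe. The code below is an added example, not part of the WebKit change or the layout test: `probeSetPrototypeOf` can be called in a page on a cross-origin `iframe.contentWindow` or its `location`, and `crossOriginStandIns` are constructed `Proxy` models used only to run the probe offline. The stand-ins imitate observable behaviour and are not how WebKit or the HTML spec implement WindowProxy; the `patchedWebKit` model also throws from `Reflect.setPrototypeOf`, which is an assumption the patch (it touches only `Object.setPrototypeOf`) does not confirm.

```javascript
'use strict';

// Probe how `target` reacts to a prototype change. Works on any object; in a
// browser, call it on a cross-origin iframe.contentWindow or .contentWindow.location.
function probeSetPrototypeOf(target, proto = Array.prototype) {
  const r = { object: null, reflect: null, changed: null };
  try {
    Object.setPrototypeOf(target, proto);
    r.object = 'returned';                         // call completed without an exception
  } catch (e) {
    r.object = (e instanceof TypeError || e.name === 'TypeError') ? 'TypeError' : 'other:' + e.name;
  }
  try {
    r.reflect = Reflect.setPrototypeOf(target, proto);   // spec: false for a cross-origin WindowProxy
  } catch (e) {
    r.reflect = (e instanceof TypeError || e.name === 'TypeError') ? 'TypeError' : 'other:' + e.name;
  }
  // Cross-origin Window/Location report a null prototype, so this is false there.
  r.changed = Object.getPrototypeOf(target) === proto;
  return r;
}

// Map a probe result onto the behaviours named in the commit message.
function classify(r) {
  if (r.object === 'TypeError' && !r.changed) return 'throws';   // spec, Chrome, Firefox, WebKit with r205205
  if (r.object === 'returned' && !r.changed) return 'ignored';   // WebKit before r205205 (it also logged to the console)
  if (r.object === 'returned' && r.changed)  return 'changed';   // ordinary object, including same-origin cases
  return 'unexpected';
}

// Constructed stand-ins (assumption: Proxy models of observable behaviour, not browser internals).
const crossOriginStandIns = {
  // HTML spec: [[GetPrototypeOf]] is null cross-origin and [[SetPrototypeOf]] is
  // SetImmutablePrototype, i.e. false unless the requested prototype is the current one,
  // so Object.setPrototypeOf throws by its own step 5 and Reflect.setPrototypeOf returns false.
  spec: () => new Proxy({}, {
    getPrototypeOf: () => null,
    setPrototypeOf: (_t, v) => v === null,
  }),
  // WebKit before r205205: the call "succeeds" but nothing changes (console log not modelled).
  legacyWebKit: () => new Proxy({}, {
    getPrototypeOf: () => null,
    setPrototypeOf: () => true,
  }),
  // WebKit after r205205: TypeError("Permission denied"), the text the expected file checks.
  patchedWebKit: () => new Proxy({}, {
    getPrototypeOf: () => null,
    setPrototypeOf: () => { throw new TypeError('Permission denied'); },
  }),
};

// Stand-alone run: one line per model plus a plain object for comparison.
for (const [name, make] of Object.entries(crossOriginStandIns))
  console.log(name, classify(probeSetPrototypeOf(make())));
console.log('plainObject', classify(probeSetPrototypeOf({})));
```

Checking `r.changed` with `Object.getPrototypeOf` rather than `instanceof` matters: a cross-origin window answers `null` to `[[GetPrototypeOf]]`, so `instanceof Array` is false whether or not the setter was silently ignored, which is why the layout test pairs its `instanceof` assertions with `shouldThrowErrorName`.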

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (205598 => 205599)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2016-09-08 07:45:27 UTC (rev 205598)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2016-09-08 07:50:43 UTC (rev 205599)
@@ -1,5 +1,17 @@
 2016-08-30  Chris Dumez  <[email protected]>
 
+        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
+        https://bugs.webkit.org/show_bug.cgi?id=161396
+
+        Reviewed by Ryosuke Niwa.
+
+        Update / rebaseline existing test to reflect behavior change.
+
+        * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+
+2016-08-30  Chris Dumez  <[email protected]>
+
         [[Delete]] should throw for cross-origin Window / Location objects
         https://bugs.webkit.org/show_bug.cgi?id=161397
 
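Review bot: the entry's "Update / rebaseline existing test to reflect behavior change" (the line after "Reviewed by") understates what the test diff does: the .html hunk adds new Location assertions and ports the test to the js-test harness, and the expected file gains a second console message. Suggest the entry say that Location coverage was added and the test was converted to js-test, so the ChangeLog matches the diff.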

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (205598 => 205599)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt	2016-09-08 07:45:27 UTC (rev 205598)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt	2016-09-08 07:50:43 UTC (rev 205599)
@@ -1,6 +1,18 @@
-CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()
 
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
 PASS: targetWindow instanceof Array should be 'false' and is.
+PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
 PASS: targetWindow instanceof Array should be 'false' and is.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS: successfullyParsed should be 'true' and is.
 
+TEST COMPLETE
+
+
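Review bot: the two CONSOLE MESSAGE lines now reported at "line 1" (the first two added lines) tie the expectation to the one-line source that shouldThrowErrorName evaluates, so a harness change that evaluates the expression differently shifts the reported line and breaks this rebaseline. They also show that the "Blocked a frame" message is still logged before the TypeError is thrown, so each failed call is now reported twice; consider whether the console log should remain now that the call throws.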

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (205598 => 205599)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html	2016-09-08 07:45:27 UTC (rev 205598)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html	2016-09-08 07:50:43 UTC (rev 205599)
@@ -1,11 +1,10 @@
 <html>
 <head>
+    <script src=""
     <script src=""
     <script>
-        if (window.testRunner) {
-            testRunner.dumpAsText();
-            testRunner.waitUntilDone();
-        }
+        description("This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()");
+        jsTestIsAsync = true;
 
         // Set up listener for message from iframe
         addEventListener('message', function(event) {
@@ -18,19 +17,20 @@
             targetWindow = document.getElementById("target").contentWindow;
 
             shouldBeFalse("targetWindow instanceof Array");
+            shouldThrowErrorName("Object.setPrototypeOf(targetWindow, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow instanceof Array");
 
-            Object.setPrototypeOf(targetWindow, Array.prototype);
+            shouldBeFalse("targetWindow.location instanceof Array");
+            shouldThrowErrorName("Object.setPrototypeOf(targetWindow.location, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow.location instanceof Array");
 
-            shouldBeFalse("targetWindow instanceof Array");
-
-            if (window.testRunner)
-                testRunner.notifyDone();
+            finishJSTest();
         }
     </script>
 </head>
 <body>
-    <div>This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().</div>
     <iframe id="target" src=""
     <pre id="console"></pre>
+    <script src=""
 </body>
 </html>
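Review bot: `targetWindow` (first context line of the hunk) is assigned without a declaration; shouldBeFalse and shouldThrowErrorName evaluate their string arguments in global scope so this works, but a top-level `var targetWindow;` avoids relying on an implicit global. Separately, the ChangeLog says the same-origin case is deliberately left unchanged, yet the test exercises only the cross-origin frame; consider adding a same-origin iframe and asserting its current behaviour so a later change to that case is caught by the suite.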

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog (205598 => 205599)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-08 07:45:27 UTC (rev 205598)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-08 07:50:43 UTC (rev 205599)
@@ -1,3 +1,24 @@
+2016-08-30  Chris Dumez  <[email protected]>
+
+        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
+        https://bugs.webkit.org/show_bug.cgi?id=161396
+
+        Reviewed by Ryosuke Niwa.
+
+        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
+        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
+        - https://html.spec.whatwg.org/#location-setprototypeof
+        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
+
+        Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
+
+        Note that technically, we should also throw in the same origin case.
+        However, not all browsers agree on this yet so I haven't not changed
+        the behavior for the same origin case.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorSetPrototypeOf):
+
 2016-08-30  Benjamin Poulain  <[email protected]>
 
         [JSC] Clean up the remaining compare nodes in FTLCapabilities
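Review bot: "I haven't not changed" in the same-origin note of the new entry is a double negative; it should read "I haven't changed".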

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/ObjectConstructor.cpp (205598 => 205599)


--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2016-09-08 07:45:27 UTC (rev 205598)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2016-09-08 07:50:43 UTC (rev 205599)
@@ -232,8 +232,10 @@
     if (exec->hadException())
         return JSValue::encode(objectValue);
 
-    if (!checkProtoSetterAccessAllowed(exec, object))
+    if (!checkProtoSetterAccessAllowed(exec, object)) {
+        throwTypeError(exec, scope, ASCIILiteral("Permission denied"));
         return JSValue::encode(objectValue);
+    }
 
     bool shouldThrowIfCantSet = true;
     bool didSetPrototype = object->setPrototype(vm, exec, protoValue, shouldThrowIfCantSet);
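Review bot: after `throwTypeError(exec, scope, ASCIILiteral("Permission denied"))` the function still returns `JSValue::encode(objectValue)`, the same value the success path returns; returning `JSValue::encode(jsUndefined())` (or `encodedJSValue()`) once an exception is set is the usual JSC convention and makes it plain the result is not meant to be consumed. The `scope` passed to throwTypeError is not declared within the hunk, while the `exec->hadException()` check two lines above uses the older exception-checking style; confirm the enclosing function already declares a ThrowScope. Finally, the expected.txt hunk shows that checkProtoSetterAccessAllowed still emits the "Blocked a frame" console message before this throw, so a failed call now produces both a console log and an exception.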
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
