Diff
Modified: branches/safari-602-branch/LayoutTests/ChangeLog (205801 => 205802)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-09-12 07:54:06 UTC (rev 205802)
@@ -1,5 +1,23 @@
2016-09-12 Babak Shafiei <[email protected]>
+ Merge r205154. rdar://problem/28233330
+
+ 2016-08-29 Chris Dumez <[email protected]>
+
+ Regression(r204923): It should be possible to set 'Location.href' cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161343
+ <rdar://problem/28063361>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test coverage.
+
+ * http/tests/security/location-cross-origin-expected.txt:
+ * http/tests/security/location-cross-origin.html:
+ * http/tests/security/xss-DENIED-assign-location-href-_javascript_-expected.txt:
+
+2016-09-12 Babak Shafiei <[email protected]>
+
Merge r204923. rdar://problem/28233330
2016-08-24 Chris Dumez <[email protected]>
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin-expected.txt (205801 => 205802)
--- branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2016-09-12 07:54:06 UTC (rev 205802)
@@ -51,6 +51,8 @@
PASS Object.getOwnPropertyDescriptor(window.location, 'ancestorOrigins').get.call(frames[0].location) is undefined.
PASS Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location) is undefined.
PASS Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location) is undefined.
+PASS frames[0].location.href = '' did not throw exception.
+PASS frames[0].location.href is "about:blank"
PASS successfullyParsed is true
TEST COMPLETE
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin.html (205801 => 205802)
--- branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin.html 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/location-cross-origin.html 2016-09-12 07:54:06 UTC (rev 205802)
@@ -36,7 +36,12 @@
// The specification seems to allow access to href but Firefox does not.
shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location)");
- finishJSTest();
+ // Setting 'href' cross origin should be allowed.
+ shouldNotThrow("frames[0].location.href = ''");
+ setTimeout(function() {
+ shouldBeEqualToString("frames[0].location.href", "about:blank");
+ finishJSTest();
+ }, 100);
};
</script>
<script src=""
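Review bot: The 100 ms `setTimeout` before `shouldBeEqualToString("frames[0].location.href", "about:blank")` is a timing assumption, not a synchronisation point. On a slow bot the navigation may not have committed yet, so the read would hit the still cross-origin frame and the test would fail intermittently. Waiting on the iframe element's load event is deterministic: register `document.getElementsByTagName('iframe')[0].onload = function() { shouldBeEqualToString("frames[0].location.href", "about:blank"); finishJSTest(); };` before the `shouldNotThrow` line. The enclosing onload handler starts outside the hunk, so adjust the selector if the page has more than one frame.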
Modified: branches/safari-602-branch/LayoutTests/http/tests/security/xss-DENIED-assign-location-href-_javascript_-expected.txt (205801 => 205802)
--- branches/safari-602-branch/LayoutTests/http/tests/security/xss-DENIED-assign-location-href-_javascript_-expected.txt 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/LayoutTests/http/tests/security/xss-DENIED-assign-location-href-_javascript_-expected.txt 2016-09-12 07:54:06 UTC (rev 205802)
@@ -1,5 +1,4 @@
CONSOLE MESSAGE: line 13: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 13: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
--------
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (205801 => 205802)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-09-12 07:54:06 UTC (rev 205802)
@@ -1,5 +1,43 @@
2016-09-12 Babak Shafiei <[email protected]>
+ Merge r205154. rdar://problem/28233330
+
+ 2016-08-29 Chris Dumez <[email protected]>
+
+ Regression(r204923): It should be possible to set 'Location.href' cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161343
+ <rdar://problem/28063361>
+
+ Reviewed by Ryosuke Niwa.
+
+ It should be possible to set 'Location.href' cross origin:
+ - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+ Firefox and Chrome allow this but we throw a SecurityError.
+
+ We already allow setting crossOrigin.window.location which is equivalent.
+
+ No new tests, updated existing test.
+
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::putDelegate):
+ Refactor the [Put] delegate so that it does not log a security error
+ when setting 'href' attribute, given that setting it works as expected.
+ This fixes a bug in shipping Safari where setting 'href' would work but
+ log an error message anyway.
+
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ Add support for [DoNotCheckSecurityOnSetter] IDL extended attribute,
+ in addition to the already supported [DoNotCheckSecurity] and
+ [DoNotCheckSecurityOnGetter].
+
+ * page/Location.idl:
+ Use [DoNotCheckSecurityOnSetter] on 'href' attribute as it can be
+ set cross-origin. This fixes the regression introduced in r204923.
+
+2016-09-12 Babak Shafiei <[email protected]>
+
Merge r204943. rdar://problem/28233330
2016-08-24 Ryan Haddad <[email protected]>
Modified: branches/safari-602-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp (205801 => 205802)
--- branches/safari-602-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-12 07:54:06 UTC (rev 205802)
@@ -70,13 +70,19 @@
if (propertyName == exec->propertyNames().toString || propertyName == exec->propertyNames().valueOf)
return true;
- if (shouldAllowAccessToFrame(exec, frame))
+ String errorMessage;
+ if (shouldAllowAccessToFrame(exec, frame, errorMessage))
return false;
// Cross-domain access to the location is allowed when assigning the whole location,
- //but not when assigning the individual pieces, since that might inadvertently
+ // but not when assigning the individual pieces, since that might inadvertently
// disclose other parts of the original location.
- return propertyName != exec->propertyNames().href;
+ if (propertyName != exec->propertyNames().href) {
+ // FIXME: We should throw a SecurityError.
+ printErrorMessageForFrame(frame, errorMessage);
+ return true;
+ }
+ return false;
}
bool JSLocation::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
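Review bot: The cross-origin `href` path now ends in a bare `return false;` with nothing saying what still protects it. With `DoNotCheckSecurityOnSetter` on the attribute, neither this delegate nor the generated setter does a same-origin check for `href`. Blocking `javascript:` URLs aimed at another origin therefore rests entirely on the setter implementation, which is not visible in this hunk. I would add above the final return: `// Cross-origin 'href' is allowed by the HTML spec; the setter implementation must still reject javascript: URLs.` The non-href branch returns true after only logging, so script sees a silent no-op, and the `FIXME` would be easier to track with a bug link. putDelegate begins outside the hunk.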
Modified: branches/safari-602-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (205801 => 205802)
--- branches/safari-602-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-09-12 07:54:06 UTC (rev 205802)
@@ -2888,7 +2888,7 @@
}
push(@implContent, " }\n");
}
- if ($interface->extendedAttributes->{"CheckSecurity"} && !$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
+ if ($interface->extendedAttributes->{"CheckSecurity"} && !$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"} && !$attribute->signature->extendedAttributes->{"DoNotCheckSecurityOnSetter"}) {
if ($interfaceName eq "DOMWindow") {
push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
} else {
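Review bot: `DoNotCheckSecurityOnSetter` switches off the only generated same-origin check for a setter, and nothing at this condition tells someone adding it to another IDL member what they take on. A comment above the `if` would help, such as `# [DoNotCheckSecurityOnSetter]: setter is callable cross-origin; the implementation must validate its input itself.` The three-clause test would also read better with the opt-out hoisted: `my $skipCheck = $attribute->signature->extendedAttributes->{"DoNotCheckSecurity"} || $attribute->signature->extendedAttributes->{"DoNotCheckSecurityOnSetter"};`. The enclosing sub begins and ends outside the hunk, so I am assuming this is the setter-generation path only.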
Modified: branches/safari-602-branch/Source/WebCore/page/Location.idl (205801 => 205802)
--- branches/safari-602-branch/Source/WebCore/page/Location.idl 2016-09-12 07:54:02 UTC (rev 205801)
+++ branches/safari-602-branch/Source/WebCore/page/Location.idl 2016-09-12 07:54:06 UTC (rev 205802)
@@ -38,7 +38,7 @@
JSCustomDefineOwnPropertyOnPrototype,
Unforgeable
] interface Location {
- [SetterCallWith=ActiveWindow&FirstWindow] attribute DOMString href;
+ [SetterCallWith=ActiveWindow&FirstWindow, DoNotCheckSecurityOnSetter] attribute DOMString href;
[CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void assign(DOMString url);
[DoNotCheckSecurity, CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(DOMString url);
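Review bot: The new `DoNotCheckSecurityOnSetter` on `href` is a deliberate cross-origin exemption, but the IDL gives no reason for it. The neighbouring members differ too: `assign` keeps the check and `replace` drops it entirely. A one-line comment above the attribute would record the intent for later readers: `// Setter is callable cross-origin (HTML spec, CrossOriginProperties); the getter stays same-origin only.` The interface body continues outside the hunk.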