Diff
Modified: trunk/LayoutTests/ChangeLog (210111 => 210112)
--- trunk/LayoutTests/ChangeLog 2016-12-22 22:19:42 UTC (rev 210111)
+++ trunk/LayoutTests/ChangeLog 2016-12-22 22:20:25 UTC (rev 210112)
@@ -1,3 +1,18 @@
+2016-12-22 Daniel Bates <[email protected]>
+
+ Bypass pop-up blocker from cross-origin or sandboxed frame
+ https://bugs.webkit.org/show_bug.cgi?id=166290
+ <rdar://problem/29742039>
+
+ Reviewed by Darin Adler.
+
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html: Added.
+ * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+ * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html: Added.
+
2016-12-21 Eric Carlson <[email protected]>
[MediaStream] Update media-stream-event-constructor test
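Review bot: The entry lists six new files but says nothing about what separates the three scenarios, so a reader cannot tell from the ChangeLog why "named-sibling-frame" and "named-sibling-frame2" both exist for the sandboxed case, or what "unique-frame" covers. One line per test stating the scenario it exercises (sandboxed frame calling window.open directly, sandboxed frame invoking another window's open(), and a unique-origin frame) would make the list useful when one of them starts failing.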
Added: trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+
Added: trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open("about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
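Review bot: The test carries no statement of what it checks; a short comment above the second <script> saying that window.open("about:blank", "A") issued from the sandboxed frame B must be blocked and return null, because B is not allowed to navigate its sibling A, would let a reader connect the PASS/FAIL alert to the "disallowed from navigating its ancestors" console line in the -expected.txt. The same comment should mention that `allow-same-origin` is deliberately kept in the sandbox attribute so the parent's `contentWindow.eval` into B is permitted and the block comes from the navigation check rather than from a cross-origin access failure.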
Added: trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+
Added: trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open.call(window.top, "about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
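Review bot: The only difference from the sibling test is `window.open.call(window.top, "about:blank", "A")`, and nothing in the file explains why that variant exists. Add a comment stating that open() is invoked on the top window while the active document is still B's, so the target-frame lookup must be performed relative to the active document (the intent stated in the WebCore ChangeLog) and not relative to the window open() happens to be called on; without that note the file reads as an accidental duplicate of the first test.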
Added: trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
+
+ALERT: PASS
+
Added: trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (0 => 210112)
--- trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (rev 0)
+++ trunk/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html 2016-12-22 22:20:25 UTC (rev 210112)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe name="B" src="" 'A') ? 'FAIL' : 'PASS');</script>"></iframe>
+</body>
+</html>
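Review bot: The frame B line reads `src="" 'A') ? 'FAIL' : 'PASS');</script>"`, which is not a well-formed attribute; compared with the URL quoted in the matching -expected.txt (`data:text/html,<script>alert(window.open('about:blank', 'A') ? 'FAIL' : 'PASS');</script>`), the `data:text/html,<script>alert(window.open('about:blank',` prefix is missing. Please confirm the committed file carries the full data: URL, since the whole point of this test is a frame with a unique, non-sandboxed origin, which only the data: source provides here. Note also that the expected output embeds the complete percent-encoded URL, so any edit to the inline script changes the expected console message as well.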
Modified: trunk/Source/WebCore/ChangeLog (210111 => 210112)
--- trunk/Source/WebCore/ChangeLog 2016-12-22 22:19:42 UTC (rev 210111)
+++ trunk/Source/WebCore/ChangeLog 2016-12-22 22:20:25 UTC (rev 210112)
@@ -1,3 +1,19 @@
+2016-12-22 Daniel Bates <[email protected]>
+
+ Bypass pop-up blocker from cross-origin or sandboxed frame
+ https://bugs.webkit.org/show_bug.cgi?id=166290
+ <rdar://problem/29742039>
+
+ Reviewed by Darin Adler.
+
+ Tests: fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html
+ fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html
+ fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::open): Use FrameLoader::findFrameForNavigation() to find the
+ target frame to navigate with respect to the active document just as we do in WebCore::createWindow().
+
2016-12-22 Andy Estes <[email protected]>
Make WebCore::EditorInsertAction an enum class
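Review bot: The entry says what was swapped but not why FrameTree::find() was insufficient: it resolves a frame by name without applying navigation policy, so a sandboxed or cross-origin frame could name a sibling as the target and get past the popup blocker, which is the bug in the title. A sentence stating that FrameLoader::findFrameForNavigation() applies the can-navigate check against the active document, the check that produces the "Unsafe JavaScript attempt to initiate navigation" messages in the new expected files, would record the security rationale next to the code pointer.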
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (210111 => 210112)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2016-12-22 22:19:42 UTC (rev 210111)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2016-12-22 22:20:25 UTC (rev 210112)
@@ -2245,9 +2245,9 @@
#endif
if (!firstWindow.allowPopUp()) {
- // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
+ // Because FrameTree::findFrameForNavigation() returns true for empty strings, we must check for empty frame names.
// Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
- if (frameName.isEmpty() || !m_frame->tree().find(frameName))
+ if (frameName.isEmpty() || !m_frame->loader().findFrameForNavigation(frameName, activeDocument))
return nullptr;
}
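Review bot: The updated comment `// Because FrameTree::findFrameForNavigation() returns true for empty strings` names the wrong class: the call on the next line is `m_frame->loader().findFrameForNavigation(frameName, activeDocument)`, so this is FrameLoader, not FrameTree, and "returns true" is loose for a result that is tested with `!`. Suggest `// Because FrameLoader::findFrameForNavigation() can return a frame for an empty name, we must check for empty frame names.` It is also worth confirming that the empty-name behaviour described for FrameTree::find() actually carries over to findFrameForNavigation(); if it does not, the isEmpty() guard is still harmless but the comment would be misleading.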