Title: [217061] trunk/LayoutTests
Revision
217061
Author
[email protected]
Date
2017-05-18 12:40:48 -0700 (Thu, 18 May 2017)

Log Message

Evaluating window named element may return wrong result
https://bugs.webkit.org/show_bug.cgi?id=166792
<rdar://problem/29801059>

Reviewed by Chris Dumez.

Add tests to ensure we do not regress evaluation of window named elements.

* http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt: Added.
* http/tests/security/named-window-property-from-same-origin-inactive-document.html: Added.
* http/tests/security/resources/innocent-victim-with-named-elements.html: Added.
* http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt: Added.
* http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (217060 => 217061)


--- trunk/LayoutTests/ChangeLog	2017-05-18 19:38:10 UTC (rev 217060)
+++ trunk/LayoutTests/ChangeLog	2017-05-18 19:40:48 UTC (rev 217061)
@@ -1,3 +1,19 @@
+2017-05-18  Daniel Bates  <[email protected]>
+
+        Evaluating window named element may return wrong result
+        https://bugs.webkit.org/show_bug.cgi?id=166792
+        <rdar://problem/29801059>
+
+        Reviewed by Chris Dumez.
+
+        Add tests to ensure we do not regress evaluation of window named elements.
+
+        * http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt: Added.
+        * http/tests/security/named-window-property-from-same-origin-inactive-document.html: Added.
+        * http/tests/security/resources/innocent-victim-with-named-elements.html: Added.
+        * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt: Added.
+        * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html: Added.
+
 2017-05-18  Andy Estes  <[email protected]>
 
         Add "countryCode" to ApplePayErrorContactField

Added: trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt (0 => 217061)


--- trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt	2017-05-18 19:40:48 UTC (rev 217061)
@@ -0,0 +1,15 @@
+This tests that an inactive document can access a named element in a same-origin active document.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Lookup named element whose name corresponds to an element in the initial about:blank document:
+PASS frame.contentDocument.getElementById('A') is not elementAInInactiveDocument
+PASS elementAInActiveDocumentFunction() is frame.contentDocument.getElementById('A')
+
+Lookup named element whose name does not correspond to an element in the initial about:blank document:
+PASS elementBInActiveDocumentFunction() is frame.contentDocument.getElementById('B')
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html (0 => 217061)


--- trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html	2017-05-18 19:40:48 UTC (rev 217061)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+</script>
+</head>
+<body>
+<script>
+description("This tests that an inactive document can access a named element in a same-origin active document.");
+
+var frame = document.body.appendChild(document.createElement("iframe")); // Loads about:blank
+
+var frameDocument = frame.contentDocument;
+var elementAInInactiveDocument = frameDocument.createElement("div");
+elementAInInactiveDocument.id = "A";
+frameDocument.body.appendChild(elementAInInactiveDocument);
+
+var elementAInActiveDocumentFunction = frame.contentWindow.Function("return A;");
+var elementBInActiveDocumentFunction = frame.contentWindow.Function("return B;");
+
+frame._onload_ = function ()
+{
+    debug("Lookup named element whose name corresponds to an element in the initial about:blank document:");
+    shouldNotBe("frame.contentDocument.getElementById('A')", "elementAInInactiveDocument");
+    shouldBe("elementAInActiveDocumentFunction()", "frame.contentDocument.getElementById('A')");
+
+    debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:");
+    shouldBe("elementBInActiveDocumentFunction()", "frame.contentDocument.getElementById('B')");
+
+    finishJSTest();
+}
+
+frame.src = "" // about:blank becomes the inactive document
+</script>
+<script src=""
+</body>
+</html>
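Review bot: The script does not explain why the two lookup functions are created with `frame.contentWindow.Function(...)` before the frame navigates, although the whole test depends on that ordering. I would add a comment above those two lines, for example `// Created while about:blank is still the active document, so these run on behalf of the document that becomes inactive after navigation.` I would also add one above the element creation: `// Plant a stale "A" in the initial document; a correct named-property lookup must never return it.` The `src` values appear empty as rendered on this page (`<script src=""`, `frame.src = ""`), which is presumably an archiving artifact, so the harness includes and the frame URL should be checked against the repository copy.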

Added: trunk/LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html (0 => 217061)


--- trunk/LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html	2017-05-18 19:40:48 UTC (rev 217061)
@@ -0,0 +1,7 @@
+<html>
+<body>
+This page doesn't do anything special except have some named elements.<br>
+<div id="A"></div>
+<div id="B"></div>
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt (0 => 217061)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt	2017-05-18 19:40:48 UTC (rev 217061)
@@ -0,0 +1,14 @@
+This tests that an inactive document cannot access a named element in a cross-origin active document.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Lookup named element whose name corresponds to an element in the initial about:blank document:
+PASS elementAInActiveDocumentFunction() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+
+Lookup named element whose name does not correspond to an element in the initial about:blank document:
+PASS elementBInActiveDocumentFunction() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html (0 => 217061)


--- trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html	2017-05-18 19:40:48 UTC (rev 217061)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+window.jsTestIsAsync = true;
+</script>
+</head>
+<body>
+<script>
+description("This tests that an inactive document cannot access a named element in a cross-origin active document.");
+
+var frame = document.body.appendChild(document.createElement("iframe")); // Loads about:blank
+
+var frameDocument = frame.contentDocument;
+var elementAInInactiveDocument = frameDocument.createElement("div");
+elementAInInactiveDocument.id = "A";
+frameDocument.body.appendChild(elementAInInactiveDocument);
+
+var elementAInActiveDocumentFunction = frame.contentWindow.Function("return A;");
+var elementBInActiveDocumentFunction = frame.contentWindow.Function("return B;");
+
+frame._onload_ = function ()
+{
+    debug("Lookup named element whose name corresponds to an element in the initial about:blank document:")
+    shouldThrow("elementAInActiveDocumentFunction()", '"SecurityError (DOM Exception 18): Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a frame with origin \\"http://localhost:8000\\". Protocols, domains, and ports must match."');
+
+    debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:");
+    shouldThrow("elementBInActiveDocumentFunction()", '"SecurityError (DOM Exception 18): Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a frame with origin \\"http://localhost:8000\\". Protocols, domains, and ports must match."');
+
+    finishJSTest();
+}
+
+frame.src = "" // about:blank becomes the inactive document
+</script>
+<script src=""
+</body>
+</html>
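Review bot: Both `shouldThrow` calls in the onload handler pin the full exception message, including the literal origins `http://127.0.0.1:8000` and `http://localhost:8000` and the trailing sentence about protocols, domains and ports. The test will therefore fail on any rewording of the message or change of test-server port, even when the cross-origin access is still correctly denied. The security property being guarded is that a SecurityError is thrown, so consider asserting on the exception name only. If the message check is intentional, say so with a comment such as `// The exact message is asserted on purpose; rebaseline the expected file if the wording changes.` Separately, the first `debug(...)` call in this handler lacks the trailing semicolon that the same line has in the same-origin test.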