Modified: trunk/LayoutTests/imported/w3c/ChangeLog (218920 => 218921)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2017-06-29 06:07:41 UTC (rev 218920)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2017-06-29 07:43:07 UTC (rev 218921)
@@ -1,3 +1,17 @@
+2017-06-28 Frederic Wang <[email protected]>
+
+ Align Document::canNavigate on the HTM5 specification
+ https://bugs.webkit.org/show_bug.cgi?id=173162
+
+ Reviewed by Chris Dumez.
+
+ Test expectation for popup navigation are updated now that the following tests pass:
+ - iframe_sandbox_popups_escaping-3
+ - iframe_sandbox_popups_nonescaping-3
+
+ * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt: Update expectation to PASS.
+ * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt: Update expectation to PASS.
+
2017-06-27 Saam Barati <[email protected]>
Function constructor needs to follow the spec and validate parameters and body independently
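Review bot: the ChangeLog title on the third added line reads "Align Document::canNavigate on the HTM5 specification"; "HTM5" should be "HTML5" (the same title is repeated in the WebCore ChangeLog entry, so both would need fixing together). The sentence "Test expectation for popup navigation are updated" also wants "expectations ... are" or "expectation ... is".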
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt (218920 => 218921)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt 2017-06-29 06:07:41 UTC (rev 218920)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt 2017-06-29 07:43:07 UTC (rev 218921)
@@ -1,10 +1,5 @@
-CONSOLE MESSAGE: line 15: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper-3.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
-CONSOLE MESSAGE: line 15: SecurityError (DOM Exception 18): The operation is insecure.
+PASS Check that popups from a sandboxed iframe escape the sandbox if
+ allow-popups-to-escape-sandbox is used
-Harness Error (TIMEOUT), message = null
-
-TIMEOUT Check that popups from a sandboxed iframe escape the sandbox if
- allow-popups-to-escape-sandbox is used Test timed out
-
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt (218920 => 218921)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt 2017-06-29 06:07:41 UTC (rev 218920)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt 2017-06-29 07:43:07 UTC (rev 218921)
@@ -1,9 +1,4 @@
-CONSOLE MESSAGE: line 15: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper-3.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
-CONSOLE MESSAGE: line 15: SecurityError (DOM Exception 18): The operation is insecure.
+PASS Check that popups from a sandboxed iframe do not escape the sandbox
-Harness Error (TIMEOUT), message = null
-
-NOTRUN Check that popups from a sandboxed iframe do not escape the sandbox
-
Modified: trunk/Source/WebCore/ChangeLog (218920 => 218921)
--- trunk/Source/WebCore/ChangeLog 2017-06-29 06:07:41 UTC (rev 218920)
+++ trunk/Source/WebCore/ChangeLog 2017-06-29 07:43:07 UTC (rev 218921)
@@ -1,3 +1,26 @@
+2017-06-28 Frederic Wang <[email protected]>
+
+ Align Document::canNavigate on the HTM5 specification
+ https://bugs.webkit.org/show_bug.cgi?id=173162
+
+ Reviewed by Chris Dumez.
+
+ Currently when a frame A with a sandboxed navigation flag tries and navigates another frame B
+ then Document::canNavigate verifies the cases where we try to navigate A's top frame (in
+ that case the allow-top-navigation flag is needed) or not (in that case, B must be a
+ descendant of A). This patch refines that a bit to check the case where B is a popup (in that
+ case navigation is permitted if A is the opener of B). This change aligns on the HTML5
+ specification and allows to pass more W3C Web Platform tests.
+ See https://html.spec.whatwg.org/multipage/browsers.html#allowed-to-navigate
+
+ Tests: imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3.html
+ imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::canNavigate): This refines the case where the document's frame has the
+ sandbox navigation flag set in order to handle popup navigation. New comments referring to
+ the HTML5 specification are also added.
+
2017-06-28 Myles C. Maxfield <[email protected]>
Only apply font features for the particular type of font they are being applied to
Modified: trunk/Source/WebCore/dom/Document.cpp (218920 => 218921)
--- trunk/Source/WebCore/dom/Document.cpp 2017-06-29 06:07:41 UTC (rev 218920)
+++ trunk/Source/WebCore/dom/Document.cpp 2017-06-29 07:43:07 UTC (rev 218921)
@@ -3101,23 +3101,42 @@
if (!targetFrame)
return true;
- // Frame-busting is generally allowed, but blocked for sandboxed frames lacking the 'allow-top-navigation' flag.
+ // Cases (i) and (ii) pass the tests from the specifications but might not pass the "security origin" tests.
+ // Hence they are kept for backward compatibility.
+
+ // i. A frame can navigate its top ancestor when its 'allow-top-navigation' flag is set (sometimes known as 'frame-busting').
if (!isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
return true;
- if (isSandboxed(SandboxNavigation)) {
- if (targetFrame->tree().isDescendantOf(m_frame))
- return true;
+ // ii. A sandboxed frame can always navigate its descendants.
+ if (isSandboxed(SandboxNavigation) && targetFrame->tree().isDescendantOf(m_frame))
+ return true;
- const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
- if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
- reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
+ // From https://html.spec.whatwg.org/multipage/browsers.html#allowed-to-navigate.
+ // 1. If A is not the same browsing context as B, and A is not one of the ancestor browsing contexts of B, and B is not a top-level browsing context, and A's active document's active sandboxing
+ // flag set has its sandboxed navigation browsing context flag set, then abort these steps negatively.
+ if (m_frame != targetFrame && isSandboxed(SandboxNavigation) && targetFrame->tree().parent() && !targetFrame->tree().isDescendantOf(m_frame)) {
+ printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors."));
+ return false;
+ }
- printNavigationErrorMessage(targetFrame, url(), reason);
+ // 2. Otherwise, if B is a top-level browsing context, and is one of the ancestor browsing contexts of A, and A's active document's active sandboxing flag set has its sandboxed
+ // top-level navigation browsing context flag set, then abort these steps negatively.
+ if (m_frame != targetFrame && targetFrame == &m_frame->tree().top() && isSandboxed(SandboxTopNavigation)) {
+ printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set."));
return false;
}
- // This is the normal case. A document can navigate its decendant frames,
+ // 3. Otherwise, if B is a top-level browsing context, and is neither A nor one of the ancestor browsing contexts of A, and A's Document's active sandboxing flag set has its
+ // sandboxed navigation browsing context flag set, and A is not the one permitted sandboxed navigator of B, then abort these steps negatively.
+ if (!targetFrame->tree().parent() && m_frame != targetFrame && targetFrame != &m_frame->tree().top() && isSandboxed(SandboxNavigation) && targetFrame->loader().opener() != m_frame) {
+ printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("The frame attempting navigation is sandboxed, and is not allowed to navigate this popup."));
+ return false;
+ }
+
+ // 4. Otherwise, terminate positively!
+
+ // This is the normal case. A document can navigate its descendant frames,
// or, more generally, a document can navigate a frame if the document is
// in the same origin as any of that frame's ancestors (in the frame
// hierarchy).
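Review bot: the step 3 condition on `targetFrame->loader().opener() != m_frame` approximates the spec's "one permitted sandboxed navigator" with the popup's current opener, but the spec fixes the permitted navigator at the time the auxiliary browsing context is created, whereas the opener can change afterwards (for example when the popup disowns it). The divergence fails closed, since a cleared opener denies the navigation rather than granting it, but a comment noting that `opener()` is being used as a stand-in for the spec's creation-time value would save the next reader from assuming the two are equivalent, and it would be worth a test that navigates a popup after the popup has cleared `window.opener`. Separately, the leading comment "Cases (i) and (ii) pass the tests from the specifications but might not pass the 'security origin' tests. Hence they are kept for backward compatibility." is hard to follow; consider spelling out that (i) and (ii) short-circuit to `true` before the same-origin ancestor check that follows step 4, so that a non-sandboxed frame navigating a cross-origin descendant is still covered by the "normal case" below.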