Modified: trunk/LayoutTests/ChangeLog (231958 => 231959)
--- trunk/LayoutTests/ChangeLog 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/LayoutTests/ChangeLog 2018-05-18 17:03:56 UTC (rev 231959)
@@ -1,3 +1,16 @@
+2018-05-18 Chris Dumez <[email protected]>
+
+ Unreviewed, rolling out r231935.
+
+ Caused an accessibility test to fail
+
+ Reverted changeset:
+
+ "RenderLayer::scrollRectToVisible() should not propagate a
+ subframe's scroll to its cross-origin parent"
+ https://bugs.webkit.org/show_bug.cgi?id=185664
+ https://trac.webkit.org/changeset/231935
+
2018-05-18 Dirk Schulze <[email protected]>
Make all SVG shape interfaces inherit from SVGGeometryElement
Deleted: trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent-expected.txt (231958 => 231959)
--- trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent-expected.txt 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent-expected.txt 2018-05-18 17:03:56 UTC (rev 231959)
@@ -1,10 +0,0 @@
-Tests that a fragment navigation in a cross-origin subframe does not scroll its parent.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS window.scrollY is 0
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent.html (231958 => 231959)
--- trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent.html 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/LayoutTests/http/tests/navigation/fragment-navigation-cross-origin-subframe-no-scrolling-parent.html 2018-05-18 17:03:56 UTC (rev 231959)
@@ -1,20 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=""
-</head>
-<body>
-<script>
-description("Tests that a fragment navigation in a cross-origin subframe does not scroll its parent.");
-jsTestIsAsync = true;
-
-_onload_ = () => {
- setTimeout(function() {
- shouldBe("window.scrollY", "0");
- finishJSTest();
- }, 0);
-}
-</script>
-<iframe src="" style="position: relative; top: 800px;"></iframe>
-</body>
-</html>
Deleted: trunk/LayoutTests/http/tests/navigation/resources/clear-fragment.html (231958 => 231959)
--- trunk/LayoutTests/http/tests/navigation/resources/clear-fragment.html 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/LayoutTests/http/tests/navigation/resources/clear-fragment.html 2018-05-18 17:03:56 UTC (rev 231959)
@@ -1,12 +0,0 @@
-<!DOCTYPE html>
-<html>
-<body>
-<script>
-document.location.hash = '';
-</script>
-<div id="test">TEST</div>
-<script>
-test.offsetHeight;
-</script>
-</body>
-</html>
Modified: trunk/Source/WebCore/ChangeLog (231958 => 231959)
--- trunk/Source/WebCore/ChangeLog 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/ChangeLog 2018-05-18 17:03:56 UTC (rev 231959)
@@ -1,3 +1,16 @@
+2018-05-18 Chris Dumez <[email protected]>
+
+ Unreviewed, rolling out r231935.
+
+ Caused an accessibility test to fail
+
+ Reverted changeset:
+
+ "RenderLayer::scrollRectToVisible() should not propagate a
+ subframe's scroll to its cross-origin parent"
+ https://bugs.webkit.org/show_bug.cgi?id=185664
+ https://trac.webkit.org/changeset/231935
+
2018-05-18 Zalan Bujtas <[email protected]>
[LFC] Implement height computation for non-replaced floating elements.
Modified: trunk/Source/WebCore/dom/Document.cpp (231958 => 231959)
--- trunk/Source/WebCore/dom/Document.cpp 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/dom/Document.cpp 2018-05-18 17:03:56 UTC (rev 231959)
@@ -3264,6 +3264,23 @@
return false;
}
+Frame* Document::findUnsafeParentScrollPropagationBoundary()
+{
+ Frame* currentFrame = m_frame;
+ if (!currentFrame)
+ return nullptr;
+
+ Frame* ancestorFrame = currentFrame->tree().parent();
+
+ while (ancestorFrame) {
+ if (!ancestorFrame->document()->securityOrigin().canAccess(securityOrigin()))
+ return currentFrame;
+ currentFrame = ancestorFrame;
+ ancestorFrame = ancestorFrame->tree().parent();
+ }
+ return nullptr;
+}
+
void Document::didRemoveAllPendingStylesheet()
{
if (auto* parser = scriptableDocumentParser())
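Review bot: `ancestorFrame->document()` is dereferenced without a null check on the `if (!ancestorFrame->document()->securityOrigin().canAccess(securityOrigin()))` line, whereas the FrameView::safeToPropagateScrollToParent() body this changeset removes (FrameView.cpp hunk) guarded both its own document and the parent's document against null before touching securityOrigin(). If a Frame's document() can be null here, as the removed code assumed, an ancestor without a document should be treated as a boundary rather than dereferenced: `auto* ancestorDocument = ancestorFrame->document(); if (!ancestorDocument || !ancestorDocument->securityOrigin().canAccess(securityOrigin())) return currentFrame;`. The access check also runs in the opposite direction from the removed code, which asked whether the child may access the parent; here the ancestor is asked whether it may access the child, which is presumably intended but deserves a one-line comment stating which direction matters.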
Modified: trunk/Source/WebCore/dom/Document.h (231958 => 231959)
--- trunk/Source/WebCore/dom/Document.h 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/dom/Document.h 2018-05-18 17:03:56 UTC (rev 231959)
@@ -675,6 +675,7 @@
SocketProvider* socketProvider() final;
bool canNavigate(Frame* targetFrame);
+ Frame* findUnsafeParentScrollPropagationBoundary();
bool usesStyleBasedEditability() const;
void setHasElementUsingStyleBasedEditability();
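Review bot: `Frame* findUnsafeParentScrollPropagationBoundary();` is added without a comment, and the name alone does not say which frame comes back. The Document.cpp implementation in this changeset walks up the frame tree and returns the frame directly below the first ancestor whose document origin cannot access this document's origin, or nullptr when there is no frame or every ancestor is same-origin; a comment such as `// Returns the frame directly below the nearest cross-origin ancestor, or nullptr if there is none.` would let callers use it without reading the body. The class declaration continues outside the hunk.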
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (231958 => 231959)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2018-05-18 17:03:56 UTC (rev 231959)
@@ -3028,8 +3028,17 @@
if (!view)
return;
+ // Leaking scroll position to a cross-origin ancestor would permit the so-called "framesniffing" attack.
+ RefPtr<Frame> boundaryFrame(url.hasFragmentIdentifier() ? m_frame.document()->findUnsafeParentScrollPropagationBoundary() : 0);
+
+ if (boundaryFrame)
+ boundaryFrame->view()->setSafeToPropagateScrollToParent(false);
+
if (isSameDocumentReload(isNewNavigation, m_loadType) || itemAllowsScrollRestoration(history().currentItem()))
view->scrollToFragment(url);
+
+ if (boundaryFrame)
+ boundaryFrame->view()->setSafeToPropagateScrollToParent(true);
}
bool FrameLoader::shouldClose()
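Review bot: `boundaryFrame->view()` is dereferenced on both `setSafeToPropagateScrollToParent` lines without a null check, even though the function bails out two lines earlier when the current frame's own `view` is null; a boundary frame whose view is null would crash here, so the guard should be `if (boundaryFrame && boundaryFrame->view())` on both lines. The flag is also restored to true only by straight-line code, so an early return added between the two calls in a later edit would leave the boundary frame's view marked unsafe until FrameView::reset() runs; a small scope guard that flips it back in its destructor would make the reset automatic. Minor: the ternary's false branch is `0` where the surrounding code uses `nullptr`. The enclosing function starts outside the hunk.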
Modified: trunk/Source/WebCore/page/FrameView.cpp (231958 => 231959)
--- trunk/Source/WebCore/page/FrameView.cpp 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/page/FrameView.cpp 2018-05-18 17:03:56 UTC (rev 231959)
@@ -179,6 +179,7 @@
, m_overflowStatusDirty(true)
, m_wasScrolledByUser(false)
, m_inProgrammaticScroll(false)
+ , m_safeToPropagateScrollToParent(true)
, m_delayedScrollEventTimer(*this, &FrameView::sendScrollEvent)
, m_selectionRevealModeForFocusedElement(SelectionRevealMode::DoNotReveal)
, m_delayedScrollToFocusedElementTimer(*this, &FrameView::scrollToFocusedElementTimerFired)
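Review bot: `m_safeToPropagateScrollToParent(true)` initializes the new flag to the permissive value, and the reset() hunk below (`m_safeToPropagateScrollToParent = true;`) restores it to permissive as well, so the default is fail-open: a subframe's scroll propagates to its parent unless a caller remembers to clear the flag first. The implementation this changeset removes derived the answer from the two documents' origins on every query and returned false whenever either document was missing. Because the flag is state rather than a derived property, a comment at the initializer such as `// Permissive by default; cleared only by FrameLoader around scrollToFragment() for cross-origin subframes.` would make the rationale visible to the next reader. The constructor's initializer list starts outside the hunk.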
@@ -263,6 +264,7 @@
m_updateEmbeddedObjectsTimer.stop();
m_firstLayoutCallbackPending = false;
m_wasScrolledByUser = false;
+ m_safeToPropagateScrollToParent = true;
m_delayedScrollEventTimer.stop();
m_shouldScrollToFocusedElement = false;
m_delayedScrollToFocusedElementTimer.stop();
@@ -3056,23 +3058,6 @@
return true;
}
-bool FrameView::safeToPropagateScrollToParent() const
-{
- auto* document = frame().document();
- if (!document)
- return false;
-
- auto* parentFrame = frame().tree().parent();
- if (!parentFrame)
- return false;
-
- auto* parentDocument = parentFrame->document();
- if (!parentDocument)
- return false;
-
- return document->securityOrigin().canAccess(parentDocument->securityOrigin());
-}
-
void FrameView::scrollToAnchor()
{
RefPtr<ContainerNode> anchorNode = m_maintainScrollPositionAnchor;
Modified: trunk/Source/WebCore/page/FrameView.h (231958 => 231959)
--- trunk/Source/WebCore/page/FrameView.h 2018-05-18 16:32:14 UTC (rev 231958)
+++ trunk/Source/WebCore/page/FrameView.h 2018-05-18 17:03:56 UTC (rev 231959)
@@ -337,7 +337,8 @@
WEBCORE_EXPORT bool wasScrolledByUser() const;
WEBCORE_EXPORT void setWasScrolledByUser(bool);
- bool safeToPropagateScrollToParent() const;
+ bool safeToPropagateScrollToParent() const { return m_safeToPropagateScrollToParent; }
+ void setSafeToPropagateScrollToParent(bool isSafe) { m_safeToPropagateScrollToParent = isSafe; }
void addEmbeddedObjectToUpdate(RenderEmbeddedObject&);
void removeEmbeddedObjectToUpdate(RenderEmbeddedObject&);
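Review bot: The inline getter/setter pair carries no comment on what the flag means or who is responsible for restoring it, and the setter's name does not convey that it is meant to be toggled temporarily. A comment above `setSafeToPropagateScrollToParent` such as `// Temporarily cleared by FrameLoader around scrollToFragment() so a fragment navigation in a cross-origin subframe does not scroll its parent; see Document::findUnsafeParentScrollPropagationBoundary().` would state the contract. The class declaration continues outside the hunk.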
@@ -822,6 +823,7 @@
bool m_wasScrolledByUser;
bool m_inProgrammaticScroll;
+ bool m_safeToPropagateScrollToParent;
Timer m_delayedScrollEventTimer;
bool m_shouldScrollToFocusedElement { false };
SelectionRevealMode m_selectionRevealModeForFocusedElement;
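Review bot: `bool m_safeToPropagateScrollToParent;` is declared without an in-class initializer while the neighbouring `bool m_shouldScrollToFocusedElement { false };` uses one; the value is set in the constructor's initializer list in FrameView.cpp, but `bool m_safeToPropagateScrollToParent { true };` here would keep the default next to the declaration and match the newer members' style. The class body continues outside the hunk.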