Title: [232584] trunk
Revision: 232584
Author: [email protected]
Date: 2018-06-07 09:46:47 -0700 (Thu, 07 Jun 2018)
Log Message
Handle Storage Access API calls in the absence of an attached frame
https://bugs.webkit.org/show_bug.cgi?id=186373
<rdar://problem/40028265>
Reviewed by Daniel Bates.
Source/WebCore:
Tests: http/tests/storageAccess/has-storage-access-crash.html
http/tests/storageAccess/request-storage-access-crash.html
The new frame-specific storage access checks were done without confirming a
frame was present, although the frame state was validated in other parts of
the same method.
This patch checks for a non-null frame before making frame-specific calls.
* dom/Document.cpp:
(WebCore::Document::hasStorageAccess):
(WebCore::Document::requestStorageAccess):
LayoutTests:
* http/tests/storageAccess/has-storage-access-crash-expected.txt: Added.
* http/tests/storageAccess/has-storage-access-crash.html: Added.
* http/tests/storageAccess/request-storage-access-crash-expected.txt: Added.
* http/tests/storageAccess/request-storage-access-crash.html: Added.
* platform/mac-wk2/TestExpectations: Add the two new tests for HighSierra+
Diff
Modified: trunk/LayoutTests/ChangeLog (232583 => 232584)
--- trunk/LayoutTests/ChangeLog 2018-06-07 16:24:49 UTC (rev 232583)
+++ trunk/LayoutTests/ChangeLog 2018-06-07 16:46:47 UTC (rev 232584)
@@ -1,3 +1,17 @@
+2018-06-07 Brent Fulgham <[email protected]>
+
+ Handle Storage Access API calls in the absence of an attached frame
+ https://bugs.webkit.org/show_bug.cgi?id=186373
+ <rdar://problem/40028265>
+
+ Reviewed by Daniel Bates.
+
+ * http/tests/storageAccess/has-storage-access-crash-expected.txt: Added.
+ * http/tests/storageAccess/has-storage-access-crash.html: Added.
+ * http/tests/storageAccess/request-storage-access-crash-expected.txt: Added.
+ * http/tests/storageAccess/request-storage-access-crash.html: Added.
+ * platform/mac-wk2/TestExpectations: Add the two new tests for HighSierra+
+
2018-06-06 Youenn Fablet <[email protected]>
HTTP Header values validation is too strict
Added: trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt (0 => 232584)
--- trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt 2018-06-07 16:46:47 UTC (rev 232584)
@@ -0,0 +1,5 @@
+Test that querying storage access API on a detached frame doesn't crash.
+
+[object HTMLDocument]
+SUCCESS: Did not crash.
+
Added: trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash.html (0 => 232584)
--- trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash.html (rev 0)
+++ trunk/LayoutTests/http/tests/storageAccess/has-storage-access-crash.html 2018-06-07 16:46:47 UTC (rev 232584)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ function debug(str) {
+ var c = document.getElementById("console")
+ c.innerHTML += (str + "<br>")
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function runTest() {
+ var testDiv = document.getElementById("test");
+ var testFrame = document.createElement("iframe");
+ testDiv.appendChild(testFrame);
+ var testFrameDocument = testFrame.contentDocument;
+ testFrame.outerHTML = testFrameDocument;
+
+ testFrameDocument.hasStorageAccess();
+
+ debug("SUCCESS: Did not crash.")
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ </script>
+</head>
+<body _onload_="runTest()">
+ <div id="test">
+ <p>Test that querying storage access API on a detached frame doesn't crash.</p>
+ </div>
+ <pre id="console"></pre>
+</body>
+</html>
\ No newline at end of file
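Review bot: `testFrameDocument.hasStorageAccess();` discards the returned promise, and the test prints SUCCESS and calls `testRunner.notifyDone()` in the same turn, so it only proves that the synchronous part of the call survives a detached frame. The Document.cpp change in this revision sits on a path that resolves a promise, so consider chaining `.then(...)` and `.catch(...)` on the call and invoking `notifyDone()` from there. That would pin down what the promise settles to when no frame is attached and would also catch a crash in any deferred work.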
Added: trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt (0 => 232584)
--- trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt 2018-06-07 16:46:47 UTC (rev 232584)
@@ -0,0 +1,5 @@
+Test that requesting storage access API on a detached frame doesn't crash.
+
+[object HTMLDocument]
+SUCCESS: Did not crash.
+
Added: trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash.html (0 => 232584)
--- trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash.html (rev 0)
+++ trunk/LayoutTests/http/tests/storageAccess/request-storage-access-crash.html 2018-06-07 16:46:47 UTC (rev 232584)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ function debug(str) {
+ var c = document.getElementById("console")
+ c.innerHTML += (str + "<br>")
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function runTest() {
+ var testDiv = document.getElementById("test");
+ var testFrame = document.createElement("iframe");
+ testDiv.appendChild(testFrame);
+ var testFrameDocument = testFrame.contentDocument;
+ testFrame.outerHTML = testFrameDocument;
+
+ testFrameDocument.requestStorageAccess();
+
+ debug("SUCCESS: Did not crash.")
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ </script>
+</head>
+<body _onload_="runTest()">
+ <div id="test">
+ <p>Test that requesting storage access API on a detached frame doesn't crash.</p>
+ </div>
+ <pre id="console"></pre>
+</body>
+</html>
\ No newline at end of file
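Review bot: the detach step `testFrame.outerHTML = testFrameDocument;` works by stringifying the document, which is why `[object HTMLDocument]` appears in the expected output of both tests. `testFrame.remove()` would detach the frame without writing incidental text into the expectation files, and it states the intent directly. This file is also identical to has-storage-access-crash.html apart from the API call and the description string, so a single test that exercises both calls on the same detached document would keep the two from drifting apart.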
Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (232583 => 232584)
--- trunk/LayoutTests/platform/mac-wk2/TestExpectations 2018-06-07 16:24:49 UTC (rev 232583)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations 2018-06-07 16:46:47 UTC (rev 232584)
@@ -721,8 +721,11 @@
# Touch events are not available on open source bots, thus only tested on Mac.
http/tests/resourceLoadStatistics/user-interaction-in-cross-origin-sub-frame.html [ Pass ]
http/tests/resourceLoadStatistics/user-interaction-reported-after-website-data-removal.html [ Pass ]
+
+[ HighSierra+ ] http/tests/storageAccess/has-storage-access-crash.html [ Pass ]
[ HighSierra+ ] http/tests/storageAccess/request-and-grant-storage-access-cross-origin-non-sandboxed-iframe.html [ Pass ]
[ HighSierra+ ] http/tests/storageAccess/request-and-grant-storage-access-cross-origin-sandboxed-iframe.html [ Pass ]
+[ HighSierra+ ] http/tests/storageAccess/request-storage-access-crash.html [ Pass ]
[ HighSierra+ ] http/tests/storageAccess/request-storage-access-cross-origin-sandboxed-iframe-with-unique-origin.html [ Pass ]
[ HighSierra+ ] http/tests/storageAccess/request-storage-access-cross-origin-sandboxed-iframe-without-allow-token.html [ Pass ]
[ HighSierra+ ] http/tests/storageAccess/request-storage-access-same-origin-iframe.html [ Pass ]
Modified: trunk/Source/WebCore/ChangeLog (232583 => 232584)
--- trunk/Source/WebCore/ChangeLog 2018-06-07 16:24:49 UTC (rev 232583)
+++ trunk/Source/WebCore/ChangeLog 2018-06-07 16:46:47 UTC (rev 232584)
@@ -1,3 +1,24 @@
+2018-06-07 Brent Fulgham <[email protected]>
+
+ Handle Storage Access API calls in the absence of an attached frame
+ https://bugs.webkit.org/show_bug.cgi?id=186373
+ <rdar://problem/40028265>
+
+ Reviewed by Daniel Bates.
+
+ Tests: http/tests/storageAccess/has-storage-access-crash.html
+ http/tests/storageAccess/request-storage-access-crash.html
+
+ The new frame-specific storage access checks were done without confirming a
+ frame was present, although the frame state was validated in other parts of
+ the same method.
+
+ This patch checks for a non-null frame before making frame-specific calls.
+
+ * dom/Document.cpp:
+ (WebCore::Document::hasStorageAccess):
+ (WebCore::Document::requestStorageAccess):
+
2018-06-07 Zalan Bujtas <[email protected]>
[LFC] Merge height and vertical margin computation
Modified: trunk/Source/WebCore/dom/Document.cpp (232583 => 232584)
--- trunk/Source/WebCore/dom/Document.cpp 2018-06-07 16:24:49 UTC (rev 232583)
+++ trunk/Source/WebCore/dom/Document.cpp 2018-06-07 16:46:47 UTC (rev 232584)
@@ -7527,7 +7527,7 @@
ASSERT(settings().storageAccessAPIEnabled());
#if HAVE(CFNETWORK_STORAGE_PARTITIONING)
- if (hasFrameSpecificStorageAccess()) {
+ if (m_frame && hasFrameSpecificStorageAccess()) {
promise->resolve<IDLBoolean>(true);
return;
}
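Review bot: the `m_frame &&` guard is added at the call site in `hasStorageAccess`, and the identical guard is repeated in `requestStorageAccess` in the next hunk, which leaves `hasFrameSpecificStorageAccess()` itself unsafe to call on a document with no frame. Moving the null check into `hasFrameSpecificStorageAccess()`, returning false when there is no frame, would protect both callers and any later one. The `ASSERT` above the guard covers only the settings flag, so nothing in the visible lines documents the frame precondition either.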
@@ -7578,7 +7578,7 @@
ASSERT(settings().storageAccessAPIEnabled());
#if HAVE(CFNETWORK_STORAGE_PARTITIONING)
- if (hasFrameSpecificStorageAccess()) {
+ if (m_frame && hasFrameSpecificStorageAccess()) {
promise->resolve();
return;
}
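Review bot: with `m_frame` null, `requestStorageAccess` now skips this early `promise->resolve()` and continues into code that is outside the hunk, so the fix relies on that later code settling the promise for a frameless document. The ChangeLog says the frame state is validated elsewhere in the method, but request-storage-access-crash.html never observes the promise. Asserting the expected outcome in that test would confirm that a detached document is neither left with a pending promise nor reported as having access.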