Diff
Modified: trunk/LayoutTests/ChangeLog (236612 => 236613)
--- trunk/LayoutTests/ChangeLog 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/ChangeLog 2018-09-28 21:56:33 UTC (rev 236613)
@@ -1,3 +1,16 @@
+2018-09-28 Chris Dumez <[email protected]>
+
+ document.open() should throw errors for cross-origin calls
+ https://bugs.webkit.org/show_bug.cgi?id=189371
+ <rdar://problem/44282700>
+
+ Reviewed by Youenn Fablet.
+
+ Tweak a couple of existing tests to reflect behavior change.
+
+ * fast/dom/HTMLDocument/document-open-return-value.html:
+ * fast/parser/tokenizer-close-during-document-write.html:
+
2018-09-28 Commit Queue <[email protected]>
Unreviewed, rolling out r236605.
Modified: trunk/LayoutTests/fast/dom/HTMLDocument/document-open-return-value.html (236612 => 236613)
--- trunk/LayoutTests/fast/dom/HTMLDocument/document-open-return-value.html 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/fast/dom/HTMLDocument/document-open-return-value.html 2018-09-28 21:56:33 UTC (rev 236613)
@@ -14,5 +14,5 @@
document.getElementById("result").innerHTML = d.body.innerHTML;
}
</script>
-<iframe src=""
+<iframe srcdoc="FAILURE"></iframe>
</body>
Modified: trunk/LayoutTests/fast/parser/tokenizer-close-during-document-write.html (236612 => 236613)
--- trunk/LayoutTests/fast/parser/tokenizer-close-during-document-write.html 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/fast/parser/tokenizer-close-during-document-write.html 2018-09-28 21:56:33 UTC (rev 236613)
@@ -2,7 +2,7 @@
<p>Test for <a href=''>bug 39008</a>:
Webkit crashes on clicking back button when in hotmail.</p>
<div id="result">Running...</div>
-<iframe src=""
+<iframe src=""
<script>
if (window.testRunner)
testRunner.dumpAsText();
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (236612 => 236613)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2018-09-28 21:56:33 UTC (rev 236613)
@@ -1,3 +1,16 @@
+2018-09-28 Chris Dumez <[email protected]>
+
+ document.open() should throw errors for cross-origin calls
+ https://bugs.webkit.org/show_bug.cgi?id=189371
+ <rdar://problem/44282700>
+
+ Reviewed by Youenn Fablet.
+
+ Rebaseline existing WPT tests now that more checks are passing.
+
+ * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window-expected.txt:
+ * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-same-origin-domain.sub.window-expected.txt:
+
2018-09-27 Andy Estes <[email protected]>
[Payment Request] Update web platform tests
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window-expected.txt (236612 => 236613)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window-expected.txt 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-exception-vs-return-origin.sub.window-expected.txt 2018-09-28 21:56:33 UTC (rev 236613)
@@ -2,17 +2,9 @@
PASS document.open should throw an InvalidStateError with XML document even if it is cross-origin
FAIL document.open should throw an InvalidStateError when the throw-on-dynamic-markup-insertion counter is incremented even if the document is cross-origin assert_throws: opening a document when the throw-on-dynamic-markup-insertion counter is incremented should throw an InvalidStateError function "() => {
iframe.contentDocument.open();
- }" did not throw
-FAIL document.open should throw a SecurityError with cross-origin document even when there is an active parser executing script assert_throws: opening a same origin-domain (but not same origin) document should throw a SecurityError function "() => {
- iframe.contentDocument.open();
- }" did not throw
-FAIL document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during beforeunload event) assert_throws: opening a same origin-domain (but not same origin) document should throw a SecurityError function "() => {
- iframe.contentDocument.open();
- }" did not throw
-FAIL document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during pagehide event) assert_throws: opening a same origin-domain (but not same origin) document should throw a SecurityError function "() => {
- iframe.contentDocument.open();
- }" did not throw
-FAIL document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during unload event) assert_throws: opening a same origin-domain (but not same origin) document should throw a SecurityError function "() => {
- iframe.contentDocument.open();
- }" did not throw
+ }" threw object "SecurityError: The operation is insecure." that is not a DOMException InvalidStateError: property "code" is equal to 18, expected 11
+PASS document.open should throw a SecurityError with cross-origin document even when there is an active parser executing script
+PASS document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during beforeunload event)
+PASS document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during pagehide event)
+PASS document.open should throw a SecurityError with cross-origin document even when the ignore-opens-during-unload counter is greater than 0 (during unload event)
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-same-origin-domain.sub.window-expected.txt (236612 => 236613)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-same-origin-domain.sub.window-expected.txt 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/bailout-side-effects-same-origin-domain.sub.window-expected.txt 2018-09-28 21:56:33 UTC (rev 236613)
@@ -1,5 +1,3 @@
-FAIL document.open bailout should not have any side effects (same origin-domain (but not same origin) document) assert_throws: document.open() should throw a SecurityError on a same origin-domain (but not same origin) document function "() => {
- ctx.iframes[0].contentDocument.open();
- }" did not throw
+PASS document.open bailout should not have any side effects (same origin-domain (but not same origin) document)
Modified: trunk/Source/WebCore/ChangeLog (236612 => 236613)
--- trunk/Source/WebCore/ChangeLog 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/Source/WebCore/ChangeLog 2018-09-28 21:56:33 UTC (rev 236613)
@@ -1,3 +1,22 @@
+2018-09-28 Chris Dumez <[email protected]>
+
+ document.open() should throw errors for cross-origin calls
+ https://bugs.webkit.org/show_bug.cgi?id=189371
+ <rdar://problem/44282700>
+
+ Reviewed by Youenn Fablet.
+
+ document.open() / document.write() should throw errors for cross-origin calls as per:
+ - https://html.spec.whatwg.org/#document-open-steps (Step 4)
+
+ No new tests, rebaselined existing tests.
+
+ * dom/Document.cpp:
+ (WebCore::Document::open):
+ (WebCore::Document::write):
+ (WebCore::Document::writeln):
+ * dom/Document.h:
+
2018-09-28 Ryosuke Niwa <[email protected]>
Rename createMarkup to serializePreservingVisualAppearance
Modified: trunk/Source/WebCore/dom/Document.cpp (236612 => 236613)
--- trunk/Source/WebCore/dom/Document.cpp 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/Source/WebCore/dom/Document.cpp 2018-09-28 21:56:33 UTC (rev 236613)
@@ -2666,14 +2666,20 @@
if (!isHTMLDocument() || m_throwOnDynamicMarkupInsertionCount)
return Exception { InvalidStateError };
- open(responsibleDocument);
+ auto result = open(responsibleDocument);
+ if (UNLIKELY(result.hasException()))
+ return result.releaseException();
+
return *this;
}
-void Document::open(Document* responsibleDocument)
+ExceptionOr<void> Document::open(Document* responsibleDocument)
{
+ if (responsibleDocument && !responsibleDocument->securityOrigin().isSameOriginAs(securityOrigin()))
+ return Exception { SecurityError };
+
if (m_ignoreOpensDuringUnloadCount)
- return;
+ return { };
if (m_frame) {
if (ScriptableDocumentParser* parser = scriptableDocumentParser()) {
@@ -2680,10 +2686,10 @@
if (parser->isParsing()) {
// FIXME: HTML5 doesn't tell us to check this, it might not be correct.
if (parser->isExecutingScript())
- return;
+ return { };
if (!parser->wasCreatedByScript() && parser->hasInsertionPoint())
- return;
+ return { };
}
}
@@ -2713,6 +2719,8 @@
if (m_frame)
m_frame->loader().didExplicitOpen();
+
+ return { };
}
// https://html.spec.whatwg.org/#fully-active
@@ -3030,7 +3038,7 @@
return MonotonicTime::now() - m_documentCreationTime;
}
-void Document::write(Document* responsibleDocument, SegmentedString&& text)
+ExceptionOr<void> Document::write(Document* responsibleDocument, SegmentedString&& text)
{
NestingLevelIncrementer nestingLevelIncrementer(m_writeRecursionDepth);
@@ -3038,17 +3046,21 @@
m_writeRecursionIsTooDeep = (m_writeRecursionDepth > cMaxWriteRecursionDepth) || m_writeRecursionIsTooDeep;
if (m_writeRecursionIsTooDeep)
- return;
+ return { };
bool hasInsertionPoint = m_parser && m_parser->hasInsertionPoint();
if (!hasInsertionPoint && (m_ignoreOpensDuringUnloadCount || m_ignoreDestructiveWriteCount))
- return;
+ return { };
- if (!hasInsertionPoint)
- open(responsibleDocument);
+ if (!hasInsertionPoint) {
+ auto result = open(responsibleDocument);
+ if (UNLIKELY(result.hasException()))
+ return result.releaseException();
+ }
ASSERT(m_parser);
m_parser->insert(WTFMove(text));
+ return { };
}
ExceptionOr<void> Document::write(Document* responsibleDocument, Vector<String>&& strings)
@@ -3060,9 +3072,7 @@
for (auto& string : strings)
text.append(WTFMove(string));
- write(responsibleDocument, WTFMove(text));
-
- return { };
+ return write(responsibleDocument, WTFMove(text));
}
ExceptionOr<void> Document::writeln(Document* responsibleDocument, Vector<String>&& strings)
@@ -3075,9 +3085,7 @@
text.append(WTFMove(string));
text.append("\n"_s);
- write(responsibleDocument, WTFMove(text));
-
- return { };
+ return write(responsibleDocument, WTFMove(text));
}
Seconds Document::minimumDOMTimerInterval() const
Modified: trunk/Source/WebCore/dom/Document.h (236612 => 236613)
--- trunk/Source/WebCore/dom/Document.h 2018-09-28 21:08:54 UTC (rev 236612)
+++ trunk/Source/WebCore/dom/Document.h 2018-09-28 21:56:33 UTC (rev 236613)
@@ -647,7 +647,7 @@
WEBCORE_EXPORT ExceptionOr<Document&> openForBindings(Document* responsibleDocument, const String&, const String&);
// FIXME: We should rename this at some point and give back the name 'open' to the HTML specified ones.
- WEBCORE_EXPORT void open(Document* responsibleDocument = nullptr);
+ WEBCORE_EXPORT ExceptionOr<void> open(Document* responsibleDocument = nullptr);
void implicitOpen();
WEBCORE_EXPORT ExceptionOr<void> closeForBindings();
@@ -663,7 +663,7 @@
void cancelParsing();
- void write(Document* responsibleDocument, SegmentedString&&);
+ ExceptionOr<void> write(Document* responsibleDocument, SegmentedString&&);
WEBCORE_EXPORT ExceptionOr<void> write(Document* responsibleDocument, Vector<String>&&);
WEBCORE_EXPORT ExceptionOr<void> writeln(Document* responsibleDocument, Vector<String>&&);
