Diff
Modified: trunk/LayoutTests/ChangeLog (237111 => 237112)
--- trunk/LayoutTests/ChangeLog 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/ChangeLog 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,35 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Restrict browsing context lookup by name to frames that are related to one another
+ https://bugs.webkit.org/show_bug.cgi?id=190475
+
+ Reviewed by Alex Christensen.
+
+ * http/tests/dom/new-window-can-target-opener-expected.txt: Added.
+ * http/tests/dom/new-window-can-target-opener.html: Added.
+ * http/tests/dom/noopener-window-cannot-target-opener-expected.txt: Added.
+ * http/tests/dom/noopener-window-cannot-target-opener.html: Added.
+ * http/tests/dom/noopener-window-not-targetable-expected.txt: Added.
+ * http/tests/dom/noopener-window-not-targetable.html: Added.
+ * http/tests/dom/noopener-window-not-targetable2-expected.txt: Added.
+ * http/tests/dom/noopener-window-not-targetable2.html: Added.
+ * http/tests/dom/noreferrer-window-not-targetable-expected.txt: Added.
+ * http/tests/dom/noreferrer-window-not-targetable.html: Added.
+ * http/tests/dom/opened-window-not-targetable-after-disowning-opener-expected.txt: Added.
+ * http/tests/dom/opened-window-not-targetable-after-disowning-opener.html: Added.
+ * http/tests/dom/resources/new-window-can-target-opener-win.html: Added.
+ * http/tests/dom/resources/noopener-window-cannot-target-opener-win.html: Added.
+ Add layout test coverage.
+
+ * fast/dom/Window/a-rel-noopener-expected.txt:
+ * fast/dom/Window/area-rel-noopener-expected.txt:
+ * fast/dom/Window/resources/rel-noopener.js:
+ * http/tests/navigation/no-referrer-target-blank-expected.txt:
+ * http/tests/navigation/resources/no-referrer-helper.php:
+ * platform/mac-wk1/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt:
+ * platform/wk2/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt:
+ Update / rebaseline existing tests to reflect behavior change.
+
2018-10-15 YUHAN WU <yuhan...@apple.com>
Implement error handler of MediaRecorder
Modified: trunk/LayoutTests/fast/dom/Window/a-rel-noopener-expected.txt (237111 => 237112)
--- trunk/LayoutTests/fast/dom/Window/a-rel-noopener-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/fast/dom/Window/a-rel-noopener-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: line 11: PASS: window.opener is null
Test that window.opener is null when a new window is opened from an anchor element with rel='noopener'.
-PASS: window.opener is null
+
Modified: trunk/LayoutTests/fast/dom/Window/area-rel-noopener-expected.txt (237111 => 237112)
--- trunk/LayoutTests/fast/dom/Window/area-rel-noopener-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/fast/dom/Window/area-rel-noopener-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,4 +1,5 @@
+CONSOLE MESSAGE: line 11: PASS: window.opener is null
Test that window.opener is null when a new window is opened from an area element with rel='noopener'.
-PASS: window.opener is null
+
Modified: trunk/LayoutTests/fast/dom/Window/resources/rel-noopener.js (237111 => 237112)
--- trunk/LayoutTests/fast/dom/Window/resources/rel-noopener.js 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/fast/dom/Window/resources/rel-noopener.js 2018-10-15 15:34:39 UTC (rev 237112)
@@ -5,11 +5,10 @@
}
if (document.location.hash === "#new-window") {
- var console = window.open("", "originalWindow").document.getElementById("console");
if (window.opener)
- console.innerText = "FAIL: window.opener is non-null";
+ console.log("FAIL: window.opener is non-null");
else
- console.innerText = "PASS: window.opener is null";
+ console.log("PASS: window.opener is null");
testRunner.notifyDone();
} else {
window.name = "originalWindow";
Added: trunk/LayoutTests/http/tests/dom/new-window-can-target-opener-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/new-window-can-target-opener-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/new-window-can-target-opener-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: line 15: PASS: New window should have an opener
+CONSOLE MESSAGE: line 21: PASS: New window should be able to look up opener by name
+CONSOLE MESSAGE: line 27: PASS: New window should have URL 'http://127.0.0.1:8000/dom/new-window-can-target-opener.html'
+Make sure that windows opened via window.open can target their opener
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
Added: trunk/LayoutTests/http/tests/dom/new-window-can-target-opener.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/new-window-can-target-opener.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/new-window-can-target-opener.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure that windows opened via window.open can target their opener");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ window.name = "opener";
+ w = open("resources/new-window-can-target-opener-win.html", "");
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: line 17: PASS: New window should not have an opener
+CONSOLE MESSAGE: line 21: PASS: New window should have URL 'about:blank'
+Make sure that windows opened with 'noopener' via window.open cannot target their opener.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS w is null
+
Added: trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-cannot-target-opener.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure that windows opened with 'noopener' via window.open cannot target their opener.");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ window.name = "opener";
+ w = open("resources/noopener-window-cannot-target-opener-win.html", "", "noopener");
+ shouldBeNull("w");
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,11 @@
+Make sure that windows opened with 'noopener' via an anchor are not targetable. If testing manually, you should see 2 tabs open.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS w.location.href is "about:blank"
+PASS testRunner.windowCount() is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<a id="testLink" target="foo" rel="noopener" href=""
+<script>
+description("Make sure that windows opened with 'noopener' via an anchor are not targetable. If testing manually, you should see 2 tabs open.");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ testLink.click();
+
+ setTimeout(function() {
+ w = open("/navigation/resources/otherpage.html", "foo"); // Should create a new window.
+ shouldBeEqualToString("w.location.href", "about:blank");
+ w._onload_ = function() {
+ if (window.testRunner)
+ shouldBe("testRunner.windowCount()", "3");
+ finishJSTest();
+ }
+ }, 100);
+}
+</script>
+</body>
+</html>
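Review bot: The fixed 100 ms `setTimeout` after `testLink.click()` is the only thing that orders the second `open(..., "foo")` after the creation of the first window, so on a slow bot the name lookup may run before the window it is meant to miss exists. That can make the test flaky, or let it pass without exercising the restriction. Waiting on a deterministic signal would be safer, for example polling `testRunner.windowCount()` until it reaches 2 before the second `open()`, with a comment such as `// Wait for the rel=noopener window to exist before probing the name "foo".` The same delay-based pattern is used in noopener-window-not-targetable2.html, noreferrer-window-not-targetable.html and opened-window-not-targetable-after-disowning-opener.html.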
Added: trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,12 @@
+Make sure that windows opened with 'noopener' via window.open are not targetable. If testing manually, you should see 2 tabs open.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS w is null
+PASS w.location.href is "about:blank"
+PASS testRunner.windowCount() is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noopener-window-not-targetable2.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure that windows opened with 'noopener' via window.open are not targetable. If testing manually, you should see 2 tabs open.");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ w = window.open("/navigation/resources/otherpage.html", "foo", "noopener");
+ shouldBeNull("w");
+
+ setTimeout(function() {
+ w = open("/navigation/resources/otherpage.html", "foo"); // Should create a new window.
+ shouldBeEqualToString("w.location.href", "about:blank");
+ w._onload_ = function() {
+ if (window.testRunner)
+ shouldBe("testRunner.windowCount()", "3");
+ finishJSTest();
+ }
+ }, 100);
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,11 @@
+Make sure that windows opened with 'noreferrer' are not targetable. If testing manually, you should see 2 tabs open.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS w.location.href is "about:blank"
+PASS testRunner.windowCount() is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/noreferrer-window-not-targetable.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<a id="testLink" target="foo" rel="noreferrer" href=""
+<script>
+description("Make sure that windows opened with 'noreferrer' are not targetable. If testing manually, you should see 2 tabs open.");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ testLink.click();
+ setTimeout(function() {
+ w = open("/navigation/resources/otherpage.html", "foo"); // Should create a new window.
+ shouldBeEqualToString("w.location.href", "about:blank");
+ w._onload_ = function() {
+ if (window.testRunner)
+ shouldBe("testRunner.windowCount()", "3");
+ finishJSTest();
+ }
+ }, 100);
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener-expected.txt (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,11 @@
+Make sure that windows opened via window.open are not targetable by their opener after it is disowned. If testing manually, you should see 2 tabs open.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS w.location.href is "about:blank"
+PASS testRunner.windowCount() is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/opened-window-not-targetable-after-disowning-opener.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("Make sure that windows opened via window.open are not targetable by their opener after it is disowned. If testing manually, you should see 2 tabs open.");
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ w = window.open("/navigation/resources/otherpage.html", "foo");
+ w.opener = null;
+
+ setTimeout(function() {
+ w = open("/navigation/resources/otherpage.html", "foo"); // Should create a new window.
+ shouldBeEqualToString("w.location.href", "about:blank");
+ w._onload_ = function() {
+ if (window.testRunner)
+ shouldBe("testRunner.windowCount()", "3");
+ finishJSTest();
+ }
+ }, 100);
+}
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/resources/new-window-can-target-opener-win.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/resources/new-window-can-target-opener-win.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/resources/new-window-can-target-opener-win.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ if (window.opener)
+ console.log("PASS: New window should have an opener");
+ else
+ console.log("FAIL: New window should have an opener");
+
+ openerByName = open("", "opener"); // Should return the opener.
+ if (openerByName === opener)
+ console.log("PASS: New window should be able to look up opener by name");
+ else
+ console.log("FAIL: New window should be able to look up opener by name");
+
+ const expectedOpenerURL = "http://127.0.0.1:8000/dom/new-window-can-target-opener.html";
+ if (openerByName.location.href == expectedOpenerURL)
+ console.log("PASS: New window should have URL '" + expectedOpenerURL + "'");
+ else
+ console.log("FAIL: New window should have URL '" + expectedOpenerURL + "' but got '" + openerByName.location.href + "'");
+
+ finishJSTest();
+};
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/dom/resources/noopener-window-cannot-target-opener-win.html (0 => 237112)
--- trunk/LayoutTests/http/tests/dom/resources/noopener-window-cannot-target-opener-win.html (rev 0)
+++ trunk/LayoutTests/http/tests/dom/resources/noopener-window-cannot-target-opener-win.html 2018-10-15 15:34:39 UTC (rev 237112)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows();
+
+_onload_ = function() {
+ if (window.opener)
+ console.log("FAIL: New window should not have an opener");
+ else
+ console.log("PASS: New window should not have an opener");
+
+ opener = open("", "opener"); // Should open a new window.
+ if (opener.location.href == "about:blank")
+ console.log("PASS: New window should have URL 'about:blank'");
+ else
+ console.log("FAIL: New window should have URL 'about:blank' but got '" + opener.location.href + "'");
+
+ finishJSTest();
+};
+</script>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/navigation/no-referrer-reset-expected.txt (237111 => 237112)
--- trunk/LayoutTests/http/tests/navigation/no-referrer-reset-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/http/tests/navigation/no-referrer-reset-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 15: Referrer: http://127.0.0.1:8000/navigation/resources/no-referrer-reset-helper.php
+CONSOLE MESSAGE: line 16: window.opener: http://127.0.0.1:8000/navigation/no-referrer-reset.html
This tests whether referrer information gets properly set and reset when "noreferrer" links are present. We do the following:
1. Open a link in a new window: referrer is sent and window.opener is sent.
2. Click a rel="noreferrer" link: referrer is null, but window.opener remains set since the link was not opened with target="_blank".
@@ -7,5 +9,3 @@
window.opener: http://127.0.0.1:8000/navigation/no-referrer-reset.html
Referrer:
window.opener: http://127.0.0.1:8000/navigation/no-referrer-reset.html
-Referrer: http://127.0.0.1:8000/navigation/resources/no-referrer-reset-helper.php
-window.opener: http://127.0.0.1:8000/navigation/no-referrer-reset.html
Modified: trunk/LayoutTests/http/tests/navigation/no-referrer-subframe-expected.txt (237111 => 237112)
--- trunk/LayoutTests/http/tests/navigation/no-referrer-subframe-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/http/tests/navigation/no-referrer-subframe-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,4 +1,5 @@
+CONSOLE MESSAGE: line 15: Referrer:
+CONSOLE MESSAGE: line 16: window.opener:
This tests behavior of "noreferrer" links in subframes. A referrer should not be sent and window.opener should remain null.
Load subframe
-Referrer:
-window.opener:
+
Modified: trunk/LayoutTests/http/tests/navigation/no-referrer-target-blank-expected.txt (237111 => 237112)
--- trunk/LayoutTests/http/tests/navigation/no-referrer-target-blank-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/http/tests/navigation/no-referrer-target-blank-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,4 +1,5 @@
+CONSOLE MESSAGE: line 15: Referrer:
+CONSOLE MESSAGE: line 16: window.opener:
This tests the functionality of the "noreferrer" link relation on anchor tags. The link below should not send an http referrer, and the resulting window should have its opener attribute set to null. The values of the referrer and window.opener should be empty below.
Start no referrer test
-Referrer:
-window.opener:
+
Modified: trunk/LayoutTests/http/tests/navigation/resources/no-referrer-helper.php (237111 => 237112)
--- trunk/LayoutTests/http/tests/navigation/resources/no-referrer-helper.php 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/http/tests/navigation/resources/no-referrer-helper.php 2018-10-15 15:34:39 UTC (rev 237112)
@@ -18,11 +18,8 @@
document.getElementById('console').appendChild(line);
}
- var consoleWindow = window.open("", "consoleWindow");
- if (consoleWindow) {
- consoleWindow.log(document.getElementById("referrer").innerText);
- consoleWindow.log("window.opener: " + (window.opener ? window.opener.location : ""));
- }
+ console.log(document.getElementById("referrer").innerText);
+ console.log("window.opener: " + (window.opener ? window.opener.location : ""));
if (window.testRunner)
testRunner.notifyDone();
Modified: trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt (237111 => 237112)
--- trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,10 +1,4 @@
-CONSOLE MESSAGE: line 37: Unsafe _javascript_ attempt to initiate navigation for frame with URL '' from frame with URL 'http://localhost:8800/html/browsers/windows/noreferrer-window-name.html'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
-CONSOLE MESSAGE: line 38: Unsafe _javascript_ attempt to initiate navigation for frame with URL '' from frame with URL 'http://localhost:8800/html/browsers/windows/noreferrer-window-name.html'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
-
-CONSOLE MESSAGE: line 38: Unsafe _javascript_ attempt to initiate navigation for frame with URL '' from frame with URL 'http://localhost:8800/html/browsers/windows/noreferrer-window-name.html'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
-
-
Harness Error (TIMEOUT), message = null
PASS Following a noreferrer link with a named target should not cause creation of a window that can be targeted by another noreferrer link with the same named target
Modified: trunk/LayoutTests/platform/wk2/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt (237111 => 237112)
--- trunk/LayoutTests/platform/wk2/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/LayoutTests/platform/wk2/imported/w3c/web-platform-tests/html/browsers/windows/noreferrer-window-name-expected.txt 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to initiate navigation for frame with URL '' from frame with URL 'http://localhost:8800/html/browsers/windows/noreferrer-window-name.html'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
-
Harness Error (TIMEOUT), message = null
TIMEOUT Following a noreferrer link with a named target should not cause creation of a window that can be targeted by another noreferrer link with the same named target Test timed out
Modified: trunk/Source/WebCore/ChangeLog (237111 => 237112)
--- trunk/Source/WebCore/ChangeLog 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebCore/ChangeLog 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,37 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Restrict browsing context lookup by name to frames that are related to one another
+ https://bugs.webkit.org/show_bug.cgi?id=190475
+
+ Reviewed by Alex Christensen.
+
+ Update our frame lookup by name logic to take in the active / requesting frame and
+ only a return a frame that is related to it. By related to it, I mean:
+ - Ancestor <-> Descendant relationship
+ - Opener <-> Openee relationship
+
+ Being able to look up unrelated frames makes process swapping difficult so we need
+ to be stricter.
+
+ This change is being discussed at:
+ - https://github.com/whatwg/html/issues/313
+
+ Tests: http/tests/dom/new-window-can-target-opener.html
+ http/tests/dom/noopener-window-cannot-target-opener.html
+ http/tests/dom/noopener-window-not-targetable.html
+ http/tests/dom/noopener-window-not-targetable2.html
+ http/tests/dom/noreferrer-window-not-targetable.html
+ http/tests/dom/opened-window-not-targetable-after-disowning-opener.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::findFrameForNavigation):
+ * page/FrameTree.cpp:
+ (WebCore::isFrameFamiliarWith):
+ (WebCore::FrameTree::find const):
+ * page/FrameTree.h:
+ * rendering/HitTestResult.cpp:
+ (WebCore::HitTestResult::targetFrame const):
+
2018-10-15 Alex Christensen <achristen...@webkit.org>
Shrink more enum classes
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (237111 => 237112)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2018-10-15 15:34:39 UTC (rev 237112)
@@ -3540,12 +3540,12 @@
Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument)
{
- Frame* frame = m_frame.tree().find(name);
-
// FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.
if (!activeDocument)
activeDocument = m_frame.document();
+ auto* frame = m_frame.tree().find(name, activeDocument->frame() ? *activeDocument->frame() : m_frame);
+
if (!activeDocument->canNavigate(frame))
return nullptr;
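Review bot: When `activeDocument->frame()` is null, the new `find()` call silently substitutes `m_frame` as the active frame, so the relatedness filter is evaluated for the frame that owns this loader rather than for the requester. Together with the FIXME above (callers that pass no `activeDocument`), this means the restriction is only as strong as the caller's choice of document. If the fallback is intended, a comment such as `// Detached active document: use our own frame for the relatedness check.` would make that explicit; otherwise returning `nullptr` for a frameless active document would fail closed. The function body continues past the end of this hunk.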
Modified: trunk/Source/WebCore/page/FrameTree.cpp (237111 => 237112)
--- trunk/Source/WebCore/page/FrameTree.cpp 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebCore/page/FrameTree.cpp 2018-10-15 15:34:39 UTC (rev 237112)
@@ -208,8 +208,24 @@
return nullptr;
}
-Frame* FrameTree::find(const AtomicString& name) const
+// FrameTree::find() only returns frames in pages that are related to the active
+// page by an opener <-> openee relationship.
+static bool isFrameFamiliarWith(Frame& frameA, Frame& frameB)
{
+ if (frameA.page() == frameB.page())
+ return true;
+
+ if (auto* frameAOpener = frameA.mainFrame().loader().opener())
+ return isFrameFamiliarWith(*frameAOpener, frameB);
+
+ if (auto* frameBOpener = frameB.mainFrame().loader().opener())
+ return isFrameFamiliarWith(frameA, *frameBOpener);
+
+ return false;
+}
+
+Frame* FrameTree::find(const AtomicString& name, Frame& activeFrame) const
+{
// FIXME: _current is not part of the HTML specification.
if (equalIgnoringASCIICase(name, "_self") || name == "_current" || name.isEmpty())
return &m_thisFrame;
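Review bot: `isFrameFamiliarWith()` returns true whenever `frameA.page() == frameB.page()`, which also holds if both sides are null. The frames reached through `mainFrame().loader().opener()` are never checked for still being attached, so if `Frame::page()` can return null for a detached frame (not visible in this hunk), two unrelated opener chains that both end in detached frames would be treated as related. A guard like `if (frameA.page() && frameA.page() == frameB.page())` would close that off. The comment above the helper could also note that frames on the same page count as familiar, not only those linked by opener. The body of `FrameTree::find()` continues outside this hunk.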
@@ -245,8 +261,8 @@
for (auto* otherPage : page->group().pages()) {
if (otherPage == page)
continue;
- for (Frame* frame = &otherPage->mainFrame(); frame; frame = frame->tree().traverseNext()) {
- if (frame->tree().uniqueName() == name)
+ for (auto* frame = &otherPage->mainFrame(); frame; frame = frame->tree().traverseNext()) {
+ if (frame->tree().uniqueName() == name && isFrameFamiliarWith(activeFrame, *frame))
return frame;
}
}
Modified: trunk/Source/WebCore/page/FrameTree.h (237111 => 237112)
--- trunk/Source/WebCore/page/FrameTree.h 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebCore/page/FrameTree.h 2018-10-15 15:34:39 UTC (rev 237112)
@@ -75,7 +75,7 @@
Frame* child(unsigned index) const;
Frame* child(const AtomicString& name) const;
- WEBCORE_EXPORT Frame* find(const AtomicString& name) const;
+ WEBCORE_EXPORT Frame* find(const AtomicString& name, Frame& activeFrame) const;
WEBCORE_EXPORT unsigned childCount() const;
WEBCORE_EXPORT Frame& top() const;
Modified: trunk/Source/WebCore/rendering/HitTestResult.cpp (237111 => 237112)
--- trunk/Source/WebCore/rendering/HitTestResult.cpp 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebCore/rendering/HitTestResult.cpp 2018-10-15 15:34:39 UTC (rev 237112)
@@ -177,13 +177,13 @@
Frame* HitTestResult::targetFrame() const
{
if (!m_innerURLElement)
- return 0;
+ return nullptr;
Frame* frame = m_innerURLElement->document().frame();
if (!frame)
- return 0;
+ return nullptr;
- return frame->tree().find(m_innerURLElement->target());
+ return frame->tree().find(m_innerURLElement->target(), *frame);
}
bool HitTestResult::isSelected() const
Modified: trunk/Source/WebKit/ChangeLog (237111 => 237112)
--- trunk/Source/WebKit/ChangeLog 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebKit/ChangeLog 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,13 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Restrict browsing context lookup by name to frames that are related to one another
+ https://bugs.webkit.org/show_bug.cgi?id=190475
+
+ Reviewed by Alex Christensen.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::performJavaScriptURLRequest):
+
2018-10-15 Alex Christensen <achristen...@webkit.org>
Fix assertion after r237102
Modified: trunk/Source/WebKit/WebProcess/Plugins/PluginView.cpp (237111 => 237112)
--- trunk/Source/WebKit/WebProcess/Plugins/PluginView.cpp 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebKit/WebProcess/Plugins/PluginView.cpp 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1238,7 +1238,7 @@
if (!request->target().isNull()) {
// For security reasons, only allow JS requests to be made on the frame that contains the plug-in.
- if (frame->tree().find(request->target()) != frame) {
+ if (frame->tree().find(request->target(), *frame) != frame) {
// Let the plug-in know that its frame load failed.
m_plugin->frameDidFail(request->requestID(), false);
return;
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (237111 => 237112)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2018-10-15 15:34:39 UTC (rev 237112)
@@ -1,3 +1,13 @@
+2018-10-15 Chris Dumez <cdu...@apple.com>
+
+ Restrict browsing context lookup by name to frames that are related to one another
+ https://bugs.webkit.org/show_bug.cgi?id=190475
+
+ Reviewed by Alex Christensen.
+
+ * WebView/WebFrame.mm:
+ (-[WebFrame findFrameNamed:]):
+
2018-10-15 Alex Christensen <achristen...@webkit.org>
Remove InjectedBundle processing of back/forward lists
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebFrame.mm (237111 => 237112)
--- trunk/Source/WebKitLegacy/mac/WebView/WebFrame.mm 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebFrame.mm 2018-10-15 15:34:39 UTC (rev 237112)
@@ -2587,7 +2587,7 @@
Frame* coreFrame = _private->coreFrame;
if (!coreFrame)
return nil;
- return kit(coreFrame->tree().find(name));
+ return kit(coreFrame->tree().find(name, *coreFrame));
}
- (WebFrame *)parentFrame
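Review bot: `-[WebFrame findFrameNamed:]` is embedder-facing, and passing `*coreFrame` as the active frame makes it inherit the new relatedness filter, so a client would no longer get back a named frame that lives in an unrelated window. Neither this hunk nor the WebKitLegacy ChangeLog entry mentions that change for API clients. A comment on the method such as `// Only returns frames related to the receiver (same page, or linked through an opener chain).` would document it. The same applies to the `find(..., *coreFrame)` call in win/WebFrame.cpp; the method itself starts before this hunk.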
Modified: trunk/Source/WebKitLegacy/win/WebFrame.cpp (237111 => 237112)
--- trunk/Source/WebKitLegacy/win/WebFrame.cpp 2018-10-15 15:29:47 UTC (rev 237111)
+++ trunk/Source/WebKitLegacy/win/WebFrame.cpp 2018-10-15 15:34:39 UTC (rev 237112)
@@ -732,7 +732,7 @@
if (!coreFrame)
return E_UNEXPECTED;
- Frame* foundFrame = coreFrame->tree().find(AtomicString(name, SysStringLen(name)));
+ Frame* foundFrame = coreFrame->tree().find(AtomicString(name, SysStringLen(name)), *coreFrame);
if (!foundFrame)
return S_OK;