Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,3 +1,48 @@
+2019-05-02 Chris Dumez <[email protected]>
+
+ Setting a frame's src to a _javascript_ URL should not run it synchronously
+ https://bugs.webkit.org/show_bug.cgi?id=197466
+
+ Reviewed by Darin Adler.
+
+ * fast/dom/frame-src-_javascript_-url-async-expected.txt: Added.
+ * fast/dom/frame-src-_javascript_-url-async.html: Added.
+ Add layout test coverage for the fact that the _javascript_ URL is executed asynchronously
+ whether set during parsing or later via JS. Also makes sure that executing the _javascript_
+ URL asynchronously does not replace the frame's window. This test passes in both Chrome
+ and Firefox.
+
+ * imported/blink/fast/frames/navigation-in-pagehide.html:
+ Re-sync this test from the Blink repository.
+
+ * fast/dom/Element/id-in-frameset-expected.txt:
+ * fast/dom/Element/id-in-frameset.html:
+ * fast/dom/insertedIntoDocument-iframe-expected.txt:
+ * fast/dom/_javascript_-url-exception-isolation-expected.txt:
+ * fast/dom/_javascript_-url-exception-isolation.html:
+ * fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt:
+ * fast/dom/resources/_javascript_-url-crash-function-iframe.html:
+ * fast/frames/adopt-from-created-document.html:
+ * fast/frames/out-of-document-iframe-has-child-frame.html:
+ * fast/loader/_javascript_-url-iframe-remove-on-navigate-async-delegate.html:
+ * fast/loader/_javascript_-url-iframe-remove-on-navigate.html:
+ * fast/loader/unload-mutation-crash.html:
+ * fast/parser/resources/set-parent-to-_javascript_-url.html:
+ * fast/parser/xml-error-adopted.xml:
+ * http/tests/navigation/lockedhistory-iframe-expected.txt:
+ * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+ * http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level.html:
+ * http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame.html:
+ * http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url.html:
+ * imported/blink/loader/iframe-sync-loads-expected.txt:
+ * js/dom/call-base-resolution.html:
+ * platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt:
+ Update / Rebaseline existing tests to reflect behavior change. I ran those tests in Firefox and Chrome to confirm that our behavior
+ is indeed aligned.
+
2019-02-21 Daniel Bates <[email protected]>
Fix the test failure following r241918
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,2 +1,2 @@
-ALERT: 1
+ALERT: 2
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/Element/id-in-frameset.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,5 +1,10 @@
<html>
-
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
<frameset id="frameset">
<frame name="frame2" src=""
<frame name="frame1" src=""
@@ -16,6 +21,8 @@
top.frameset.removeChild(top.frame2.frameElement);
log(top.frameset.children.length);
+ if (window.testRunner)
+ testRunner.notifyDone();
">
<frame name="frame3" src=""
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async-expected.txt (0 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -0,0 +1,21 @@
+Checks that setting an iframe's src attribute to a _javascript_ URL runs the _javascript_ asynchronously
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame2.contentWindow is initialFrame2Window
+PASS frame2.contentDocument is initialFrame2Document
+PASS messages is "1234"
+PASS frame1.contentWindow is initialFrame1Window
+PASS frame1.contentDocument is initialFrame1Document
+PASS frame2.contentWindow is initialFrame2Window
+PASS frame2.contentDocument is initialFrame2Document
+PASS frame3.contentWindow is initialFrame3Window
+PASS frame3.contentDocument is not initialFrame3Document
+PASS frame3.contentWindow is initialFrame3Window
+PASS frame3.contentDocument is not initialFrame3Document
+PASS frame3.contentDocument.documentElement.textContent is "1"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async.html (0 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/frame-src-_javascript_-url-async.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Checks that setting an iframe's src attribute to a _javascript_ URL runs the _javascript_ asynchronously");
+jsTestIsAsync = true;
+
+let messages = "";
+const expectedMessageCount = 4;
+function log(msg)
+{
+ messages += msg;
+ if (messages.length == expectedMessageCount) {
+ shouldBeEqualToString("messages", "1234");
+ shouldBe("frame1.contentWindow", "initialFrame1Window");
+ shouldBe("frame1.contentDocument", "initialFrame1Document");
+ shouldBe("frame2.contentWindow", "initialFrame2Window");
+ shouldBe("frame2.contentDocument", "initialFrame2Document");
+ shouldBe("frame3.contentWindow", "initialFrame3Window");
+ // Firefox 66 and Chrome 74 disagree here, we match Chrome.
+ shouldNotBe("frame3.contentDocument", "initialFrame3Document");
+ setTimeout(() => {
+ shouldBe("frame3.contentWindow", "initialFrame3Window");
+ shouldNotBe("frame3.contentDocument", "initialFrame3Document");
+ shouldBeEqualToString("frame3.contentDocument.documentElement.textContent", "1");
+ finishJSTest();
+ }), 0;
+ }
+}
+</script>
+<iframe id="frame1" src=""
+<iframe id="frame2"></iframe>
+<iframe id="frame3" src=""
+<script>
+frame1 = document.getElementById("frame1");
+frame2 = document.getElementById("frame2");
+frame3 = document.getElementById("frame3");
+initialFrame1Window = frame1.contentWindow;
+initialFrame1Document = frame1.contentDocument;
+initialFrame2Window = frame2.contentWindow;
+initialFrame2Document = frame2.contentDocument;
+initialFrame3Window = frame3.contentWindow;
+initialFrame3Document = frame3.contentDocument;
+log('1');
+frame2.src = ""
+shouldBe("frame2.contentWindow", "initialFrame2Window");
+shouldBe("frame2.contentDocument", "initialFrame2Document");
+log('2');
+</script>
+</body>
+</html>
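Review bot: The `setTimeout` at the end of `log()` closes its argument list too early — `}), 0;` calls `setTimeout` with no delay argument and then evaluates `0` through the comma operator. It only works because an omitted delay is treated as 0; write it as `}, 0);` so the intent is explicit and a later change to a non-zero delay does not silently become a no-op.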
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/insertedIntoDocument-iframe-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1 +1,3 @@
+CONSOLE MESSAGE: line 1: TypeError: Argument 1 ('child') to Node.removeChild must be an instance of Node
PASS
+
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,5 +1,5 @@
CONSOLE MESSAGE: line 1: 42
-CONSOLE MESSAGE: line 25: SyntaxError: Unexpected token '<'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '<'
Exceptions thrown in _javascript_ URLs should not propagate to the main script.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/_javascript_-url-exception-isolation.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -20,9 +20,12 @@
}
shouldBeFalse('caughtException');
+var subframe2 = document.createElement("iframe");
+document.body.appendChild(subframe2);
+
// Compile-time exception.
try {
- subframe.src = '';
+ subframe2.src = '';
} catch(e) {
caughtException = true;
}
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 14: SyntaxError: Unexpected identifier 'orem'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected identifier 'orem'
This tests that we do not assert when a malformed JS URL is passed to the 'src' attribute of an iframe. The test passes if it does not ASSERT.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/_javascript_-url-crash-function-iframe.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/_javascript_-url-crash-function-iframe.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/dom/resources/_javascript_-url-crash-function-iframe.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -16,7 +16,9 @@
setTimeout(function ()
{
test();
- if (window.testRunner)
- testRunner.notifyDone();
+ top.setTimeout(() => {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
}, 0);
</script>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/adopt-from-created-document.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -8,10 +8,10 @@
alert(2);
var ifr = doc.createElement('iframe');
alert(3);
-ifr.setAttribute('src', '_javascript_:alert(6)');
+ifr.setAttribute('src', '_javascript_:alert(7)');
alert(4);
var adopted = document.adoptNode(ifr)
alert(5);
document.body.appendChild(adopted);
-alert(7);
+alert(6);
</script>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/frames/out-of-document-iframe-has-child-frame.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,6 +1,6 @@
<html>
<head>
-<script src=""
+<script src=""
</head>
<body>
<div id="main"/>
@@ -7,6 +7,7 @@
<script>
description("This tests that several ways of making an iframe that isn't inserted into a document tree"
+ " but has a child frame will fail.");
+jsTestIsAsync = true;
main = document.getElementById("main");
@@ -44,9 +45,11 @@
helperFrame.src = ""
document.body.appendChild(container);
} catch (e) { }
-shouldBeTrue("targetFrame3.contentWindow == undefined");
-isSuccessfullyParsed();
+setTimeout(() => {
+ shouldBeTrue("targetFrame3.contentWindow == undefined");
+ finishJSTest();
+}, 0);
</script>
</body>
</html>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate-async-delegate.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate-async-delegate.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate-async-delegate.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -8,13 +8,14 @@
}
let frame = document.getElementById("target");
-frame.contentWindow._onbeforeunload_ = function() {
- setTimeout(function() {
- frame.src = ""
- }, 0);
-};
window.addEventListener("load", function() {
+ frame.contentWindow._onbeforeunload_ = function() {
+ setTimeout(function() {
+ frame.src = ""
+ }, 0);
+ };
+
document.write("PASS - _javascript_ URL blocked without crashing.");
if (window.testRunner)
testRunner.notifyDone();
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/_javascript_-url-iframe-remove-on-navigate.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -6,13 +6,13 @@
}
let frame = document.getElementById("target");
-frame.contentWindow._onbeforeunload_ = function() {
- setTimeout(function() {
- frame.src = ""
- }, 0);
-};
window.addEventListener("load", function() {
+ frame.contentWindow._onbeforeunload_ = function() {
+ setTimeout(function() {
+ frame.src = ""
+ }, 0);
+ };
document.write("PASS - _javascript_ URL blocked without crashing.");
if (window.testRunner)
testRunner.notifyDone();
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/loader/unload-mutation-crash.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -2,8 +2,10 @@
<html>
<head>
<script>
-if (window.testRunner)
- window.testRunner.dumpAsText();
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
function start() {
window.firstFrame = document.createElement('iframe');
@@ -20,6 +22,8 @@
window.firstFrame.src = '';
document.write("PASS. WebKit didn't crash.");
+ if (window.testRunner)
+ testRunner.notifyDone();
}
</script>
</head>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-_javascript_-url.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-_javascript_-url.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/resources/set-parent-to-_javascript_-url.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,7 +1,7 @@
<script>
const parent = window.parent;
alert(1);
-parent.document.getElementsByTagName('iframe')[0].src = ""
-alert(4);
+parent.document.getElementsByTagName('iframe')[0].src = ""
+alert(2);
parent.setTimeout("done()", 0);
</script>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/fast/parser/xml-error-adopted.xml 2019-05-17 10:15:15 UTC (rev 245444)
@@ -15,7 +15,9 @@
testRunner.notifyDone();
}
-setTimeout(test, 0);
+_onload_ = () => {
+ setTimeout(test, 0);
+};
</script>
<elt attr="1" attr="2"/>
-</svg>
\ No newline at end of file
+</svg>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/navigation/lockedhistory-iframe-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -4,5 +4,6 @@
============== Back Forward List ==============
curr-> http://127.0.0.1:8000/navigation/lockedhistory-iframe.html **nav target**
- about:blank (in frame "<!--frame1-->")
+ http://127.0.0.1:8000/navigation/lockedhistory-iframe.html# (in frame "<!--frame1-->")
+ about:blank (in frame "<!--frame2-->")
===============================================
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -6,8 +6,9 @@
frame "<!--frame2-->" - didFinishDocumentLoadForFrame
frame "<!--frame2-->" - didHandleOnloadEventsForFrame
frame "<!--frame2-->" - didFinishLoadForFrame
+frame "<!--frame2-->" - willPerformClientRedirectToURL: _javascript_:document.write('%3Cimg%20src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22%3E');
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
frame "<!--frame1-->" - didFinishLoadForFrame
main frame - didFinishLoadForFrame
This test loads a secure iframe that loads an insecure image inside a _javascript_ URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a _javascript_ URL executes in the same origin as its embedding document.
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,7 +1,7 @@
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-ALERT: PASS
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+ALERT: PASS
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to load _javascript_:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
CONSOLE MESSAGE: Refused to load _javascript_:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,7 +1,7 @@
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame-2-level.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -7,11 +7,13 @@
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
}
var innerURL = '_javascript_:\\\"<html>'
+ "<scr" + "ipt>"
+ 'top.document.getElementById(\\\\\\\"accessMe\\\\\\\").innerHTML = \\\\\\\"PASS: Cross frame access from a _javascript_: URL inside another _javascript_: URL was allowed!\\\\\\\";'
+ + 'top.setTimeout(() => { testRunner.notifyDone(); }, 0);'
+ "</scri" + "pt>"
+ "<body>"
+ "<p>Inner-inner iframe.</p>"
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-from-_javascript_-url-sub-frame.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -7,6 +7,7 @@
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
}
var url = ""
@@ -20,6 +21,12 @@
var iframe = document.getElementById("aFrame");
iframe.src = ""
+ _onload_ = () => {
+ setTimeout(() => {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }
</script>
</body>
</html>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/_javascript_URL/xss-ALLOWED-to-_javascript_-url-from-javscript-url.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -7,6 +7,7 @@
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
}
var innerURL = '_javascript_:\\\"<html>'
@@ -30,6 +31,13 @@
var iframe = document.getElementById("aFrame");
iframe.src = ""
+
+ _onload_ = () => {
+ setTimeout(() => {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ };
</script>
</body>
</html>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/fast/frames/navigation-in-pagehide.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -17,7 +17,7 @@
var div = document.createElement('div');
firstFrame.appendChild(div);
secondFrame = document.createElement('iframe');
- secondFrame.src = '';
+ secondFrame.src = '';
div.appendChild(secondFrame);
var firstFrameRoot = firstFrame.contentDocument.documentElement;
document.documentElement.appendChild(div);
@@ -24,13 +24,6 @@
firstFrameRoot.appendChild(secondFrame);
}
-function maybeStart() {
- if (callbackCount++ > 1) {
- reallyStart();
- return;
- }
-}
-
function reallyStart(frame) {
secondFrame.contentWindow._onpagehide_ = function () {
firstFrame.src = '';
@@ -39,7 +32,7 @@
if (window.location.hash == '#done') {
if (window.testRunner)
- window.testRunner.notifyDone();
+ testRunner.notifyDone();
return;
}
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/imported/blink/loader/iframe-sync-loads-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,4 +1,4 @@
- sync : src = ""
+ASYNC : src = ""
ASYNC : src = ""
ASYNC : srcdoc = "content"
done
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/js/dom/call-base-resolution.html 2019-05-17 10:15:15 UTC (rev 245444)
@@ -4,7 +4,7 @@
</head>
<body>
-<script src=""
+<script src=""
<script>
window.name = "o";
function f() {
@@ -77,7 +77,5 @@
parent.testFailed(results + ' should be ' + expected + ', but was not.');
">
</iframe>
-<script src=""
-
</body>
</html>
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-_javascript_-url-iframe-in-iframe-expected.txt 2019-05-17 10:15:15 UTC (rev 245444)
@@ -6,8 +6,9 @@
frame "<!--frame2-->" - didFinishDocumentLoadForFrame
frame "<!--frame2-->" - didHandleOnloadEventsForFrame
frame "<!--frame2-->" - didFinishLoadForFrame
+frame "<!--frame2-->" - willPerformClientRedirectToURL: _javascript_:document.write('<img src=""
+frame "<!--frame1-->" - didFinishDocumentLoadForFrame
CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
-frame "<!--frame1-->" - didFinishDocumentLoadForFrame
frame "<!--frame1-->" - didFinishLoadForFrame
main frame - didFinishLoadForFrame
This test loads a secure iframe that loads an insecure image inside a _javascript_ URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a _javascript_ URL executes in the same origin as its embedding document.
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-05-17 10:15:15 UTC (rev 245444)
@@ -1,3 +1,33 @@
+2019-05-02 Chris Dumez <[email protected]>
+
+ Setting a frame's src to a _javascript_ URL should not run it synchronously
+ https://bugs.webkit.org/show_bug.cgi?id=197466
+
+ Reviewed by Darin Adler.
+
+ When an iframe's src attribute is set to a _javascript_ URL, whether when parsing
+ or later on via JS, we now execute the URL's _javascript_ asynchronously. We used
+ to execute it synchronously, which was a source of bugs and also did not match
+ other browsers.
+
+ I have verified that our new behavior is aligned with both Firefox and Chrome.
+
+ Note that for backward-compatibility and interoperability with Blink
+ (https://bugs.chromium.org/p/chromium/issues/detail?id=923585), the
+ "_javascript_:''" URL will still run synchronously. We should consider dropping
+ this quirk at some point.
+
+ Test: fast/dom/frame-src-_javascript_-url-async.html
+
+ * loader/NavigationScheduler.cpp:
+ (WebCore::ScheduledLocationChange::ScheduledLocationChange):
+ (WebCore::ScheduledLocationChange::~ScheduledLocationChange):
+ (WebCore::NavigationScheduler::scheduleLocationChange):
+ * loader/NavigationScheduler.h:
+ (WebCore::NavigationScheduler::scheduleLocationChange):
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::requestFrame):
+
2019-02-21 Daniel Bates <[email protected]>
Same Site Lax cookies are not sent with cross-site redirect from client-initiated load
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.cpp 2019-05-17 10:15:15 UTC (rev 245444)
@@ -193,9 +193,18 @@
class ScheduledLocationChange : public ScheduledURLNavigation {
public:
- ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad)
- : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true) { }
+ ScheduledLocationChange(Document& initiatingDocument, SecurityOrigin* securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, bool duringLoad, CompletionHandler<void()>&& completionHandler)
+ : ScheduledURLNavigation(initiatingDocument, 0.0, securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, true)
+ , m_completionHandler(WTFMove(completionHandler))
+ {
+ }
+ ~ScheduledLocationChange()
+ {
+ if (m_completionHandler)
+ m_completionHandler();
+ }
+
void fire(Frame& frame) override
{
UserGestureIndicator gestureIndicator { userGestureToForward() };
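Review bot: The destructor added on L593-L597 runs `m_completionHandler` when a ScheduledLocationChange is destroyed without ever firing, but nothing states that this is the cancellation path and that it exists to keep the caller's bookkeeping balanced (the SubframeLoader caller in this commit uses the handler to undo a load-event delay). A comment above the destructor would make the contract explicit, e.g. `// A navigation that is discarded before firing must still run its completion handler, so caller state (e.g. load-event delay counts) stays balanced.` Because the handler executes arbitrary caller code from inside a destructor, presumably on whatever path in NavigationScheduler discards a pending navigation (outside this hunk), it is also worth noting there that handlers passed in must be safe to run re-entrantly from that context.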
@@ -203,8 +212,13 @@
ResourceRequest resourceRequest { url(), referrer(), ResourceRequestCachePolicy::UseProtocolCachePolicy };
FrameLoadRequest frameLoadRequest { initiatingDocument(), *securityOrigin(), resourceRequest, "_self", lockHistory(), lockBackForwardList(), MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, shouldOpenExternalURLs(), initiatedByMainFrame() };
+ auto completionHandler = WTFMove(m_completionHandler);
frame.loader().changeLocation(WTFMove(frameLoadRequest));
+ completionHandler();
}
+
+private:
+ CompletionHandler<void()> m_completionHandler;
};
class ScheduledRefresh : public ScheduledURLNavigation {
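Review bot: The move-out on L605 before `changeLocation()` is the load-bearing line of this hunk — together with the `if (m_completionHandler)` check in the new destructor it is what prevents the handler from running twice if, as the pattern suggests, `this` can be destroyed during the navigation — yet it reads like an incidental local. A one-line comment would preserve the intent for the next reader: `// Move the handler out first: changeLocation() may destroy this object, and ~ScheduledLocationChange() would otherwise run it a second time.` The unconditional call on L607 relies on that ordering as well.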
@@ -405,10 +419,10 @@
return LockBackForwardList::No;
}
-void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+void NavigationScheduler::scheduleLocationChange(Document& initiatingDocument, SecurityOrigin& securityOrigin, const URL& url, const String& referrer, LockHistory lockHistory, LockBackForwardList lockBackForwardList, CompletionHandler<void()>&& completionHandler)
{
if (!shouldScheduleNavigation(url))
- return;
+ return completionHandler();
if (lockBackForwardList == LockBackForwardList::No)
lockBackForwardList = mustLockBackForwardList(m_frame);
@@ -424,7 +438,7 @@
FrameLoadRequest frameLoadRequest { initiatingDocument, securityOrigin, resourceRequest, "_self"_s, lockHistory, lockBackForwardList, MaybeSendReferrer, AllowNavigationToInvalidURL::No, NewFrameOpenerPolicy::Allow, initiatingDocument.shouldOpenExternalURLsPolicyToPropagate(), initiatedByMainFrame };
loader.changeLocation(WTFMove(frameLoadRequest));
- return;
+ return completionHandler();
}
// Handle a location change of a page with no document as a special case.
@@ -431,7 +445,7 @@
// This may happen when a frame changes the location of another frame.
bool duringLoad = !loader.stateMachine().committedFirstRealDocumentLoad();
- schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad));
+ schedule(std::make_unique<ScheduledLocationChange>(initiatingDocument, &securityOrigin, url, referrer, lockHistory, lockBackForwardList, duringLoad, WTFMove(completionHandler)));
}
void NavigationScheduler::scheduleFormSubmission(Ref<FormSubmission>&& submission)
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/NavigationScheduler.h 2019-05-17 10:15:15 UTC (rev 245444)
@@ -53,7 +53,7 @@
bool locationChangePending();
void scheduleRedirect(Document& initiatingDocument, double delay, const URL&);
- void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes);
+ void scheduleLocationChange(Document& initiatingDocument, SecurityOrigin&, const URL&, const String& referrer, LockHistory = LockHistory::Yes, LockBackForwardList = LockBackForwardList::Yes, CompletionHandler<void()>&& = [] { });
void scheduleFormSubmission(Ref<FormSubmission>&&);
void scheduleRefresh(Document& initiatingDocument);
void scheduleHistoryNavigation(int steps);
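Review bot: The declaration on L646 now spells `CompletionHandler<void()>` in a default argument, but this hunk does not show NavigationScheduler.h gaining the matching include, whereas SubframeLoader.cpp does get `#include <wtf/CompletionHandler.h>` in the same commit. If the header currently sees the type only transitively, add `#include <wtf/CompletionHandler.h>` to its include block so the declaration does not depend on include order at each call site. The `[] { }` default constructs a fresh CompletionHandler temporary at every caller that omits the argument, which matches how the implementation consumes it (called on L622/L629 or moved on L636).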
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp (245443 => 245444)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp 2019-05-17 10:14:58 UTC (rev 245443)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/loader/SubframeLoader.cpp 2019-05-17 10:15:15 UTC (rev 245444)
@@ -56,6 +56,7 @@
#include "SecurityOrigin.h"
#include "SecurityPolicy.h"
#include "Settings.h"
+#include <wtf/CompletionHandler.h>
namespace WebCore {
@@ -86,17 +87,27 @@
if (shouldConvertInvalidURLsToBlank() && !url.isValid())
url = ""
- bool hasExistingFrame = ownerElement.contentFrame();
+ // If we will schedule a _javascript_ URL load, we need to delay the firing of the load event at least until we've run the _javascript_ in the URL.
+ CompletionHandlerCallingScope stopDelayingLoadEvent;
+ if (!scriptURL.isEmpty()) {
+ ownerElement.document().incrementLoadEventDelayCount();
+ stopDelayingLoadEvent = CompletionHandlerCallingScope([ownerDocument = makeRef(ownerElement.document())] {
+ ownerDocument->decrementLoadEventDelayCount();
+ });
+ }
+
Frame* frame = loadOrRedirectSubframe(ownerElement, url, frameName, lockHistory, lockBackForwardList);
if (!frame)
return false;
- // If we create a new subframe then an empty document is loaded into it synchronously and may
- // cause script execution (say, via a DOM load event handler) that can do anything, including
- // navigating the subframe. We only want to evaluate scriptURL if the frame has not been navigated.
- bool canExecuteScript = hasExistingFrame || (frame->loader().documentLoader() && frame->loader().documentLoader()->originalURL() == WTF::blankURL());
- if (!scriptURL.isEmpty() && canExecuteScript && ownerElement.isURLAllowed(scriptURL))
- frame->script().executeIfJavaScriptURL(scriptURL);
+ if (!scriptURL.isEmpty() && ownerElement.isURLAllowed(scriptURL)) {
+ // FIXME: Some sites rely on the _javascript_:'' loading synchronously, which is why we have this special case.
+ // Blink has the same workaround (https://bugs.chromium.org/p/chromium/issues/detail?id=923585).
+ if (urlString == "_javascript_:''" || urlString == "_javascript_:\"\"")
+ frame->script().executeIfJavaScriptURL(scriptURL);
+ else
+ frame->navigationScheduler().scheduleLocationChange(ownerElement.document(), ownerElement.document().securityOrigin(), scriptURL, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList, stopDelayingLoadEvent.release());
+ }
return true;
}
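Review bot: The synchronous `javascript:''` branch on L684-L685 no longer carries the `canExecuteScript` guard the removed lines computed (`hasExistingFrame || frame->loader().documentLoader()->originalURL() == WTF::blankURL()`), so if the freshly created subframe was navigated by script during `loadOrRedirectSubframe` (the hazard the removed comment on L675-L677 described), the quirk path still calls `executeIfJavaScriptURL` against whatever document is now in the frame. Evaluating an empty program is probably harmless, but the reasoning should be visible: either restore the guard for this branch (`bool hasExistingFrame = ownerElement.contentFrame();` before the load, recompute `canExecuteScript` after it, and add `&& canExecuteScript` to the condition on L684) or add a comment stating why it can be skipped when the script is the empty string. Separately, `ownerElement.isURLAllowed(scriptURL)` on L681 is evaluated when `src` is set while the scheduled execution happens later; the test named in the ChangeLog covers window replacement, but a short comment noting that the deferred path relies on `changeLocation()` re-applying navigation policy at fire time would help the next reader. `requestFrame` starts before this hunk.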