Title: [245538] trunk
- Revision
- 245538
- Author
- [email protected]
- Date
- 2019-05-20 15:53:03 -0700 (Mon, 20 May 2019)
Log Message
Fix security check in ScriptController::canAccessFromCurrentOrigin()
https://bugs.webkit.org/show_bug.cgi?id=196730
<rdar://problem/49731231>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Fix security check in ScriptController::canAccessFromCurrentOrigin() when there is no
current JS exec state. Instead of returning true unconditionally, we now fall back to
using the accessing document's origin for the security check. The new behavior is
aligned with Blink:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62
This fix is based on a patch from Sergei Glazunov <[email protected]>.
Test: http/tests/security/showModalDialog-sync-cross-origin-page-load2.html
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::canAccessFromCurrentOrigin):
* bindings/js/ScriptController.h:
* html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::isURLAllowed const):
LayoutTests:
Add layout test coverage.
* http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt: Added.
* http/tests/security/showModalDialog-sync-cross-origin-page-load2.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (245537 => 245538)
--- trunk/LayoutTests/ChangeLog 2019-05-20 21:20:02 UTC (rev 245537)
+++ trunk/LayoutTests/ChangeLog 2019-05-20 22:53:03 UTC (rev 245538)
@@ -1,3 +1,16 @@
+2019-05-20 Chris Dumez <[email protected]>
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin()
+ https://bugs.webkit.org/show_bug.cgi?id=196730
+ <rdar://problem/49731231>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test coverage.
+
+ * http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt: Added.
+ * http/tests/security/showModalDialog-sync-cross-origin-page-load2.html: Added.
+
2019-05-20 Gabe Giosia <[email protected]>
Range getBoundingClientRect returning zero rect on simple text node with <br> before it
Added: trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt (0 => 245538)
--- trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt 2019-05-20 22:53:03 UTC (rev 245538)
@@ -0,0 +1,2 @@
+This test passes if it does not alert the fail.html's content when clicking the button.
+
Added: trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html (0 => 245538)
--- trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html 2019-05-20 22:53:03 UTC (rev 245538)
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html>
+<body>
+<b>This test passes if it does not alert the fail.html's content when clicking the button.</b><br>
+<input id="testButton" type="button" value="Click me"></input>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+}
+
+let counter = 0;
+function run(event) {
+ ++counter;
+ if (counter == 2) {
+ event.target.src = ""
+ } else if (counter == 3) {
+ frame = event.target;
+
+ a = frame.contentDocument.createElement("a");
+ a.href = ""
+ a.click();
+
+ showModalDialog(URL.createObjectURL(new Blob([`
+ <script>
+ timeout = 0;
+ let intervalID = setInterval(() => {
+ try {
+ opener.frame.contentWindow.foo;
+ timeout++;
+ if (timeout == 200)
+ throw "";
+ } catch (e) {
+ clearInterval(intervalID);
+
+ window.close();
+ if (window.testRunner)
+ testRunner.abortModal();
+ }
+ }, 10);
+ </scr` + "ipt>"], {type: "text/html"})));
+
+ setTimeout(() => {
+ setTimeout(() => {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ }
+}
+
+testButton._onclick_ = _ => {
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.contentWindow.location = `_javascript_:'<b><p><iframe`
+ + ` _onload_="top.run(event)"></iframe></b></p>'`;
+}
+
+cache_frame = document.body.appendChild(document.createElement("iframe"));
+cache_frame.src = ""
+cache_frame.style.display = "none";
+
+_onload_ = function() {
+ if (!window.internals)
+ return;
+
+ internals.withUserGesture(() => {
+ testButton.click();
+ });
+}
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (245537 => 245538)
--- trunk/Source/WebCore/ChangeLog 2019-05-20 21:20:02 UTC (rev 245537)
+++ trunk/Source/WebCore/ChangeLog 2019-05-20 22:53:03 UTC (rev 245538)
@@ -1,3 +1,27 @@
+2019-05-20 Chris Dumez <[email protected]>
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin()
+ https://bugs.webkit.org/show_bug.cgi?id=196730
+ <rdar://problem/49731231>
+
+ Reviewed by Ryosuke Niwa.
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin() when there is no
+ current JS exec state. Instead of returning true unconditionally, we now fall back to
+ using the accessing document's origin for the security check. The new behavior is
+ aligned with Blink:
+ https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62
+
+ This fix is based on a patch from Sergei Glazunov <[email protected]>.
+
+ Test: http/tests/security/showModalDialog-sync-cross-origin-page-load2.html
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::canAccessFromCurrentOrigin):
+ * bindings/js/ScriptController.h:
+ * html/HTMLFrameElementBase.cpp:
+ (WebCore::HTMLFrameElementBase::isURLAllowed const):
+
2019-05-20 Gabe Giosia <[email protected]>
Range getBoundingClientRect returning zero rect on simple text node with <br> before it
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (245537 => 245538)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2019-05-20 21:20:02 UTC (rev 245537)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2019-05-20 22:53:03 UTC (rev 245538)
@@ -383,13 +383,15 @@
jsWindowProxy->window()->setWebAssemblyEnabled(false, errorMessage);
}
-bool ScriptController::canAccessFromCurrentOrigin(Frame* frame)
+bool ScriptController::canAccessFromCurrentOrigin(Frame* frame, Document& accessingDocument)
{
auto* state = JSExecState::currentState();
- // If the current state is null we're in a call path where the DOM security check doesn't apply (eg. parser).
- if (!state)
- return true;
+ // If the current state is null we should use the accessing document for the security check.
+ if (!state) {
+ auto* targetDocument = frame ? frame->document() : nullptr;
+ return targetDocument && accessingDocument.securityOrigin().canAccess(targetDocument->securityOrigin());
+ }
return BindingSecurity::shouldAllowAccessToFrame(state, frame);
}
Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (245537 => 245538)
--- trunk/Source/WebCore/bindings/js/ScriptController.h 2019-05-20 21:20:02 UTC (rev 245537)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h 2019-05-20 22:53:03 UTC (rev 245538)
@@ -123,7 +123,7 @@
void disableEval(const String& errorMessage);
void disableWebAssembly(const String& errorMessage);
- static bool canAccessFromCurrentOrigin(Frame*);
+ static bool canAccessFromCurrentOrigin(Frame*, Document& accessingDocument);
WEBCORE_EXPORT bool canExecuteScripts(ReasonForCallingCanExecuteScripts);
void setPaused(bool b) { m_paused = b; }
Modified: trunk/Source/WebCore/html/HTMLFrameElementBase.cpp (245537 => 245538)
--- trunk/Source/WebCore/html/HTMLFrameElementBase.cpp 2019-05-20 21:20:02 UTC (rev 245537)
+++ trunk/Source/WebCore/html/HTMLFrameElementBase.cpp 2019-05-20 22:53:03 UTC (rev 245538)
@@ -73,7 +73,7 @@
if (WTF::protocolIsJavaScript(completeURL)) {
RefPtr<Document> contentDoc = this->contentDocument();
- if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame()))
+ if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame(), document()))
return false;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
