Title: [248227] releases/WebKitGTK/webkit-2.24
- Revision
- 248227
- Author
- [email protected]
- Date
- 2019-08-03 20:22:58 -0700 (Sat, 03 Aug 2019)
Log Message
Merge r245538 - Fix security check in ScriptController::canAccessFromCurrentOrigin()
https://bugs.webkit.org/show_bug.cgi?id=196730
<rdar://problem/49731231>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Fix security check in ScriptController::canAccessFromCurrentOrigin() when there is no
current JS exec state. Instead of returning true unconditionally, we now fall back to
using the accessing document's origin for the security check. The new behavior is
aligned with Blink:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62
This fix is based on a patch from Sergei Glazunov <[email protected]>.
Test: http/tests/security/showModalDialog-sync-cross-origin-page-load2.html
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::canAccessFromCurrentOrigin):
* bindings/js/ScriptController.h:
* html/HTMLFrameElementBase.cpp:
(WebCore::HTMLFrameElementBase::isURLAllowed const):
LayoutTests:
Add layout test coverage.
* http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt: Added.
* http/tests/security/showModalDialog-sync-cross-origin-page-load2.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (248226 => 248227)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-08-04 03:22:54 UTC (rev 248226)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-08-04 03:22:58 UTC (rev 248227)
@@ -1,3 +1,16 @@
+2019-05-20 Chris Dumez <[email protected]>
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin()
+ https://bugs.webkit.org/show_bug.cgi?id=196730
+ <rdar://problem/49731231>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test coverage.
+
+ * http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt: Added.
+ * http/tests/security/showModalDialog-sync-cross-origin-page-load2.html: Added.
+
2019-05-08 Zalan Bujtas <[email protected]>
Do not mix inline and block level boxes.
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt (0 => 248227)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2-expected.txt 2019-08-04 03:22:58 UTC (rev 248227)
@@ -0,0 +1,2 @@
+This test passes if it does not alert the fail.html's content when clicking the button.
+
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html (0 => 248227)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/showModalDialog-sync-cross-origin-page-load2.html 2019-08-04 03:22:58 UTC (rev 248227)
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html>
+<body>
+<b>This test passes if it does not alert the fail.html's content when clicking the button.</b><br>
+<input id="testButton" type="button" value="Click me"></input>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+}
+
+let counter = 0;
+function run(event) {
+ ++counter;
+ if (counter == 2) {
+ event.target.src = ""
+ } else if (counter == 3) {
+ frame = event.target;
+
+ a = frame.contentDocument.createElement("a");
+ a.href = ""
+ a.click();
+
+ showModalDialog(URL.createObjectURL(new Blob([`
+ <script>
+ timeout = 0;
+ let intervalID = setInterval(() => {
+ try {
+ opener.frame.contentWindow.foo;
+ timeout++;
+ if (timeout == 200)
+ throw "";
+ } catch (e) {
+ clearInterval(intervalID);
+
+ window.close();
+ if (window.testRunner)
+ testRunner.abortModal();
+ }
+ }, 10);
+ </scr` + "ipt>"], {type: "text/html"})));
+
+ setTimeout(() => {
+ setTimeout(() => {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ }
+}
+
+testButton._onclick_ = _ => {
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.contentWindow.location = `_javascript_:'<b><p><iframe`
+ + ` _onload_="top.run(event)"></iframe></b></p>'`;
+}
+
+cache_frame = document.body.appendChild(document.createElement("iframe"));
+cache_frame.src = ""
+cache_frame.style.display = "none";
+
+_onload_ = function() {
+ if (!window.internals)
+ return;
+
+ internals.withUserGesture(() => {
+ testButton.click();
+ });
+}
+</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (248226 => 248227)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-08-04 03:22:54 UTC (rev 248226)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-08-04 03:22:58 UTC (rev 248227)
@@ -1,3 +1,27 @@
+2019-05-20 Chris Dumez <[email protected]>
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin()
+ https://bugs.webkit.org/show_bug.cgi?id=196730
+ <rdar://problem/49731231>
+
+ Reviewed by Ryosuke Niwa.
+
+ Fix security check in ScriptController::canAccessFromCurrentOrigin() when there is no
+ current JS exec state. Instead of returning true unconditionally, we now fall back to
+ using the accessing document's origin for the security check. The new behavior is
+ aligned with Blink:
+ https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/html/html_frame_element_base.cc?rcl=d3f22423d512b45466f1694020e20da9e0c6ee6a&l=62
+
+ This fix is based on a patch from Sergei Glazunov <[email protected]>.
+
+ Test: http/tests/security/showModalDialog-sync-cross-origin-page-load2.html
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::canAccessFromCurrentOrigin):
+ * bindings/js/ScriptController.h:
+ * html/HTMLFrameElementBase.cpp:
+ (WebCore::HTMLFrameElementBase::isURLAllowed const):
+
2019-05-10 Brent Fulgham <[email protected]>
Gracefully handle inaccessible font face data
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.cpp (248226 => 248227)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.cpp 2019-08-04 03:22:54 UTC (rev 248226)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.cpp 2019-08-04 03:22:58 UTC (rev 248227)
@@ -378,13 +378,15 @@
jsWindowProxy->window()->setWebAssemblyEnabled(false, errorMessage);
}
-bool ScriptController::canAccessFromCurrentOrigin(Frame* frame)
+bool ScriptController::canAccessFromCurrentOrigin(Frame* frame, Document& accessingDocument)
{
auto* state = JSExecState::currentState();
- // If the current state is null we're in a call path where the DOM security check doesn't apply (eg. parser).
- if (!state)
- return true;
+ // If the current state is null we should use the accessing document for the security check.
+ if (!state) {
+ auto* targetDocument = frame ? frame->document() : nullptr;
+ return targetDocument && accessingDocument.securityOrigin().canAccess(targetDocument->securityOrigin());
+ }
return BindingSecurity::shouldAllowAccessToFrame(state, frame);
}
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.h (248226 => 248227)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.h 2019-08-04 03:22:54 UTC (rev 248226)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/bindings/js/ScriptController.h 2019-08-04 03:22:58 UTC (rev 248227)
@@ -119,7 +119,7 @@
void disableEval(const String& errorMessage);
void disableWebAssembly(const String& errorMessage);
- static bool canAccessFromCurrentOrigin(Frame*);
+ static bool canAccessFromCurrentOrigin(Frame*, Document& accessingDocument);
WEBCORE_EXPORT bool canExecuteScripts(ReasonForCallingCanExecuteScripts);
void setPaused(bool b) { m_paused = b; }
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLFrameElementBase.cpp (248226 => 248227)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLFrameElementBase.cpp 2019-08-04 03:22:54 UTC (rev 248226)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/html/HTMLFrameElementBase.cpp 2019-08-04 03:22:58 UTC (rev 248227)
@@ -73,7 +73,7 @@
if (WTF::protocolIsJavaScript(completeURL)) {
RefPtr<Document> contentDoc = this->contentDocument();
- if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame()))
+ if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame(), document()))
return false;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
