Diff
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt (253417 => 253418)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt 2019-12-12 03:51:12 UTC (rev 253418)
@@ -3,6 +3,7 @@
SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
+SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match.
--------
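Review bot: The added expected line is byte-identical to the three SecurityError lines above it, so this baseline cannot show which assignment in the test now throws. Consider having the test log the property name next to each caught exception so a later regression in a single property is attributable from the expected file alone.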
Modified: trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt (253417 => 253418)
--- trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2019-12-12 03:51:12 UTC (rev 253418)
@@ -36,7 +36,7 @@
PASS frames[0].location.hash = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
PASS frames[0].location.origin = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
PASS frames[0].location.ancestorOrigins = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
-FAIL frames[0].location.toString = 1 should throw a SecurityError. Did not throw.
+PASS frames[0].location.toString = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
PASS frames[0].location.reload = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
PASS frames[0].location.replace = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
PASS frames[0].location.assign = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
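Review bot: Only the toString line flips from FAIL to PASS in this context, while the change is described as covering toString / valueOf, and no frames[0].location.valueOf = 1 check is visible among these lines. If the test does not already have one elsewhere, add it so that both names are pinned by this baseline.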
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (253417 => 253418)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2019-12-12 03:51:12 UTC (rev 253418)
@@ -1,5 +1,19 @@
2019-12-11 Chris Dumez <[email protected]>
+ Trying to set toString / valueOf on a cross-origin Location object should throw a SecurityError
+ https://bugs.webkit.org/show_bug.cgi?id=205143
+
+ Reviewed by Ryosuke Niwa.
+
+ * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
+ Rebaseline WPT test now that more checks are passing.
+
+ * web-platform-tests/html/browsers/origin/cross-origin-objects/frame.html:
+ Resync from upstream ab28e18f067f17a76d9. This was causing 3 sanity checks in cross-origin-objects.html
+ to fail.
+
+2019-12-11 Chris Dumez <[email protected]>
+
[Bindings] Cross-origin checks happen too late for overloaded methods
https://bugs.webkit.org/show_bug.cgi?id=205092
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt (253417 => 253418)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2019-12-12 03:51:12 UTC (rev 253418)
@@ -8,18 +8,12 @@
CONSOLE MESSAGE: Unable to post message to http://does-not.exist. Recipient has origin http://127.0.0.1:8800.
-FAIL Basic sanity-checking (cross-origin) assert_equals: Overrides visible in the same-origin case expected (string) "override" but got (function) function "function focus() {
- [native code]
-}"
-FAIL Basic sanity-checking (same-origin + document.domain) assert_equals: Overrides visible in the same-origin case expected (string) "override" but got (function) function "function focus() {
- [native code]
-}"
-FAIL Basic sanity-checking (cross-site) assert_equals: Overrides visible in the same-origin case expected (string) "override" but got (function) function "function focus() {
- [native code]
-}"
-FAIL Only whitelisted properties are accessible cross-origin (cross-origin) assert_throws: Should throw when writing to toString on Location function "function () { win.location[prop] = undefined; }" did not throw
-FAIL Only whitelisted properties are accessible cross-origin (same-origin + document.domain) assert_throws: Should throw when writing to toString on Location function "function () { win.location[prop] = undefined; }" did not throw
-FAIL Only whitelisted properties are accessible cross-origin (cross-site) assert_throws: Should throw when writing to toString on Location function "function () { win.location[prop] = undefined; }" did not throw
+PASS Basic sanity-checking (cross-origin)
+PASS Basic sanity-checking (same-origin + document.domain)
+PASS Basic sanity-checking (cross-site)
+PASS Only whitelisted properties are accessible cross-origin (cross-origin)
+PASS Only whitelisted properties are accessible cross-origin (same-origin + document.domain)
+PASS Only whitelisted properties are accessible cross-origin (cross-site)
FAIL Only whitelisted properties are usable as cross-origin this objects (cross-origin) promise_test: Unhandled rejection with value: object "SyntaxError: The string did not match the expected pattern."
FAIL Only whitelisted properties are usable as cross-origin this objects (same-origin + document.domain) assert_throws: Should throw when calling window.AudioContext with cross-origin this object function "function webkitAudioContext() {
[native code]
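Review bot: The three removed "Basic sanity-checking" failures report expected "override" but got function focus(), which is a test-resource mismatch addressed by the frame.html resync, not by the bindings change that fixes the "Should throw when writing to toString on Location" failures. Landing the resync as its own commit, or at least saying in the ChangeLog which of the six PASS lines comes from which change, would keep this rebaseline attributable.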
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/frame.html (253417 => 253418)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/frame.html 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/frame.html 2019-12-12 03:51:12 UTC (rev 253418)
@@ -6,9 +6,10 @@
document.domain = document.domain;
}
- // Override the |frames| property to test that such overrides are
+ // Override the |frames| and |focus| property to test that such overrides are
// properly ignored cross-origin.
window.frames = "override";
+ window.focus = "override";
// Also add a |then| property to test that it doesn't get exposed.
window.then = "something";
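Review bot: Style nit in the updated comment: "|frames| and |focus| property" should read "properties". Since the ChangeLog says this file is resynced from upstream, the wording fix belongs in the upstream web-platform-tests copy rather than as a local edit.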
Modified: trunk/Source/WebCore/ChangeLog (253417 => 253418)
--- trunk/Source/WebCore/ChangeLog 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/Source/WebCore/ChangeLog 2019-12-12 03:51:12 UTC (rev 253418)
@@ -1,3 +1,21 @@
+2019-12-11 Chris Dumez <[email protected]>
+
+ Trying to set toString / valueOf on a cross-origin Location object should throw a SecurityError
+ https://bugs.webkit.org/show_bug.cgi?id=205143
+
+ Reviewed by Ryosuke Niwa.
+
+ Trying to set toString / valueOf on a cross-origin Location object should throw a SecurityError.
+ We previously silently ignored those.
+
+ No new tests, rebaselined existing test.
+
+ fast/dom/Window/Location/location-override-toString.html also makes sure we still cannot override the
+ value to location.toString (same origin).
+
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::putCommon):
+
2019-12-11 Wenson Hsieh <[email protected]>
Implement DisplayListRecorder::Recorder::getCTM and DisplayListRecorder::Recorder::setCTM
Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (253417 => 253418)
--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2019-12-12 03:49:14 UTC (rev 253417)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2019-12-12 03:51:12 UTC (rev 253418)
@@ -109,9 +109,6 @@
static bool putCommon(JSLocation& thisObject, JSGlobalObject& lexicalGlobalObject, PropertyName propertyName)
{
VM& vm = lexicalGlobalObject.vm();
- // Silently block access to toString and valueOf.
- if (propertyName == vm.propertyNames->toString || propertyName == vm.propertyNames->valueOf)
- return true;
// Always allow assigning to the whole location.
// However, alllowing assigning of pieces might inadvertently disclose parts of the original location.
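Review bot: With the early return for toString and valueOf removed at the top of putCommon, both names now follow whatever path the rest of the function applies to any other property, and that remainder is not shown in this hunk. The WebCore ChangeLog relies on fast/dom/Window/Location/location-override-toString.html for the same-origin case; please confirm that test also exercises valueOf, and add a short comment on putCommon stating what a true return means to its callers, since the deleted "Silently block access" comment was the only hint. While here, "alllowing" in the following comment is a typo.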