- Revision: 253483
- Author: [email protected]
- Date: 2019-12-13 09:53:34 -0800 (Fri, 13 Dec 2019)
Log Message

Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant
https://bugs.webkit.org/show_bug.cgi?id=205184

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline WPT test now that more checks are passing.

* web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:

Source/WebCore:

Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)

We should be able to return frames by name, even if their names conflict with the name of a
same-origin window property (e.g. "close"). Previously, we would throw a SecurityError in
this case.

No new tests, rebaselined existing test.

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):

LayoutTests:

* http/tests/security/document-all-expected.txt:
The test is accessing the "alert" property on a cross-origin window. We used to throw a SecurityError,
but we now return a Window object since there is a Window whose name is "alert". The test still passes
as it is not able to call alert() cross-origin.

* http/tests/security/xss-DENIED-window-name-navigator-expected.txt:
* http/tests/security/xss-DENIED-window-name-navigator.html:
Update test to use console.log() to print the result instead of alert() since alert() is not allowed
in a sandbox iframe. I updated the expectation so that top.navigator returns the window with the
name "navigator" instead of undefined, as per the behavior change in this patch. I have verified that
our behavior on this test is consistent with Firefox and Chrome.
Diff
Modified: trunk/LayoutTests/ChangeLog (253482 => 253483)
--- trunk/LayoutTests/ChangeLog 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/ChangeLog 2019-12-13 17:53:34 UTC (rev 253483)
@@ -1,3 +1,22 @@
+2019-12-13 Chris Dumez <[email protected]>
+
+ Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant
+ https://bugs.webkit.org/show_bug.cgi?id=205184
+
+ Reviewed by Darin Adler.
+
+ * http/tests/security/document-all-expected.txt:
+ The test is accessing the "alert" property on a cross-origin window. We used to throw a SecurityError,
+ but we now return a Window object since there is a Window whose name is "alert". The test still passes
+ as it is not able to call alert() cross-origin.
+
+ * http/tests/security/xss-DENIED-window-name-navigator-expected.txt:
+ * http/tests/security/xss-DENIED-window-name-navigator.html:
+ Update test to use console.log() to print the result instead of alert() since alert() is not allowed
+ in a sandbox iframe. I updated the expectation so that top.navigator returns the window with the
+ name "navigator" instead of undefined, as per the behavior change in this patch. I have verified that
+ our behavior on this test is consistent with Firefox and Chrome.
+
2019-12-13 Carlos Alberto Lopez Perez <[email protected]>
Fix some errors on the TestExpectations files.
Modified: trunk/LayoutTests/http/tests/security/document-all-expected.txt (253482 => 253483)
--- trunk/LayoutTests/http/tests/security/document-all-expected.txt 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/http/tests/security/document-all-expected.txt 2019-12-13 17:53:34 UTC (rev 253483)
@@ -1,2 +1,2 @@
-CONSOLE MESSAGE: line 1: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame. Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: TypeError: Illegal constructor
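Review bot: The new expected line, "TypeError: Illegal constructor", does not by itself show that cross-origin access was refused; it reads like an incidental failure. The ChangeLog explains that "alert" now resolves to a Window named "alert" and that alert() still cannot be called cross-origin, so consider having the test log an explicit PASS/FAIL for that condition. Otherwise a later regression that lets the call through could go unnoticed as long as some exception is still printed.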
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt (253482 => 253483)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt 2019-12-13 17:53:34 UTC (rev 253483)
@@ -1,2 +1,2 @@
-CONSOLE MESSAGE: line 1: SecurityError: Sandbox access violation: Blocked a frame at "null" from accessing a cross-origin frame. The frame requesting access is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 1: PASS
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator.html (253482 => 253483)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator.html 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-window-name-navigator.html 2019-12-13 17:53:34 UTC (rev 253483)
@@ -5,5 +5,5 @@
<iframe sandbox="allow-scripts"
src=""
window.name='navigator';
- alert(top.navigator === undefined ? 'PASS' : 'FAIL');
+ console.log(top.navigator === self ? 'PASS' : 'FAIL');
</script>"></iframe>
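Review bot: On the changed console.log(top.navigator === self ? 'PASS' : 'FAIL') line, the passing condition is now a successful named lookup that returns the sandboxed frame itself, while the file is still called xss-DENIED-window-name-navigator. The strict comparison with self does rule out the parent's real navigator object, but that is not obvious to a reader; a short comment in the test saying that the named frame is the expected result and that the parent's navigator must stay unreachable would keep the security intent of the test visible.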
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (253482 => 253483)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2019-12-13 17:53:34 UTC (rev 253483)
@@ -1,3 +1,14 @@
+2019-12-13 Chris Dumez <[email protected]>
+
+ Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant
+ https://bugs.webkit.org/show_bug.cgi?id=205184
+
+ Reviewed by Darin Adler.
+
+ Rebaseline WPT test now that more checks are passing.
+
+ * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
+
2019-12-13 Chris Lord <[email protected]>
Implement OffscreenCanvas.convertToBlob
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt (253482 => 253483)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2019-12-13 17:53:34 UTC (rev 253483)
@@ -66,9 +66,9 @@
PASS [[GetOwnProperty]] - Subframe named 'then' should shadow the default 'then' value (cross-origin)
PASS [[GetOwnProperty]] - Subframe named 'then' should shadow the default 'then' value (same-origin + document.domain)
PASS [[GetOwnProperty]] - Subframe named 'then' should shadow the default 'then' value (cross-site)
-FAIL [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (cross-origin) Blocked a frame with origin "http://localhost:8800" from accessing a cross-origin frame. Protocols, domains, and ports must match.
-FAIL [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (same-origin + document.domain) Blocked a frame with origin "http://localhost:8800" from accessing a cross-origin frame. Protocols, domains, and ports must match.
-FAIL [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (cross-site) Blocked a frame with origin "http://localhost:8800" from accessing a cross-origin frame. Protocols, domains, and ports must match.
+PASS [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (cross-origin)
+PASS [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (same-origin + document.domain)
+PASS [[GetOwnProperty]] - Subframes should be visible cross-origin only if their names don't match the names of cross-origin-exposed IDL properties (cross-site)
PASS [[GetOwnProperty]] - Should be able to get a property descriptor for an indexed property only if it corresponds to a child window. (cross-origin)
PASS [[GetOwnProperty]] - Should be able to get a property descriptor for an indexed property only if it corresponds to a child window. (same-origin + document.domain)
PASS [[GetOwnProperty]] - Should be able to get a property descriptor for an indexed property only if it corresponds to a child window. (cross-site)
Modified: trunk/Source/WebCore/ChangeLog (253482 => 253483)
--- trunk/Source/WebCore/ChangeLog 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/Source/WebCore/ChangeLog 2019-12-13 17:53:34 UTC (rev 253483)
@@ -1,3 +1,22 @@
+2019-12-13 Chris Dumez <[email protected]>
+
+ Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant
+ https://bugs.webkit.org/show_bug.cgi?id=205184
+
+ Reviewed by Darin Adler.
+
+ Behavior of [[GetOwnProperty]] for cross-origin windows is not spec-compliant:
+ - https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
+
+ We should be able to return frames by name, even if their name conflict with the name of a
+ same-origin window property (e.g. "close"). Previously, we would throw a SecurityError in
+ this case.
+
+ No new tests, rebaselined existing test.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+
2019-12-13 Eric Carlson <[email protected]>
Add infrastructure needed for playing media player in the GPU process
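Review bot: The example in "same-origin window property (e.g. "close")" looks wrong for this change. "close" is one of the Window properties the HTML spec exposes cross-origin, and the WPT case rebaselined in this same commit says subframes are visible "only if their names don't match the names of cross-origin-exposed IDL properties". The tests touched here use "alert" and "navigator", which are same-origin-only; using one of those as the example would match what the patch actually changes.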
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (253482 => 253483)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2019-12-13 17:49:53 UTC (rev 253482)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2019-12-13 17:53:34 UTC (rev 253483)
@@ -141,13 +141,6 @@
slot.setCustomGetterSetter(thisObject, static_cast<unsigned>(JSC::PropertyAttribute::CustomAccessor | JSC::PropertyAttribute::DontEnum), customGetterSetter);
return true;
}
-
- // For any other entries in the static property table, deny access. (Early return also prevents
- // named getter from returning frames with matching names - this seems a little questionable, see
- // FIXME comment on prototype search below.)
- throwSecurityError(lexicalGlobalObject, scope, errorMessage);
- slot.setUndefined();
- return false;
}
// Check for child frames by name before built-in properties to match Mozilla. This does
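Review bot: With the unconditional throwSecurityError(...) / return false removed at the end of this block, names found in the static property table now fall through to the child-frame-by-name lookup that follows, and the hunk does not show where access is denied when no frame has that name. Please confirm that path still ends in a SecurityError and that a test covers it (a cross-origin read of a same-origin-only property with no matching frame). The deleted comment also pointed at a "FIXME comment on prototype search below"; check whether that FIXME is now stale and should be updated in the same patch.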