Diff
Modified: branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (112460 => 112461)
--- branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-03-28 22:43:50 UTC (rev 112461)
@@ -52,8 +52,10 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
----- tests for calling methods of another frame using Function.call -----
PASS: window.setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
@@ -82,5 +84,7 @@
PASS: window.moveTo.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeBy.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
+PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
+PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
Modified: branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call.html (112460 => 112461)
--- branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-03-28 22:43:50 UTC (rev 112461)
@@ -54,10 +54,10 @@
shouldBe("window.moveTo.call(targetWindow, 0, 0);", "undefined");
shouldBe("window.resizeBy.call(targetWindow, 0, 0);", "undefined");
shouldBe("window.resizeTo.call(targetWindow, 0, 0);", "undefined");
+ shouldBe("window.showModalDialog.call(targetWindow);", "undefined");
- // FIXME: showModalDialog now works on DRT and thus breaks this test. Will uncomment after adding a separate test for Mac for showModalDialog - Bug #39897
- // Throws a TypeError and logs to the error console
- // shouldBe("window.showModalDialog.call(targetWindow);", '"TypeError: Result of _expression_ \'window.showModalDialog\' [undefined] is not an object."');
+ // Throws an EvalError and logs to the error console
+ shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');
// - Tests for the Location object -
// undefined value indicates failure
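Review bot: The added comment `// Throws an EvalError and logs to the error console` states an engine-specific result as fact: the platform/chromium baseline updated in this same change records the eval line as `*** FAIL ... but instead is 3. ***`, while only the generic baseline shows the EvalError. I would reword it along the lines of `// Generic baseline: throws an EvalError. The chromium baseline currently records a FAIL (result 3).` so the checked-in failure is not mistaken for an accepted result. Separately, `shouldBe("window.showModalDialog.call(targetWindow);", "undefined")` probably cannot distinguish a denied call from a dialog that opened and returned no value. The extra CONSOLE MESSAGE line in the baselines is what shows the denial, and a one-line comment saying so would help the next reader.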
Modified: branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt (112460 => 112461)
--- branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt 2012-03-28 22:43:50 UTC (rev 112461)
@@ -376,6 +376,8 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
+
This test checks cross-frame access security (rdar://problem/5251309).
@@ -536,6 +538,7 @@
PASS: canGet('targetWindow.scrollTo') should be 'false' and is.
PASS: canGet('targetWindow.setInterval') should be 'false' and is.
PASS: canGet('targetWindow.setTimeout') should be 'false' and is.
+PASS: canGet('targetWindow.showModalDialog') should be 'false' and is.
PASS: canGet('targetWindow.stop') should be 'false' and is.
----- tests for getting of not allowed Attributes -----
Modified: branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get.html (112460 => 112461)
--- branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get.html 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/http/tests/security/cross-frame-access-get.html 2012-03-28 22:43:50 UTC (rev 112461)
@@ -133,9 +133,7 @@
"scrollTo",
"setInterval",
"setTimeout",
- // FIXME: This function is now implemented on mac and hence the expected output changes. Uncomment after adding a
- // mac specific test for showModalDialog. Bug# 39897
- // "showModalDialog",
+ "showModalDialog",
"stop"
];
Modified: branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt (112460 => 112461)
--- branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-03-28 22:43:50 UTC (rev 112461)
@@ -1,5 +1,7 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
+
CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'body' of undefined
This page opens a window to "", injects malicious code, and then uses window.open.call to set its opener to the victim. The opened window then tries to scripts its opener.
Code injected into window:
Modified: branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt (112460 => 112461)
--- branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt 2012-03-28 22:43:50 UTC (rev 112461)
@@ -20,7 +20,7 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
@@ -52,8 +52,10 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
----- tests for calling methods of another frame using Function.call -----
PASS: window.setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
@@ -67,7 +69,7 @@
PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
-*** FAIL: window.open.call(targetWindow, '') should be 'undefined' but instead is [object DOMWindow]. ***
+PASS: window.open.call(targetWindow, '') should be 'undefined' and is.
PASS: window.addEventListener.call(targetWindow, 'load', null, false); should be 'undefined' and is.
PASS: window.removeEventListener.call(targetWindow, 'load', null, false); should be 'undefined' and is.
PASS: window.clearTimeout.call(targetWindow, 0); should be 'undefined' and is.
@@ -82,5 +84,7 @@
PASS: window.moveTo.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeBy.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
+PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
+*** FAIL: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' but instead is 3. ***
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
Modified: branches/chromium/1025/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (112460 => 112461)
--- branches/chromium/1025/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-03-28 22:43:04 UTC (rev 112460)
+++ branches/chromium/1025/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-03-28 22:43:50 UTC (rev 112461)
@@ -426,18 +426,17 @@
{
INC_STATS("DOM.DOMWindow.showModalDialog()");
DOMWindow* impl = V8DOMWindow::toNative(args.Holder());
-
V8BindingState* state = V8BindingState::Only();
+ if (!V8BindingSecurity::canAccessFrame(state, impl->frame(), true))
+ return v8::Undefined();
- DOMWindow* activeWindow = state->activeWindow();
- DOMWindow* firstWindow = state->firstWindow();
-
// FIXME: Handle exceptions properly.
String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
+ DialogHandler handler(args[1]);
String dialogFeaturesString = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
- DialogHandler handler(args[1]);
-
+ DOMWindow* activeWindow = state->activeWindow();
+ DOMWindow* firstWindow = state->firstWindow();
impl->showModalDialog(urlString, dialogFeaturesString, activeWindow, firstWindow, setUpDialog, &handler);
return handler.returnValue();
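Review bot: The new guard at the top of this callback has no comment explaining why it checks `impl->frame()`, and the bare `true` is unreadable at the call site. `impl` comes from `args.Holder()`, which the updated tests reach through `Function.call` with a cross-origin window, so I would add `// The receiver may be another origin's window (e.g. via Function.call); return undefined unless the calling context may access its frame.` above the `if`. The flag could be annotated as `true /* report the denial to the console */`, if that is what it controls; the added CONSOLE MESSAGE lines in the baselines suggest so. The identical guard in the open() callback hunk below needs the same two annotations. Both function bodies begin outside their hunks.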
@@ -447,20 +446,21 @@
{
INC_STATS("DOM.DOMWindow.open()");
DOMWindow* impl = V8DOMWindow::toNative(args.Holder());
-
V8BindingState* state = V8BindingState::Only();
+ if (!V8BindingSecurity::canAccessFrame(state, impl->frame(), true))
+ return v8::Undefined();
- DOMWindow* activeWindow = state->activeWindow();
- DOMWindow* firstWindow = state->firstWindow();
-
// FIXME: Handle exceptions properly.
String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
AtomicString frameName = (args[1]->IsUndefined() || args[1]->IsNull()) ? "_blank" : AtomicString(toWebCoreString(args[1]));
String windowFeaturesString = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
+ DOMWindow* activeWindow = state->activeWindow();
+ DOMWindow* firstWindow = state->firstWindow();
RefPtr<DOMWindow> openedWindow = impl->open(urlString, frameName, windowFeaturesString, activeWindow, firstWindow);
if (!openedWindow)
return v8::Undefined();
+
return toV8(openedWindow.release());
}
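Review bot: The access decision is made on the first lines, but the argument conversions that follow (`toWebCoreStringWithNullOrUndefinedCheck(args[0])`, `toWebCoreString(args[1])`, `args[2]`) can run page script when an argument is an object with its own string conversion. Please confirm that `impl->frame()` cannot be detached or change document between the check and `impl->open(...)`, or that `DOMWindow::open` re-validates on its own. If neither holds, convert the arguments first and call `canAccessFrame` immediately before `impl->open(...)`. The showModalDialog() callback hunk above has the same ordering, with `DialogHandler handler(args[1])` also constructed after the check. The function signature is outside this hunk.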