Modified: trunk/Source/WebCore/ChangeLog (124643 => 124644)
--- trunk/Source/WebCore/ChangeLog 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/ChangeLog 2012-08-03 20:03:57 UTC (rev 124644)
@@ -1,3 +1,27 @@
+2012-08-03 Sheriff Bot <[email protected]>
+
+ Unreviewed, rolling out r124594.
+ http://trac.webkit.org/changeset/124594
+ https://bugs.webkit.org/show_bug.cgi?id=93152
+
+ Broke PlatformAppBrowserTest.Iframes browser_test on Chromium
+ bots (Requested by dimich on #webkit).
+
+ * bindings/generic/BindingSecurity.cpp:
+ (WebCore::canAccess):
+ (WebCore::BindingSecurity::canAccessFrame):
+ (WebCore::BindingSecurity::shouldAllowAccessToNode):
+ * bindings/v8/BindingState.cpp:
+ (WebCore::immediatelyReportUnsafeAccessTo):
+ * bindings/v8/BindingState.h:
+ (WebCore):
+ * bindings/v8/V8DOMWindowShell.cpp:
+ (WebCore::reportUnsafeJavaScriptAccess):
+ * bindings/v8/V8Proxy.cpp:
+ (WebCore::V8Proxy::reportUnsafeAccessTo):
+ * bindings/v8/V8Proxy.h:
+ (V8Proxy):
+
2012-08-03 Terry Anderson <[email protected]>
Apply target fuzzing when sending a context menu event
Modified: trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp (124643 => 124644)
--- trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-03 20:03:57 UTC (rev 124644)
@@ -42,28 +42,40 @@
namespace WebCore {
-static bool canAccessDocument(BindingState* state, Document* targetDocument, bool reportError)
+static bool canAccess(DOMWindow* activeWindow, DOMWindow* targetWindow)
{
- // We have seen crashes were the target is 0, but we don't have a test case for it.
- if (!targetDocument)
+ ASSERT(targetWindow);
+ if (activeWindow == targetWindow)
+ return true;
+
+ if (!activeWindow)
return false;
- DOMWindow* active = activeWindow(state);
- if (!active)
+ SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin();
+ SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
+
+ // We have seen crashes were the security origin of the target has not been
+ // initialized. Defend against that.
+ if (!targetSecurityOrigin)
return false;
- if (active->securityOrigin()->canAccess(targetDocument->securityOrigin()))
+ if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
return true;
- if (reportError)
- immediatelyReportUnsafeAccessTo(state, targetDocument);
-
return false;
}
bool BindingSecurity::canAccessFrame(BindingState* state, Frame* target, bool reportError)
{
- return target && canAccessDocument(state, target->document(), reportError);
+ if (!target)
+ return false;
+
+ if (!canAccess(activeWindow(state), target->domWindow())) {
+ if (reportError)
+ immediatelyReportUnsafeAccessTo(state, target);
+ return false;
+ }
+ return true;
}
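Review bot: In canAccess the only guard on targetWindow is the ASSERT, which compiles out of release builds, so a null targetWindow reaches the `activeWindow == targetWindow` test — when activeWindow is also null that returns true and grants access, and otherwise `targetWindow->securityOrigin()` dereferences null. canAccessFrame passes `target->domWindow()` in without a check; whether Frame::domWindow() can return null is not visible here, but a fail-closed `if (!targetWindow) return false;` placed before the equality test costs nothing and removes the fail-open path. The same asymmetry applies to activeSecurityOrigin, which is dereferenced while only targetSecurityOrigin gets the null check the comment motivates. While here, the comment's `were` should read `where`.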
bool BindingSecurity::shouldAllowAccessToNode(BindingState* state, Node* node)
@@ -71,7 +83,6 @@
if (!node)
return false;
- // FIXME: We shouldn't need to go through the frame here because we already have the document.
Frame* target = node->document()->frame();
if (!target)
return false;
Modified: trunk/Source/WebCore/bindings/v8/BindingState.cpp (124643 => 124644)
--- trunk/Source/WebCore/bindings/v8/BindingState.cpp 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/v8/BindingState.cpp 2012-08-03 20:03:57 UTC (rev 124644)
@@ -89,9 +89,9 @@
return V8Proxy::retrieveFrame(context);
}
-void immediatelyReportUnsafeAccessTo(BindingState*, Document* targetDocument)
+void immediatelyReportUnsafeAccessTo(BindingState*, Frame* target)
{
- V8Proxy::reportUnsafeAccessTo(targetDocument);
+ V8Proxy::reportUnsafeAccessTo(target);
}
}
Modified: trunk/Source/WebCore/bindings/v8/BindingState.h (124643 => 124644)
--- trunk/Source/WebCore/bindings/v8/BindingState.h 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/v8/BindingState.h 2012-08-03 20:03:57 UTC (rev 124644)
@@ -34,7 +34,6 @@
namespace WebCore {
class DOMWindow;
-class Document;
class Frame;
class BindingState {
@@ -54,7 +53,7 @@
// are any subtle differences between the currentFrame and the lexicalGlobalObject.
Frame* currentFrame(BindingState*);
-void immediatelyReportUnsafeAccessTo(BindingState*, Document* targetDocument);
+void immediatelyReportUnsafeAccessTo(BindingState*, Frame*);
}
Modified: trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp (124643 => 124644)
--- trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-03 20:03:57 UTC (rev 124644)
@@ -152,7 +152,7 @@
{
Frame* target = getTargetFrame(host, data);
if (target)
- V8Proxy::reportUnsafeAccessTo(target->document());
+ V8Proxy::reportUnsafeAccessTo(target);
}
PassRefPtr<V8DOMWindowShell> V8DOMWindowShell::create(Frame* frame)
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.cpp (124643 => 124644)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2012-08-03 20:03:57 UTC (rev 124644)
@@ -124,12 +124,13 @@
typedef HashMap<void*, v8::Object*> DOMObjectMap;
typedef HashMap<int, v8::FunctionTemplate*> FunctionTemplateMap;
-void V8Proxy::reportUnsafeAccessTo(Document* targetDocument)
+void V8Proxy::reportUnsafeAccessTo(Frame* target)
{
+ ASSERT(target);
+ Document* targetDocument = target->document();
if (!targetDocument)
return;
- // FIXME: We should pass both the active and target documents in as arguments.
Frame* source = firstFrame(BindingState::instance());
if (!source)
return;
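Review bot: reportUnsafeAccessTo derives the reporting side from `firstFrame(BindingState::instance())`, while the decision being reported was made in BindingSecurity::canAccessFrame against `activeWindow(state)`; if those two can ever differ, the console message names a frame other than the one that was actually denied, which misleads anyone investigating a blocked cross-origin access from the log. The function continues past the hunk, so how source is used in the message is not visible here. A comment stating the assumption would help: `// Assumes firstFrame(BindingState::instance()) is the frame canAccessFrame checked via activeWindow(state).` Also, ASSERT(target) is the only guard before `target->document()`; both callers in this changeset check target first, so it is consistent, but the non-null precondition is worth stating in the header comment next to the declaration rather than only via the ASSERT.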
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.h (124643 => 124644)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.h 2012-08-03 19:58:17 UTC (rev 124643)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.h 2012-08-03 20:03:57 UTC (rev 124644)
@@ -224,7 +224,8 @@
static const V8Extensions& extensions();
- static void reportUnsafeAccessTo(Document* targetDocument);
+ // Report an unsafe attempt to access the given frame on the console.
+ static void reportUnsafeAccessTo(Frame* target);
private:
void resetIsolatedWorlds();