Diff
Modified: trunk/LayoutTests/ChangeLog (126248 => 126249)
--- trunk/LayoutTests/ChangeLog 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/ChangeLog 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,3 +1,29 @@
+2012-08-21 Adam Barth <[email protected]>
+
+ V8 shouldn't have its own way of printing cross-origin error messages
+ https://bugs.webkit.org/show_bug.cgi?id=94641
+
+ Reviewed by Eric Seidel.
+
+ Update these results to reflect the new error messages. These error
+ messages are both more correct and more like _javascript_Core.
+
+ * platform/chromium/http/tests/security/cross-frame-access-private-browsing-expected.txt: Added.
+ - We don't use the private browsing setting to implement private browsing.
+ * platform/chromium/http/tests/security/cross-frame-access-document-direct-expected.txt:
+ * platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
+ * platform/chromium/http/tests/security/listener/xss-inactive-closure-expected.txt:
+ * platform/chromium/http/tests/security/xss-eval-expected.txt:
+ - Previously, we were incorrectly using the first script rather
+ than the active script when printing the error message.
+ * platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt: Removed.
+ * platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt: Removed.
+ * platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt: Removed.
+ * platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt: Removed.
+ * platform/chromium/http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt: Removed.
+ * platform/chromium/http/tests/security/listener/xss-window-onclick-shortcut-expected.txt: Removed.
+ - These results are now identical to JSC.
+
2012-08-21 Shinya Kawanaka <[email protected]>
A shadow element in ShadowDOM of a button element does not work.
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-document-direct-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-document-direct-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-document-direct-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-document-direct-test-victim.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-document-direct.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-document-direct-test-victim.html from frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-for-document-direct-test.html. Domains, protocols and ports must match.
Test cross-origin direct document access.
Added: trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-private-browsing-expected.txt (0 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-private-browsing-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-private-browsing-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-private-browsing.html. Domains, protocols and ports must match.
+
+This test checks cross-frame access security checks don't log when private browsing is enabled (rdar://problem/5394877).
+
+
+Attempting to violate the same-origin policy with private browsing enabled. If this succeeds the console should not log the violation.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Inner iframe.
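Review bot: The added baseline opens with a CONSOLE MESSAGE line, while the test text a few lines below it says "If this succeeds the console should not log the violation", so the Chromium expectation records the opposite of what the test describes as passing. The LayoutTests ChangeLog gives the reason (the private browsing setting is not used to implement private browsing on this port), but that reasoning is not visible next to the baseline. Consider skipping the test for Chromium, or recording the reason where the expectation lives, so a later rebaseline does not read the logged message as the intended result.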
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/inactive-document-with-empty-security-origin.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/inactive-document-with-empty-security-origin.html#stop. Domains, protocols and ports must match.
This test passes if it doesn't alert something ugly.
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWithButton.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on an EventTarget using addEventListener is the target nodes frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWithButton.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on an EventTarget with the shortcut (onclick, etc), is the target nodes frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWithXMLHttpRequest.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on an XMLHttpRequest using addEventListener, is the requests frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWithXMLHttpRequest.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on an XMLHttpRequest with the shortcut (onreadystatechange), is the requests frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-inactive-closure-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-inactive-closure-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-inactive-closure-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/listener/resources/xss-inactive-closure-child-2.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWithButton.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/listener/resources/xss-inactive-closure-child-2.html from frame with URL http://127.0.0.1:8000/security/listener/resources/xss-inactive-closure-child.html. Domains, protocols and ports must match.
This tests that when a frame navigates to a new page, closures in the old page cannot access page content of the new page if there are from different domains.
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWindow.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on the window using addEventListener is the window's frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Deleted: trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-shortcut-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-shortcut-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/listener/xss-window-onclick-shortcut-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/listener/resources/childWindow.html. Domains, protocols and ports must match.
-
-This tests that frame used when setting eventListeners on the window with the shortcut (onclick, etc), is the window's frame. (rdar://problem/5426142). This test passes if you don't see an alert dialog with the domain of "localhost" in it and an "Unsafe _javascript_" warning is logged to the console.
-
-
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/xss-eval-expected.txt (126248 => 126249)
--- trunk/LayoutTests/platform/chromium/http/tests/security/xss-eval-expected.txt 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/xss-eval-expected.txt 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/xss-eval3.html from frame with URL http://127.0.0.1:8000/security/xss-eval.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/xss-eval3.html from frame with URL http://127.0.0.1:8000/security/resources/xss-eval2.html. Domains, protocols and ports must match.
This page verifies that you can't use eval to subvert cross-domain checks.
Modified: trunk/Source/WebCore/ChangeLog (126248 => 126249)
--- trunk/Source/WebCore/ChangeLog 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/ChangeLog 2012-08-22 01:50:40 UTC (rev 126249)
@@ -1,3 +1,30 @@
+2012-08-21 Adam Barth <[email protected]>
+
+ V8 shouldn't have its own way of printing cross-origin error messages
+ https://bugs.webkit.org/show_bug.cgi?id=94641
+
+ Reviewed by Eric Seidel.
+
+ V8 used to re-implement (poorly) the code for printing out an error
+ message when a same-origin check failed. This patch deletes that code
+ in favor of just calling the WebCore version of the code. There more to
+ clean up here, but I had to stop before spidering over the whole
+ codebase.
+
+ * bindings/generic/BindingSecurity.cpp:
+ (WebCore::canAccessDocument):
+ * bindings/js/BindingState.cpp:
+ * bindings/js/BindingState.h:
+ * bindings/v8/BindingState.cpp:
+ (WebCore::printErrorMessageForFrame):
+ * bindings/v8/BindingState.h:
+ (WebCore):
+ * bindings/v8/V8DOMWindowShell.cpp:
+ (WebCore::reportUnsafeJavaScriptAccess):
+ * bindings/v8/V8Proxy.cpp:
+ * bindings/v8/V8Proxy.h:
+ (V8Proxy):
+
2012-08-21 Shinya Kawanaka <[email protected]>
A shadow element in ShadowDOM of a button element does not work.
Modified: trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp (126248 => 126249)
--- trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-22 01:50:40 UTC (rev 126249)
@@ -55,7 +55,7 @@
return true;
if (reportingOption == ReportSecurityError)
- immediatelyReportUnsafeAccessTo(state, targetDocument);
+ printErrorMessageForFrame(targetDocument->frame(), targetDocument->domWindow()->crossDomainAccessErrorMessage(active));
return false;
}
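Review bot: Possible null dereference on the added line: `targetDocument->domWindow()->crossDomainAccessErrorMessage(active)` is evaluated as an argument before `printErrorMessageForFrame` runs, so the `if (!frame) return;` guard inside that function does not protect it. If `targetDocument` can be detached from its frame at this point, check `domWindow()` (or the frame) before building the message. The hunk also shows no definition for `active`, so confirm it is the active DOMWindow and not the first one.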
Modified: trunk/Source/WebCore/bindings/js/BindingState.cpp (126248 => 126249)
--- trunk/Source/WebCore/bindings/js/BindingState.cpp 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/js/BindingState.cpp 2012-08-22 01:50:40 UTC (rev 126249)
@@ -47,9 +47,4 @@
return asJSDOMWindow(exec->dynamicGlobalObject())->impl();
}
-void immediatelyReportUnsafeAccessTo(ExecState* exec, Document* target)
-{
- printErrorMessageForFrame(target->frame(), target->domWindow()->crossDomainAccessErrorMessage(activeDOMWindow(exec)));
}
-
-}
Modified: trunk/Source/WebCore/bindings/js/BindingState.h (126248 => 126249)
--- trunk/Source/WebCore/bindings/js/BindingState.h 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/js/BindingState.h 2012-08-22 01:50:40 UTC (rev 126249)
@@ -48,8 +48,6 @@
inline Frame* activeFrame(BindingState*) { return 0; }
inline Frame* firstFrame(BindingState*) { return 0; }
-void immediatelyReportUnsafeAccessTo(BindingState*, Document* target);
-
}
#endif
Modified: trunk/Source/WebCore/bindings/v8/BindingState.cpp (126248 => 126249)
--- trunk/Source/WebCore/bindings/v8/BindingState.cpp 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/v8/BindingState.cpp 2012-08-22 01:50:40 UTC (rev 126249)
@@ -98,9 +98,11 @@
return current->document();
}
-void immediatelyReportUnsafeAccessTo(BindingState*, Document* targetDocument)
+void printErrorMessageForFrame(Frame* frame, const String& message)
{
- V8Proxy::reportUnsafeAccessTo(targetDocument);
+ if (!frame)
+ return;
+ frame->document()->domWindow()->printErrorMessage(message);
}
}
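Review bot: Only `frame` is null-checked in the new `printErrorMessageForFrame`; the call `frame->document()->domWindow()->printErrorMessage(message)` then dereferences both `document()` and `domWindow()` unchecked. The `V8Proxy::reportUnsafeAccessTo` code removed by this patch returned early on a null target document and on a null source document ("Ignore error if the source document is gone"), so the new helper is less defensive than what it replaces. Add early returns for a null document and a null window.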
Modified: trunk/Source/WebCore/bindings/v8/BindingState.h (126248 => 126249)
--- trunk/Source/WebCore/bindings/v8/BindingState.h 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/v8/BindingState.h 2012-08-22 01:50:40 UTC (rev 126249)
@@ -31,6 +31,8 @@
#ifndef BindingState_h
#define BindingState_h
+#include <wtf/text/WTFString.h>
+
namespace WebCore {
class DOMWindow;
@@ -55,7 +57,8 @@
Frame* currentFrame(BindingState*);
Document* currentDocument(BindingState*);
-void immediatelyReportUnsafeAccessTo(BindingState*, Document* targetDocument);
+// FIXME: This function is redundant with the copy in JSDOMBinding.cpp.
+void printErrorMessageForFrame(Frame*, const String& message);
}
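Review bot: The FIXME on the new declaration admits that `printErrorMessageForFrame` now exists twice (here and in JSDOMBinding.cpp) but gives no bug reference, so nothing tracks the follow-up. The stated aim of the patch is a single way of printing cross-origin error messages, so reference a follow-up bug in the FIXME, or move the helper to a location both bindings share so the two copies cannot drift.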
Modified: trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp (126248 => 126249)
--- trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-22 01:50:40 UTC (rev 126249)
@@ -153,8 +153,10 @@
static void reportUnsafeJavaScriptAccess(v8::Local<v8::Object> host, v8::AccessType type, v8::Local<v8::Value> data)
{
Frame* target = getTargetFrame(host, data);
- if (target)
- V8Proxy::reportUnsafeAccessTo(target->document());
+ if (!target)
+ return;
+ DOMWindow* targetWindow = target->document()->domWindow();
+ targetWindow->printErrorMessage(targetWindow->crossDomainAccessErrorMessage(activeDOMWindow(BindingState::instance())));
}
PassRefPtr<V8DOMWindowShell> V8DOMWindowShell::create(Frame* frame)
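Review bot: Null handling got weaker in `reportUnsafeJavaScriptAccess`: the old call passed `target->document()` to `V8Proxy::reportUnsafeAccessTo`, which returned early on a null document, whereas the new code dereferences `target->document()->domWindow()` directly and then calls through `targetWindow`. The result of `activeDOMWindow(BindingState::instance())` is also passed on unchecked. Guard the document and window before use, and either confirm that `crossDomainAccessErrorMessage` accepts a null active window or check for one here.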
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.cpp (126248 => 126249)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.cpp 2012-08-22 01:50:40 UTC (rev 126249)
@@ -77,33 +77,6 @@
namespace WebCore {
-void V8Proxy::reportUnsafeAccessTo(Document* targetDocument)
-{
- if (!targetDocument)
- return;
-
- // FIXME: We should pass both the active and target documents in as arguments.
- Frame* source = firstFrame(BindingState::instance());
- if (!source)
- return;
-
- Document* sourceDocument = source->document();
- if (!sourceDocument)
- return; // Ignore error if the source document is gone.
-
- // FIXME: This error message should contain more specifics of why the same
- // origin check has failed.
- String str = "Unsafe _javascript_ attempt to access frame with URL " + targetDocument->url().string() +
- " from frame with URL " + sourceDocument->url().string() + ". Domains, protocols and ports must match.\n";
-
- RefPtr<ScriptCallStack> stackTrace = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);
-
- // NOTE: Safari prints the message in the target page, but it seems like
- // it should be in the source page. Even for delayed messages, we put it in
- // the source page.
- sourceDocument->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, str, stackTrace.release());
-}
-
// FIXME: This will be soon removed when we move runScript() to ScriptController.
static v8::Local<v8::Value> handleMaxRecursionDepthExceeded()
{
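Review bot: Deleting `reportUnsafeAccessTo` drops two behaviours that the replacement call sites in this patch do not visibly preserve: the message was logged on `sourceDocument` (the removed NOTE argues it belongs in the source page rather than the target page), and it carried a stack trace from `createScriptCallStack`. The new code calls `printErrorMessage` on the target window with only the message string. If the change of console and the loss of the stack trace are intended, say so in the WebCore ChangeLog entry, since the updated expected results only show the URL changing in the message text.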
Modified: trunk/Source/WebCore/bindings/v8/V8Proxy.h (126248 => 126249)
--- trunk/Source/WebCore/bindings/v8/V8Proxy.h 2012-08-22 01:47:20 UTC (rev 126248)
+++ trunk/Source/WebCore/bindings/v8/V8Proxy.h 2012-08-22 01:50:40 UTC (rev 126249)
@@ -110,8 +110,6 @@
// will be moved to ScriptController.
V8DOMWindowShell* windowShell() const;
- static void reportUnsafeAccessTo(Document* targetDocument);
-
// FIXME: Move m_isolatedWorlds to ScriptController and remove this getter.
IsolatedWorldMap& isolatedWorlds() { return m_isolatedWorlds; }