Diff
Modified: trunk/LayoutTests/ChangeLog (127512 => 127513)
--- trunk/LayoutTests/ChangeLog 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/LayoutTests/ChangeLog 2012-09-04 22:20:43 UTC (rev 127513)
@@ -1,3 +1,25 @@
+2012-09-04 Jeffrey Pfau <jp...@apple.com>
+
+ Make plugins respect third-party storage blocking setting
+ https://bugs.webkit.org/show_bug.cgi?id=94888
+
+ Reviewed by Brady Eidson.
+
+ Created tests for plugins in a third party and first party context when third-party blocking is on and off.
+
+ * http/tests/security/cross-origin-plugin-allowed-expected.txt: Added.
+ * http/tests/security/cross-origin-plugin-allowed.html: Added.
+ * http/tests/security/cross-origin-plugin-expected.txt: Added.
+ * http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed-expected.txt: Added.
+ * http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed.html: Added.
+ * http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt: Added.
+ * http/tests/security/cross-origin-plugin-private-browsing-toggled.html: Added.
+ * http/tests/security/cross-origin-plugin.html: Added.
+ * http/tests/security/resources/cross-origin-iframe-for-plugin.html: Added.
+ * http/tests/security/resources/cross-origin-iframe-for-plugin-async.html: Added.
+ * platform/mac-wk2/http/tests/security/cross-origin-plugin-expected.txt: Added.
+ * platform/mac-wk2/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt: Added.
+
2012-09-04 Roger Fong <roger_f...@apple.com>
Unreviewed. Rebaseline Windows expected results for accessibility\canvas-description-and-role-expected.txt.
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed-expected.txt (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should not have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+false
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-allowed.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+}
+
+</script>
+<body>
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src=""
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-expected.txt (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+false
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed-expected.txt (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should not have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+false
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-allowed.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,37 @@
+<html>
+<head>
+<script>
+var frames = 2;
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.setPrivateBrowsingEnabled(true);
+ testRunner.waitUntilDone();
+}
+
+function decrement() {
+ --frames;
+ if (!frames) {
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(false);
+ for (var i = 0; i < 2; ++i) {
+ var frame = document.getElementsByTagName('iframe')[i].contentWindow;
+ frame.postMessage('loaded', '*');
+ }
+ frames = 2;
+ }
+}
+
+window._onmessage_ = function() {
+ --frames;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+<body>
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+false
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin-private-browsing-toggled.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,40 @@
+<html>
+<head>
+<script>
+var frames = 2;
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.setPrivateBrowsingEnabled(true);
+ testRunner.waitUntilDone();
+ internals.settings.setThirdPartyStorageBlockingEnabled(true);
+}
+
+function decrement() {
+ --frames;
+ if (!frames) {
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(false);
+ for (var i = 0; i < 2; ++i) {
+ var frame = document.getElementsByTagName('iframe')[i].contentWindow;
+ frame.postMessage('loaded', '*');
+ }
+ frames = 2;
+ }
+}
+
+window._onmessage_ = function() {
+ --frames;
+ if (window.testRunner) {
+ internals.settings.setThirdPartyStorageBlockingEnabled(false);
+ testRunner.notifyDone();
+ }
+}
+</script>
+<body>
+<p>This iframe should have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/cross-origin-plugin.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/cross-origin-plugin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-plugin.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+var frames = 2;
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ internals.settings.setThirdPartyStorageBlockingEnabled(true);
+}
+
+function decrement() {
+ --frames;
+ if (!frames && window.testRunner)
+ internals.settings.setThirdPartyStorageBlockingEnabled(false);
+}
+</script>
+<body>
+<p>This iframe should have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+<p>This iframe should not have private browsing enabled:</p>
+<iframe src="" _onload_="decrement()"></iframe>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin-async.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin-async.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin-async.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,13 @@
+<html>
+<head>
+<script>
+window._onmessage_ = function() {
+ document.write(plg.privateBrowsingEnabled);
+ window.parent.postMessage('complete', '*');
+}
+</script>
+</head>
+<body>
+<embed name="plg" type="application/x-webkit-test-netscape" test="private-browsing"></embed>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin.html (0 => 127513)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-plugin.html 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,12 @@
+<html>
+<head>
+<script>
+window._onload_ = function() {
+ document.write(plg.privateBrowsingEnabled);
+}
+</script>
+</head>
+<body>
+<embed name="plg" type="application/x-webkit-test-netscape" test="private-browsing"></embed>
+</body>
+</html>
Added: trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-expected.txt (0 => 127513)
--- trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+true
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Added: trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt (0 => 127513)
--- trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-plugin-private-browsing-toggled-expected.txt 2012-09-04 22:20:43 UTC (rev 127513)
@@ -0,0 +1,16 @@
+This iframe should have private browsing enabled:
+
+
+This iframe should not have private browsing enabled:
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+true
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+false
Modified: trunk/Source/WebCore/ChangeLog (127512 => 127513)
--- trunk/Source/WebCore/ChangeLog 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/Source/WebCore/ChangeLog 2012-09-04 22:20:43 UTC (rev 127513)
@@ -1,3 +1,19 @@
+2012-09-04 Jeffrey Pfau <jp...@apple.com>
+
+ Make plugins respect third-party storage blocking setting
+ https://bugs.webkit.org/show_bug.cgi?id=94888
+
+ Reviewed by Brady Eidson.
+
+ Added functions for discerning if a plugin should be able to access its storage in its current origin.
+
+ Tests: http/tests/security/cross-origin-plugin-allowed.html
+ http/tests/security/cross-origin-plugin.html
+
+ * WebCore.exp.in: Export FrameTree::top and SecurityOrigin::canAccessStorage
+ * page/SecurityOrigin.h: Added canAccessPluginStorage
+ (WebCore::SecurityOrigin::canAccessPluginStorage):
+
2012-09-04 Robert Hogan <rob...@webkit.org>
Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer
Modified: trunk/Source/WebCore/WebCore.exp.in (127512 => 127513)
--- trunk/Source/WebCore/WebCore.exp.in 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/Source/WebCore/WebCore.exp.in 2012-09-04 22:20:43 UTC (rev 127513)
@@ -1177,6 +1177,7 @@
__ZNK7WebCore14SecurityOrigin18databaseIdentifierEv
__ZNK7WebCore14SecurityOrigin5equalEPKS0_
__ZNK7WebCore14SecurityOrigin8toStringEv
+__ZNK7WebCore14SecurityOrigin16canAccessStorageEPKS0_
__ZNK7WebCore15AffineTransform10isIdentityEv
__ZNK7WebCore15AffineTransform12isInvertibleEv
__ZNK7WebCore15AffineTransform7inverseEv
@@ -1373,6 +1374,7 @@
__ZNK7WebCore9FloatQuad11boundingBoxEv
__ZNK7WebCore9FloatRect10intersectsERKS0_
__ZNK7WebCore9FloatSize6isZeroEv
+__ZNK7WebCore9FrameTree3topEv
__ZNK7WebCore9FrameTree10childCountEv
__ZNK7WebCore9FrameTree12traverseNextEPKNS_5FrameE
__ZNK7WebCore9FrameTree14isDescendantOfEPKNS_5FrameE
Modified: trunk/Source/WebCore/page/SecurityOrigin.h (127512 => 127513)
--- trunk/Source/WebCore/page/SecurityOrigin.h 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/Source/WebCore/page/SecurityOrigin.h 2012-09-04 22:20:43 UTC (rev 127513)
@@ -139,6 +139,7 @@
bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); };
bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); };
bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
+ bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
bool canAccessCookies() const { return !isUnique(); }
bool canAccessPasswordManager() const { return !isUnique(); }
bool canAccessFileSystem() const { return !isUnique(); }
Modified: trunk/Source/WebKit2/ChangeLog (127512 => 127513)
--- trunk/Source/WebKit2/ChangeLog 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/Source/WebKit2/ChangeLog 2012-09-04 22:20:43 UTC (rev 127513)
@@ -1,3 +1,16 @@
+2012-09-04 Jeffrey Pfau <jp...@apple.com>
+
+ Make plugins respect third-party storage blocking setting
+ https://bugs.webkit.org/show_bug.cgi?id=94888
+
+ Reviewed by Brady Eidson.
+
+ Plugins that are in a third-party context should be put into private browsing mode so their storage is temporary.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::isPrivateBrowsingEnabled): Put the plugin into private browsing mode if it is in a third-party context.
+ (WebKit::PluginView::privateBrowsingStateChanged): Make sure a plugin doesn't leave private browsing mode if it's in a third-party context.
+
2012-09-04 Pekka Vuorela <pvuor...@iki.fi>
[Qt] Remove use of deprecated QInputMethod method
Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (127512 => 127513)
--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-09-04 22:14:36 UTC (rev 127512)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-09-04 22:20:43 UTC (rev 127513)
@@ -583,6 +583,9 @@
if (!m_isInitialized || !m_plugin)
return;
+ if (!privateBrowsingEnabled && !frame()->document()->securityOrigin()->canAccessPluginStorage(frame()->tree()->top()->document()->securityOrigin()))
+ return;
+
m_plugin->privateBrowsingStateChanged(privateBrowsingEnabled);
}
@@ -1273,6 +1276,9 @@
if (!frame())
return true;
+ if (!frame()->document()->securityOrigin()->canAccessPluginStorage(frame()->tree()->top()->document()->securityOrigin()))
+ return true;
+
Settings* settings = frame()->settings();
if (!settings)
return true;