Diff
Modified: trunk/LayoutTests/ChangeLog (133018 => 133019)
--- trunk/LayoutTests/ChangeLog 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/ChangeLog 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,3 +1,19 @@
+2012-10-31 Mike West <[email protected]>
+
+ X-Frame-Options console message should be associated with a request.
+ https://bugs.webkit.org/show_bug.cgi?id=100735
+
+ Reviewed by Pavel Feldman.
+
+ * http/tests/inspector/network/x-frame-options-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+ * http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt:
+ Update tests with new console message.
+
2012-10-31 Raphael Kubo da Costa <[email protected]>
[EFL] Unreviewed, unskip media/video-seek-past-end-playing.html on WK2.
Modified: trunk/LayoutTests/http/tests/inspector/network/x-frame-options-deny-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/inspector/network/x-frame-options-deny-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/inspector/network/x-frame-options-deny-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
Tests that responseReceived is called on NetworkDispatcher for resource requests denied due to X-Frame-Options header.
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,7 +1,6 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
There should be no content in the iframe below
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -2,8 +2,7 @@
<unknown> - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html">
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
about:blank - willSendRequest <NSURLRequest URL about:blank, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
about:blank - didReceiveResponse <NSURLResponse about:blank, http status code 0>
There should be no content in the iframe below
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -2,8 +2,7 @@
<unknown> - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html">
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
about:blank - willSendRequest <NSURLRequest URL about:blank, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
about:blank - didReceiveResponse <NSURLResponse about:blank, http status code 0>
There should be no content in the iframe below
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -2,8 +2,7 @@
<unknown> - didFinishLoading
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html">
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
about:blank - willSendRequest <NSURLRequest URL about:blank, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
about:blank - didReceiveResponse <NSURLResponse about:blank, http status code 0>
There should be no content in the iframe below
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,7 +1,6 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
-
+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
There should be no content in the iframe below
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt (133018 => 133019)
--- trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/meta-tag-http-refresh-x-frame-options-expected.txt 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Refused to display document because display forbidden by X-Frame-Options.
+CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/xssAuditor/resources/echo-head.pl?q=%3Cmeta+http-equiv%3D%22x-frame-options%22+content%3D%22deny%22%3E' in a frame because it set 'X-Frame-Options' to 'deny'.
-
Modified: trunk/Source/WebCore/ChangeLog (133018 => 133019)
--- trunk/Source/WebCore/ChangeLog 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/Source/WebCore/ChangeLog 2012-10-31 13:33:12 UTC (rev 133019)
@@ -1,3 +1,27 @@
+2012-10-31 Mike West <[email protected]>
+
+ X-Frame-Options console message should be associated with a request.
+ https://bugs.webkit.org/show_bug.cgi?id=100735
+
+ Reviewed by Pavel Feldman.
+
+ In 99941, we added the possibility to tie console messages to requests,
+ which enables automatic generation of stack traces, line numbers, etc.
+ making the error simpler to diagnose for web developers. This patch
+ uses the piping laid in that patch to improve the console message
+ generated when a document is blocked by X-Frame-Options.
+
+ No new tests; the functionality is covered by changes to existing tests.
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv):
+ Grab the request identifier from the currently active DocumentLoader
+ and pass it into the console message.
+ * loader/MainResourceLoader.cpp:
+ (WebCore::MainResourceLoader::didReceiveResponse):
+ Grab the request identifier from the MainResourceLoader, and pass it
+ into the console message.
+
2012-10-31 Sheriff Bot <[email protected]>
Unreviewed, rolling out r133015.
Modified: trunk/Source/WebCore/dom/Document.cpp (133018 => 133019)
--- trunk/Source/WebCore/dom/Document.cpp 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/Source/WebCore/dom/Document.cpp 2012-10-31 13:33:12 UTC (rev 133019)
@@ -108,6 +108,7 @@
#include "InspectorInstrumentation.h"
#include "Language.h"
#include "Logging.h"
+#include "MainResourceLoader.h"
#include "MediaCanStartListener.h"
#include "MediaQueryList.h"
#include "MediaQueryMatcher.h"
@@ -2950,11 +2951,14 @@
if (frame) {
FrameLoader* frameLoader = frame->loader();
if (frameLoader->shouldInterruptLoadForXFrameOptions(content, url())) {
+ unsigned long requestIdentifier = 0;
+ if (frameLoader->activeDocumentLoader() && frameLoader->activeDocumentLoader()->mainResourceLoader())
+ requestIdentifier = frameLoader->activeDocumentLoader()->mainResourceLoader()->identifier();
+ String message = "Refused to display '" + url().string() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
+
frameLoader->stopAllLoaders();
frame->navigationScheduler()->scheduleLocationChange(securityOrigin(), blankURL(), String());
-
- DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to display document because display forbidden by X-Frame-Options.\n")));
- addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage);
+ addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, url().string(), 0, 0, requestIdentifier);
}
}
} else if (equalIgnoringCase(equiv, "x-webkit-csp"))
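Review bot: The identifier lookup added at the top of this block has to stay ahead of `frameLoader->stopAllLoaders()`, and nothing in the hunk says so; presumably the main resource loader is no longer reachable once loading is stopped, so a later reorder would silently log with identifier 0 and lose the association with the request. I would add `// Read the request identifier before stopAllLoaders(); the loader may be gone afterwards.` above `unsigned long requestIdentifier = 0;`, and hold the result of `frameLoader->activeDocumentLoader()` in a local rather than calling it three times. `content` is the page-supplied http-equiv value and is echoed verbatim between quotes in the message, which is only safe to read at face value if shouldInterruptLoadForXFrameOptions accepts nothing but the known tokens; that function is not visible here, so it is worth confirming. The same message is also built by hand in MainResourceLoader::didReceiveResponse, so a shared helper would keep the two strings from drifting apart. processHttpEquiv starts and ends outside the hunk.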
Modified: trunk/Source/WebCore/loader/MainResourceLoader.cpp (133018 => 133019)
--- trunk/Source/WebCore/loader/MainResourceLoader.cpp 2012-10-31 13:25:53 UTC (rev 133018)
+++ trunk/Source/WebCore/loader/MainResourceLoader.cpp 2012-10-31 13:33:12 UTC (rev 133019)
@@ -373,8 +373,8 @@
String content = it->value;
if (m_frame->loader()->shouldInterruptLoadForXFrameOptions(content, r.url())) {
InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame.get(), documentLoader(), identifier(), r);
- DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to display document because display forbidden by X-Frame-Options.\n")));
- m_frame->document()->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage);
+ String message = "Refused to display '" + r.url().string() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
+ m_frame->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, r.url().string(), 0, 0, identifier());
cancel();
return;