Diff
Modified: trunk/LayoutTests/ChangeLog (149325 => 149326)
--- trunk/LayoutTests/ChangeLog 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/ChangeLog 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,3 +1,21 @@
+2013-04-22 Jeffrey Pfau <jp...@apple.com>
+
+ Change approach to third-party blocking for LocalStorage
+ https://bugs.webkit.org/show_bug.cgi?id=115004
+
+ Reviewed by Maciej Stachowiak.
+
+ * http/tests/security/cross-origin-local-storage-allowed-expected.txt:
+ * http/tests/security/cross-origin-local-storage-allowed.html:
+ * http/tests/security/cross-origin-local-storage-expected.txt:
+ * http/tests/security/cross-origin-local-storage-wk1.html:
+ * http/tests/security/cross-origin-local-storage-wk1-expected.txt:
+ * http/tests/security/cross-origin-local-storage.html:
+ * http/tests/security/resources/cross-origin-iframe-for-local-storage.html:
+ * http/tests/security/resources/load-local-storage.html: Added.
+ * platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
+ * platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt:
+
2013-04-29 Yi Shen <max.hong.s...@gmail.com>
HTML Editing: Insertion point jumps when using link detection
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed-expected.txt (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed-expected.txt 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed-expected.txt 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,16 +1 @@
-This iframe should not return any errors:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-No exception
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
+Got value: value
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed.html (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed.html 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage-allowed.html 2013-04-29 22:44:35 UTC (rev 149326)
@@ -3,14 +3,16 @@
<script>
if (window.testRunner) {
testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+ internals.settings.setStorageBlockingPolicy('AllowAll');
}
+
+function continueTest() {
+ window.location.href = '';
+}
</script>
</head>
<body>
-<p>This iframe should not return any errors:</p>
-<iframe src=""
-<p>This iframe should not return any errors:</p>
-<iframe src=""
+<iframe src="" _onload_="continueTest()"></iframe>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage-expected.txt (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage-expected.txt 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage-expected.txt 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,16 +1 @@
-This iframe should return a security error:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-SecurityError
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
+No value
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1-expected.txt (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,16 +1 @@
-This iframe should return a security error:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-No exception
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
+Got value: value
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1.html (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1.html 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage-wk1.html 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,24 +1,18 @@
<html>
<head>
<script>
-var frames = 2;
if (window.testRunner) {
testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
testRunner.overridePreference('WebKitStorageBlockingPolicy', 1);
}
-function decrement() {
- --frames;
- if (!frames && window.testRunner)
- testRunner.overridePreference('WebKitStorageBlockingPolicy', 0);
+function continueTest() {
+ window.location.href = '';
}
</script>
</head>
<body>
-<p>This iframe should return a security error:</p>
-<iframe src="" _onload_="decrement()"></iframe>
-<p>This iframe should not return any errors:</p>
-<iframe src="" _onload_="decrement()"></iframe>
+<iframe src="" _onload_="continueTest()"></iframe>
</body>
</html>
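Review bot: The rewritten blocking tests (this one and cross-origin-local-storage.html below) appear to assert only that a value written from the third-party iframe is not visible afterwards, which is the `No value` expectation. Nothing visible here checks that the same third-party frame under the same top origin reads back its own partitioned value, or that two different top origins get separate partitions. Those are the isolation properties the new partitioning is meant to provide. The iframe `src` and the `location.href` target are blank on this page, so this is inferred from the expected output alone. Consider adding a case that embeds the frame under a second top origin and expects `No value` there.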
Modified: trunk/LayoutTests/http/tests/security/cross-origin-local-storage.html (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/cross-origin-local-storage.html 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/cross-origin-local-storage.html 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,24 +1,18 @@
<html>
<head>
<script>
-var frames = 2;
if (window.testRunner) {
testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
internals.settings.setStorageBlockingPolicy('BlockThirdParty');
}
-function decrement() {
- --frames;
- if (!frames && window.testRunner)
- internals.settings.setStorageBlockingPolicy('AllowAll');
+function continueTest() {
+ window.location.href = '';
}
</script>
</head>
<body>
-<p>This iframe should return a security error:</p>
-<iframe src="" _onload_="decrement()"></iframe>
-<p>This iframe should not return any errors:</p>
-<iframe src="" _onload_="decrement()"></iframe>
+<iframe src="" _onload_="continueTest()"></iframe>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-local-storage.html (149325 => 149326)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-local-storage.html 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-iframe-for-local-storage.html 2013-04-29 22:44:35 UTC (rev 149326)
@@ -3,6 +3,7 @@
<script>
try {
var c = window.localStorage;
+ c['test'] = 'value';
document.write('No exception');
} catch (exception) {
document.write(exception.name);
Added: trunk/LayoutTests/http/tests/security/resources/load-local-storage.html (0 => 149326)
--- trunk/LayoutTests/http/tests/security/resources/load-local-storage.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/load-local-storage.html 2013-04-29 22:44:35 UTC (rev 149326)
@@ -0,0 +1,26 @@
+<html>
+<head>
+<script>
+try {
+ var c = window.localStorage;
+ var value = c['test'];
+ if (value) {
+ c.clear();
+ document.write('Got value: ' + value);
+ } else {
+ document.write('No value');
+ }
+} catch (exception) {
+ document.write(exception.name);
+}
+
+if (window.testRunner) {
+ internals.settings.setStorageBlockingPolicy('AllowAll');
+ testRunner.overridePreference('WebKitStorageBlockingPolicy', 0);
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+</body>
+</head>
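Review bot: The last line of the new file closes `</head>` a second time where `</html>` is meant. Parsers recover from this, but the resource should end with `</html>`. Separately, `c.clear()` runs only in the `Got value` branch, so in the blocked case the value written into the partition is never removed by the test; whether it can be seen by a later test in the same page group cannot be determined from this page. `internals.settings` is also used under a `window.testRunner` guard, so a runner that exposes `testRunner` without `internals` would throw before `notifyDone()`; `if (window.internals)` around that call would avoid it.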
Modified: trunk/LayoutTests/platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt (149325 => 149326)
--- trunk/LayoutTests/platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/platform/mac/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,16 +1 @@
-This iframe should return a security error:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-SecurityError
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
+No value
Modified: trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt (149325 => 149326)
--- trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-local-storage-wk1-expected.txt 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,16 +1 @@
-This iframe should return a security error:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-No exception
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
+Got value: value
Modified: trunk/Source/WebCore/ChangeLog (149325 => 149326)
--- trunk/Source/WebCore/ChangeLog 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/Source/WebCore/ChangeLog 2013-04-29 22:44:35 UTC (rev 149326)
@@ -1,3 +1,27 @@
+2013-04-22 Jeffrey Pfau <jp...@apple.com>
+
+ Change approach to third-party blocking for LocalStorage
+ https://bugs.webkit.org/show_bug.cgi?id=115004
+
+ Reviewed by Maciej Stachowiak.
+
+ Instead of outright blocking LocalStorage that's used in a third-party
+ context, silently partition it based on the origin of the top context.
+ These partitions are then discarded when the page group is unloaded.
+
+ No new tests; modified existing tests to account for changes.
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::localStorage):
+ * page/PageGroup.cpp:
+ (WebCore::PageGroup::localStorage):
+ (WebCore):
+ (WebCore::PageGroup::transientLocalStorage):
+ * page/PageGroup.h:
+ (PageGroup):
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::canAccessStorage):
+
2013-04-29 Yi Shen <max.hong.s...@gmail.com>
HTML Editing: Insertion point jumps when using link detection
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (149325 => 149326)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2013-04-29 22:44:35 UTC (rev 149326)
@@ -791,7 +791,7 @@
if (!document)
return 0;
- if (!document->securityOrigin()->canAccessLocalStorage(document->topOrigin())) {
+ if (!document->securityOrigin()->canAccessLocalStorage(0)) {
ec = SECURITY_ERR;
return 0;
}
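Review bot: Passing a literal `0` as the top origin makes this guard depend on the `if (!topOrigin) return true;` path in SecurityOrigin, which that file marks with a FIXME to be replaced by an ASSERT. Once that FIXME is acted on, this call would assert, or would have to change, so null is now a supported way of saying "skip the third-party check" and should be documented as such. A comment at the call site would do, for example `// Null top origin: only this origin's own policy is checked here; third-party handling is below.` The enclosing function starts and ends outside this hunk.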
@@ -811,7 +811,12 @@
if (!page->settings()->localStorageEnabled())
return 0;
- RefPtr<StorageArea> storageArea = page->group().localStorage()->storageArea(document->securityOrigin());
+ RefPtr<StorageArea> storageArea;
+ if (!document->securityOrigin()->canAccessLocalStorage(document->topOrigin()))
+ storageArea = page->group().transientLocalStorage(document->topOrigin())->storageArea(document->securityOrigin());
+ else
+ storageArea = page->group().localStorage()->storageArea(document->securityOrigin());
+
if (!storageArea->canAccessStorage(m_frame)) {
ec = SECURITY_ERR;
return 0;
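Review bot: Every `false` from `canAccessLocalStorage(document->topOrigin())` now selects the transient namespace, not only the third-party case. Judging by the SecurityOrigin hunk on this page, that includes a top origin whose policy is `BlockAllStorage`, which before this change produced `SECURITY_ERR` through the guard above. If that guard now checks only the document's own policy, a frame under a block-all top origin would get a working in-memory store instead of an error; the rest of `canAccessStorage` is not visible here, so please confirm this is intended. If it is not, the top origin's `BlockAllStorage` should be rejected before this branch, and a comment such as `// Third-party under BlockThirdPartyStorage: in-memory partition keyed by the top origin.` would state the intent.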
Modified: trunk/Source/WebCore/page/PageGroup.cpp (149325 => 149326)
--- trunk/Source/WebCore/page/PageGroup.cpp 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/Source/WebCore/page/PageGroup.cpp 2013-04-29 22:44:35 UTC (rev 149326)
@@ -263,6 +263,15 @@
return m_localStorage.get();
}
+StorageNamespace* PageGroup::transientLocalStorage(const SecurityOrigin* topOrigin)
+{
+ String topOriginString = topOrigin->toString();
+ if (!m_transientLocalStorage.get(topOriginString))
+ m_transientLocalStorage.set(topOriginString, StorageNamespace::sessionStorageNamespace(*this->pages().begin()));
+
+ return m_transientLocalStorage.get(topOriginString).get();
+}
+
void PageGroup::addUserScriptToWorld(DOMWrapperWorld* world, const String& source, const KURL& url,
const Vector<String>& whitelist, const Vector<String>& blacklist,
UserScriptInjectionTime injectionTime, UserContentInjectedFrames injectedFrames)
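Review bot: `transientLocalStorage` dereferences `topOrigin` and `*this->pages().begin()` without checking either, so a null origin or a page group with no pages is undefined behaviour here. An `ASSERT(topOrigin);` plus an explicit check that `pages()` is non-empty before the `sessionStorageNamespace` call would make the precondition visible. The caller in DOMWindow dereferences the result immediately, so an early `return 0;` would need matching handling there. The partition key is `topOrigin->toString()`; if that string is identical for distinct unique origins, those top-level contexts would share one partition, which is worth confirming. The map is also probed three times per call and has no removal path in this hunk, so it grows with every top origin seen for the lifetime of the PageGroup.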
Modified: trunk/Source/WebCore/page/PageGroup.h (149325 => 149326)
--- trunk/Source/WebCore/page/PageGroup.h 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/Source/WebCore/page/PageGroup.h 2013-04-29 22:44:35 UTC (rev 149326)
@@ -87,6 +87,8 @@
StorageNamespace* localStorage();
bool hasLocalStorage() { return m_localStorage; }
+ StorageNamespace* transientLocalStorage(const SecurityOrigin* topOrigin);
+
void addUserScriptToWorld(DOMWrapperWorld*, const String& source, const KURL&,
const Vector<String>& whitelist, const Vector<String>& blacklist,
UserScriptInjectionTime, UserContentInjectedFrames);
@@ -128,6 +130,7 @@
unsigned m_identifier;
RefPtr<StorageNamespace> m_localStorage;
+ HashMap<String, RefPtr<StorageNamespace> > m_transientLocalStorage;
OwnPtr<UserScriptMap> m_userScripts;
OwnPtr<UserStyleSheetMap> m_userStyleSheets;
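Review bot: The new `m_transientLocalStorage` member has no comment explaining what the `String` key is or when entries are released, and both matter for reasoning about storage isolation. Based on the ChangeLog entry and the PageGroup.cpp hunk, something like `// In-memory LocalStorage partitions for third-party contexts, keyed by top-level origin string; released with the PageGroup.` would cover it. The declaration of `transientLocalStorage()` in the earlier hunk of this header would benefit from a one-line note that `topOrigin` must be non-null.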
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (149325 => 149326)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2013-04-29 22:40:07 UTC (rev 149325)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2013-04-29 22:44:35 UTC (rev 149326)
@@ -388,11 +388,14 @@
if (isUnique())
return false;
+ if (m_storageBlockingPolicy == BlockAllStorage)
+ return false;
+
// FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null.
if (!topOrigin)
return true;
- if (m_storageBlockingPolicy == BlockAllStorage || topOrigin->m_storageBlockingPolicy == BlockAllStorage)
+ if (topOrigin->m_storageBlockingPolicy == BlockAllStorage)
return false;
if ((m_storageBlockingPolicy == BlockThirdPartyStorage || topOrigin->m_storageBlockingPolicy == BlockThirdPartyStorage) && topOrigin->isThirdParty(this))