- Revision
- 150490
- Author
- [email protected]
- Date
- 2013-05-21 17:03:15 -0700 (Tue, 21 May 2013)
Log Message
Allow session storage for third-party origins even if third-party data access is blocked.
https://bugs.webkit.org/show_bug.cgi?id=116532
Reviewed by Anders Carlsson.
Source/WebCore:
In http://trac.webkit.org/changeset/149326 we relaxed our policy for
localStorage when third-party data blocking is enabled to create a
transient, session-scoped storage area for the third-party origin
instead of throwing an exception. Since this gives essentially the same
behavior as sessionStorage, we might as well also allow sessionStorage
for third-party origins.
Test: http/tests/security/cross-origin-session-storage-third-party-blocked.html
* WebCore.exp.in: Updated the symbol for
SecurityOrigin::canAccessStorage.
* page/DOMWindow.cpp:
(WebCore::DOMWindow::sessionStorage): Called canAccessSessionStorage()
rather than canAccessLocalStorage().
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::canAccessStorage): Passed in an enum
indicating if access should be allowed from third-party origins.
* page/SecurityOrigin.h:
(WebCore::SecurityOrigin::canAccessSessionStorage): Called
canAccessStorage() with AlwaysAllowFromThirdParty.
(SecurityOrigin):
LayoutTests:
* http/tests/security/cross-origin-session-storage-third-party-blocked-expected.txt: Renamed from LayoutTests/http/tests/security/cross-origin-session-storage-expected.txt.
* http/tests/security/cross-origin-session-storage-third-party-blocked.html: Renamed from LayoutTests/http/tests/security/cross-origin-session-storage.html.
Modified Paths
Removed Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (150489 => 150490)
--- trunk/LayoutTests/ChangeLog 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/LayoutTests/ChangeLog 2013-05-22 00:03:15 UTC (rev 150490)
@@ -1,3 +1,13 @@
+2013-05-21 Andy Estes <[email protected]>
+
+ Allow session storage for third-party origins even if third-party data access is blocked.
+ https://bugs.webkit.org/show_bug.cgi?id=116532
+
+ Reviewed by Anders Carlsson.
+
+ * http/tests/security/cross-origin-session-storage-third-party-blocked-expected.txt: Renamed from LayoutTests/http/tests/security/cross-origin-session-storage-expected.txt.
+ * http/tests/security/cross-origin-session-storage-third-party-blocked.html: Renamed from LayoutTests/http/tests/security/cross-origin-session-storage.html.
+
2013-05-21 Ryosuke Niwa <[email protected]>
Web Inspector: inspector/styles/import-pseudoclass-crash.html intermittently hits an assertion in HTMLLinkElement::startLoadingDynamicSheet
Deleted: trunk/LayoutTests/http/tests/security/cross-origin-session-storage-expected.txt (150489 => 150490)
--- trunk/LayoutTests/http/tests/security/cross-origin-session-storage-expected.txt 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/LayoutTests/http/tests/security/cross-origin-session-storage-expected.txt 2013-05-22 00:03:15 UTC (rev 150490)
@@ -1,16 +0,0 @@
-This iframe should return a security error:
-
-
-This iframe should not return any errors:
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-SecurityError
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-No exception
Deleted: trunk/LayoutTests/http/tests/security/cross-origin-session-storage.html (150489 => 150490)
--- trunk/LayoutTests/http/tests/security/cross-origin-session-storage.html 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/LayoutTests/http/tests/security/cross-origin-session-storage.html 2013-05-22 00:03:15 UTC (rev 150490)
@@ -1,24 +0,0 @@
-<html>
-<head>
-<script>
-var frames = 2;
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- internals.settings.setStorageBlockingPolicy('BlockThirdParty');
-}
-
-function decrement() {
- --frames;
- if (!frames && window.testRunner)
- internals.settings.setStorageBlockingPolicy('AllowAll');
-}
-</script>
-</head>
-<body>
-<p>This iframe should return a security error:</p>
-<iframe src="" _onload_="decrement()"></iframe>
-<p>This iframe should not return any errors:</p>
-<iframe src="" _onload_="decrement()"></iframe>
-</body>
-</html>
Modified: trunk/Source/WebCore/ChangeLog (150489 => 150490)
--- trunk/Source/WebCore/ChangeLog 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/Source/WebCore/ChangeLog 2013-05-22 00:03:15 UTC (rev 150490)
@@ -1,3 +1,32 @@
+2013-05-21 Andy Estes <[email protected]>
+
+ Allow session storage for third-party origins even if third-party data access is blocked.
+ https://bugs.webkit.org/show_bug.cgi?id=116532
+
+ Reviewed by Anders Carlsson.
+
+ In http://trac.webkit.org/changeset/149326 we relaxed our policy for
+ localStorage when third-party data blocking is enabled to create a
+ transient, session-scoped storage area for the third-party origin
+ instead of throwing an exception. Since this gives essentially the same
+ behavior as sessionStorage, we might as well also allow sessionStorage
+ for third-party origins.
+
+ Test: http/tests/security/cross-origin-session-storage-third-party-blocked.html
+
+ * WebCore.exp.in: Updated the symbol for
+ SecurityOrigin::canAccessStorage.
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::sessionStorage): Called canAccessSessionStorage()
+ rather than canAccessLocalStorage().
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::canAccessStorage): Passed in an enum
+ indicating if access should be allowed from third-party origins.
+ * page/SecurityOrigin.h:
+ (WebCore::SecurityOrigin::canAccessSessionStorage): Called
+ canAccessStorage() with AlwaysAllowFromThirdParty.
+ (SecurityOrigin):
+
2013-05-21 Hugo Parente Lima <[email protected]>
[EFL] Add missing #if guards on drag support methods
Modified: trunk/Source/WebCore/WebCore.exp.in (150489 => 150490)
--- trunk/Source/WebCore/WebCore.exp.in 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/Source/WebCore/WebCore.exp.in 2013-05-22 00:03:15 UTC (rev 150490)
@@ -1420,7 +1420,7 @@
__ZNK7WebCore14SecurityOrigin10canDisplayERKNS_4KURLE
__ZNK7WebCore14SecurityOrigin11toRawStringEv
__ZNK7WebCore14SecurityOrigin12isolatedCopyEv
-__ZNK7WebCore14SecurityOrigin16canAccessStorageEPKS0_
+__ZNK7WebCore14SecurityOrigin16canAccessStorageEPKS0_NS0_25ShouldAllowFromThirdPartyE
__ZNK7WebCore14SecurityOrigin18databaseIdentifierEv
__ZNK7WebCore14SecurityOrigin5equalEPKS0_
__ZNK7WebCore14SecurityOrigin8toStringEv
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (150489 => 150490)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2013-05-22 00:03:15 UTC (rev 150490)
@@ -745,7 +745,7 @@
if (!document)
return 0;
- if (!document->securityOrigin()->canAccessLocalStorage(document->topOrigin())) {
+ if (!document->securityOrigin()->canAccessSessionStorage(document->topOrigin())) {
ec = SECURITY_ERR;
return 0;
}
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (150489 => 150490)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2013-05-22 00:03:15 UTC (rev 150490)
@@ -381,7 +381,7 @@
return true;
}
-bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin) const
+bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAllowFromThirdParty shouldAllowFromThirdParty) const
{
if (isUnique())
return false;
@@ -396,6 +396,9 @@
if (topOrigin->m_storageBlockingPolicy == BlockAllStorage)
return false;
+ if (shouldAllowFromThirdParty == AlwaysAllowFromThirdParty)
+ return true;
+
if ((m_storageBlockingPolicy == BlockThirdPartyStorage || topOrigin->m_storageBlockingPolicy == BlockThirdPartyStorage) && topOrigin->isThirdParty(this))
return false;
Modified: trunk/Source/WebCore/page/SecurityOrigin.h (150489 => 150490)
--- trunk/Source/WebCore/page/SecurityOrigin.h 2013-05-21 23:53:49 UTC (rev 150489)
+++ trunk/Source/WebCore/page/SecurityOrigin.h 2013-05-22 00:03:15 UTC (rev 150490)
@@ -146,6 +146,7 @@
#endif
bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); };
+ bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); }
bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); };
bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
@@ -155,11 +156,6 @@
bool canAccessFileSystem() const { return !isUnique(); }
Policy canShowNotifications() const;
- // Technically, we should always allow access to sessionStorage, but we
- // currently don't handle creating a sessionStorage area for unique
- // origins.
- bool canAccessSessionStorage() const { return !isUnique(); }
-
// The local SecurityOrigin is the most privileged SecurityOrigin.
// The local SecurityOrigin can script any document, navigate to local
// resources, and can set arbitrary headers on XMLHttpRequests.
@@ -219,7 +215,9 @@
// FIXME: Rename this function to something more semantic.
bool passesFileCheck(const SecurityOrigin*) const;
bool isThirdParty(const SecurityOrigin*) const;
- bool canAccessStorage(const SecurityOrigin*) const;
+
+ enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty };
+ bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const;
String m_protocol;
String m_host;
