Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-29 11:19:35 UTC (rev 197339)
@@ -1,3 +1,21 @@
+2016-02-27 Chris Dumez <cdu...@apple.com>
+
+ Prevent cross-origin access to Location.assign() / Location.reload()
+ https://bugs.webkit.org/show_bug.cgi?id=154779
+
+ Reviewed by Darin Adler.
+
+ Update existing layout tests now that we prevent cross-origin access to
+ Location.assign() / Location.reload().
+
+ * http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt:
+ * http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html:
+ * http/tests/security/cross-frame-access-location-get-expected.txt:
+ * http/tests/security/cross-frame-access-location-get-override-expected.txt:
+ * http/tests/security/cross-frame-access-location-get-override.html:
+ * http/tests/security/cross-frame-access-location-get.html:
+ * http/tests/security/xss-DENIED-defineProperty-expected.txt:
+
2016-02-26 Said Abou-Hallawa <sabouhall...@apple.com>
<g> wrapping <symbol> causes display of hidden <symbol>
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt 2016-02-29 11:19:35 UTC (rev 197339)
@@ -194,6 +194,8 @@
CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 224: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
This test checks cross-frame access security of getOwnPropertyDescriptor (https://bugs.webkit.org/show_bug.cgi?id=32119).
@@ -408,9 +410,9 @@
PASS: canGetDescriptor(targetLocation, 'toString') should be 'false' and is.
PASS: canGetDescriptor(targetLocation, 'valueOf') should be 'false' and is.
PASS: canGetDescriptor(targetLocation, 'customProperty') should be 'false' and is.
-PASS: canGetDescriptor(targetLocation, 'assign') should be 'true' and is.
+PASS: canGetDescriptor(targetLocation, 'assign') should be 'false' and is.
+PASS: canGetDescriptor(targetLocation, 'reload') should be 'false' and is.
PASS: canGetDescriptor(targetLocation, 'replace') should be 'true' and is.
-PASS: canGetDescriptor(targetLocation, 'reload') should be 'true' and is.
----- tests access to cross domain history object -----
PASS: canGetDescriptor(targetHistory, 'length') should be 'false' and is.
PASS: canGetDescriptor(targetHistory, 'pushState') should be 'false' and is.
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html 2016-02-29 11:19:35 UTC (rev 197339)
@@ -253,10 +253,10 @@
log("----- tests access to cross domain location object -----");
window.targetLocation = targetWindow.location;
var locationPropertiesNotAllowed = [
- "protocol", "host", "hostname", "port", "pathname", "search", "hash", "toString", "valueOf", "customProperty"
+ "protocol", "host", "hostname", "port", "pathname", "search", "hash", "toString", "valueOf", "customProperty", "assign", "reload"
];
var locationPropertiesAllowed = [
- "assign", "replace", "reload"
+ "replace"
];
for (var i = 0; i < locationPropertiesNotAllowed.length; i++)
shouldBeFalse("canGetDescriptor(targetLocation, '" + locationPropertiesNotAllowed[i] + "')");
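Review bot: The shrunken locationPropertiesAllowed list still asserts only that a descriptor for replace can be obtained cross-origin, while the binding change in JSLocationCustom.cpp on this page deliberately exposes replace as read-only and non-configurable so defineProperty cannot overwrite it; an assertion on the descriptor's writable and configurable flags would pin that half of the contract. Whether canGetDescriptor hands back the descriptor or only a boolean is defined outside this hunk, so this may need a small helper rather than a one-line addition. The loop that consumes locationPropertiesAllowed also continues past the hunk.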
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt 2016-02-29 11:19:35 UTC (rev 197339)
@@ -10,6 +10,8 @@
CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
----- tests for getting window.location's properties -----
@@ -26,8 +28,8 @@
PASS: canGet('targetWindow.location.port') should be 'false' and is.
PASS: canGet('targetWindow.location.protocol') should be 'false' and is.
PASS: canGet('targetWindow.location.search') should be 'false' and is.
-PASS: canGet('targetWindow.location.assign') should be 'true' and is.
-PASS: canGet('targetWindow.location.reload') should be 'true' and is.
+PASS: canGet('targetWindow.location.assign') should be 'false' and is.
+PASS: canGet('targetWindow.location.reload') should be 'false' and is.
PASS: canGet('targetWindow.location.replace') should be 'true' and is.
PASS: canGet('targetWindow.location.existingCustomProperty') should be 'false' and is.
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt 2016-02-29 11:19:35 UTC (rev 197339)
@@ -1,10 +1,10 @@
+CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
----- tests for getting a targetWindow's location object's functions which have custom overrides. The desired behavior is for the targetWindow to return the builtin function, not the override -----
-PASS: canGet('targetWindow.location.assign') should be 'true' and is.
-PASS: toString('targetWindow.location.assign') should be 'function assign() { [native code]}' and is.
-PASS: canGet('targetWindow.location.reload') should be 'true' and is.
-PASS: toString('targetWindow.location.reload') should be 'function reload() { [native code]}' and is.
+PASS: canGet('targetWindow.location.assign') should be 'false' and is.
+PASS: canGet('targetWindow.location.reload') should be 'false' and is.
PASS: canGet('targetWindow.location.replace') should be 'true' and is.
PASS: toString('targetWindow.location.replace') should be 'function replace() { [native code]}' and is.
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html 2016-02-29 11:19:35 UTC (rev 197339)
@@ -40,12 +40,10 @@
// We should test overriding using window.location.__proto__ once the Location object has a proper prototype.
// Overriden using window.location.assign = function() { return "new assign" }
- shouldBeTrue("canGet('targetWindow.location.assign')");
- shouldBe("toString('targetWindow.location.assign')", "toString('window.location.assign')");
+ shouldBeFalse("canGet('targetWindow.location.assign')");
// Overriden using window.location.reload = "new reload"
- shouldBeTrue("canGet('targetWindow.location.reload')");
- shouldBe("toString('targetWindow.location.reload')", "toString('window.location.reload')");
+ shouldBeFalse("canGet('targetWindow.location.reload')");
// Overriden using window.location.reload = "new replace"
shouldBeTrue("canGet('targetWindow.location.replace')");
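Review bot: The comments introducing the assign and reload cases still say only that the property is overridden, but the new shouldBeFalse calls now check that the property is not reachable at all, which is the opposite of what the section's logged description (returning the builtin rather than the override) promises; the comments should state the new expectation. For example `// Overridden using window.location.assign = function() { return "new assign" }; cross-origin access is denied outright, so neither the override nor the builtin is observable.` and the equivalent wording for reload. The logged description of the section is outside this hunk, so it may need the same adjustment.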
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html 2016-02-29 11:19:35 UTC (rev 197339)
@@ -50,9 +50,9 @@
shouldBeFalse("canGet('targetWindow.location.port')");
shouldBeFalse("canGet('targetWindow.location.protocol')");
shouldBeFalse("canGet('targetWindow.location.search')");
+ shouldBeFalse("canGet('targetWindow.location.assign')");
+ shouldBeFalse("canGet('targetWindow.location.reload')");
- shouldBeTrue("canGet('targetWindow.location.assign')");
- shouldBeTrue("canGet('targetWindow.location.reload')");
shouldBeTrue("canGet('targetWindow.location.replace')");
shouldBeFalse("canGet('targetWindow.location.existingCustomProperty')");
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt 2016-02-29 11:19:35 UTC (rev 197339)
@@ -52,6 +52,12 @@
CONSOLE MESSAGE: line 36: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 36: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 36: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 38: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 40: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 40: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
CONSOLE MESSAGE: line 40: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-29 11:19:35 UTC (rev 197339)
@@ -1,3 +1,22 @@
+2016-02-27 Chris Dumez <cdu...@apple.com>
+
+ Prevent cross-origin access to Location.assign() / Location.reload()
+ https://bugs.webkit.org/show_bug.cgi?id=154779
+
+ Reviewed by Darin Adler.
+
+ Prevent cross-origin access to Location.assign() / Location.reload()
+ to match the latest specification:
+ - https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)
+
+ Firefox and Chrome already prevent this but WebKit allowed it.
+
+ No new tests, already covered by existing tests.
+
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::getOwnPropertySlotDelegate):
+ (WebCore::JSLocation::putDelegate): Deleted.
+
2016-02-26 Carlos Garcia Campos <cgar...@igalia.com>
Network cache: old pages returned by disk cache on history navigation after session is restored
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp (197338 => 197339)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-02-29 11:17:55 UTC (rev 197338)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-02-29 11:19:35 UTC (rev 197339)
@@ -47,25 +47,13 @@
if (shouldAllowAccessToFrame(exec, frame, message))
return false;
- // Check for the few functions that we allow, even when called cross-domain.
- // Make these read-only / non-configurable to prevent writes via defineProperty.
+ // We only allow access to Location.replace() cross origin.
+ // Make it read-only / non-configurable to prevent writes via defineProperty.
if (propertyName == exec->propertyNames().replace) {
slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReplace, 1>);
return true;
}
- if (propertyName == exec->propertyNames().reload) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReload, 0>);
- return true;
- }
- if (propertyName == exec->propertyNames().assign) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionAssign, 1>);
- return true;
- }
- // FIXME: Other implementers of the Window cross-domain scheme (Window, History) allow toString,
- // but for now we have decided not to, partly because it seems silly to return "[Object Location]" in
- // such cases when normally the string form of Location would be the URL.
-
printErrorMessageForFrame(frame, message);
slot.setUndefined();
return true;
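Review bot: The FIXME explaining why toString is deliberately not exposed cross-origin, unlike Window and History, is removed together with the assign/reload branches even though this commit does not change that decision; a one-line replacement after the replace block would keep the rationale, e.g. `// Unlike Window and History we deliberately do not expose toString cross-origin, since Location's string form would be the URL.` The new comment on the replace branch could also point at the spec list the ChangeLog cites (CrossOriginProperties for Location), so a reader sees that replace is the only function on that list rather than a local choice; how the href setter from that list is handled is outside this hunk. Every denied name now reaches printErrorMessageForFrame, which is what the extra console messages in the updated expectation files reflect.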