[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
abarth at webkit.org
abarth at webkit.org
Thu Oct 29 20:48:20 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 0e7ddb4c8d506c3b4e1762cfad7baabc7bcc072d
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Oct 20 01:19:01 2009 +0000
2009-10-19 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
Bypass popup blocker using click event
https://bugs.webkit.org/show_bug.cgi?id=21501
Test that a fake event can't get around the popup blocker.
* http/tests/security/popup-blocked-from-fake-event-expected.txt: Added.
* http/tests/security/popup-blocked-from-fake-event.html: Added.
2009-10-19 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
Bypass popup blocker using click event
https://bugs.webkit.org/show_bug.cgi?id=21501
Keep track of which events were generated by JavaScript and use that
information when figuring out if we're processing a user gesture.
Test: http/tests/security/popup-blocked-from-fake-event.html
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::processingUserGestureEvent):
* bindings/v8/ScriptController.cpp:
(WebCore::ScriptController::processingUserGesture):
* dom/Document.cpp:
(WebCore::Document::createEvent):
* dom/Event.cpp:
(WebCore::Event::Event):
* dom/Event.h:
(WebCore::Event::createdByDOM):
(WebCore::Event::setCreatedByDOM):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 952846d..0cc2532 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2009-10-19 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Bypass popup blocker using click event
+ https://bugs.webkit.org/show_bug.cgi?id=21501
+
+ Test that a fake event can't get around the popup blocker.
+
+ * http/tests/security/popup-blocked-from-fake-event-expected.txt: Added.
+ * http/tests/security/popup-blocked-from-fake-event.html: Added.
+
2009-10-19 Jason Yan <tailofthesun at gmail.com>
Reviewed by Eric Seidel.
diff --git a/LayoutTests/http/tests/security/popup-blocked-from-fake-event-expected.txt b/LayoutTests/http/tests/security/popup-blocked-from-fake-event-expected.txt
new file mode 100644
index 0000000..0a15ab7
--- /dev/null
+++ b/LayoutTests/http/tests/security/popup-blocked-from-fake-event-expected.txt
@@ -0,0 +1,2 @@
+ALERT: PASS
+Go?
diff --git a/LayoutTests/http/tests/security/popup-blocked-from-fake-event.html b/LayoutTests/http/tests/security/popup-blocked-from-fake-event.html
new file mode 100644
index 0000000..a421e91
--- /dev/null
+++ b/LayoutTests/http/tests/security/popup-blocked-from-fake-event.html
@@ -0,0 +1,20 @@
+<html>
+<body>
+<a id="test" onclick="go()">Go?</a>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+
+oClickEvent = document.createEvent("MouseEvents");
+oClickEvent.initEvent("click", true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
+document.getElementById("test").dispatchEvent(oClickEvent);
+
+function go() {
+ oWin = window.open("about:blank", "blabla");
+ alert(oWin ? "FAIL" : "PASS");
+}
+</script>
+</body>
+</html>
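Review bot: `oClickEvent.initEvent(...)` on L78 is handed the 15-argument `initMouseEvent` parameter list, but `initEvent` takes only type, bubbles and cancelable, so the trailing arguments are silently ignored and the test reads as if it were building a full mouse event when it is not. Either call `initMouseEvent` with that list or trim it to `oClickEvent.initEvent("click", true, true);` so the intent is unambiguous. `oClickEvent` and `oWin` are also implicit globals; `var` declarations would keep them out of the window scope. The test covers only the "MouseEvents" path of createEvent; a second dispatch built from "Events" or "UIEvents" with type "click" would show the guard is type-independent, which I can only infer from this patch.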
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 036201a..150313b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2009-10-19 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Bypass popup blocker using click event
+ https://bugs.webkit.org/show_bug.cgi?id=21501
+
+ Keep track of which events were generated by JavaScript and use that
+ inforation when figuring out if we're processing a user gesture.
+
+ Test: http/tests/security/popup-blocked-from-fake-event.html
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::processingUserGestureEvent):
+ * bindings/v8/ScriptController.cpp:
+ (WebCore::ScriptController::processingUserGesture):
+ * dom/Document.cpp:
+ (WebCore::Document::createEvent):
+ * dom/Event.cpp:
+ (WebCore::Event::Event):
+ * dom/Event.h:
+ (WebCore::Event::createdByDOM):
+ (WebCore::Event::setCreatedByDOM):
+
2009-10-19 Dumitru Daniliuc <dumi at chromium.org>
Reviewed by Darin Adler.
diff --git a/WebCore/bindings/js/ScriptController.cpp b/WebCore/bindings/js/ScriptController.cpp
index e99bb35..54acc90 100644
--- a/WebCore/bindings/js/ScriptController.cpp
+++ b/WebCore/bindings/js/ScriptController.cpp
@@ -186,6 +186,9 @@ bool ScriptController::processingUserGestureEvent() const
return false;
if (Event* event = m_windowShell->window()->currentEvent()) {
+ if (event->createdByDOM())
+ return false;
+
const AtomicString& type = event->type();
if ( // mouse events
type == eventNames().clickEvent || type == eventNames().mousedownEvent ||
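Review bot: The early return on `event->createdByDOM()` drops the gesture even when the synthetic event is dispatched from inside a genuinely user-initiated handler, because `currentEvent()` presumably reports the innermost event being dispatched; a page whose real click handler dispatches a synthetic click on another element and opens a window from there will now be blocked. That may be the right trade-off for bug 21501, but it deserves a comment at the guard such as `// A script-synthesized event never counts as a gesture, even when nested inside a real one.` The identical guard is added to bindings/v8/ScriptController.cpp in the next hunk, so the two gesture classifiers continue to drift independently; a shared predicate on Event (for example an `isUserGestureEvent()` that folds in this check and the type list) would keep them aligned. processingUserGestureEvent begins and ends outside this hunk.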
diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index f808151..493c43e 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -160,6 +160,9 @@ bool ScriptController::processingUserGesture() const
// Based on code from kjs_bindings.cpp.
// Note: This is more liberal than Firefox's implementation.
if (event) {
+ if (event->createdByDOM())
+ return false;
+
const AtomicString& type = event->type();
bool eventOk =
// mouse events
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index c28b2eb..475a8c1 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -2891,42 +2891,47 @@ void Document::dispatchWindowLoadEvent()
PassRefPtr<Event> Document::createEvent(const String& eventType, ExceptionCode& ec)
{
+ RefPtr<Event> event;
if (eventType == "Event" || eventType == "Events" || eventType == "HTMLEvents")
- return Event::create();
- if (eventType == "KeyboardEvent" || eventType == "KeyboardEvents")
- return KeyboardEvent::create();
- if (eventType == "MessageEvent")
- return MessageEvent::create();
- if (eventType == "MouseEvent" || eventType == "MouseEvents")
- return MouseEvent::create();
- if (eventType == "MutationEvent" || eventType == "MutationEvents")
- return MutationEvent::create();
- if (eventType == "OverflowEvent")
- return OverflowEvent::create();
- if (eventType == "PageTransitionEvent")
- return PageTransitionEvent::create();
- if (eventType == "ProgressEvent")
- return ProgressEvent::create();
+ event = Event::create();
+ else if (eventType == "KeyboardEvent" || eventType == "KeyboardEvents")
+ event = KeyboardEvent::create();
+ else if (eventType == "MessageEvent")
+ event = MessageEvent::create();
+ else if (eventType == "MouseEvent" || eventType == "MouseEvents")
+ event = MouseEvent::create();
+ else if (eventType == "MutationEvent" || eventType == "MutationEvents")
+ event = MutationEvent::create();
+ else if (eventType == "OverflowEvent")
+ event = OverflowEvent::create();
+ else if (eventType == "PageTransitionEvent")
+ event = PageTransitionEvent::create();
+ else if (eventType == "ProgressEvent")
+ event = ProgressEvent::create();
#if ENABLE(DOM_STORAGE)
- if (eventType == "StorageEvent")
- return StorageEvent::create();
+ else if (eventType == "StorageEvent")
+ event = StorageEvent::create();
#endif
- if (eventType == "TextEvent")
- return TextEvent::create();
- if (eventType == "UIEvent" || eventType == "UIEvents")
- return UIEvent::create();
- if (eventType == "WebKitAnimationEvent")
- return WebKitAnimationEvent::create();
- if (eventType == "WebKitTransitionEvent")
- return WebKitTransitionEvent::create();
- if (eventType == "WheelEvent")
- return WheelEvent::create();
+ else if (eventType == "TextEvent")
+ event = TextEvent::create();
+ else if (eventType == "UIEvent" || eventType == "UIEvents")
+ event = UIEvent::create();
+ else if (eventType == "WebKitAnimationEvent")
+ event = WebKitAnimationEvent::create();
+ else if (eventType == "WebKitTransitionEvent")
+ event = WebKitTransitionEvent::create();
+ else if (eventType == "WheelEvent")
+ event = WheelEvent::create();
#if ENABLE(SVG)
- if (eventType == "SVGEvents")
- return Event::create();
- if (eventType == "SVGZoomEvents")
- return SVGZoomEvent::create();
+ else if (eventType == "SVGEvents")
+ event = Event::create();
+ else if (eventType == "SVGZoomEvents")
+ event = SVGZoomEvent::create();
#endif
+ if (event) {
+ event->setCreatedByDOM(true);
+ return event.release();
+ }
ec = NOT_SUPPORTED_ERR;
return 0;
}
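Review bot: `event->setCreatedByDOM(true)` at L222 is the only place the flag is set, so the popup-blocker guard in ScriptController is only as strong as the guarantee that nothing clears it between creation and dispatch; from this hunk I cannot tell whether Event::initEvent()/initMouseEvent(), which the new test calls on the returned object, leave m_createdByDOM untouched. That invariant should be stated next to the assignment, e.g. `// Script-created events must never look like a user gesture (bug 21501); nothing may reset this flag later.` As a point of style, the if/else-if chain now straddles the `#if ENABLE(DOM_STORAGE)` and `#if ENABLE(SVG)` blocks, which compiles today but is easy to break when a branch is added at a boundary; a small static helper that keeps the original early returns, wrapped by createEvent setting the flag, would avoid the chain and most of this diff.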
diff --git a/WebCore/dom/Event.cpp b/WebCore/dom/Event.cpp
index aa9e09e..ba310ef 100644
--- a/WebCore/dom/Event.cpp
+++ b/WebCore/dom/Event.cpp
@@ -35,6 +35,7 @@ Event::Event()
, m_defaultPrevented(false)
, m_defaultHandled(false)
, m_cancelBubble(false)
+ , m_createdByDOM(false)
, m_eventPhase(0)
, m_currentTarget(0)
, m_createTime(static_cast<DOMTimeStamp>(currentTime() * 1000.0))
@@ -49,6 +50,7 @@ Event::Event(const AtomicString& eventType, bool canBubbleArg, bool cancelableAr
, m_defaultPrevented(false)
, m_defaultHandled(false)
, m_cancelBubble(false)
+ , m_createdByDOM(false)
, m_eventPhase(0)
, m_currentTarget(0)
, m_createTime(static_cast<DOMTimeStamp>(currentTime() * 1000.0))
diff --git a/WebCore/dom/Event.h b/WebCore/dom/Event.h
index 58b1f80..74a2f10 100644
--- a/WebCore/dom/Event.h
+++ b/WebCore/dom/Event.h
@@ -145,6 +145,9 @@ namespace WebCore {
virtual Clipboard* clipboard() const { return 0; }
+ bool createdByDOM() const { return m_createdByDOM; }
+ void setCreatedByDOM(bool createdByDOM) { m_createdByDOM = createdByDOM; }
+
protected:
Event();
Event(const AtomicString& type, bool canBubble, bool cancelable);
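Review bot: The new accessors at L254-255 carry no comment, and the name `createdByDOM` reads as "created by the engine", which is the opposite of what the member comment in the next hunk of this file says ("created by document.createEvent()", i.e. by script); a reader of ScriptController will guess wrong about what the guard rejects. Add a comment above the getter such as `// True when script created this event via document.createEvent(); such events are never treated as a user gesture.`, or consider a name like `createdByScript()` before the API spreads further.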
@@ -162,6 +165,9 @@ namespace WebCore {
bool m_defaultHandled;
bool m_cancelBubble;
+ // Whether this event was created by document.createEvent().
+ bool m_createdByDOM;
+
unsigned short m_eventPhase;
EventTarget* m_currentTarget;
RefPtr<EventTarget> m_target;
--