[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

abarth at webkit.org abarth at webkit.org
Thu Apr 8 00:59:32 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit da56e7aac6f440abc7a74eaaf38972f5444e3d38
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jan 11 00:47:33 2010 +0000

    2010-01-10  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            Add defensive initialization of iframe sandbox flags
            https://bugs.webkit.org/show_bug.cgi?id=32368
    
            Test that mutating the allow-same-origin directive in the sandbox
            attribute does not affect the current document (but does affect the
            next document).
    
            * http/tests/security/resources/sandboxed-iframe-origin-add-step1.html: Added.
            * http/tests/security/resources/sandboxed-iframe-origin-add-step2.html: Added.
            * http/tests/security/resources/sandboxed-iframe-origin-remove-step1.html: Added.
            * http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html: Added.
            * http/tests/security/sandboxed-iframe-origin-add-expected.txt: Added.
            * http/tests/security/sandboxed-iframe-origin-add.html: Added.
            * http/tests/security/sandboxed-iframe-origin-remove-expected.txt: Added.
            * http/tests/security/sandboxed-iframe-origin-remove.html: Added.
    2010-01-10  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            Add defensive initialization of iframe sandbox flags
            https://bugs.webkit.org/show_bug.cgi?id=32368
    
            We now initialize the SecurityOrigin's sandbox state directly duing
            construction.  This lets us properly set the isUnique bit.
    
            Tests: http/tests/security/sandboxed-iframe-origin-add.html
                   http/tests/security/sandboxed-iframe-origin-remove.html
    
            * WebCore.base.exp:
            * dom/Document.cpp:
            (WebCore::Document::initSecurityContext):
            * page/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::SecurityOrigin):
            (WebCore::SecurityOrigin::create):
            (WebCore::SecurityOrigin::setSandboxFlags):
            * page/SecurityOrigin.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53056 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d9e3042..11bf352 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,5 +1,25 @@
 2010-01-10  Adam Barth  <abarth at webkit.org>
 
+        Reviewed by Darin Adler.
+
+        Add defensive initialization of iframe sandbox flags
+        https://bugs.webkit.org/show_bug.cgi?id=32368
+
+        Test the mutating the allow-same-origin directive in the sandbox
+        attribute does not affect the current document (but does affect the
+        next document).
+
+        * http/tests/security/resources/sandboxed-iframe-origin-add-step1.html: Added.
+        * http/tests/security/resources/sandboxed-iframe-origin-add-step2.html: Added.
+        * http/tests/security/resources/sandboxed-iframe-origin-remove-step1.html: Added.
+        * http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html: Added.
+        * http/tests/security/sandboxed-iframe-origin-add-expected.txt: Added.
+        * http/tests/security/sandboxed-iframe-origin-add.html: Added.
+        * http/tests/security/sandboxed-iframe-origin-remove-expected.txt: Added.
+        * http/tests/security/sandboxed-iframe-origin-remove.html: Added.
+
+2010-01-10  Adam Barth  <abarth at webkit.org>
+
         Reviewed by Nikolas Zimmermann.
 
         http/tests/security/xss-DENIED-window-open-javascript-url.html timed out on Windows Debug Bot
diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step1.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step1.html
new file mode 100644
index 0000000..6c79e77
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step1.html
@@ -0,0 +1,11 @@
+<script>
+window.addEventListener("message", function (evt) {
+    try {
+        top.fail();
+    } catch(e) {
+        top.postMessage("step1-done", "*");
+    }
+}, false);
+
+top.postMessage("step1-ready", "*");
+</script>
diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step2.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step2.html
new file mode 100644
index 0000000..07fd776
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-add-step2.html
@@ -0,0 +1,3 @@
+<script>
+top.pass();
+</script>
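Review bot: `top.pass()` at line 109 runs with no try/catch, so if the next document's origin were still unique (exactly the regression this test exists to catch) the call throws a cross-origin exception, `notifyDone()` is never reached, and the test times out instead of printing FAIL. Wrapping it as `try { top.pass(); } catch (e) { top.postMessage("step2-blocked", "*"); }` and having the parent log FAIL and call `notifyDone()` on `step2-blocked` turns a silent hang into a diagnosed failure.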
diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step1.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step1.html
new file mode 100644
index 0000000..fcfaf08
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step1.html
@@ -0,0 +1,8 @@
+<script>
+window.addEventListener("message", function (evt) {
+    top.pass();
+    top.postMessage("step1-done", "*");
+}, false);
+
+top.postMessage("step1-ready", "*");
+</script>
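Review bot: If `top.pass()` at line 119 throws because the current document's origin was wrongly made unique when `allow-same-origin` was removed, the `step1-done` message at line 120 is never posted, step2 is never loaded, and the test hangs until the harness timeout rather than reporting FAIL. A guard such as `try { top.pass(); } catch (e) { top.postMessage("step1-blocked", "*"); }`, with a matching FAIL branch in the parent, makes that regression visible in the dumped output.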
diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html
new file mode 100644
index 0000000..2a92a60
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html
@@ -0,0 +1,7 @@
+<script>
+try {
+    top.fail();
+} catch(e) {
+    top.postMessage("step2-done", "*");
+}
+</script>
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt b/LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt
new file mode 100644
index 0000000..b18d6d5
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-add.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-add-step1.html. Domains, protocols and ports must match.
+
+Test that adding allow-origin after creating an iframe doesn't modify the origin of an existing document, but it doesn modify the origin of the next document.
+
+PASS
+
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-origin-add.html b/LayoutTests/http/tests/security/sandboxed-iframe-origin-add.html
new file mode 100644
index 0000000..9bf3e7c
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-origin-add.html
@@ -0,0 +1,50 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function log(msg) {
+    var div = document.createElement("div");
+    div.innerText = msg;
+    document.getElementById("console").appendChild(div);
+}
+
+function fail() {
+    log("FAIL: The origin of the document was mutated.");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function pass() {
+    log("PASS");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+window.addEventListener("message", function (evt) {
+    var fr = document.getElementById("theFrame");
+    if (evt.data == "step1-ready") {
+        fr.sandbox = "allow-scripts allow-same-origin";
+        fr.contentWindow.postMessage("go", "*");
+    } else if (evt.data == "step1-done")
+        fr.src = "resources/sandboxed-iframe-origin-add-step2.html";
+}, false);
+
+</script>
+</head>
+
+<body>
+<p>Test that adding allow-origin after creating an iframe doesn't modify
+the origin of an existing document, but it doesn modify the origin of the
+next document.</p>
+
+<div id="console"></div>
+ 
+<iframe id="theFrame" sandbox="allow-scripts"
+        src="resources/sandboxed-iframe-origin-add-step1.html">
+</iframe>
+</body>
+</html>
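Review bot: The description at lines 195-197 says `allow-origin` and `doesn modify`, but the directive toggled at line 185 is `allow-same-origin` and the intended claim is that the origin of the next document *does* change; the same wording is frozen into the expected output at line 146, so correcting it means regenerating that file. Suggested text: `Test that adding allow-same-origin after creating an iframe doesn't modify the origin of an existing document, but does modify the origin of the next document.` Separately, the listener at lines 182-189 has no branch for any message from step2, so if the second document cannot reach `top` the test can only time out rather than print FAIL.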
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt b/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt
new file mode 100644
index 0000000..fda220c
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-remove.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-remove-step2.html. Domains, protocols and ports must match.
+
+Test that removing allow-origin after creating an iframe doesn't modify the origin of an existing document, but it doesn modify the origin of the next document.
+
+PASS
+
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove.html b/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove.html
new file mode 100644
index 0000000..3e533a4
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove.html
@@ -0,0 +1,52 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function log(msg) {
+    var div = document.createElement("div");
+    div.innerText = msg;
+    document.getElementById("console").appendChild(div);
+}
+
+function fail() {
+    log("FAIL: The origin of the document was mutated.");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function pass() {
+    log("PASS");
+}
+
+window.addEventListener("message", function (evt) {
+    var fr = document.getElementById("theFrame");
+    if (evt.data == "step1-ready") {
+        fr.sandbox = "allow-scripts";
+        fr.contentWindow.postMessage("go", "*");
+    } else if (evt.data == "step1-done")
+        fr.src = "resources/sandboxed-iframe-origin-remove-step2.html";
+    else if (evt.data == "step2-done") {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+}, false);
+
+</script>
+</head>
+
+<body>
+<p>Test that removing allow-origin after creating an iframe doesn't modify
+the origin of an existing document, but it doesn modify the origin of the
+next document.</p>
+
+<div id="console"></div>
+ 
+<iframe id="theFrame" sandbox="allow-scripts allow-same-origin"
+        src="resources/sandboxed-iframe-origin-remove-step1.html">
+</iframe>
+</body>
+</html>
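Review bot: `pass()` at lines 244-246 deliberately omits `notifyDone()` (unlike `fail()` at lines 238-242 and unlike the add test) because step2 must still run before the test ends, but nothing says so; a comment such as `// No notifyDone() here: step2 must still verify the next document is sandboxed.` would stop a later cleanup from "fixing" it. The description at lines 265-267 also says `allow-origin` and `doesn modify` where `allow-same-origin` and `does modify` are meant, and that text is echoed in the expected output at line 214.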
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 5c9ae7b..5b87801 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2010-01-10  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Add defensive initialization of iframe sandbox flags
+        https://bugs.webkit.org/show_bug.cgi?id=32368
+
+        We now initialize the SecurityOrigin's sandbox state directly duing
+        construction.  This lets us properly set the isUnique bit.
+
+        Tests: http/tests/security/sandboxed-iframe-origin-add.html
+               http/tests/security/sandboxed-iframe-origin-remove.html
+
+        * WebCore.base.exp:
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext):
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::SecurityOrigin):
+        (WebCore::SecurityOrigin::create):
+        (WebCore::SecurityOrigin::setSandboxFlags):
+        * page/SecurityOrigin.h:
+
 2010-01-10  Pavel Feldman  <pfeldman at chromium.org>
 
         Reviewed by Timothy Hatcher.
diff --git a/WebCore/WebCore.base.exp b/WebCore/WebCore.base.exp
index 7e854b4..3399a4e 100644
--- a/WebCore/WebCore.base.exp
+++ b/WebCore/WebCore.base.exp
@@ -300,7 +300,7 @@ __ZN7WebCore14SecurityOrigin18shouldHideReferrerERKNS_4KURLERKNS_6StringE
 __ZN7WebCore14SecurityOrigin24registerURLSchemeAsLocalERKNS_6StringE
 __ZN7WebCore14SecurityOrigin25whiteListAccessFromOriginERKS0_RKNS_6StringES5_b
 __ZN7WebCore14SecurityOrigin27resetOriginAccessWhiteListsEv
-__ZN7WebCore14SecurityOrigin6createERKNS_4KURLE
+__ZN7WebCore14SecurityOrigin6createERKNS_4KURLEi
 __ZN7WebCore14SecurityOrigin7canLoadERKNS_4KURLERKNS_6StringEPNS_8DocumentE
 __ZN7WebCore15ArchiveResource6createEN3WTF10PassRefPtrINS_12SharedBufferEEERKNS_4KURLERKNS_6StringESA_SA_RKNS_16ResourceResponseE
 __ZN7WebCore15BackForwardList10removeItemEPNS_11HistoryItemE
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index fe24a57..37635f8 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -4340,10 +4340,8 @@ void Document::initSecurityContext()
     // loading URL.
     const KURL& url = m_frame->loader()->url();
     m_cookieURL = url;
-    ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(url));
+    ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(url, m_frame->loader()->sandboxFlags()));
 
-    updateSandboxFlags();
- 
     if (SecurityOrigin::allowSubstituteDataAccessToLocal()) {
         // If this document was loaded with substituteData, then the document can
         // load local resources.  See https://bugs.webkit.org/show_bug.cgi?id=16756
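Review bot: Nothing at line 328 records why the loader's sandbox flags must be handed to `SecurityOrigin::create()` rather than applied afterwards, which is the whole reason the `updateSandboxFlags()` call is dropped; a comment such as `// Pass the sandbox flags at construction: the origin's uniqueness is decided once, here, and later setSandboxFlags() calls do not revisit it.` would keep someone from reinstating the old two-step pattern. If `updateSandboxFlags()` did anything beyond forwarding the loader's flags to the origin (its body is not in the hunk), that work is no longer performed here and is worth confirming. `initSecurityContext` begins and ends outside this hunk.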
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index cdc80bc..a2bdfaf 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -77,12 +77,12 @@ static URLSchemesMap& schemesWithUniqueOrigins()
     return schemesWithUniqueOrigins;
 }
 
-SecurityOrigin::SecurityOrigin(const KURL& url)
-    : m_sandboxFlags(SandboxNone)
+SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
+    : m_sandboxFlags(sandboxFlags)
     , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
     , m_host(url.host().isNull() ? "" : url.host().lower())
     , m_port(url.port())
-    , m_isUnique(false)
+    , m_isUnique(isSandboxed(SandboxOrigin) || shouldTreatURLSchemeAsNoAccess(m_protocol))
     , m_universalAccess(false)
     , m_domainWasSetInDOM(false)
 {
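Review bot: Moving `shouldTreatURLSchemeAsNoAccess(m_protocol)` into the initializer at line 351 evaluates it before the `about`/`javascript` normalization at lines 356-357, whereas the removed body code at lines 359-361 evaluated it after `m_protocol` had been cleared; for those two schemes the check now sees "about"/"javascript" instead of "", so the outcome differs if either is (or later becomes) registered as a no-access scheme. The initializer also relies on `m_sandboxFlags` and `m_protocol` being declared before `m_isUnique` in the class, which the initializer-list order suggests but only the `m_sandboxFlags` declaration is visible in this diff. I would keep the initializer as `m_isUnique(isSandboxed(SandboxOrigin))` and restore the body check after the normalization, `if (shouldTreatURLSchemeAsNoAccess(m_protocol)) m_isUnique = true;`, with a comment that uniqueness is computed once here and never reset.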
@@ -90,14 +90,6 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
     if (m_protocol == "about" || m_protocol == "javascript")
         m_protocol = "";
 
-    // Some URLs are not allowed access to anything other than themselves.
-    if (shouldTreatURLSchemeAsNoAccess(m_protocol))
-        m_isUnique = true;
-
-    // If this ASSERT becomes false in the future, please consider the impact
-    // of m_sandoxFlags on m_isUnique.
-    ASSERT(m_sandboxFlags == SandboxNone);
-
     // document.domain starts as m_host, but can be set by the DOM.
     m_domain = m_host;
 
@@ -131,11 +123,11 @@ bool SecurityOrigin::isEmpty() const
     return m_protocol.isEmpty();
 }
 
-PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url)
+PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url, SandboxFlags sandboxFlags)
 {
     if (!url.isValid())
-        return adoptRef(new SecurityOrigin(KURL()));
-    return adoptRef(new SecurityOrigin(url));
+        return adoptRef(new SecurityOrigin(KURL(), sandboxFlags));
+    return adoptRef(new SecurityOrigin(url, sandboxFlags));
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::createEmpty()
@@ -271,18 +263,11 @@ void SecurityOrigin::grantUniversalAccess()
 
 void SecurityOrigin::setSandboxFlags(SandboxFlags flags)
 {
+    // Although you might think that we should set m_isUnique based on
+    // SandboxOrigin, that's not actually the right behavior. We're supposed to
+    // freeze the origin of a document when it is created, even if the sandbox
+    // flags change after that point in time.
     m_sandboxFlags = flags;
-    if (isSandboxed(SandboxOrigin))
-        m_isUnique = true;
-
-    // Although you might think that we should set m_isUnique to false when
-    // flags doesn't contain SandboxOrigin, that's not actually the right
-    // behavior. We're supposed to freeze the origin of a document when it
-    // is created, even if the sandbox flags change after that point in time.
-    //
-    // FIXME: Our current behavior here is buggy because we need to
-    //        distinguish between the sandbox flags at creation and the
-    //        sandbox flags that might come about later.
 }
 
 bool SecurityOrigin::isLocal() const
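Review bot: After this change `setSandboxFlags()` never touches `m_isUnique`, so an origin produced by a factory that takes no flags (`createEmpty()`, `createFromString()`, `createFromDatabaseIdentifier()` in the header) and then sandboxed with `SandboxOrigin` stays non-unique; that is the fail-open direction if any such caller exists, which this hunk cannot show. The comment at lines 389-392 explains why uniqueness is not re-derived but not where it is now decided; I would extend it with `// m_isUnique is computed once in the constructor from the flags passed to create(); this setter intentionally leaves it alone.`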
diff --git a/WebCore/page/SecurityOrigin.h b/WebCore/page/SecurityOrigin.h
index 4a6eb3c..3514401 100644
--- a/WebCore/page/SecurityOrigin.h
+++ b/WebCore/page/SecurityOrigin.h
@@ -49,7 +49,7 @@ class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> {
 public:
     static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
     static PassRefPtr<SecurityOrigin> createFromString(const String&);
-    static PassRefPtr<SecurityOrigin> create(const KURL&);
+    static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone);
     static PassRefPtr<SecurityOrigin> createEmpty();
 
     // Create a deep copy of this SecurityOrigin. This method is useful
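Review bot: The default `SandboxFlags = SandboxNone` at line 417 means a call site that forgets to pass the frame's flags silently gets an unsandboxed, non-unique origin, which is the unsafe direction for a change described as defensive. Since `m_isUnique` is now fixed at construction, consider dropping the default so every caller states its flags, `static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags);`, or at least adding `// SandboxNone is only appropriate for contexts that can never be sandboxed.` above it. The export in WebCore.base.exp already carries the new signature, so the interface is changing for external callers regardless.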
@@ -187,7 +187,7 @@ public:
     static void resetOriginAccessWhiteLists();
 
 private:
-    explicit SecurityOrigin(const KURL&);
+    SecurityOrigin(const KURL&, SandboxFlags);
     explicit SecurityOrigin(const SecurityOrigin*);
 
     SandboxFlags m_sandboxFlags;
