[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Thu Apr 8 02:14:05 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 06b53e478d37f2ba155b9135fbb04f2c8f55ee33
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Mar 8 19:40:49 2010 +0000

    2010-03-08  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Nate Chapin.
    
            [V8] Block popups from inline script
            https://bugs.webkit.org/show_bug.cgi?id=35474
    
            Test that we block popups generated from <script>window.open(...)</script>.
    
            * http/tests/security/popup-blocked-from-window-open-expected.txt: Added.
            * http/tests/security/popup-blocked-from-window-open.html: Added.
    2010-03-08  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Nate Chapin.
    
            [V8] Block popups from inline script
            https://bugs.webkit.org/show_bug.cgi?id=35474
    
            Apparently, we're supposed to look at the sourceURL to figure out
            whether we're running a script tag or a hyperlink.  This logic is
            copied from the JSC version.
    
            Test: http/tests/security/popup-blocked-from-window-open.html
    
            * bindings/v8/ScriptController.cpp:
            (WebCore::ScriptController::processingUserGesture):
            (WebCore::ScriptController::evaluate):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55674 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 588bf60..ea09140 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-03-08  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Nate Chapin.
+
+        [V8] Block popups from inline script
+        https://bugs.webkit.org/show_bug.cgi?id=35474
+
+        Test that we block popups generated from <script>window.open(...)</script>.
+
+        * http/tests/security/popup-blocked-from-window-open-expected.txt: Added.
+        * http/tests/security/popup-blocked-from-window-open.html: Added.
+
 2010-03-08  Brady Eidson  <beidson at apple.com>
 
         Reviewed by Anders Carlsson.
diff --git a/LayoutTests/fast/events/resize-subframe-expected.txt b/LayoutTests/http/tests/security/popup-blocked-from-window-open-expected.txt
similarity index 100%
copy from LayoutTests/fast/events/resize-subframe-expected.txt
copy to LayoutTests/http/tests/security/popup-blocked-from-window-open-expected.txt
diff --git a/LayoutTests/http/tests/security/popup-blocked-from-window-open.html b/LayoutTests/http/tests/security/popup-blocked-from-window-open.html
new file mode 100644
index 0000000..4541344
--- /dev/null
+++ b/LayoutTests/http/tests/security/popup-blocked-from-window-open.html
@@ -0,0 +1,13 @@
+<html> 
+<body>
+<script> 
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+
+win = window.open("about:blank");
+alert(win ? "FAIL" : "PASS");
+</script> 
+</body> 
+</html>
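Review bot: `win` on the `window.open` line is assigned without a declaration, so the test leaks an implicit global; `var win = window.open("about:blank");` keeps the same behaviour and matches how the other lines in the file are written. The `<html> `, `<script> `, `</script> ` and `</body> ` lines also carry trailing whitespace that should be stripped. The test only covers the blocked case; a companion check that a user-gesture-initiated `window.open` still succeeds would guard the other half of the new condition in processingUserGesture, though that may belong in a separate test.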
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 40bb6b6..a672cd3 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-03-08  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Nate Chapin.
+
+        [V8] Block popups from inline script
+        https://bugs.webkit.org/show_bug.cgi?id=35474
+
+        Apparently, we're supposed to look at the sourceURL to figure out
+        whether we're running a script tag or a hyperlink.  This logic is
+        copied from the JSC version.
+
+        Test: http/tests/security/popup-blocked-from-window-open.html
+
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::processingUserGesture):
+        (WebCore::ScriptController::evaluate):
+
 2010-03-08  Stuart Morgan  <stuartmorgan at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index db20a3d..5609af6 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -190,7 +190,7 @@ bool ScriptController::processingUserGesture(DOMWrapperWorld*) const
 
         if (eventOk)
             return true;
-    } else if (activeProxy->inlineCode() && !activeProxy->timerCallback()) {
+    } else if (m_sourceURL && m_sourceURL->isNull() && !activeProxy->timerCallback()) {
         // This is the <a href="javascript:window.open('...')> case -> we let it through.
         return true;
     }
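Review bot: The comment above `return true;` still describes only the `<a href="javascript:...">` case, but the new condition decides it by `m_sourceURL->isNull()`, and nothing here says why a null source URL identifies a hyperlink rather than an inline `<script>` element. A comment along the lines of `// m_sourceURL is published by evaluate() for the script currently running; a null URL marks a javascript: navigation rather than a <script> element, which we let through (see bug 35474).` would make the dereference and the intent readable without the ChangeLog. The test relies on evaluate() always having restored or set `m_sourceURL` before this runs, which is worth stating in that comment. processingUserGesture's body starts before this hunk.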
@@ -219,7 +219,9 @@ void ScriptController::evaluateInIsolatedWorld(unsigned worldID, const Vector<Sc
 ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
 {
     String sourceURL = sourceCode.url();
-    
+    const String* savedSourceURL = m_sourceURL;
+    m_sourceURL = &sourceURL;
+
     if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
         return ScriptValue();
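Review bot: The early `return ScriptValue();` under `!m_XSSAuditor->canEvaluate(...)` leaves `m_sourceURL` pointing at the stack-local `sourceURL` after evaluate() returns, because the restore `m_sourceURL = savedSourceURL;` is only performed in the later hunk after `m_frame->keepAlive()`; the next processingUserGesture() call would then dereference a dangling pointer in its `m_sourceURL->isNull()` test. Restoring before that return, `m_sourceURL = savedSourceURL; return ScriptValue();`, closes this path. The lines between this hunk and the next are not shown, so any other early return there needs the same treatment, which is why a small scope guard that saves the pointer in its constructor and restores it in its destructor would be the more robust form. evaluate() continues past both hunks.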
@@ -237,9 +239,11 @@ ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
     v8::Local<v8::Value> object = m_proxy->evaluate(sourceCode, 0);
 
     // Evaluating the JavaScript could cause the frame to be deallocated
-    // so we starot the keep alive timer here.
+    // so we start the keep alive timer here.
     m_frame->keepAlive();
 
+    m_sourceURL = savedSourceURL;
+
     if (object.IsEmpty() || object->IsUndefined())
         return ScriptValue();
 
