[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
inferno at chromium.org
inferno at chromium.org
Wed Dec 22 15:48:11 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 1d255ef5df232168dc0bb7a9380adc90d1198e99
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Nov 12 18:18:31 2010 +0000
2010-11-11 Abhishek Arya <inferno at chromium.org>
Reviewed by Adam Barth.
Not allow drag and drop across different origins.
https://bugs.webkit.org/show_bug.cgi?id=49098
Test: http/tests/security/drag-drop-different-origin.html
* page/DragController.cpp:
(WebCore::DragController::tryDocumentDrag):
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::canDropOnTarget):
* page/SecurityOrigin.h:
2010-11-10 Abhishek Arya <inferno at chromium.org>
Reviewed by Adam Barth.
Check that drag and drop is not allowed across different origins.
https://bugs.webkit.org/show_bug.cgi?id=49098
* http/tests/security/drag-drop-different-origin-expected.txt: Added.
* http/tests/security/drag-drop-different-origin.html: Added.
* http/tests/security/resources/drag-drop.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 275a1c7..f81597a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-11-10 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Check that drag and drop is not allowed across different origins.
+ https://bugs.webkit.org/show_bug.cgi?id=49098
+
+ * http/tests/security/drag-drop-different-origin-expected.txt: Added.
+ * http/tests/security/drag-drop-different-origin.html: Added.
+ * http/tests/security/resources/drag-drop.html: Added.
+
2010-11-12 Mihai Parparita <mihaip at chromium.org>
Unreviewed Chromium expectations update.
diff --git a/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt
new file mode 100644
index 0000000..33a1f92
--- /dev/null
+++ b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt
@@ -0,0 +1,2 @@
+ALERT: PASS
+Dragme
diff --git a/LayoutTests/http/tests/security/drag-drop-different-origin.html b/LayoutTests/http/tests/security/drag-drop-different-origin.html
new file mode 100644
index 0000000..4e624d7
--- /dev/null
+++ b/LayoutTests/http/tests/security/drag-drop-different-origin.html
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function moveToCenter(element)
+{
+ x = element.offsetParent.offsetLeft + element.offsetLeft + element.offsetWidth / 2;
+ y = element.offsetParent.offsetTop + element.offsetTop + element.offsetHeight / 2;
+ eventSender.mouseMoveTo(x, y);
+}
+
+function runTest() {
+
+ var x, y;
+ var span = document.getElementById("span");
+ moveToCenter(span);
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+ eventSender.mouseDown();
+ eventSender.mouseUp();
+
+ eventSender.leapForward(1000);
+
+ eventSender.mouseDown();
+
+ eventSender.leapForward(500);
+
+ var input = document.getElementById("target");
+ moveToCenter(input);
+ eventSender.leapForward(500);
+ eventSender.mouseUp();
+
+ input.contentWindow.postMessage("go", "*");
+}
+</script>
+</head>
+<body onload="runTest()">
+<span id="span">Dragme</span>
+<iframe id="target" src="http://localhost:8000/security/resources/drag-drop.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/resources/drag-drop.html b/LayoutTests/http/tests/security/resources/drag-drop.html
new file mode 100644
index 0000000..b3f71de
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/drag-drop.html
@@ -0,0 +1,16 @@
+<script>
+ window.addEventListener("message", receiveMessage, false);
+
+ function receiveMessage(event)
+ {
+ if (document.body.innerHTML.match(/Dragme/i))
+ alert("FAIL");
+ else
+ alert("PASS");
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+</script>
+<body contenteditable="true">
+</body>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index eb3040a..3cf7d58 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-11 Abhishek Arya <inferno at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Not allow drag and drop across different origins.
+ https://bugs.webkit.org/show_bug.cgi?id=49098
+
+ Test: http/tests/security/drag-drop-different-origin.html
+
+ * page/DragController.cpp:
+ (WebCore::DragController::tryDocumentDrag):
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::canDropOnTarget):
+ * page/SecurityOrigin.h:
+
2010-11-11 Alexander Pavlov <apavlov at chromium.org>
Reviewed by Yury Semikhatsky.
diff --git a/WebCore/page/DragController.cpp b/WebCore/page/DragController.cpp
index 2e7d241..eb90f85 100644
--- a/WebCore/page/DragController.cpp
+++ b/WebCore/page/DragController.cpp
@@ -295,6 +295,9 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a
if (!m_documentUnderMouse)
return false;
+ if (m_dragInitiator && !m_documentUnderMouse->securityOrigin()->canReceiveDragData(m_dragInitiator->securityOrigin()))
+ return false;
+
m_isHandlingDrag = false;
if (actionMask & DragDestinationActionDHTML) {
m_isHandlingDrag = tryDHTMLDrag(dragData, operation);
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index f0e999f..9ad23c6 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -273,6 +273,18 @@ bool SecurityOrigin::taintsCanvas(const KURL& url) const
return true;
}
+bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
+{
+ // FIXME: Currently we treat data URLs as having a unique origin, contrary to the
+ // current (9/19/2009) draft of the HTML5 specification. We still want to allow
+ // drop across data URLs, so we special case data URLs below. If we change to
+ // match HTML5 w.r.t. data URL security, then we can remove this check.
+ if (m_protocol == "data")
+ return true;
+
+ return canAccess(dragInitiator);
+}
+
bool SecurityOrigin::isAccessWhiteListed(const SecurityOrigin* targetOrigin) const
{
if (OriginAccessWhiteList* list = originAccessMap().get(toString())) {
diff --git a/WebCore/page/SecurityOrigin.h b/WebCore/page/SecurityOrigin.h
index 2a63966..db6c44e 100644
--- a/WebCore/page/SecurityOrigin.h
+++ b/WebCore/page/SecurityOrigin.h
@@ -84,6 +84,11 @@ public:
// drawing an image onto an HTML canvas element with the drawImage API.
bool taintsCanvas(const KURL&) const;
+ // Returns true if this SecurityOrigin can receive drag content from the
+ // initiator. For example, call this function before allowing content to be
+ // dropped onto a target.
+ bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
+
// Returns true if |document| can display content from the given URL (e.g.,
// in an iframe or as an image). For example, web sites generally cannot
// display content from the user's files system.
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list