[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 15:48:11 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 1d255ef5df232168dc0bb7a9380adc90d1198e99
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 12 18:18:31 2010 +0000

    2010-11-11  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Adam Barth.
    
            Not allow drag and drop across different origins.
            https://bugs.webkit.org/show_bug.cgi?id=49098
    
            Test: http/tests/security/drag-drop-different-origin.html
    
            * page/DragController.cpp:
            (WebCore::DragController::tryDocumentDrag):
            * page/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::canDropOnTarget):
            * page/SecurityOrigin.h:
    2010-11-10  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Adam Barth.
    
            Check that drag and drop is not allowed across different origins.
            https://bugs.webkit.org/show_bug.cgi?id=49098
    
            * http/tests/security/drag-drop-different-origin-expected.txt: Added.
            * http/tests/security/drag-drop-different-origin.html: Added.
            * http/tests/security/resources/drag-drop.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71925 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 275a1c7..f81597a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-11-10  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Check that drag and drop is not allowed across different origins.
+        https://bugs.webkit.org/show_bug.cgi?id=49098
+  
+        * http/tests/security/drag-drop-different-origin-expected.txt: Added.
+        * http/tests/security/drag-drop-different-origin.html: Added.
+        * http/tests/security/resources/drag-drop.html: Added.
+
 2010-11-12  Mihai Parparita  <mihaip at chromium.org>
 
         Unreviewed Chromium expectations update.
diff --git a/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt
new file mode 100644
index 0000000..33a1f92
--- /dev/null
+++ b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt
@@ -0,0 +1,2 @@
+ALERT: PASS
+Dragme 
diff --git a/LayoutTests/http/tests/security/drag-drop-different-origin.html b/LayoutTests/http/tests/security/drag-drop-different-origin.html
new file mode 100644
index 0000000..4e624d7
--- /dev/null
+++ b/LayoutTests/http/tests/security/drag-drop-different-origin.html
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function moveToCenter(element)
+{
+    x = element.offsetParent.offsetLeft + element.offsetLeft + element.offsetWidth / 2;
+    y = element.offsetParent.offsetTop + element.offsetTop + element.offsetHeight / 2;
+    eventSender.mouseMoveTo(x, y);
+}
+
+function runTest() {
+
+    var x, y;
+    var span = document.getElementById("span");
+    moveToCenter(span);
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+
+    eventSender.leapForward(1000);
+
+    eventSender.mouseDown();
+
+    eventSender.leapForward(500);
+
+    var input = document.getElementById("target");
+    moveToCenter(input);
+    eventSender.leapForward(500);
+    eventSender.mouseUp();
+    
+    input.contentWindow.postMessage("go", "*");
+}
+</script>
+</head>
+<body onload="runTest()">
+<span id="span">Dragme</span>
+<iframe id="target" src="http://localhost:8000/security/resources/drag-drop.html"></iframe>
+</body>
+</html>
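Review bot: This test can report PASS without a drop ever reaching the frame, because the only assertion (in resources/drag-drop.html) is that "Dragme" is absent from the frame body, which is equally true if the simulated drag misses the iframe or never starts. A same-origin control that expects the text to arrive would show that the `eventSender` sequence in `runTest()` really delivers a drop, so the cross-origin PASS reflects the origin check rather than a harness miss. As a smaller point, `moveToCenter()` assigns `x` and `y` as implicit globals while `runTest()` declares unused locals of the same names; `var x = ...` and `var y = ...` inside `moveToCenter()` would remove the ambiguity.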
diff --git a/LayoutTests/http/tests/security/resources/drag-drop.html b/LayoutTests/http/tests/security/resources/drag-drop.html
new file mode 100644
index 0000000..b3f71de
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/drag-drop.html
@@ -0,0 +1,16 @@
+<script>
+    window.addEventListener("message", receiveMessage, false);
+    
+    function receiveMessage(event)
+    {
+        if (document.body.innerHTML.match(/Dragme/i))
+            alert("FAIL");
+        else
+            alert("PASS");
+        
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+</script>
+<body contenteditable="true">
+</body>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index eb3040a..3cf7d58 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-11  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Not allow drag and drop across different origins.
+        https://bugs.webkit.org/show_bug.cgi?id=49098
+
+        Test: http/tests/security/drag-drop-different-origin.html
+
+        * page/DragController.cpp:
+        (WebCore::DragController::tryDocumentDrag):
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::canDropOnTarget):
+        * page/SecurityOrigin.h:
+
 2010-11-11  Alexander Pavlov  <apavlov at chromium.org>
 
         Reviewed by Yury Semikhatsky.
diff --git a/WebCore/page/DragController.cpp b/WebCore/page/DragController.cpp
index 2e7d241..eb90f85 100644
--- a/WebCore/page/DragController.cpp
+++ b/WebCore/page/DragController.cpp
@@ -295,6 +295,9 @@ bool DragController::tryDocumentDrag(DragData* dragData, DragDestinationAction a
     if (!m_documentUnderMouse)
         return false;
 
+    if (m_dragInitiator && !m_documentUnderMouse->securityOrigin()->canReceiveDragData(m_dragInitiator->securityOrigin()))
+        return false;
+
     m_isHandlingDrag = false;
     if (actionMask & DragDestinationActionDHTML) {
         m_isHandlingDrag = tryDHTMLDrag(dragData, operation);
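Review bot: The new origin check in `tryDocumentDrag` is skipped whenever `m_dragInitiator` is null, and nothing in the hunk says when that happens or why such drags are trusted. If a null initiator means the drag started outside this page (inferred, not visible here), a comment such as `// No initiator document: the drag did not start in this page, so there is no origin to compare.` would record that this is a deliberate allowance rather than a gap. The check also sits ahead of `tryDHTMLDrag`, so a target page's own drop handlers never see a cross-origin drag; it is worth confirming that refusing those, and not only the default editing drop, is intended. The function body starts and continues outside the hunk.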
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index f0e999f..9ad23c6 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -273,6 +273,18 @@ bool SecurityOrigin::taintsCanvas(const KURL& url) const
     return true;
 }
 
+bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
+{
+    // FIXME: Currently we treat data URLs as having a unique origin, contrary to the
+    // current (9/19/2009) draft of the HTML5 specification. We still want to allow
+    // drop across data URLs, so we special case data URLs below. If we change to
+    // match HTML5 w.r.t. data URL security, then we can remove this check.
+    if (m_protocol == "data")
+        return true;
+
+    return canAccess(dragInitiator);  
+}
+
 bool SecurityOrigin::isAccessWhiteListed(const SecurityOrigin* targetOrigin) const
 {
     if (OriginAccessWhiteList* list = originAccessMap().get(toString())) {
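Review bot: The `data` exemption in `canReceiveDragData` looks only at the receiving origin's `m_protocol`, so a document loaded from a data: URL accepts drops from every initiator, which is wider than the comment's "drop across data URLs". If only data-to-data drops are meant, the condition could be `if (m_protocol == "data" && dragInitiator->m_protocol == "data")`; otherwise the comment should say plainly that a data: target is exempt from the origin check. `dragInitiator` is handed to `canAccess` without a null check, so the function relies on its callers (the one in this commit tests `m_dragInitiator` first), and that precondition deserves a line in the comment. The WebCore ChangeLog entry also lists `canDropOnTarget`, while the function actually added is `canReceiveDragData`.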
diff --git a/WebCore/page/SecurityOrigin.h b/WebCore/page/SecurityOrigin.h
index 2a63966..db6c44e 100644
--- a/WebCore/page/SecurityOrigin.h
+++ b/WebCore/page/SecurityOrigin.h
@@ -84,6 +84,11 @@ public:
     // drawing an image onto an HTML canvas element with the drawImage API.
     bool taintsCanvas(const KURL&) const;
 
+    // Returns true if this SecurityOrigin can receive drag content from the
+    // initiator. For example, call this function before allowing content to be
+    // dropped onto a target.
+    bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;    
+
     // Returns true if |document| can display content from the given URL (e.g.,
     // in an iframe or as an image). For example, web sites generally cannot
     // display content from the user's files system.
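Review bot: The header comment for `canReceiveDragData` leaves out two parts of the contract that a caller making a security decision needs: a receiving origin whose protocol is `data` always returns true, and `dragInitiator` is expected to be non-null. Suggested wording is `// Returns true if this origin may receive drag content from |dragInitiator| (must be non-null).` followed by `// Origins with the data: protocol currently accept drops from any initiator; see the FIXME in SecurityOrigin.cpp.` The declaration line also carries trailing whitespace.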

-- 
WebKit Debian packaging


