[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 14:52:28 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 7f449584a8bb7f16c9d5e96e8ad93507ae965aea
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 22 21:05:16 2010 +0000

    2010-10-22  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Add code in getMatchedCSSRules to block cross origin access to stylesheet data. Prevent access
            in JavaScript to non author stylesheets.
            https://bugs.webkit.org/show_bug.cgi?id=46853
    
            Tests: http/tests/security/cross-origin-getMatchedCSSRules.html
                   http/tests/security/cross-origin-getMatchedCSSRules2.html
    
            * css/CSSRule.h:
            * css/CSSStyleSelector.cpp:
            (WebCore::CSSStyleSelector::matchRulesForList):
            (WebCore::CSSStyleSelector::SelectorChecker::SelectorChecker):
            (WebCore::CSSStyleSelector::styleRulesForElement):
            (WebCore::CSSStyleSelector::pseudoStyleRulesForElement):
            * css/CSSStyleSelector.h:
            * page/DOMWindow.cpp:
            (WebCore::DOMWindow::getMatchedCSSRules):
            * page/DOMWindow.idl:
    
    2010-10-22  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Tests that cross origin bypass does not work with getMatchedCSSRules. Rebaseline existing tests
            that try to access non-author stylesheets. This functionality is no longer supported. So, css rules
            should return null for those cases.
            https://bugs.webkit.org/show_bug.cgi?id=46853
    
            * fast/backgrounds/repeat/background-repeat-shorthand-expected.txt:
            * fast/backgrounds/repeat/margin-shorthand-expected.txt:
            * fast/backgrounds/repeat/resources/background-repeat-shorthand.js:
            * fast/backgrounds/repeat/resources/margin-shorthand.js:
            * fast/css/disabled-author-styles.html:
            * fast/css/modify-ua-rules-from-javascript-expected.txt:
            * fast/css/modify-ua-rules-from-javascript.html:
            * fast/css/word-break-user-modify-allowed-values.html:
            * http/tests/security/cross-frame-access-call-expected.txt:
            * http/tests/security/cross-frame-access-call.html:
            * http/tests/security/cross-origin-getMatchedCSSRules-expected.txt: Added.
            * http/tests/security/cross-origin-getMatchedCSSRules.html: Added.
            * http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt: Added.
            * http/tests/security/cross-origin-getMatchedCSSRules2.html: Added.
            * http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html: Added.
            * platform/chromium/http/tests/security/cross-frame-access-call-expected.txt:
            * platform/qt/http/tests/security/cross-frame-access-call-expected.txt:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70335 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 53a6705..ae2f725 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,30 @@
+2010-10-22  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Tests that cross origin bypass does not work with getMatchedCSSRules. Rebaseline existing tests
+        that try to access non-author stylesheets. This functionality is no longer supported. So, css rules
+        should return null for those cases.
+        https://bugs.webkit.org/show_bug.cgi?id=46853
+
+        * fast/backgrounds/repeat/background-repeat-shorthand-expected.txt:
+        * fast/backgrounds/repeat/margin-shorthand-expected.txt:
+        * fast/backgrounds/repeat/resources/background-repeat-shorthand.js:
+        * fast/backgrounds/repeat/resources/margin-shorthand.js:
+        * fast/css/disabled-author-styles.html:
+        * fast/css/modify-ua-rules-from-javascript-expected.txt:
+        * fast/css/modify-ua-rules-from-javascript.html:
+        * fast/css/word-break-user-modify-allowed-values.html:
+        * http/tests/security/cross-frame-access-call-expected.txt:
+        * http/tests/security/cross-frame-access-call.html:
+        * http/tests/security/cross-origin-getMatchedCSSRules-expected.txt: Added.
+        * http/tests/security/cross-origin-getMatchedCSSRules.html: Added.
+        * http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt: Added.
+        * http/tests/security/cross-origin-getMatchedCSSRules2.html: Added.
+        * http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html: Added.
+        * platform/chromium/http/tests/security/cross-frame-access-call-expected.txt:
+        * platform/qt/http/tests/security/cross-frame-access-call-expected.txt:
+
 2010-10-22  Andy Estes  <aestes at apple.com>
 
         Reviewed by Eric Carlson.
diff --git a/LayoutTests/fast/backgrounds/repeat/background-repeat-shorthand-expected.txt b/LayoutTests/fast/backgrounds/repeat/background-repeat-shorthand-expected.txt
index 858b7db..2f9764b 100644
--- a/LayoutTests/fast/backgrounds/repeat/background-repeat-shorthand-expected.txt
+++ b/LayoutTests/fast/backgrounds/repeat/background-repeat-shorthand-expected.txt
@@ -1,33 +1,32 @@
-Tests that correct shorthand name is returned for background-repeat-x, background-repeat-y, background-position-x, background-position-y, -webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, -webkit-mask-position-y when corresponding shorthand is used in the style declaration. It tests regression described in this bug.
+This layout test used to test that correct shorthand name is returned for background-repeat-x, background-repeat-y, background-position-x, background-position-y, -webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, -webkit-mask-position-y when corresponding shorthand is used in the style declaration. It tests regression described in this bug. Now that access to non author stylesheet is blocked, we should instead get null when accessing the css rules on that object.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS getShorthand("background-repeat-x", "icon1") is "background-repeat"
-PASS getShorthand("background-repeat-y", "icon1") is "background-repeat"
-PASS getShorthand("background-repeat", "icon1") is null
-PASS getShorthand("background-position-x", "icon1") is "background-position"
-PASS getShorthand("background-position-y", "icon1") is "background-position"
-PASS getShorthand("background-position", "icon1") is null
-PASS getShorthand("-webkit-mask-repeat-x", "icon1") is "-webkit-mask-repeat"
-PASS getShorthand("-webkit-mask-repeat-y", "icon1") is "-webkit-mask-repeat"
-PASS getShorthand("-webkit-mask-repeat", "icon1") is null
-PASS getShorthand("-webkit-mask-position-x", "icon1") is "-webkit-mask-position"
-PASS getShorthand("-webkit-mask-position-y", "icon1") is "-webkit-mask-position"
-PASS getShorthand("-webkit-mask-repeat", "icon1") is null
-Test that shorthand names are null for #icon2 since its styles are declared with longhand properties:
-PASS getShorthand("background-repeat-x", "icon2") is null
-PASS getShorthand("background-repeat-y", "icon2") is null
-PASS getShorthand("background-repeat", "icon2") is null
-PASS getShorthand("background-position-x", "icon2") is null
-PASS getShorthand("background-position-y", "icon2") is null
-PASS getShorthand("background-position", "icon2") is null
-PASS getShorthand("-webkit-mask-repeat-x", "icon2") is null
-PASS getShorthand("-webkit-mask-repeat-y", "icon2") is null
-PASS getShorthand("-webkit-mask-repeat", "icon2") is null
-PASS getShorthand("-webkit-mask-position-x", "icon2") is null
-PASS getShorthand("-webkit-mask-position-y", "icon2") is null
-PASS getShorthand("-webkit-mask-repeat", "icon2") is null
+PASS getShorthand("background-repeat-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-repeat-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-position-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-position-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-repeat-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-repeat-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("background-position", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-position-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-position-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
+PASS getShorthand("-webkit-mask-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
 PASS successfullyParsed is true
 
 TEST COMPLETE
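
Review bot: All 24 expectations in this baseline are now the identical TypeError on 'rules[1]', so the file no longer checks any shorthand name and the regression the test was written for is left uncovered. Rather than rebaselining to an exception, consider moving the styles under test into an author stylesheet of the test page so that getShorthand() still returns "background-repeat" and the other names. Baking the exact exception wording into every line also ties the baseline to one script engine's message text.
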
diff --git a/LayoutTests/fast/backgrounds/repeat/margin-shorthand-expected.txt b/LayoutTests/fast/backgrounds/repeat/margin-shorthand-expected.txt
index 5206a38..70e34dd 100644
--- a/LayoutTests/fast/backgrounds/repeat/margin-shorthand-expected.txt
+++ b/LayoutTests/fast/backgrounds/repeat/margin-shorthand-expected.txt
@@ -1,9 +1,9 @@
-Tests that shorthand property value is correct even if background-repeat property is declared before it in the style declaration. It tests regression described in this bug.
+This layouttest was initially there to test that shorthand property value is correct even if background-repeat property is declared before it in the style declaration. It used to test regression described in this bug. Now that access to non author stylesheet is blocked, we should instead get null when accessing the css rules on that object.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS iconMarginValue() is "0px"
+PASS iconMarginValue() threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/backgrounds/repeat/resources/background-repeat-shorthand.js b/LayoutTests/fast/backgrounds/repeat/resources/background-repeat-shorthand.js
index 87594db..897bef5 100644
--- a/LayoutTests/fast/backgrounds/repeat/resources/background-repeat-shorthand.js
+++ b/LayoutTests/fast/backgrounds/repeat/resources/background-repeat-shorthand.js
@@ -1,9 +1,12 @@
-description('Tests that correct shorthand name is returned for background-repeat-x, ' +
+description('This layout test used to test that correct shorthand name ' + 
+            'is returned for background-repeat-x, ' +
             'background-repeat-y, background-position-x, background-position-y, ' +
             '-webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, ' +
             '-webkit-mask-position-y when corresponding shorthand is used in the style ' +
             'declaration. It tests regression described in ' +
-            '<a href="https://bugs.webkit.org/show_bug.cgi?id=28972">this bug</a>.');
+            '<a href="https://bugs.webkit.org/show_bug.cgi?id=28972">this bug</a>.' +
+            ' Now that access to non author stylesheet is blocked, we should instead' +
+            ' get null when accessing the css rules on that object.');
 
 function getShorthand(longhand, iconId)
 {
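
Review bot: The sentence added to the description says the test should "get null when accessing the css rules", but getShorthand() still dereferences rules[1] and the new expectations report 'rules[1]' [undefined], which means a rule list was returned and only lacks the entry the test used to read. Reword the description to say that the non-author rule is no longer in the returned list, or assert on the list itself instead of on the resulting exception.
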
@@ -12,40 +15,38 @@ function getShorthand(longhand, iconId)
     return rules[1].style.getPropertyShorthand(longhand);
 }
 
-shouldBe('getShorthand("background-repeat-x", "icon1")', '"background-repeat"');
-shouldBe('getShorthand("background-repeat-y", "icon1")', '"background-repeat"');
-shouldBe('getShorthand("background-repeat", "icon1")', 'null');
+shouldThrow('getShorthand("background-repeat-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-repeat-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("background-position-x", "icon1")', '"background-position"');
-shouldBe('getShorthand("background-position-y", "icon1")', '"background-position"');
-shouldBe('getShorthand("background-position", "icon1")', 'null');
+shouldThrow('getShorthand("background-position-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-position-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-position", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("-webkit-mask-repeat-x", "icon1")', '"-webkit-mask-repeat"');
-shouldBe('getShorthand("-webkit-mask-repeat-y", "icon1")', '"-webkit-mask-repeat"');
-shouldBe('getShorthand("-webkit-mask-repeat", "icon1")', 'null');
+shouldThrow('getShorthand("-webkit-mask-repeat-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("-webkit-mask-position-x", "icon1")', '"-webkit-mask-position"');
-shouldBe('getShorthand("-webkit-mask-position-y", "icon1")', '"-webkit-mask-position"');
-shouldBe('getShorthand("-webkit-mask-repeat", "icon1")', 'null');
+shouldThrow('getShorthand("-webkit-mask-position-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-position-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
 
-debug('Test that shorthand names are null for #icon2 since its styles are declared ' +
-      'with longhand properties:');
-shouldBe('getShorthand("background-repeat-x", "icon2")', 'null');
-shouldBe('getShorthand("background-repeat-y", "icon2")', 'null');
-shouldBe('getShorthand("background-repeat", "icon2")', 'null');
+shouldThrow('getShorthand("background-repeat-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-repeat-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("background-position-x", "icon2")', 'null');
-shouldBe('getShorthand("background-position-y", "icon2")', 'null');
-shouldBe('getShorthand("background-position", "icon2")', 'null');
+shouldThrow('getShorthand("background-position-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-position-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("background-position", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("-webkit-mask-repeat-x", "icon2")', 'null');
-shouldBe('getShorthand("-webkit-mask-repeat-y", "icon2")', 'null');
-shouldBe('getShorthand("-webkit-mask-repeat", "icon2")', 'null');
+shouldThrow('getShorthand("-webkit-mask-repeat-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
-shouldBe('getShorthand("-webkit-mask-position-x", "icon2")', 'null');
-shouldBe('getShorthand("-webkit-mask-position-y", "icon2")', 'null');
-shouldBe('getShorthand("-webkit-mask-repeat", "icon2")', 'null');
+shouldThrow('getShorthand("-webkit-mask-position-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-position-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
+shouldThrow('getShorthand("-webkit-mask-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
 
 var successfullyParsed = true;
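
Review bot: In both "-webkit-mask-position" groups the third assertion checks "-webkit-mask-repeat" again instead of "-webkit-mask-position", a copy-paste slip carried over from the removed shouldBe lines. Since these lines are being rewritten anyway, fix the property name. Every call now fails at the same rules[1] dereference, so one shouldThrow per icon would say as much as the 24 here.
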
diff --git a/LayoutTests/fast/backgrounds/repeat/resources/margin-shorthand.js b/LayoutTests/fast/backgrounds/repeat/resources/margin-shorthand.js
index 5078ed6..5907829 100644
--- a/LayoutTests/fast/backgrounds/repeat/resources/margin-shorthand.js
+++ b/LayoutTests/fast/backgrounds/repeat/resources/margin-shorthand.js
@@ -1,7 +1,10 @@
-description('Tests that shorthand property value is correct even if' +
+description('This layouttest was initially there to test that' +
+            ' shorthand property value is correct even if' +
             ' background-repeat property is declared before it in the ' +
-            ' style declaration. It tests regression described in ' + 
-            '<a href="https://bugs.webkit.org/show_bug.cgi?id=28973">this bug</a>.');
+            ' style declaration. It used to test regression described in ' + 
+            ' <a href="https://bugs.webkit.org/show_bug.cgi?id=28973">this bug</a>.' + 
+            ' Now that access to non author stylesheet is blocked, we should instead' +
+            ' get null when accessing the css rules on that object.');
 
 function iconMarginValue()
 {
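
Review bot: The concatenated description ends one piece with 'described in ' and starts the next with ' <a href=', which yields a double space, and the two added lines ending in "' + " carry trailing whitespace. "layouttest" is written "layout test" in the sibling background-repeat-shorthand.js description; use one spelling in both. The "get null" wording has the same mismatch with the 'rules[1]' [undefined] expectation as in that file.
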
@@ -10,6 +13,6 @@ function iconMarginValue()
     return rules[1].style.getPropertyValue('margin');
 }
 
-shouldBe('iconMarginValue()', '"0px"');
+shouldThrow('iconMarginValue()', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
 
 var successfullyParsed = true;
diff --git a/LayoutTests/fast/css/disabled-author-styles.html b/LayoutTests/fast/css/disabled-author-styles.html
index 8888547..cf5841c 100644
--- a/LayoutTests/fast/css/disabled-author-styles.html
+++ b/LayoutTests/fast/css/disabled-author-styles.html
@@ -16,7 +16,7 @@
 
         function checkMatchedRules()
         {
-            var matchedRules = getMatchedCSSRules(document.getElementById("test"), "", true);
+            var matchedRules = getMatchedCSSRules(document.getElementById("test"), "");
             if (matchedRules && matchedRules.length)
                 alert(matchedRules.length + " rule(s) were returned from getMatchedCSSRules, expected zero.");
 
diff --git a/LayoutTests/fast/css/modify-ua-rules-from-javascript-expected.txt b/LayoutTests/fast/css/modify-ua-rules-from-javascript-expected.txt
index 7ef22e9..5eeb8d3 100644
--- a/LayoutTests/fast/css/modify-ua-rules-from-javascript-expected.txt
+++ b/LayoutTests/fast/css/modify-ua-rules-from-javascript-expected.txt
@@ -1 +1,2 @@
+CONSOLE MESSAGE: line 11: TypeError: Result of expression 'window.getMatchedCSSRules(document.body, "", false)' [null] is not an object.
 PASS
diff --git a/LayoutTests/fast/css/modify-ua-rules-from-javascript.html b/LayoutTests/fast/css/modify-ua-rules-from-javascript.html
index a32b8d2..dd2e784 100644
--- a/LayoutTests/fast/css/modify-ua-rules-from-javascript.html
+++ b/LayoutTests/fast/css/modify-ua-rules-from-javascript.html
@@ -13,13 +13,13 @@ function test()
     styleToChange.marginTop = "200px";
     styleToChange.marginTop = originalMarginTop;
 
-    document.getElementById("result").innerHTML = "PASS";
+    document.getElementById("result").innerHTML = "FAIL";
 }
 </script>
 </head>
 <body onload="test()">
 <div id="result">
-Test didn't run
+PASS
 </div>
 </body>
 </html>
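
Review bot: The test now passes only because an uncaught TypeError stops test() before its last line and leaves the static "PASS" text in the result div, with the exception text and line number pinned in the expected file as a CONSOLE MESSAGE. Check the return value explicitly instead: write "PASS" when getMatchedCSSRules() returns null and "FAIL" otherwise, which makes the intent visible in the test and removes the console line from the baseline. The call recorded in that baseline still passes a third argument (false), while other tests in this patch drop it.
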
diff --git a/LayoutTests/fast/css/word-break-user-modify-allowed-values.html b/LayoutTests/fast/css/word-break-user-modify-allowed-values.html
index e86510b..b617ee3 100644
--- a/LayoutTests/fast/css/word-break-user-modify-allowed-values.html
+++ b/LayoutTests/fast/css/word-break-user-modify-allowed-values.html
@@ -4,7 +4,7 @@
         if (window.layoutTestController)
             layoutTestController.dumpAsText();
 
-        var rules = getMatchedCSSRules(document.body, "", true);
+        var rules = getMatchedCSSRules(document.body, "");
         if (rules && rules.length) {
             log("FAIL: Expected 0 matched rules, but found " + rules.length + ":");
             for (var i = 0; i < rules.length; ++i)
diff --git a/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt b/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
index 5c97d02..07aca5b 100644
--- a/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
+++ b/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
@@ -63,7 +63,7 @@ PASS: window.find.call(targetWindow, 'string', false, false, false, false, false
 PASS: window.confirm.call(targetWindow, 'message') should be 'undefined' and is.
 PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
 PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
-PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
+PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
 PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
 PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
 PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
diff --git a/LayoutTests/http/tests/security/cross-frame-access-call.html b/LayoutTests/http/tests/security/cross-frame-access-call.html
index 7bbb9ef..0bdefe5 100644
--- a/LayoutTests/http/tests/security/cross-frame-access-call.html
+++ b/LayoutTests/http/tests/security/cross-frame-access-call.html
@@ -33,7 +33,7 @@ window.onload = function()
     shouldBe("window.confirm.call(targetWindow, 'message')", "undefined");
     shouldBe("window.prompt.call(targetWindow, 'message', 'defaultValue')", "undefined");
     shouldBe("window.getComputedStyle.call(targetWindow, document.body, '')", "undefined");
-    shouldBe("window.getMatchedCSSRules.call(targetWindow, document.body, '', false)", "undefined");
+    shouldBe("window.getMatchedCSSRules.call(targetWindow, document.body, '')", "undefined");
     shouldBe("window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0)", "undefined");
     shouldBe("window.atob.call(targetWindow, 'string')", "undefined");
     shouldBe("window.btoa.call(targetWindow, 'string')", "undefined");
diff --git a/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules-expected.txt b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules-expected.txt
new file mode 100644
index 0000000..b192b01
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules-expected.txt
@@ -0,0 +1,5 @@
+This test whether a script can read the rules from a cross-origin style sheet using getMatchedCSSRules.
+
+Test begins.
+cssRules: null
+Test ends.
diff --git a/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules.html b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules.html
new file mode 100644
index 0000000..d1c0001
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel="stylesheet"
+      href="http://localhost:8000/security/resources/cssStyle.css">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function log(msg)
+{
+    var div = document.createElement("div");
+    div.textContent = msg;
+    document.getElementById("console").appendChild(div);
+}
+
+function parseCSSRules(cssRules)
+{
+    if (!cssRules)
+        log("cssRules: " + cssRules);
+    else
+    {
+        log("cssRules.length: " + cssRules.length);
+        for (var i = 0; i < cssRules.length; ++i)
+            log("cssRules[" + i + "].cssText: " + cssRules[i].cssText);
+    }
+}
+
+window.onload = function() 
+{
+    log("Test begins.");
+    var cssRules = getMatchedCSSRules(document.body, "");
+    parseCSSRules(cssRules);
+    log("Test ends.");
+}
+</script>
+</head>
+<body>
+<p>This test whether a script can read the rules from a cross-origin style
+sheet using getMatchedCSSRules.</p>
+<div id="console"></div>
+</body>
+</html>
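
Review bot: This test has no positive control: the page's only stylesheet is the cross-origin <link> and the only accepted output is "cssRules: null", so an implementation that returned null for every call would pass as well. Add a same-origin <style> rule that matches another element and log that its rule is still returned. In the <p> text and the expected file, "This test whether" should read "This tests whether".
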
diff --git a/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt
new file mode 100644
index 0000000..3fde6a4
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt
@@ -0,0 +1,3 @@
+ALERT: PASS
+DIV
+
diff --git a/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2.html b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2.html
new file mode 100644
index 0000000..ad1c866
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-getMatchedCSSRules2.html
@@ -0,0 +1,27 @@
+<html>
+<div>DIV</div>
+<iframe src="http://localhost:8000/security/resources/cross-origin-getMatchedCSSRules-frame.html"></iframe>
+<script>
+    if (window.layoutTestController)
+    {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+    
+    window.onload = function()
+    {
+        var cssRules = window.getMatchedCSSRules(document.getElementsByTagName("div")[0], "", false);
+        if (cssRules)
+        {
+            cssRules[0].parentStyleSheet.foo = "FAIL";
+            window.frames[0].postMessage("done", "*");
+        } 
+        else 
+        {
+            alert("PASS");
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        }
+   }
+</script>
+</html>
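
Review bot: In the failure branch, "if (cssRules)" is also true for an empty list, and cssRules[0].parentStyleSheet would then throw before postMessage, so neither page reaches notifyDone and the test times out instead of reporting FAIL. Guard on cssRules.length as well and make sure notifyDone is called on every path. The call still passes a third argument (false), which the other tests touched by this patch remove.
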
diff --git a/LayoutTests/http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html b/LayoutTests/http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html
new file mode 100644
index 0000000..0b99dbf
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html
@@ -0,0 +1,17 @@
+<html>
+<div>DIV</div>
+<script>
+    window.addEventListener("message", function(event) {
+        var element = document.getElementsByTagName("div")[0];
+        var xss = window.getMatchedCSSRules(element, "", false)[0].parentStyleSheet.foo;
+
+        if (xss)
+            alert("FAIL");
+        else
+            alert("PASS");
+    
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, false);
+</script>
+</html>
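
Review bot: The message handler indexes getMatchedCSSRules(element, "", false)[0] without checking the result; if the call returns null or an empty list, the handler throws before either alert and before notifyDone, and the run hangs. Store the result in a variable, test it first, and report the missing rule list as PASS for this frame.
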
diff --git a/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt b/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt
index ed92237..2fb6635 100644
--- a/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt
+++ b/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt
@@ -63,7 +63,7 @@ PASS: window.find.call(targetWindow, 'string', false, false, false, false, false
 PASS: window.confirm.call(targetWindow, 'message') should be 'undefined' and is.
 PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
 PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
-PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
+PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
 PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
 PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
 PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
diff --git a/LayoutTests/platform/qt/http/tests/security/cross-frame-access-call-expected.txt b/LayoutTests/platform/qt/http/tests/security/cross-frame-access-call-expected.txt
index 5c97d02..07aca5b 100644
--- a/LayoutTests/platform/qt/http/tests/security/cross-frame-access-call-expected.txt
+++ b/LayoutTests/platform/qt/http/tests/security/cross-frame-access-call-expected.txt
@@ -63,7 +63,7 @@ PASS: window.find.call(targetWindow, 'string', false, false, false, false, false
 PASS: window.confirm.call(targetWindow, 'message') should be 'undefined' and is.
 PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
 PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
-PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
+PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
 PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
 PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
 PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 819fa39..9e9ad86 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2010-10-22  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Add code in getMatchedCSSRules to block cross origin access to stylesheet data. Prevent access
+        in Javascript to non author stylesheets.
+        https://bugs.webkit.org/show_bug.cgi?id=46853
+
+        Tests: http/tests/security/cross-origin-getMatchedCSSRules.html
+               http/tests/security/cross-origin-getMatchedCSSRules2.html
+
+        * css/CSSRule.h:
+        * css/CSSStyleSelector.cpp:
+        (WebCore::CSSStyleSelector::matchRulesForList):
+        (WebCore::CSSStyleSelector::SelectorChecker::SelectorChecker):
+        (WebCore::CSSStyleSelector::styleRulesForElement):
+        (WebCore::CSSStyleSelector::pseudoStyleRulesForElement):
+        * css/CSSStyleSelector.h:
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::getMatchedCSSRules):
+        * page/DOMWindow.idl:
+
 2010-10-22  Sam Weinig  <sam at webkit.org>
 
         Reviewed by Anders Carlsson.
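Review bot: The new entry lists the touched files and functions with no per-item description, so the two script-visible effects are only in the summary sentence. Next to `* page/DOMWindow.idl:` state that the optional authorOnly argument is removed from getMatchedCSSRules, and next to matchRulesForList state that rules whose base URL the document cannot request are skipped when the same-origin filter is on.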
diff --git a/WebCore/css/CSSRule.h b/WebCore/css/CSSRule.h
index fc48dd6..1ffca93 100644
--- a/WebCore/css/CSSRule.h
+++ b/WebCore/css/CSSRule.h
@@ -30,6 +30,11 @@ namespace WebCore {
 
 typedef int ExceptionCode;
 
+enum CSSRuleFilter {
+    AllCSSRules,
+    SameOriginCSSRulesOnly
+}; 
+
 class CSSRule : public StyleBase {
 public:
     // FIXME: Change name to Type.
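Review bot: The new CSSRuleFilter enum has no comment saying what "same origin" is measured against, and its closing `}; ` line carries trailing whitespace. A one-line comment that SameOriginCSSRulesOnly drops rules whose base URL the document's security origin cannot request would let callers choose a value without reading matchRulesForList. The enum is a selector-matching option rather than a property of a rule, and placing it in CSSRule.h is what forces CSSStyleSelector.h to include this header later in the patch.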
diff --git a/WebCore/css/CSSStyleSelector.cpp b/WebCore/css/CSSStyleSelector.cpp
index da88214..f5a6d03 100644
--- a/WebCore/css/CSSStyleSelector.cpp
+++ b/WebCore/css/CSSStyleSelector.cpp
@@ -702,6 +702,8 @@ void CSSStyleSelector::matchRulesForList(CSSRuleDataList* rules, int& firstRuleI
 
     for (CSSRuleData* d = rules->first(); d; d = d->next()) {
         CSSStyleRule* rule = d->rule();
+        if (m_checker.m_sameOriginOnly && !m_checker.m_document->securityOrigin()->canRequest(rule->baseURL()))
+            continue; 
         if (checkSelector(d->selector())) {
             // If the rule has no properties to apply, then ignore it in the non-debug mode.
             CSSMutableStyleDeclaration* decl = rule->declaration();
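Review bot: The origin test added at the top of the loop keys on rule->baseURL(), so the filter is only as strong as the relation between that URL and where the sheet's content was actually fetched from. Please confirm, and cover in the new tests, that a sheet reached through a redirect or an @import reports the URL it was finally loaded from here. The canRequest call is also repeated for every rule in the list although the answer is the same for all rules of one sheet, and the `continue; ` line has trailing whitespace.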
@@ -884,6 +886,7 @@ CSSStyleSelector::SelectorChecker::SelectorChecker(Document* document, bool stri
     : m_document(document)
     , m_strictParsing(strictParsing)
     , m_collectRulesOnly(false)
+    , m_sameOriginOnly(false)
     , m_pseudoStyle(NOPSEUDO)
     , m_documentIsHTML(document->isHTMLDocument())
     , m_matchVisitedPseudoClass(false)
@@ -1866,12 +1869,12 @@ void CSSStyleSelector::cacheBorderAndBackground()
     }
 }
 
-PassRefPtr<CSSRuleList> CSSStyleSelector::styleRulesForElement(Element* e, bool authorOnly, bool includeEmptyRules)
+PassRefPtr<CSSRuleList> CSSStyleSelector::styleRulesForElement(Element* e, bool authorOnly, bool includeEmptyRules, CSSRuleFilter filter)
 {
-    return pseudoStyleRulesForElement(e, NOPSEUDO, authorOnly, includeEmptyRules);
+    return pseudoStyleRulesForElement(e, NOPSEUDO, authorOnly, includeEmptyRules, filter);
 }
 
-PassRefPtr<CSSRuleList> CSSStyleSelector::pseudoStyleRulesForElement(Element* e, PseudoId pseudoId, bool authorOnly, bool includeEmptyRules)
+PassRefPtr<CSSRuleList> CSSStyleSelector::pseudoStyleRulesForElement(Element* e, PseudoId pseudoId, bool authorOnly, bool includeEmptyRules, CSSRuleFilter filter)
 {
     if (!e || !e->document()->haveStylesheetsLoaded())
         return 0;
@@ -1894,13 +1897,17 @@ PassRefPtr<CSSRuleList> CSSStyleSelector::pseudoStyleRulesForElement(Element* e,
     }
 
     if (m_matchAuthorAndUserStyles) {
+        m_checker.m_sameOriginOnly = (filter == SameOriginCSSRulesOnly);
+
         // Check the rules in author sheets.
         int firstAuthorRule = -1, lastAuthorRule = -1;
         matchRules(m_authorStyle.get(), firstAuthorRule, lastAuthorRule, includeEmptyRules);
+
+        m_checker.m_sameOriginOnly = false;
     }
 
     m_checker.m_collectRulesOnly = false;
-    
+   
     return m_ruleList.release();
 }
 
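Review bot: Setting m_checker.m_sameOriginOnly before matchRules and clearing it by hand afterwards leaves the filter as hidden state on the checker; any early return later added between the two assignments would leak the flag into ordinary style resolution, where matchRulesForList would then silently skip cross-origin rules. Passing the filter to matchRules as an argument, or using a small scoped setter that restores the old value, removes that risk. The last changed line replaces four spaces with three on an otherwise blank line; drop that whitespace-only change.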
diff --git a/WebCore/css/CSSStyleSelector.h b/WebCore/css/CSSStyleSelector.h
index 5f70e05..20cd866 100644
--- a/WebCore/css/CSSStyleSelector.h
+++ b/WebCore/css/CSSStyleSelector.h
@@ -23,6 +23,7 @@
 #define CSSStyleSelector_h
 
 #include "CSSFontSelector.h"
+#include "CSSRule.h"
 #include "LinkHash.h"
 #include "MediaQueryExp.h"
 #include "RenderStyle.h"
@@ -119,8 +120,8 @@ public:
 
     public:
         // These methods will give back the set of rules that matched for a given element (or a pseudo-element).
-        PassRefPtr<CSSRuleList> styleRulesForElement(Element*, bool authorOnly, bool includeEmptyRules = false);
-        PassRefPtr<CSSRuleList> pseudoStyleRulesForElement(Element*, PseudoId, bool authorOnly, bool includeEmptyRules = false);
+        PassRefPtr<CSSRuleList> styleRulesForElement(Element*, bool authorOnly, bool includeEmptyRules = false, CSSRuleFilter filter = AllCSSRules);
+        PassRefPtr<CSSRuleList> pseudoStyleRulesForElement(Element*, PseudoId, bool authorOnly, bool includeEmptyRules = false, CSSRuleFilter filter = AllCSSRules);
 
         // Given a CSS keyword in the range (xx-small to -webkit-xxx-large), this function will return
         // the correct font size scaled relative to the user's default (medium).
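Review bot: Both declarations default the new parameter with `CSSRuleFilter filter = AllCSSRules`, so the unfiltered behaviour is what a caller gets by omission, and a future script-facing caller that forgets the argument would expose cross-origin rules again. Consider making the filter a required argument so every call site states its choice. The two adjacent bool parameters before it also make positional calls easy to get wrong.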
@@ -231,6 +232,7 @@ public:
             Document* m_document;
             bool m_strictParsing;
             bool m_collectRulesOnly;
+            bool m_sameOriginOnly;
             PseudoId m_pseudoStyle;
             bool m_documentIsHTML;
             mutable bool m_matchVisitedPseudoClass;
diff --git a/WebCore/page/DOMWindow.cpp b/WebCore/page/DOMWindow.cpp
index d756cce..030479d 100644
--- a/WebCore/page/DOMWindow.cpp
+++ b/WebCore/page/DOMWindow.cpp
@@ -1255,7 +1255,7 @@ PassRefPtr<CSSRuleList> DOMWindow::getMatchedCSSRules(Element* elt, const String
         return 0;
 
     Document* doc = m_frame->document();
-    return doc->styleSelector()->styleRulesForElement(elt, authorOnly);
+    return doc->styleSelector()->styleRulesForElement(elt, authorOnly, false, SameOriginCSSRulesOnly);
 }
 
 PassRefPtr<WebKitPoint> DOMWindow::webkitConvertPointFromNodeToPage(Node* node, const WebKitPoint* p) const
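Review bot: The changed call passes a bare `false` for includeEmptyRules only to reach the filter argument, and it still forwards authorOnly even though the IDL hunk in this patch drops that parameter; nothing in this hunk shows where authorOnly now gets its value. Please make it visible here that script can no longer ask for non-author rules, which is the stated goal in the ChangeLog, and add a short comment on why SameOriginCSSRulesOnly is required at this entry point.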
diff --git a/WebCore/page/DOMWindow.idl b/WebCore/page/DOMWindow.idl
index 0ae1069..bf573a6 100644
--- a/WebCore/page/DOMWindow.idl
+++ b/WebCore/page/DOMWindow.idl
@@ -147,9 +147,11 @@ module window {
                                              in DOMString pseudoElement);
 
         // WebKit extensions
+#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT
         CSSRuleList getMatchedCSSRules(in Element element,
-                                       in DOMString pseudoElement,
-                                       in [Optional] boolean authorOnly);
+                                       in DOMString pseudoElement);
+#endif
+
         attribute [Replaceable] double devicePixelRatio;
         
         WebKitPoint webkitConvertPointFromPageToNode(in Node node, in WebKitPoint p);
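Review bot: The `#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT` guard removes getMatchedCSSRules from every other binding with no comment explaining why; add one, since the origin filter itself is applied in DOMWindow.cpp regardless of binding. Removing the [Optional] authorOnly argument is a script-visible signature change, and the updated cross-frame-access-call expectations in this patch only exercise the two-argument form in the cross-frame case, so a test that passes a third argument from same-origin script would document the new behaviour.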

-- 
WebKit Debian packaging


