[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.21-584-g1e41756
abarth at webkit.org
abarth at webkit.org
Fri Feb 26 22:16:37 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 4221728293c9a6a84b4b0683ca24bded62206196
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Feb 10 08:36:58 2010 +0000
2010-02-10 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
Freeze sandbox attributes on creation
https://bugs.webkit.org/show_bug.cgi?id=34184
Test that allow-forms is frozen on document creation.
* fast/frames/resources/sandboxed-iframe-form-dynamic-allowed.html: Added.
* fast/frames/resources/sandboxed-iframe-form-dynamic-disallowed.html: Added.
* fast/frames/sandboxed-iframe-forms-dynamic-expected.txt: Added.
* fast/frames/sandboxed-iframe-forms-dynamic.html: Added.
2010-02-10 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
Freeze sandbox attributes on creation
https://bugs.webkit.org/show_bug.cgi?id=34184
This is how the spec works now.
Test: fast/frames/sandboxed-iframe-forms-dynamic.html
* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::canExecuteScripts):
* bindings/generic/BindingDOMWindow.h:
(WebCore::::createWindow):
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::createWindow):
* dom/Document.cpp:
* dom/Document.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm):
(WebCore::FrameLoader::requestObject):
(WebCore::FrameLoader::shouldAllowNavigation):
(WebCore::FrameLoader::updateSandboxFlags):
* page/SecurityOrigin.cpp:
* page/SecurityOrigin.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54587 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 00daa00..c281d4a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-02-10 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Freeze sandbox attributes on creation
+ https://bugs.webkit.org/show_bug.cgi?id=34184
+
+ Test that allow-forms is frozen on document creation.
+
+ * fast/frames/resources/sandboxed-iframe-form-dynamic-allowed.html: Added.
+ * fast/frames/resources/sandboxed-iframe-form-dynamic-disallowed.html: Added.
+ * fast/frames/sandboxed-iframe-forms-dynamic-expected.txt: Added.
+ * fast/frames/sandboxed-iframe-forms-dynamic.html: Added.
+
2010-02-09 Csaba Osztrogonác <ossy at webkit.org>
[Qt] Unreviewed. Roll-out r54543, because layout tests crash in debug mode.
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1b57d1d..6376914 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,30 @@
+2010-02-10 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Freeze sandbox attributes on creation
+ https://bugs.webkit.org/show_bug.cgi?id=34184
+
+ This is how the spec works now.
+
+ Test: fast/frames/sandboxed-iframe-forms-dynamic.html
+
+ * bindings/ScriptControllerBase.cpp:
+ (WebCore::ScriptController::canExecuteScripts):
+ * bindings/generic/BindingDOMWindow.h:
+ (WebCore::::createWindow):
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::createWindow):
+ * dom/Document.cpp:
+ * dom/Document.h:
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::submitForm):
+ (WebCore::FrameLoader::requestObject):
+ (WebCore::FrameLoader::shouldAllowNavigation):
+ (WebCore::FrameLoader::updateSandboxFlags):
+ * page/SecurityOrigin.cpp:
+ * page/SecurityOrigin.h:
+
2010-02-09 Ariya Hidayat <ariya.hidayat at gmail.com>
Rubber-stamped by Kenneth Rohde Christiansen.
diff --git a/WebCore/bindings/ScriptControllerBase.cpp b/WebCore/bindings/ScriptControllerBase.cpp
index f1217e3..abe96ee 100644
--- a/WebCore/bindings/ScriptControllerBase.cpp
+++ b/WebCore/bindings/ScriptControllerBase.cpp
@@ -33,6 +33,7 @@ namespace WebCore {
bool ScriptController::canExecuteScripts()
{
+ // FIXME: We should get this information from the document instead of the frame.
if (m_frame->loader()->isSandboxed(SandboxScripts))
return false;
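Review bot: The FIXME added above the `isSandboxed(SandboxScripts)` check names where the flags should come from but not why, and the why is the point of this commit: a document's origin flags are frozen when it is created, while the frame's `m_sandboxFlags` are rewritten by FrameLoader::updateSandboxFlags, so this check remains live while the form, plugin and navigation checks in FrameLoader.cpp no longer are. Suggest `// FIXME: Read this from the document's SecurityOrigin (as FrameLoader::isDocumentSandboxed does); the frame's flags can change after the document is created, so this check is not frozen like the others.` canExecuteScripts continues outside the hunk.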
diff --git a/WebCore/bindings/generic/BindingDOMWindow.h b/WebCore/bindings/generic/BindingDOMWindow.h
index b968e2c..d6d3087 100644
--- a/WebCore/bindings/generic/BindingDOMWindow.h
+++ b/WebCore/bindings/generic/BindingDOMWindow.h
@@ -35,6 +35,7 @@
#include "FrameLoadRequest.h"
#include "GenericBinding.h"
#include "Page.h"
+#include "SecurityOrigin.h"
namespace WebCore {
@@ -68,9 +69,11 @@ Frame* BindingDOMWindow<Binding>::createWindow(State<Binding>* state,
ASSERT(callingFrame);
ASSERT(enteredFrame);
- // Sandboxed iframes cannot open new auxiliary browsing contexts.
- if (callingFrame && callingFrame->loader()->isSandboxed(SandboxNavigation))
- return 0;
+ if (Document* callingDocument = callingFrame->document()) {
+ // Sandboxed iframes cannot open new auxiliary browsing contexts.
+ if (callingDocument->securityOrigin()->isSandboxed(SandboxNavigation))
+ return 0;
+ }
ResourceRequest request;
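Review bot: The new guard `if (Document* callingDocument = callingFrame->document())` skips the sandbox check entirely when the frame has no document, so a sandboxed frame in that state is allowed to open a window, whereas the removed lines read the flags from the loader and had no such gap. The `callingFrame &&` null test on the removed line is also gone, leaving only `ASSERT(callingFrame)`, which is compiled out in release builds, so a null calling frame, if that is reachable, now dereferences instead of returning 0. Failing closed keeps the old result for both cases: `if (!callingFrame || !callingFrame->document() || callingFrame->document()->securityOrigin()->isSandboxed(SandboxNavigation)) return 0;`. The same shape appears in the JSDOMWindowCustom.cpp createWindow hunk with lexicalFrame. createWindow starts and ends outside the hunk.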
diff --git a/WebCore/bindings/js/JSDOMWindowCustom.cpp b/WebCore/bindings/js/JSDOMWindowCustom.cpp
index 9e7856b..b8cd1dc 100644
--- a/WebCore/bindings/js/JSDOMWindowCustom.cpp
+++ b/WebCore/bindings/js/JSDOMWindowCustom.cpp
@@ -666,9 +666,11 @@ static Frame* createWindow(ExecState* exec, Frame* lexicalFrame, Frame* dynamicF
ASSERT(lexicalFrame);
ASSERT(dynamicFrame);
- // Sandboxed iframes cannot open new auxiliary browsing contexts.
- if (lexicalFrame && lexicalFrame->loader()->isSandboxed(SandboxNavigation))
- return 0;
+ if (Document* lexicalDocument = lexicalFrame->document()) {
+ // Sandboxed iframes cannot open new auxiliary browsing contexts.
+ if (lexicalDocument->securityOrigin()->isSandboxed(SandboxNavigation))
+ return 0;
+ }
ResourceRequest request;
diff --git a/WebCore/dom/Document.cpp b/WebCore/dom/Document.cpp
index 6cf8665..ca3ad71 100644
--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -4492,12 +4492,6 @@ void Document::statePopped(SerializedScriptValue* stateObject)
m_pendingStateObject = stateObject;
}
-void Document::updateSandboxFlags()
-{
- if (m_frame && securityOrigin())
- securityOrigin()->setSandboxFlags(m_frame->loader()->sandboxFlags());
-}
-
void Document::updateFocusAppearanceSoon(bool restorePreviousSelection)
{
m_updateFocusAppearanceRestoresSelection = restorePreviousSelection;
diff --git a/WebCore/dom/Document.h b/WebCore/dom/Document.h
index 9038f22..05b3216 100644
--- a/WebCore/dom/Document.h
+++ b/WebCore/dom/Document.h
@@ -915,8 +915,6 @@ public:
void updateURLForPushOrReplaceState(const KURL&);
void statePopped(SerializedScriptValue*);
- void updateSandboxFlags(); // Set sandbox flags as determined by the frame.
-
bool processingLoadEvent() const { return m_processingLoadEvent; }
#if ENABLE(DATABASE)
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 330b4b0..a21ff93 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -450,7 +450,7 @@ void FrameLoader::submitForm(const char* action, const String& url, PassRefPtr<F
if (u.isEmpty())
return;
- if (isSandboxed(SandboxForms))
+ if (isDocumentSandboxed(SandboxForms))
return;
if (protocolIsJavaScript(u)) {
@@ -1278,7 +1278,7 @@ bool FrameLoader::requestObject(RenderPart* renderer, const String& url, const A
if (!m_client->allowPlugins(settings && settings->arePluginsEnabled())
|| (!settings->isJavaEnabled() && MIMETypeRegistry::isJavaAppletMIMEType(mimeType)))
return false;
- if (isSandboxed(SandboxPlugins))
+ if (isDocumentSandboxed(SandboxPlugins))
return false;
return loadPlugin(renderer, completedURL, mimeType, paramNames, paramValues, useFallback);
}
@@ -2241,7 +2241,7 @@ bool FrameLoader::shouldAllowNavigation(Frame* targetFrame) const
return true;
// A sandboxed frame can only navigate itself and its descendants.
- if (isSandboxed(SandboxNavigation) && !targetFrame->tree()->isDescendantOf(m_frame))
+ if (isDocumentSandboxed(SandboxNavigation) && !targetFrame->tree()->isDescendantOf(m_frame))
return false;
// Let a frame navigate the top-level window that contains it. This is
@@ -3950,12 +3950,15 @@ void FrameLoader::updateSandboxFlags()
m_sandboxFlags = flags;
- m_frame->document()->updateSandboxFlags();
-
for (Frame* child = m_frame->tree()->firstChild(); child; child = child->tree()->nextSibling())
child->loader()->updateSandboxFlags();
}
+bool FrameLoader::isDocumentSandboxed(SandboxFlags mask) const
+{
+ return m_frame->document() && m_frame->document()->securityOrigin()->isSandboxed(mask);
+}
+
PassRefPtr<Widget> FrameLoader::createJavaAppletWidget(const IntSize& size, HTMLAppletElement* element, const HashMap<String, String>& args)
{
String baseURLString;
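Review bot: isDocumentSandboxed returns false whenever `m_frame->document()` is null, so submitForm, requestObject and shouldAllowNavigation (the three earlier hunks in this file) now fail open for a frame without a document, where before they consulted the loader's own `m_sandboxFlags`. It also dereferences `securityOrigin()` unconditionally, while the Document::updateSandboxFlags this commit deletes guarded that pointer with `if (m_frame && securityOrigin())`, which suggests it can be null at some point in a document's life; if so this is a crash rather than a denial. Falling back to the frame-level check in both cases preserves the pre-change behaviour for them; `isSandboxed` appears to still be a member, per the FrameLoader.h FIXME saying isDocumentSandboxed should eventually replace it.
```cpp
bool FrameLoader::isDocumentSandboxed(SandboxFlags mask) const
{
    Document* document = m_frame->document();
    // No document or no origin yet: use the frame's own flags rather than treating the frame as unsandboxed.
    if (!document || !document->securityOrigin())
        return isSandboxed(mask);
    return document->securityOrigin()->isSandboxed(mask);
}
```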
diff --git a/WebCore/loader/FrameLoader.h b/WebCore/loader/FrameLoader.h
index 87dd7a0..6533445 100644
--- a/WebCore/loader/FrameLoader.h
+++ b/WebCore/loader/FrameLoader.h
@@ -445,7 +445,9 @@ private:
bool shouldTreatURLAsSameAsCurrent(const KURL&) const;
void updateSandboxFlags();
-
+ // FIXME: isDocumentSandboxed should eventually replace isSandboxed.
+ bool isDocumentSandboxed(SandboxFlags) const;
+
Frame* m_frame;
FrameLoaderClient* m_client;
diff --git a/WebCore/page/SecurityOrigin.cpp b/WebCore/page/SecurityOrigin.cpp
index b2a1c89..af63637 100644
--- a/WebCore/page/SecurityOrigin.cpp
+++ b/WebCore/page/SecurityOrigin.cpp
@@ -286,15 +286,6 @@ void SecurityOrigin::grantUniversalAccess()
m_universalAccess = true;
}
-void SecurityOrigin::setSandboxFlags(SandboxFlags flags)
-{
- // Although you might think that we should set m_isUnique based on
- // SandboxOrigin, that's not actually the right behavior. We're supposed to
- // freeze the origin of a document when it is created, even if the sandbox
- // flags change after that point in time.
- m_sandboxFlags = flags;
-}
-
bool SecurityOrigin::isLocal() const
{
return shouldTreatURLSchemeAsLocal(m_protocol);
diff --git a/WebCore/page/SecurityOrigin.h b/WebCore/page/SecurityOrigin.h
index 71681d7..b441474 100644
--- a/WebCore/page/SecurityOrigin.h
+++ b/WebCore/page/SecurityOrigin.h
@@ -114,7 +114,6 @@ public:
// WARNING: This is an extremely powerful ability. Use with caution!
void grantUniversalAccess();
- void setSandboxFlags(SandboxFlags);
bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; }
bool canAccessDatabase() const { return !isUnique(); }