[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

abarth at webkit.org
Sun Feb 20 23:37:00 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit 3a2486e332f4902745422089710e2e7318ee83bd
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 22 06:41:45 2011 +0000

    2011-01-21  Yury Semikhatsky  <yurys at chromium.org>
    
            Reviewed by Adam Barth.
    
            Regression: new window.onerror() implementation leaks cross-origin Javascript errors
            https://bugs.webkit.org/show_bug.cgi?id=52903
    
            In case of an exception in a script from a different domain only a generic message
            will be passed to the window.onerror handler.
    
            Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
                   http/tests/security/cross-origin-script-window-onerror.html
    
            * bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
            cross origin checks against the real script URL, not the original URL which may have resulted in a sequence
            of redirects to different domains.
            (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
            * bindings/v8/ScriptSourceCode.h: same for v8.
            (WebCore::ScriptSourceCode::url):
            * dom/ScriptExecutionContext.cpp:
            (WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
            access provide concise "Script error." message without any information about the error source. This is
            what Firefox does in this case.

    2011-01-21  Yury Semikhatsky  <yurys at chromium.org>
    
            Reviewed by Adam Barth.
    
            Regression: new window.onerror() implementation leaks cross-origin Javascript errors
            https://bugs.webkit.org/show_bug.cgi?id=52903
    
            A couple of tests to check that window.onerror won't reveal any content of the resource
            from a different domain if the latter is referenced via <script src=...>
    
            * http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
            * http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
            * http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
            * http/tests/security/cross-origin-script-window-onerror.html: Added.
            * http/tests/security/resources/cross-origin-script.txt: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76429 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f77efbc..38c6e86 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2011-01-21  Yury Semikhatsky  <yurys at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
+        https://bugs.webkit.org/show_bug.cgi?id=52903
+
+        A couple of tests to check that window.onerror won't reveal any content of the resource
+        from a different domain if the latter is referenced via <script src=...>
+
+        * http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
+        * http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
+        * http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
+        * http/tests/security/cross-origin-script-window-onerror.html: Added.
+        * http/tests/security/resources/cross-origin-script.txt: Added.
+
 2011-01-21  Maciej Stachowiak  <mjs at apple.com>
 
         Reviewed by Geoffrey Garen.
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt
new file mode 100644
index 0000000..e09f02d
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt
@@ -0,0 +1,3 @@
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. Bug 52903.
+
+window.onerror message: Script error. at : 0
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt
new file mode 100644
index 0000000..260d8d3
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt
@@ -0,0 +1,3 @@
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. Bug 52903.
+
+window.onerror message: Script error. at : 0
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html
new file mode 100755
index 0000000..b6a09c5
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html
@@ -0,0 +1,23 @@
+<html>
+<body>
+<p>
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
+</p>
+<div id="result"></div>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.waitUntilDone();
+  layoutTestController.dumpAsText();
+}
+
+window.onerror = function(message, url, line) {
+  document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+  return false;
+}
+</script>
+<script src="resources/redir.php?url=http://localhost:8000/security/resources/cross-origin-script.txt">
+</script>
+</body>
+</html>
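Review bot: this test depends on resources/redir.php, which the patch does not add; please confirm that helper already exists under http/tests/security/resources, otherwise the redirect case never reaches the post-redirect URL that the CachedScriptSourceProvider change is meant to cover. Also, the new test page is added with mode 100755 while the other files in this patch are 100644; an HTML test does not need the executable bit.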
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror.html b/LayoutTests/http/tests/security/cross-origin-script-window-onerror.html
new file mode 100755
index 0000000..9d35114
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-origin-script-window-onerror.html
@@ -0,0 +1,25 @@
+<html>
+<body>
+<p>
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
+</p>
+
+</p>
+<div id="result"></div>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.waitUntilDone();
+  layoutTestController.dumpAsText();
+}
+
+window.onerror = function(message, url, line) {
+  document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+  return false;
+}
+</script>
+<script src="http://localhost:8000/security/resources/cross-origin-script.txt">
+</script>
+</body>
+</html>
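Review bot: there is a stray closing `</p>` after the first paragraph (the blank line and second `</p>` following the bug link); drop it. More substantively, neither this test nor the redirected variant exercises the positive case: a same-origin script whose real message, URL and line number must still reach window.onerror. Without that, a regression that blanks every error event would pass both tests while breaking error reporting for everyone. A third test that loads a same-origin script with a syntax error and checks that the message is not "Script error." would close that gap.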
diff --git a/LayoutTests/http/tests/security/resources/cross-origin-script.txt b/LayoutTests/http/tests/security/resources/cross-origin-script.txt
new file mode 100755
index 0000000..dad0cf6
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/cross-origin-script.txt
@@ -0,0 +1 @@
+FAIL: some sensitive user data the test should not be able to see.
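Review bot: the fixture only works because this line is not valid JavaScript (the identifier after the `FAIL:` label makes it a syntax error), which is what triggers the error event; a short note in the test page or ChangeLog saying the content is deliberately unparseable would stop a future editor from "fixing" it into valid script and silently losing the coverage. The file also does not need mode 100755.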
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 3cded15..c9a6896 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2011-01-21  Yury Semikhatsky  <yurys at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
+        https://bugs.webkit.org/show_bug.cgi?id=52903
+
+        In case of an exception in a script from different domain only generic message
+        will be passed to window.onerror hander.
+
+        Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
+               http/tests/security/cross-origin-script-window-onerror.html
+
+        * bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
+        cross origin checks agains real script URL, not the original URL which may have resulted in a sequence
+        of redirects to different domains.
+        (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
+        * bindings/v8/ScriptSourceCode.h: same for v8.
+        (WebCore::ScriptSourceCode::url):
+        * dom/ScriptExecutionContext.cpp:
+        (WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
+        access provide concise "Script error." message without any information about the error source. This is
+        what Firefox does in this case.
+
 2011-01-21  Andreas Kling  <kling at webkit.org>
 
         Reviewed by Kenneth Rohde Christiansen.
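Review bot: typos in the new entry: "hander" should be "handler" and "agains" should be "against"; "a script from different domain" reads better as "a script from a different domain".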
diff --git a/Source/WebCore/bindings/js/CachedScriptSourceProvider.h b/Source/WebCore/bindings/js/CachedScriptSourceProvider.h
index 9bae8ca..8f63a69 100644
--- a/Source/WebCore/bindings/js/CachedScriptSourceProvider.h
+++ b/Source/WebCore/bindings/js/CachedScriptSourceProvider.h
@@ -57,7 +57,7 @@ namespace WebCore {
 
     private:
         CachedScriptSourceProvider(CachedScript* cachedScript)
-            : ScriptSourceProvider(stringToUString(cachedScript->url()), cachedScript->sourceProviderCache())
+            : ScriptSourceProvider(stringToUString(cachedScript->response().url()), cachedScript->sourceProviderCache())
             , m_cachedScript(cachedScript)
         {
             m_cachedScript->addClient(this);
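Review bot: `cachedScript->response().url()` replaces `cachedScript->url()` unconditionally. Is the response URL guaranteed to be non-empty at the point the provider is constructed (for example for a script satisfied from the memory cache, or a load that failed before a response arrived)? If it can be empty, consider falling back to `cachedScript->url()`, because an empty source URL reaches `dispatchErrorEvent`, where `completeURL(sourceURL)` resolves it against the document and the `canRequest` check then passes, which would hand the full message to window.onerror for exactly the cross-origin case this patch is fixing.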
diff --git a/Source/WebCore/bindings/v8/ScriptSourceCode.h b/Source/WebCore/bindings/v8/ScriptSourceCode.h
index 2478151..d7d1510 100644
--- a/Source/WebCore/bindings/v8/ScriptSourceCode.h
+++ b/Source/WebCore/bindings/v8/ScriptSourceCode.h
@@ -63,7 +63,12 @@ public:
 
     const String& source() const { return m_source; }
     CachedScript* cachedScript() const { return m_cachedScript.get(); }
-    const KURL& url() const { return m_url; }
+    const KURL& url() const
+    {
+        if (m_cachedScript)
+            return m_cachedScript->response().url();
+        return m_url;
+    }
     int startLine() const { return m_startPosition.m_line.oneBasedInt(); }
     const TextPosition1& startPosition() const { return m_startPosition; }
 
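Review bot: `url()` now has two sources of truth: it returns the response URL whenever `m_cachedScript` is set and `m_url` otherwise, so `m_url` is ignored for cached scripts even though it is still stored. A one-line comment stating that the response URL is the post-redirect URL relied on by the cross-origin check in `ScriptExecutionContext::dispatchErrorEvent` would keep someone from "simplifying" this back to `return m_url`. The same question as on the JSC side applies here: what does `response().url()` return before a response exists, and should that case fall back to `m_url`?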
diff --git a/Source/WebCore/dom/ScriptExecutionContext.cpp b/Source/WebCore/dom/ScriptExecutionContext.cpp
index 9fdf85e..8f4ca07 100644
--- a/Source/WebCore/dom/ScriptExecutionContext.cpp
+++ b/Source/WebCore/dom/ScriptExecutionContext.cpp
@@ -294,9 +294,23 @@ bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int
     if (!target)
         return false;
 
+    String message;
+    int line;
+    String sourceName;
+    KURL targetUrl = completeURL(sourceURL);
+    if (securityOrigin()->canRequest(targetUrl)) {
+        message = errorMessage;
+        line = lineNumber;
+        sourceName = sourceURL;
+    } else {
+        message = "Script error.";
+        sourceName = String();
+        line = 0;
+    }
+
     ASSERT(!m_inDispatchErrorEvent);
     m_inDispatchErrorEvent = true;
-    RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(errorMessage, sourceURL, lineNumber);
+    RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(message, sourceName, line);
     target->dispatchEvent(errorEvent);
     m_inDispatchErrorEvent = false;
     return errorEvent->defaultPrevented();
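Review bot: `int line;` is left uninitialized; both branches assign it today, but `int line = 0;` costs nothing and protects against a future third branch. On the check itself, `securityOrigin()->canRequest(completeURL(sourceURL))` passes for any URL the origin is allowed to request, not only same-origin scripts, and an empty `sourceURL` (inline or eval'd code) completes to the document URL and passes as well; a comment spelling out that both of these are intended would help, and it is worth confirming the behaviour when `document.domain` has been set. Finally, the literal "Script error." is now also baked into two expected.txt files; a named constant (or a comment pointing at the tests) makes that coupling visible to whoever changes the string next.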

-- 
WebKit Debian packaging
