[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

abarth at webkit.org abarth at webkit.org
Fri Jan 21 14:50:26 UTC 2011


The following commit has been merged in the debian/experimental branch:
commit 14e0854013adaa96cf58f0a6122c4d7eb082082a
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Jan 2 02:28:41 2011 +0000

    2011-01-01  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Eric Seidel.
    
            sandbox iframes have access to top.history methods
            https://bugs.webkit.org/show_bug.cgi?id=38152
    
            To enforce the sandbox restrictions on History, we need to pass the
            ScriptExecutionContext to WebCore.  This patch leaves the original
            History methods in place because they are used directly by folks who
            don't care about security checks.
    
            Test: fast/frames/sandboxed-iframe-history-denied.html
    
            * page/History.cpp:
            (WebCore::History::back):
            (WebCore::History::forward):
            (WebCore::History::go):
            * page/History.h:
            * page/History.idl:
    2011-01-01  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Eric Seidel.
    
            sandbox iframes have access to top.history methods
            https://bugs.webkit.org/show_bug.cgi?id=38152
    
            Test that sandboxed iframes cannot use history to navigate the top
            frame.  This test is less than ideal, as described in the test itself.
            If I was really on top of things, I'd add a test for successful use of
            the history API when allow-top-navigation is set, but that test would
            be complicated and I'm lazy (enough to copy directly from abarth).
    
            * fast/frames/sandboxed-iframe-history-denied-expected.txt: Added.
            * fast/frames/sandboxed-iframe-history-denied.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74853 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index ee04b99..07d28f5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2011-01-01  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        sandbox iframes have access to top.history methods
+        https://bugs.webkit.org/show_bug.cgi?id=38152
+
+        Test that sandboxed iframes cannot use history to navigate the top
+        frame.  This test is less than ideal, as described in the test itself.
+        If I was really on top of things, I'd add a test for successful use of
+        the history API when allow-top-navigation is set, but that test would
+        be complicated and I'm lazy (enough to copy directly from abarth).
+
+        * fast/frames/sandboxed-iframe-history-denied-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-history-denied.html: Added.
+
 2011-01-01  Kent Tamura  <tkent at chromium.org>
 
         Unreviewed, test expectation update.
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt
new file mode 100644
index 0000000..a18c293
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt
@@ -0,0 +1,4 @@
+ALERT: PASS
+This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.
+
+
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-history-denied.html b/LayoutTests/fast/frames/sandboxed-iframe-history-denied.html
new file mode 100644
index 0000000..8617aff
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-history-denied.html
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+window.unload = function() {
+    alert("FAIL");
+}
+
+window.onload = function() {
+    // There's no way to write a test that determinstically fails because the
+    // history API is asynchronous.  There's no way to know whether the
+    // asynchronous haven't yet happened or never will.  Consequently, we just
+    // wait for a bit.
+    setTimeout(function() {
+        alert("PASS");
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 20);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.</p>
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.back()</script>">
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.forward()</script>">
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.go(-1)</script>">
+</body>
+</html>
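Review bot: The FAIL path of this test can never fire: `window.unload` on line 99 is not an event handler property, so assigning a function to it registers nothing, and a top-level history navigation that did slip through the sandbox would unload the page silently while the timer on lines 108–112 still reports PASS. Change line 99 to `window.onunload = function() {` so the unload handler is actually installed. The explanatory comment on lines 104–107 is also missing its noun and has a typo; `// There's no way to write a test that deterministically fails because the` and `// asynchronous navigations haven't yet happened or never will.` read correctly.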
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 58f3d96..f494367 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,5 +1,26 @@
 2011-01-01  Adam Barth  <abarth at webkit.org>
 
+        Reviewed by Eric Seidel.
+
+        sandbox iframes have access to top.history methods
+        https://bugs.webkit.org/show_bug.cgi?id=38152
+
+        To enforce the sandbox restrictions on History, we need to pass the
+        ScriptExecutionContext to WebCore.  This patch leaves the original
+        History methods in place because they are used directly by folks who
+        don't care about security checks.
+
+        Test: fast/frames/sandboxed-iframe-history-denied.html
+
+        * page/History.cpp:
+        (WebCore::History::back):
+        (WebCore::History::forward):
+        (WebCore::History::go):
+        * page/History.h:
+        * page/History.idl:
+
+2011-01-01  Adam Barth  <abarth at webkit.org>
+
         Remove empty file.
 
         * Android.mk:
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index 95b1350..1d1e77a 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -27,6 +27,7 @@
 #include "History.h"
 
 #include "BackForwardController.h"
+#include "Document.h"
 #include "ExceptionCode.h"
 #include "Frame.h"
 #include "FrameLoader.h"
@@ -62,22 +63,45 @@ unsigned History::length() const
 
 void History::back()
 {
-    if (!m_frame)
-        return;
-    m_frame->navigationScheduler()->scheduleHistoryNavigation(-1);
+    go(-1);
+}
+
+void History::back(ScriptExecutionContext* context)
+{
+    go(context, -1);
 }
 
 void History::forward()
 {
+    go(1);
+}
+
+void History::forward(ScriptExecutionContext* context)
+{
+    go(context, 1);
+}
+
+void History::go(int distance)
+{
     if (!m_frame)
         return;
-    m_frame->navigationScheduler()->scheduleHistoryNavigation(1);
+
+    m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
 }
 
-void History::go(int distance)
+void History::go(ScriptExecutionContext* context, int distance)
 {
     if (!m_frame)
         return;
+
+    ASSERT(WTF::isMainThread());
+    Frame* activeFrame = static_cast<Document*>(context)->frame();
+    if (!activeFrame)
+        return;
+
+    if (!activeFrame->loader()->shouldAllowNavigation(m_frame))
+        return;
+
     m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
 }
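Review bot: `static_cast<Document*>(context)` on line 207 is an unchecked downcast: ScriptExecutionContext is also the base of the worker contexts, and `ASSERT(WTF::isMainThread())` only establishes the thread, not the dynamic type. Guard the cast with the predicate ScriptExecutionContext already provides, e.g. `if (!context || !context->isDocument()) return;` immediately before `Frame* activeFrame = static_cast<Document*>(context)->frame();`, so that a future exposure of History to a non-document context fails closed instead of reading a Document through a non-Document object. Whether the generated bindings can hand this function a null context is not visible in this hunk; if they already reject a null context, the null half of that check is merely defensive. The same review applies to the two context-taking forwarders on lines 176–179 and 186–189 only indirectly, since they delegate here.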
 
diff --git a/WebCore/page/History.h b/WebCore/page/History.h
index e885847..9ec1914 100644
--- a/WebCore/page/History.h
+++ b/WebCore/page/History.h
@@ -34,6 +34,7 @@
 namespace WebCore {
 
 class Frame;
+class ScriptExecutionContext;
 class SerializedScriptValue;
 typedef int ExceptionCode;
 
@@ -49,6 +50,10 @@ public:
     void forward();
     void go(int distance);
 
+    void back(ScriptExecutionContext*);
+    void forward(ScriptExecutionContext*);
+    void go(ScriptExecutionContext*, int distance);
+
     enum StateObjectType {
         StateObjectPush,
         StateObjectReplace
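Review bot: The two sets of overloads on lines 230–235 differ in a way the header does not state: the context-less `back()`/`forward()`/`go(int)` schedule the navigation with no policy check, while the `ScriptExecutionContext*` variants are the ones that ask the calling frame's loader whether it may navigate this History's frame. A short comment above line 233 would keep the next binding or embedder from picking the wrong set, e.g. `// Script-facing variants: verify the calling context's frame is allowed to navigate m_frame before scheduling. The context-less overloads above perform no such check and must not be exposed to script.`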
diff --git a/WebCore/page/History.idl b/WebCore/page/History.idl
index d1be5ae..d8eac60 100644
--- a/WebCore/page/History.idl
+++ b/WebCore/page/History.idl
@@ -37,9 +37,9 @@ module window {
     ] History {
         readonly attribute unsigned long length;
 
-        [DoNotCheckDomainSecurity] void back();
-        [DoNotCheckDomainSecurity] void forward();
-        [DoNotCheckDomainSecurity] void go(in long distance);
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void back();
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void forward();
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void go(in long distance);
         
         [Custom, EnabledAtRuntime] void pushState(in any data, in DOMString title, in optional DOMString url)
             raises(DOMException);
