[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.3.8-1-1049-g2e11a8e

abarth at webkit.org abarth at webkit.org
Fri Jan 21 14:50:28 UTC 2011


The following commit has been merged in the debian/experimental branch:
commit 442f0795064ce730ba517af6fd1c3ff9c888eac3
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Jan 2 04:33:03 2011 +0000

    2011-01-01  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Eric Seidel.
    
            forbid sandboxed frames to call top.close() when allow-same-origin is not set
            https://bugs.webkit.org/show_bug.cgi?id=38340
    
            We now pass the ScriptExecutionContext to window.close so it can find
            the Frame and check whether navigation is allowed.  This check will
            almost always pass because you can only close top-level frames, but the
            check will fail when the calling script is sandboxed.
    
            Tests: fast/frames/sandboxed-iframe-close-top-noclose.html
                   fast/frames/sandboxed-iframe-close-top.html
    
            * page/DOMWindow.cpp:
            (WebCore::DOMWindow::close):
            * page/DOMWindow.h:
            * page/DOMWindow.idl:
    2011-01-01  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Eric Seidel.
    
            forbid sandboxed frames to call top.close() when allow-same-origin is not setted
            https://bugs.webkit.org/show_bug.cgi?id=38340
    
            Test the interaction between the HTML5 sandbox and window.close.
    
            * fast/frames/resources/close-top.html: Added.
            * fast/frames/resources/sandboxed-iframe-close-top-does-close.html: Added.
            * fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html: Added.
            * fast/frames/sandboxed-iframe-close-top-expected.txt: Added.
            * fast/frames/sandboxed-iframe-close-top-noclose-expected.txt: Added.
            * fast/frames/sandboxed-iframe-close-top-noclose.html: Added.
            * fast/frames/sandboxed-iframe-close-top.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74854 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 07d28f5..117e5fe 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-01  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
+        https://bugs.webkit.org/show_bug.cgi?id=38340
+
+        Test the interaction between the HTML5 sandbox and window.close.
+
+        * fast/frames/resources/close-top.html: Added.
+        * fast/frames/resources/sandboxed-iframe-close-top-does-close.html: Added.
+        * fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html: Added.
+        * fast/frames/sandboxed-iframe-close-top-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-close-top-noclose-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-close-top-noclose.html: Added.
+        * fast/frames/sandboxed-iframe-close-top.html: Added.
+
 2011-01-01  Justin Schuh  <jschuh at chromium.org>
 
         Reviewed by Eric Seidel.
diff --git a/LayoutTests/fast/frames/resources/close-top.html b/LayoutTests/fast/frames/resources/close-top.html
new file mode 100644
index 0000000..9957cd9
--- /dev/null
+++ b/LayoutTests/fast/frames/resources/close-top.html
@@ -0,0 +1,3 @@
+<script>
+top.close()
+</script>
diff --git a/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-close.html b/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-close.html
new file mode 100644
index 0000000..052194a
--- /dev/null
+++ b/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-close.html
@@ -0,0 +1,12 @@
+<script>
+var haveCalledDone = false;
+window.addEventListener('beforeunload', function() { 
+    if (!haveCalledDone) {
+        haveCalledDone = true;
+        opener.done();
+    }
+}, false);
+</script>
+<iframe sandbox="allow-scripts allow-top-navigation"
+        src="close-top.html">
+</iframe>
diff --git a/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html b/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html
new file mode 100644
index 0000000..5b4d705
--- /dev/null
+++ b/LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html
@@ -0,0 +1,19 @@
+<script>
+var waitingForClose = true;
+window.addEventListener('beforeunload', function() {
+    if (waitingForClose)
+        alert("FAIL");
+}, false);
+
+window.onload = function() {
+    // There's no real way to know whether the iframe's attempt to close us
+    // actually failed because it would succeed asynchronously and there is no
+    // failure event.  The best we can do is wait around for a while.  The one
+    // saving grace is that this test is deterministic when it passes.
+    window.setTimeout(function() {
+        waitingForClose = false;
+        opener.done();
+    }, 100);
+}
+</script>
+<iframe sandbox="allow-scripts" src="close-top.html"></iframe>
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-close-top-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-close-top-expected.txt
new file mode 100644
index 0000000..b4671ad
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-close-top-expected.txt
@@ -0,0 +1,4 @@
+ALERT: PASS
+This test verifies that a sandboxed IFrame can close a top-level frame with allow-top-navigation.
+
+Start Test
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose-expected.txt
new file mode 100644
index 0000000..9bc1900
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose-expected.txt
@@ -0,0 +1,3 @@
+This test verifies that a sandboxed IFrame can close a top-level frame with allow-top-navigation.
+
+Start Test
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose.html b/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose.html
new file mode 100644
index 0000000..ac37186
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose.html
@@ -0,0 +1,30 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame can close a top-level frame
+with allow-top-navigation.</p>
+<button onclick="start()">Start Test</button>
+<script>
+function start() {
+    window.wnd = window.open("resources/sandboxed-iframe-close-top-does-not-close.html");
+}
+
+function done() {
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+// In LayoutTests mode we can start automagically.
+start();
+</script>
+</body>
+</html>
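Review bot: The description on the two `<p>` lines contradicts what this test exercises: it opens sandboxed-iframe-close-top-does-not-close.html, whose iframe carries only `allow-scripts`, so the expected outcome is that the close attempt is refused, not that it succeeds. Change it to `<p>This test verifies that a sandboxed IFrame cannot close a top-level frame` / `without allow-top-navigation.</p>`, and update the matching line in sandboxed-iframe-close-top-noclose-expected.txt in the same commit, since the dumpAsText output must match it. As written, a reader comparing the two expectation files cannot tell which case is the negative one.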
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-close-top.html b/LayoutTests/fast/frames/sandboxed-iframe-close-top.html
new file mode 100644
index 0000000..68947c5
--- /dev/null
+++ b/LayoutTests/fast/frames/sandboxed-iframe-close-top.html
@@ -0,0 +1,35 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame can close a top-level frame
+with allow-top-navigation.</p>
+<button onclick="start()">Start Test</button>
+<script>
+function start() {
+    window.wnd = window.open("resources/sandboxed-iframe-close-top-does-close.html");
+}
+
+function done() {
+    alert("PASS");
+    // We end the test asynchronously becaues this function is being called
+    // from a strange callstack.
+    window.setTimeout(function () {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 0);
+}
+
+// In LayoutTests mode we can start automagically.
+start();
+</script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index f494367..6fba0ea 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,26 @@
 
         Reviewed by Eric Seidel.
 
+        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
+        https://bugs.webkit.org/show_bug.cgi?id=38340
+
+        We now pass the ScriptExecutionContext to window.close so it can find
+        the Frame and check whether navigation is allowed.  This check will
+        almost always pass because you can only close top-level frames, but the
+        check will fail when the calling script is sandboxed.
+
+        Tests: fast/frames/sandboxed-iframe-close-top-noclose.html
+               fast/frames/sandboxed-iframe-close-top.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::close):
+        * page/DOMWindow.h:
+        * page/DOMWindow.idl:
+
+2011-01-01  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Eric Seidel.
+
         sandbox iframes have access to top.history methods
         https://bugs.webkit.org/show_bug.cgi?id=38152
 
diff --git a/WebCore/page/DOMWindow.cpp b/WebCore/page/DOMWindow.cpp
index 2fd4a7e..dd700f9 100644
--- a/WebCore/page/DOMWindow.cpp
+++ b/WebCore/page/DOMWindow.cpp
@@ -860,7 +860,7 @@ void DOMWindow::blur()
     page->chrome()->unfocus();
 }
 
-void DOMWindow::close()
+void DOMWindow::close(ScriptExecutionContext* context)
 {
     if (!m_frame)
         return;
@@ -872,6 +872,16 @@ void DOMWindow::close()
     if (m_frame != page->mainFrame())
         return;
 
+    if (context) {
+        ASSERT(WTF::isMainThread());
+        Frame* activeFrame = static_cast<Document*>(context)->frame();
+        if (!activeFrame)
+            return;
+
+        if (!activeFrame->loader()->shouldAllowNavigation(m_frame))
+            return;
+    }
+
     Settings* settings = m_frame->settings();
     bool allowScriptsToCloseWindows = settings && settings->allowScriptsToCloseWindows();
 
diff --git a/WebCore/page/DOMWindow.h b/WebCore/page/DOMWindow.h
index e5dc019..1c84f3c 100644
--- a/WebCore/page/DOMWindow.h
+++ b/WebCore/page/DOMWindow.h
@@ -129,7 +129,7 @@ namespace WebCore {
 
         void focus();
         void blur();
-        void close();
+        void close(ScriptExecutionContext* = 0);
         void print();
         void stop();
 
diff --git a/WebCore/page/DOMWindow.idl b/WebCore/page/DOMWindow.idl
index 4e7985f..f3aa7ba 100644
--- a/WebCore/page/DOMWindow.idl
+++ b/WebCore/page/DOMWindow.idl
@@ -66,7 +66,7 @@ module window {
 
         [DoNotCheckDomainSecurity] void focus();
         [DoNotCheckDomainSecurity] void blur();
-        [DoNotCheckDomainSecurity] void close();
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void close();
 
         void print();
         void stop();
