WebCore:

2009-04-03 Sam Weinig <sam@webkit.org> Reviewed by Darin Adler. <rdar://problem/6330929> https://bugs.webkit.org/show_bug.cgi?id=21456 Don't update the document pointer for all inactive windows on navigations. This change causes us to differ slightly from Firefox when accessing the document from within a closure tied to a navigated context, but as all browsers differ on this edge case, I don't foresee compatibility issues. Test: http/tests/security/cross-frame-access-document-direct.html * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::~JSDOMWindowBase): * bindings/js/ScriptController.cpp: (WebCore::ScriptController::clearWindowShell): (WebCore::ScriptController::initScript): (WebCore::ScriptController::updateDocument): * bindings/js/ScriptController.h: LayoutTests: 2009-04-03 Sam Weinig <sam@webkit.org> Reviewed by Darin Adler. Update tests for <rdar://problem/6330929> https://bugs.webkit.org/show_bug.cgi?id=21456 * dom/xhtml/level2/html/HTMLFormElement10-expected.txt: * fast/dom/Window/dom-access-from-closure-iframe-expected.txt: * fast/dom/Window/dom-access-from-closure-window-expected.txt: * http/tests/security/cross-frame-access-document-direct-expected.txt: Added. * http/tests/security/cross-frame-access-document-direct.html: Added. * http/tests/security/resources/cross-frame-iframe-for-document-direct-test-victim.html: Added. * http/tests/security/resources/cross-frame-iframe-for-document-direct-test.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@42223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
rjbailey · Apr 4, 2009 · be6430f · be6430f
1 parent 382e908
commit be6430f
Show file tree

Hide file tree

Showing 12 changed files with 99 additions and 13 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2009-04-03  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Update tests for <rdar://problem/6330929>
+        https://bugs.webkit.org/show_bug.cgi?id=21456
+
+        * dom/xhtml/level2/html/HTMLFormElement10-expected.txt:
+        * fast/dom/Window/dom-access-from-closure-iframe-expected.txt:
+        * fast/dom/Window/dom-access-from-closure-window-expected.txt:
+        * http/tests/security/cross-frame-access-document-direct-expected.txt: Added.
+        * http/tests/security/cross-frame-access-document-direct.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-document-direct-test-victim.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-document-direct-test.html: Added.
+
 2009-04-03  Chris Marrin  <cmarrin@apple.com>
 
         Reviewed by Simon Fraser.

diff --git a/LayoutTests/dom/xhtml/level2/html/HTMLFormElement10-expected.txt b/LayoutTests/dom/xhtml/level2/html/HTMLFormElement10-expected.txt
@@ -1,2 +1 @@
-Test	http://www.w3.org/2001/DOM-Test-Suite/level2/html/HTMLFormElement10
-Status	Success
+
diff --git a/LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt b/LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt
@@ -1,4 +1,4 @@
-document.URL: LayoutTests/fast/dom/Window/resources/notify-parent-done.html
+document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-iframe-child.html
 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-parent-done.html
 name: child
 window.name: child

diff --git a/LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt b/LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt
@@ -1,4 +1,4 @@
-document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html
+document.URL: LayoutTests/fast/dom/Window/resources/dom-access-from-closure-window-child.html
 window.document.URL: LayoutTests/fast/dom/Window/resources/notify-opener-done.html
 name: child
 window.name: child

diff --git a/LayoutTests/http/tests/security/cross-frame-access-document-direct-expected.txt b/LayoutTests/http/tests/security/cross-frame-access-document-direct-expected.txt
@@ -0,0 +1,9 @@
+Test cross-origin direct document access.
+
+
+
+--------
+Frame: 'theFrame'
+--------
+PASS: Cross origin direct document access denied.
+
diff --git a/LayoutTests/http/tests/security/cross-frame-access-document-direct.html b/LayoutTests/http/tests/security/cross-frame-access-document-direct.html
@@ -0,0 +1,20 @@
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.dumpChildFramesAsText();
+        layoutTestController.waitUntilDone();
+    }
+
+    addEventListener("message", function() {
+        // Call injected function.
+        attack();
+
+        // Post message to victim to check if it was accessed.
+        document.getElementById('theFrame').contentWindow.postMessage("test", "*");
+    }, false);
+</script>
+<body>
+    <p>Test cross-origin direct document access.</p>
+    <iframe id="theFrame" src="resources/cross-frame-iframe-for-document-direct-test.html"></iframe>
+</body>
+</html>
diff --git a/...sts/http/tests/security/resources/cross-frame-iframe-for-document-direct-test-victim.html b/...sts/http/tests/security/resources/cross-frame-iframe-for-document-direct-test-victim.html
@@ -0,0 +1,23 @@
+<script>
+    function log(msg)
+    {
+        document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+    }
+
+    onload = function()
+    {
+        parent.postMessage("finishedLoading", "*");
+    }
+
+    addEventListener("message", function() {
+        if (document.fail) {
+            log("FAIL: Cross origin direct document access allowed.");
+        } else {
+            log("PASS: Cross origin direct document access denied.");
+        }
+
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, false);
+</script>
+<pre id="console"></pre>
diff --git a/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-document-direct-test.html b/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-document-direct-test.html
@@ -0,0 +1,6 @@
+<script>
+parent.attack = function() {
+    document.fail = "FAIL";
+}
+window.location = "http://localhost:8000/security/resources/cross-frame-iframe-for-document-direct-test-victim.html";
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2009-04-03  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        <rdar://problem/6330929>
+        https://bugs.webkit.org/show_bug.cgi?id=21456
+
+        Don't update the document pointer for all inactive windows on navigations.
+        This change causes us to differ slightly from Firefox when accessing the
+        document from within a closure tied to a navigated context, but as all
+        browsers differ on this edge case, I don't foresee compatibility issues.
+
+        Test: http/tests/security/cross-frame-access-document-direct.html
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::~JSDOMWindowBase):
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::clearWindowShell):
+        (WebCore::ScriptController::initScript):
+        (WebCore::ScriptController::updateDocument):
+        * bindings/js/ScriptController.h:
+
 2009-04-03  Chris Marrin  <cmarrin@apple.com>
 
         Reviewed by Simon Fraser.

diff --git a/WebCore/bindings/js/JSDOMWindowBase.cpp b/WebCore/bindings/js/JSDOMWindowBase.cpp
@@ -149,8 +149,6 @@ void JSDOMWindowBase::updateDocument()
 
 JSDOMWindowBase::~JSDOMWindowBase()
 {
-    if (d()->impl->frame())
-        d()->impl->frame()->script()->clearFormerWindow(asJSDOMWindow(this));
 }
 
 ScriptExecutionContext* JSDOMWindowBase::scriptExecutionContext() const

diff --git a/WebCore/bindings/js/ScriptController.cpp b/WebCore/bindings/js/ScriptController.cpp
@@ -123,7 +123,6 @@ void ScriptController::clearWindowShell()
 
     JSLock lock(false);
     m_windowShell->window()->clear();
-    m_liveFormerWindows.add(m_windowShell->window());
     m_windowShell->setWindow(m_frame->domWindow());
     if (Page* page = m_frame->page()) {
         attachDebugger(page->debugger());
@@ -160,7 +159,7 @@ void ScriptController::initScript()
     JSLock lock(false);
 
     m_windowShell = new JSDOMWindowShell(m_frame->domWindow());
-    updateDocument();
+    m_windowShell->window()->updateDocument();
 
     if (Page* page = m_frame->page()) {
         attachDebugger(page->debugger());
@@ -252,9 +251,6 @@ void ScriptController::updateDocument()
     JSLock lock(false);
     if (m_windowShell)
         m_windowShell->window()->updateDocument();
-    HashSet<JSDOMWindow*>::iterator end = m_liveFormerWindows.end();
-    for (HashSet<JSDOMWindow*>::iterator it = m_liveFormerWindows.begin(); it != end; ++it)
-        (*it)->updateDocument();
 }
 
 void ScriptController::updateSecurityOrigin()

diff --git a/WebCore/bindings/js/ScriptController.h b/WebCore/bindings/js/ScriptController.h
@@ -101,7 +101,6 @@ class ScriptController {
     const String* sourceURL() const { return m_sourceURL; } // 0 if we are not evaluating any script
 
     void clearWindowShell();
-    void clearFormerWindow(JSDOMWindow* window) { m_liveFormerWindows.remove(window); }
     void updateDocument();
 
     // Notifies the ScriptController that the securityOrigin of the current
@@ -148,7 +147,6 @@ class ScriptController {
     bool isJavaScriptAnchorNavigation() const;
 
     JSC::ProtectedPtr<JSDOMWindowShell> m_windowShell;
-    HashSet<JSDOMWindow*> m_liveFormerWindows;
     Frame* m_frame;
     int m_handlerLineno;
     const String* m_sourceURL;