From 2dafc5396632b1f9831f704f35d13d70194db484 Mon Sep 17 00:00:00 2001 From: Dave Tapuska Date: Tue, 13 Aug 2019 14:02:21 -0400 Subject: [PATCH] Explicitly prevent sandboxed navigation via History Previously, sandboxed navigation did not prevent navigation via the history API; the check for the navigation was after the unload steps of the history traversal. This adds an explicit check in those methods to prevent such navigation. Fixes #880. --- source | 79 +++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 56 insertions(+), 23 deletions(-) diff --git a/source b/source index 9a4b136e372..3b8721775c3 100644 --- a/source +++ b/source @@ -81627,24 +81627,52 @@ interface History { null.

When the go(delta) method is - invoked, if delta is zero, the user agent must act as if the - location.reload() method was called instead. Otherwise, - the user agent must traverse the history by a delta whose value is - delta. If this History object is associated with a Document - that is not fully active, invoking must instead throw a - "SecurityError" DOMException.

+ invoked:

-

When the back() method is invoked, the user - agent must traverse the history by a delta −1. If this History - object is associated with a Document that is not fully active, - invoking must instead throw a "SecurityError" - DOMException.

+
    +
  1. Let document be this History object's associated + Document.

  2. -

    When the forward() method is invoked, the - user agent must traverse the history by a delta +1. If this History - object is associated with a Document that is not fully active, - invoking must instead throw a "SecurityError" - DOMException.

    +
  3. If document is not fully active, then throw a + "SecurityError" + DOMException.

  4. + + +
  5. If delta is 0, then act as if the location.reload() method was called, and return.

  6. + +
  7. Traverse the history by a delta with delta and + document's browsing context.

  8. +
+ +

When the back() method is invoked:

+ +
    +
  1. Let document be this History object's associated + Document.

  2. + +
  3. If document is not fully active, then throw a + "SecurityError" + DOMException.

  4. + +
  5. Traverse the history by a delta with −1 and + document's browsing context.

  6. +
+ +

When the forward() method is invoked:

+ + +
    +
  1. Let document be this History object's associated + Document.

  2. + +
  3. If document is not fully active, then throw a + "SecurityError" + DOMException.

  4. + +
  5. Traverse the history by a delta with +1 and + document's browsing context.

  6. +

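Review bot: the reordered steps change observable behaviour for `go(0)`: the fully-active check (step 3) now runs before the delta-is-0 reload short-circuit (step 5), so `history.go(0)` on a document that is not fully active throws a "SecurityError" DOMException instead of reloading, whereas the replaced text ("if delta is zero ... act as if location.reload() was called ... Otherwise ... If this History object is associated with a Document that is not fully active ...") left the order ambiguous; that deserves a sentence in the commit message. Note also that the delta = 0 path still goes through location.reload() and never reaches the "allowed to navigate" check being added to "traverse the history by a delta"; if that is intentional (a document reloading itself), say so in a note so the next reader does not have to work it out. Finally, back() and forward() now repeat steps 1 and 3 of go() verbatim; a shared sub-algorithm would keep the three in sync.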
@@ -81676,14 +81704,16 @@ interface History {
-

To traverse the history by a delta delta, the user agent must - append a task to this top-level browsing context's - session history traversal queue, the task - consisting of running the following steps:

+

To traverse the history by a delta given delta and browsing + context source browsing context, the user agent must append a task to this top-level browsing context's session + history traversal queue, the task consisting of running + the following steps:

    -
  1. If the index of the current entry of the joint session history plus delta is less than zero or greater than or equal to the number of items in the +

  2. If the index of the current entry of the joint session history plus + delta is less than zero or greater than or equal to the number of items in the joint session history, then return.

  3. Let specified entry be the entry in the joint session @@ -81693,6 +81723,9 @@ interface History {

  4. Let specified browsing context be the browsing context of the specified entry.

  5. +
  6. If source browsing context is not allowed to navigate + specified browsing context, then return.

  7. +
  8. If the specified browsing context's active document's unload a document algorithm is currently running, return.

  9. @@ -81740,8 +81773,8 @@ interface History {

When the user navigates through a browsing context, e.g. using a browser's back - and forward buttons, the user agent must traverse the history by a delta equivalent - to the action specified by the user.

+ and forward buttons, the user agent must traverse the history by a delta with a delta + equivalent to the action specified by the user and the browsing context being operated on.
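Review bot: in the rewritten signature ("To traverse the history by a delta given delta and browsing context source browsing context") the task is still appended to "this top-level browsing context's session history traversal queue", but "this" no longer has a referent once every caller passes the browsing context as an explicit argument; make it "source browsing context's top-level browsing context's session history traversal queue" so the queue being used is unambiguous for both the History-method callers and the user-navigation caller.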
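Review bot: the new step 6 ("If source browsing context is not allowed to navigate specified browsing context, then return.") fails silently, while the not-fully-active case in go()/back()/forward() throws a "SecurityError" DOMException. Since this step runs inside the queued task, throwing back to the script caller is not possible, so the silent return is the only available mechanism, but the commit message describes the check only as "explicit"; state plainly that a sandboxed caller observes neither an error nor a navigation, and consider recommending a console message. The placement ahead of step 8's unload-in-progress check does match the stated motivation that the old check sat after the unload steps.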
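Review bot: passing "the browsing context being operated on" as the source means user-initiated back/forward navigation is now also subjected to step 6's allowed-to-navigate check against the specified entry's browsing context. If the intent is that a user pressing the browser's back button is never blocked by sandboxing, say so here (or pass the top-level browsing context as the source), because "the browsing context being operated on" is not obviously defined for a back button that traverses the joint session history across nested frames.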