Context Navigation

← Previous Changeset
Next Changeset →

Changeset 34506 in webkit

Timestamp:

Jun 11, 2008 11:41:53 PM (16 years ago)

Author:

abarth@webkit.org

Message:

WebCore:

008-06-11 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

https://bugs.webkit.org/show_bug.cgi?id=19460

Update the security context of a document after calling document.open
or document.write. Basically, when a script open()s a document, the
document gains the security context of the script. Our implementation
now matches Firefox 3 on all these tests.

Tests: http/tests/security/aboutBlank/security-context-alias.html

http/tests/security/aboutBlank/security-context-grandchildren-alias.html
http/tests/security/aboutBlank/security-context-grandchildren.html
http/tests/security/aboutBlank/security-context-window-open.html
http/tests/security/aboutBlank/security-context-with-base-tag.html
http/tests/security/aboutBlank/security-context-write.html
http/tests/security/aboutBlank/security-context-writeln.html
http/tests/security/aboutBlank/security-context.html
http/tests/security/cookies/document-open.html

bindings/js/JSDOMWindowBase.cpp: (WebCore::createWindow):
bindings/js/JSHTMLDocumentCustom.cpp: (WebCore::JSHTMLDocument::open): (WebCore::JSHTMLDocument::write): (WebCore::JSHTMLDocument::writeln):
dom/Document.cpp: (WebCore::Document::open): (WebCore::Document::write): (WebCore::Document::writeln):
dom/Document.h:

LayoutTests:

008-06-11 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

Tests for the security context of about:blank documents. These test
results all match Firefox 3.

fast/dom/resource-locations-in-created-html-document.html:
http/tests/security/aboutBlank/resources/iframe-with-about-blank-children.html: Added.
http/tests/security/aboutBlank/security-context-alias-expected.txt: Added.
http/tests/security/aboutBlank/security-context-alias.html: Added.
http/tests/security/aboutBlank/security-context-expected.txt: Added.
http/tests/security/aboutBlank/security-context-grandchildren-alias-expected.txt: Added.
http/tests/security/aboutBlank/security-context-grandchildren-alias.html: Added.
http/tests/security/aboutBlank/security-context-grandchildren-expected.txt: Added.
http/tests/security/aboutBlank/security-context-grandchildren.html: Added.
http/tests/security/aboutBlank/security-context-window-open-expected.txt: Added.
http/tests/security/aboutBlank/security-context-window-open.html: Added.
http/tests/security/aboutBlank/security-context-with-base-tag-expected.txt: Added.
http/tests/security/aboutBlank/security-context-with-base-tag.html: Added.
http/tests/security/aboutBlank/security-context-write-expected.txt: Added.
http/tests/security/aboutBlank/security-context-write.html: Added.
http/tests/security/aboutBlank/security-context-writeln-expected.txt: Added.
http/tests/security/aboutBlank/security-context-writeln.html: Added.
http/tests/security/aboutBlank/security-context.html: Added.
http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt:
http/tests/security/cookies/document-open-expected.txt: Added.
http/tests/security/cookies/document-open.html: Added.

Location:

trunk

Files:

: 20 added
: 8 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r34505
+                      r34506
+-06-11  Adam Barth  <abarth@webkit.org>
+        Reviewed by Sam Weinig.
+        Tests for the security context of about:blank documents.  These test
+        results all match Firefox 3.
+        * fast/dom/resource-locations-in-created-html-document.html:
+        * http/tests/security/aboutBlank/resources/iframe-with-about-blank-children.html: Added.
+        * http/tests/security/aboutBlank/security-context-alias-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-alias.html: Added.
+        * http/tests/security/aboutBlank/security-context-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-grandchildren-alias-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-grandchildren-alias.html: Added.
+        * http/tests/security/aboutBlank/security-context-grandchildren-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-grandchildren.html: Added.
+        * http/tests/security/aboutBlank/security-context-window-open-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-window-open.html: Added.
+        * http/tests/security/aboutBlank/security-context-with-base-tag-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-with-base-tag.html: Added.
+        * http/tests/security/aboutBlank/security-context-write-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-write.html: Added.
+        * http/tests/security/aboutBlank/security-context-writeln-expected.txt: Added.
+        * http/tests/security/aboutBlank/security-context-writeln.html: Added.
+        * http/tests/security/aboutBlank/security-context.html: Added.
+        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt:
+        * http/tests/security/cookies/document-open-expected.txt: Added.
+        * http/tests/security/cookies/document-open.html: Added.
 -06-11  Adam Barth  <abarth@webkit.org>

trunk/LayoutTests/fast/dom/resource-locations-in-created-html-document.html

r14980	r34506
11	11	htmlDoc.write('<html><img id="theImage" src="/test"></html>');
12	12
13		if (htmlDoc.getElementById('theImage').src == '/test')
	13	if (htmlDoc.getElementById('theImage').src == 'file:///test')
14	14	document.getElementById('result').innerHTML = 'SUCCESS';
15	15	}

trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt

r29266	r34506
1		CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL ~~about:blank~~. Domains, protocols and ports must match.
	1	CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html. Domains, protocols and ports must match.
2	2
3	3	CONSOLE MESSAGE: line 1: Undefined value

trunk/WebCore/ChangeLog

-                      r34505
+                      r34506
+-06-11  Adam Barth  <abarth@webkit.org>
+        Reviewed by Sam Weinig.
+        https://bugs.webkit.org/show_bug.cgi?id=19460
+        Update the security context of a document after calling document.open
+        or document.write.  Basically, when a script open()s a document, the
+        document gains the security context of the script.  Our implementation
+        now matches Firefox 3 on all these tests.
+        Tests: http/tests/security/aboutBlank/security-context-alias.html
+               http/tests/security/aboutBlank/security-context-grandchildren-alias.html
+               http/tests/security/aboutBlank/security-context-grandchildren.html
+               http/tests/security/aboutBlank/security-context-window-open.html
+               http/tests/security/aboutBlank/security-context-with-base-tag.html
+               http/tests/security/aboutBlank/security-context-write.html
+               http/tests/security/aboutBlank/security-context-writeln.html
+               http/tests/security/aboutBlank/security-context.html
+               http/tests/security/cookies/document-open.html
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::createWindow):
+        * bindings/js/JSHTMLDocumentCustom.cpp:
+        (WebCore::JSHTMLDocument::open):
+        (WebCore::JSHTMLDocument::write):
+        (WebCore::JSHTMLDocument::writeln):
+        * dom/Document.cpp:
+        (WebCore::Document::open):
+        (WebCore::Document::write):
+        (WebCore::Document::writeln):
+        * dom/Document.h:
 -06-11  Adam Barth  <abarth@webkit.org>

trunk/WebCore/bindings/js/JSDOMWindowBase.cpp

-                      r34432
+                      r34506
         bool userGesture = activeFrame->scriptProxy()->processingUserGesture();
         if (created) {
+        if (created)
             newFrame->loader()->changeLocation(completedURL, activeFrame->loader()->outgoingReferrer(), false, userGesture);
+            if (Document* oldDoc = openerFrame->document())
+                newFrame->document()->setBaseURL(oldDoc->baseURL());
+        } else if (!url.isEmpty())
+        else if (!url.isEmpty())
             newFrame->loader()->scheduleLocationChange(completedURL.string(), activeFrame->loader()->outgoingReferrer(), false, userGesture);
+    }

trunk/WebCore/bindings/js/JSHTMLDocumentCustom.cpp

-                      r34355
+                      r34506
 #include "HTMLNames.h"
 #include "JSDOMWindow.h"
+#include "JSDOMWindowCustom.h"
 #include "JSDOMWindowShell.h"
 #include "JSHTMLCollection.h"
 …
+    }
+    // document.open clobbers the security context of the document and
+    // aliases it with the active security context.
+    Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document();
     // In the case of two parameters or fewer, do a normal document open.
     static_cast<HTMLDocument*>(impl())->open();
+    static_cast<HTMLDocument*>(impl())->open(activeDocument);
     return jsUndefined();
+}
 …
 JSValue* JSHTMLDocument::write(ExecState* exec, const List& args)
+{
+    static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args));
+    Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document();
+    static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args), activeDocument);
     return jsUndefined();
+}
 …
 JSValue* JSHTMLDocument::writeln(ExecState* exec, const List& args)
+{
+    static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args) + "\n");
+    Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document();
+    static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args) + "\n", activeDocument);
     return jsUndefined();
+}

trunk/WebCore/dom/Document.cpp

-                      r34505
+                      r34506
+}
+void Document::open()
+{
+    // This is work that we should probably do in clear(), but we can't have it
+    // happen when implicitOpen() is called unless we reorganize Frame code.
+    if (Document* parent = parentDocument()) {
+        if (m_url.isEmpty() || m_url == blankURL())
+            setURL(parent->url());
+        if (m_baseURL.isEmpty() || m_baseURL == blankURL())
+            setBaseURL(parent->baseURL());
+void Document::open(Document* ownerDocument)
+{
+    if (ownerDocument) {
+        setURL(ownerDocument->url());
+        setBaseURL(ownerDocument->url());
+        m_cookieURL = ownerDocument->cookieURL();
+        m_securityOrigin = ownerDocument->securityOrigin();
+    }
 …
+}
 void Document::write(const String& text)
+void Document::write(const String& text, Document* ownerDocument)
+{
 #ifdef INSTRUMENT_LAYOUT_SCHEDULING
 …
     if (!m_tokenizer) {
         open();
+        open(ownerDocument);
         ASSERT(m_tokenizer);
         if (!m_tokenizer)
             return;
         write("<html>");
+        write("<html>", ownerDocument);
+    }
     m_tokenizer->write(text, false);
 …
+}
 void Document::writeln(const String& text)
+{
     write(text);
     write("\n");
+void Document::writeln(const String& text, Document* ownerDocument)
+{
+    write(text, ownerDocument);
+    write("\n", ownerDocument);
+}

trunk/WebCore/dom/Document.h

-                      r34505
+                      r34506
     void setVisuallyOrdered();
     void open();
+    void open(Document* ownerDocument = 0);
     void implicitOpen();
     void close();
 …
     void cancelParsing();
     void write(const String& text);
     void writeln(const String& text);
+    void write(const String& text, Document* ownerDocument = 0);
+    void writeln(const String& text, Document* ownerDocument = 0);
     void finishParsing();
     void clear();

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 34506 in webkit

Legend:

Download in other formats: