Changeset 34506 in webkit
- Timestamp:
- Jun 11, 2008 11:41:53 PM (16 years ago)
- Location:
- trunk
- Files:
-
- 20 added
- 8 edited
trunk/LayoutTests/ChangeLog
r34505 r34506 1 2008-06-11 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Sam Weinig. 4 5 Tests for the security context of about:blank documents. These test 6 results all match Firefox 3. 7 8 * fast/dom/resource-locations-in-created-html-document.html: 9 * http/tests/security/aboutBlank/resources/iframe-with-about-blank-children.html: Added. 10 * http/tests/security/aboutBlank/security-context-alias-expected.txt: Added. 11 * http/tests/security/aboutBlank/security-context-alias.html: Added. 12 * http/tests/security/aboutBlank/security-context-expected.txt: Added. 13 * http/tests/security/aboutBlank/security-context-grandchildren-alias-expected.txt: Added. 14 * http/tests/security/aboutBlank/security-context-grandchildren-alias.html: Added. 15 * http/tests/security/aboutBlank/security-context-grandchildren-expected.txt: Added. 16 * http/tests/security/aboutBlank/security-context-grandchildren.html: Added. 17 * http/tests/security/aboutBlank/security-context-window-open-expected.txt: Added. 18 * http/tests/security/aboutBlank/security-context-window-open.html: Added. 19 * http/tests/security/aboutBlank/security-context-with-base-tag-expected.txt: Added. 20 * http/tests/security/aboutBlank/security-context-with-base-tag.html: Added. 21 * http/tests/security/aboutBlank/security-context-write-expected.txt: Added. 22 * http/tests/security/aboutBlank/security-context-write.html: Added. 23 * http/tests/security/aboutBlank/security-context-writeln-expected.txt: Added. 24 * http/tests/security/aboutBlank/security-context-writeln.html: Added. 25 * http/tests/security/aboutBlank/security-context.html: Added. 26 * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt: 27 * http/tests/security/cookies/document-open-expected.txt: Added. 28 * http/tests/security/cookies/document-open.html: Added. 29 1 30 2008-06-11 Adam Barth <abarth@webkit.org> 2 31 -
trunk/LayoutTests/fast/dom/resource-locations-in-created-html-document.html
r14980 r34506 11 11 htmlDoc.write('<html><img id="theImage" src="/test"></html>'); 12 12 13 if (htmlDoc.getElementById('theImage').src == ' /test')13 if (htmlDoc.getElementById('theImage').src == 'file:///test') 14 14 document.getElementById('result').innerHTML = 'SUCCESS'; 15 15 } -
trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt
r29266 r34506 1 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL about:blank. Domains, protocols and ports must match.1 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html. Domains, protocols and ports must match. 2 2 3 3 CONSOLE MESSAGE: line 1: Undefined value -
trunk/WebCore/ChangeLog
r34505 r34506 1 2008-06-11 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Sam Weinig. 4 5 https://bugs.webkit.org/show_bug.cgi?id=19460 6 7 Update the security context of a document after calling document.open 8 or document.write. Basically, when a script open()s a document, the 9 document gains the security context of the script. Our implementation 10 now matches Firefox 3 on all these tests. 11 12 Tests: http/tests/security/aboutBlank/security-context-alias.html 13 http/tests/security/aboutBlank/security-context-grandchildren-alias.html 14 http/tests/security/aboutBlank/security-context-grandchildren.html 15 http/tests/security/aboutBlank/security-context-window-open.html 16 http/tests/security/aboutBlank/security-context-with-base-tag.html 17 http/tests/security/aboutBlank/security-context-write.html 18 http/tests/security/aboutBlank/security-context-writeln.html 19 http/tests/security/aboutBlank/security-context.html 20 http/tests/security/cookies/document-open.html 21 22 * bindings/js/JSDOMWindowBase.cpp: 23 (WebCore::createWindow): 24 * bindings/js/JSHTMLDocumentCustom.cpp: 25 (WebCore::JSHTMLDocument::open): 26 (WebCore::JSHTMLDocument::write): 27 (WebCore::JSHTMLDocument::writeln): 28 * dom/Document.cpp: 29 (WebCore::Document::open): 30 (WebCore::Document::write): 31 (WebCore::Document::writeln): 32 * dom/Document.h: 33 1 34 2008-06-11 Adam Barth <abarth@webkit.org> 2 35 -
trunk/WebCore/bindings/js/JSDOMWindowBase.cpp
r34432 r34506 309 309 bool userGesture = activeFrame->scriptProxy()->processingUserGesture(); 310 310 311 if (created) {311 if (created) 312 312 newFrame->loader()->changeLocation(completedURL, activeFrame->loader()->outgoingReferrer(), false, userGesture); 313 if (Document* oldDoc = openerFrame->document()) 314 newFrame->document()->setBaseURL(oldDoc->baseURL()); 315 } else if (!url.isEmpty()) 313 else if (!url.isEmpty()) 316 314 newFrame->loader()->scheduleLocationChange(completedURL.string(), activeFrame->loader()->outgoingReferrer(), false, userGesture); 317 315 } -
trunk/WebCore/bindings/js/JSHTMLDocumentCustom.cpp
r34355 r34506 35 35 #include "HTMLNames.h" 36 36 #include "JSDOMWindow.h" 37 #include "JSDOMWindowCustom.h" 37 38 #include "JSDOMWindowShell.h" 38 39 #include "JSHTMLCollection.h" … … 112 113 } 113 114 115 // document.open clobbers the security context of the document and 116 // aliases it with the active security context. 117 Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document(); 118 114 119 // In the case of two parameters or fewer, do a normal document open. 115 static_cast<HTMLDocument*>(impl())->open( );120 static_cast<HTMLDocument*>(impl())->open(activeDocument); 116 121 return jsUndefined(); 117 122 } … … 134 139 JSValue* JSHTMLDocument::write(ExecState* exec, const List& args) 135 140 { 136 static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args)); 141 Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document(); 142 static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args), activeDocument); 137 143 return jsUndefined(); 138 144 } … … 140 146 JSValue* JSHTMLDocument::writeln(ExecState* exec, const List& args) 141 147 { 142 static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args) + "\n"); 148 Document* activeDocument = asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document(); 149 static_cast<HTMLDocument*>(impl())->write(writeHelper(exec, args) + "\n", activeDocument); 143 150 return jsUndefined(); 144 151 } -
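Review bot: The expression `asJSDOMWindow(exec->lexicalGlobalObject())->impl()->document()` is now repeated verbatim in JSHTMLDocument::open(), write() and writeln(), and only the copy in open() carries the comment explaining that the document takes on the caller's security context. Because the choice of the lexical global object decides which origin the written document inherits, that decision is better made in one place, for example a file-local helper `static Document* activeDocument(ExecState* exec)` returning this expression, with the comment moved onto it. The expression can yield a null document; Document::open() in this changeset guards with `if (ownerDocument)`, so that case leaves the existing context untouched, which is worth stating in the comment. The body of open() begins outside the hunk.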
trunk/WebCore/dom/Document.cpp
r34505 r34506 1390 1390 } 1391 1391 1392 void Document::open() 1393 { 1394 // This is work that we should probably do in clear(), but we can't have it 1395 // happen when implicitOpen() is called unless we reorganize Frame code. 1396 if (Document* parent = parentDocument()) { 1397 if (m_url.isEmpty() || m_url == blankURL()) 1398 setURL(parent->url()); 1399 if (m_baseURL.isEmpty() || m_baseURL == blankURL()) 1400 setBaseURL(parent->baseURL()); 1392 void Document::open(Document* ownerDocument) 1393 { 1394 if (ownerDocument) { 1395 setURL(ownerDocument->url()); 1396 setBaseURL(ownerDocument->url()); 1397 m_cookieURL = ownerDocument->cookieURL(); 1398 m_securityOrigin = ownerDocument->securityOrigin(); 1401 1399 } 1402 1400 … … 1646 1644 } 1647 1645 1648 void Document::write(const String& text )1646 void Document::write(const String& text, Document* ownerDocument) 1649 1647 { 1650 1648 #ifdef INSTRUMENT_LAYOUT_SCHEDULING … … 1654 1652 1655 1653 if (!m_tokenizer) { 1656 open( );1654 open(ownerDocument); 1657 1655 ASSERT(m_tokenizer); 1658 1656 if (!m_tokenizer) 1659 1657 return; 1660 write("<html>" );1658 write("<html>", ownerDocument); 1661 1659 } 1662 1660 m_tokenizer->write(text, false); … … 1668 1666 } 1669 1667 1670 void Document::writeln(const String& text )1671 { 1672 write(text );1673 write("\n" );1668 void Document::writeln(const String& text, Document* ownerDocument) 1669 { 1670 write(text, ownerDocument); 1671 write("\n", ownerDocument); 1674 1672 } 1675 1673 -
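Review bot: In Document::open() the URL, base URL, cookie URL and security origin are now replaced whenever `ownerDocument` is non-null, whereas the removed code only filled in an empty or about:blank URL from the parent document. The assignment sits at the top of the function and the rest of open() lies outside the hunk, so please confirm that no later early return can leave the existing content in place under the newly adopted origin; if one exists, this block should move below it. `setBaseURL(ownerDocument->url())` also passes the owner's document URL rather than its `baseURL()` as the old code did. If that is deliberate, a comment such as `// Use url(), not baseURL(), for the base URL (see security-context-with-base-tag.html).` would keep it from being "corrected" later.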
trunk/WebCore/dom/Document.h
r34505 r34506 380 380 void setVisuallyOrdered(); 381 381 382 void open( );382 void open(Document* ownerDocument = 0); 383 383 void implicitOpen(); 384 384 void close(); … … 386 386 void cancelParsing(); 387 387 388 void write(const String& text );389 void writeln(const String& text );388 void write(const String& text, Document* ownerDocument = 0); 389 void writeln(const String& text, Document* ownerDocument = 0); 390 390 void finishParsing(); 391 391 void clear();
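Review bot: The new `ownerDocument` parameters on open(), write() and writeln() default to 0, so every existing caller that omits the argument keeps compiling and silently leaves the document's security context unchanged. Only the JS bindings in this changeset pass a document; any other binding or internal caller that writes on behalf of script would need to be audited separately, and none are visible here. The declarations should carry the contract, for example `// If ownerDocument is non-null, this document adopts its URL, cookie URL and security origin.`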