Changeset 30634 in webkit

Timestamp:

Feb 27, 2008 3:59:54 PM (16 years ago)

Author:

weinig@apple.com

Message:

WebCore:

Reviewed by Darin.

Fix for <rdar://problem/5768769>

• Don't allow cross-origin calls using window.functionName.call(otherFrame) syntax.

• bindings/js/JSLocation.cpp: (WebCore::jsLocationProtoFuncToString): Do same-origin check.
• bindings/js/kjs_window.cpp: (KJS::windowProtoFuncAToB): Ditto. (KJS::windowProtoFuncBToA): Ditto. (KJS::windowProtoFuncOpen): Ditto. (KJS::windowProtoFuncClearTimeout): Ditto.
• bindings/scripts/CodeGeneratorJS.pm: Ditto.

LayoutTests:

Reviewed by Darin.

Updates tests for <rdar://problem/5768769>

• http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
• http/tests/security/cross-frame-access-call-expected.txt:
• http/tests/security/cross-frame-access-call.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-call.html (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSLocation.cpp (modified) (1 diff)
• WebCore/bindings/js/kjs_window.cpp (modified) (4 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-02-27  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin.
+
+        Updates tests for <rdar://problem/5768769>
+
+        * http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
+        * http/tests/security/cross-frame-access-call-expected.txt:
+        * http/tests/security/cross-frame-access-call.html:
+
 2008-02-27  Brady Eidson  <beidson@apple.com>
 

trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
+
 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
 

trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt

@@ -7 +7 @@
 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
 
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 55: Undefined value
 
 
 ----- tests for calling methods of another frame using Function.call -----
 
-PASS: setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
-PASS: setInterval.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
+PASS: window.setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
+PASS: window.setInterval.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
+PASS: window.getSelection.call(targetWindow) should be 'undefined' and is.
+PASS: window.find.call(targetWindow, 'string', false, false, false, false, false, false) should be 'undefined' and is.
+PASS: window.confirm.call(targetWindow, 'message') should be 'undefined' and is.
+PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
+PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
+PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
+PASS: window.openDatabase.call(targetWindow, 'name') should be 'undefined' and is.
+PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
+PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
+PASS: window.open.call(targetWindow, '') should be 'undefined' and is.
 

trunk/LayoutTests/http/tests/security/cross-frame-access-call.html

@@ -17 +17 @@
     log("\n----- tests for calling methods of another frame using Function.call -----\n");
 
+    // Allowed
+    // void focus();
+    // void blur();
+    // void close();
+    // void postMessage(in DOMString message);
+
+    // - Tests for the Window object - 
     // undefined value indicates failure
-    shouldBe("setTimeout.call(targetWindow, 'void(0);', 0)", undefined);
-    shouldBe("setInterval.call(targetWindow, 'void(0);', 0)", undefined);
+    shouldBe("window.setTimeout.call(targetWindow, 'void(0);', 0)", "undefined");
+    shouldBe("window.setInterval.call(targetWindow, 'void(0);', 0)", "undefined");
+    shouldBe("window.getSelection.call(targetWindow)", "undefined");
+    shouldBe("window.find.call(targetWindow, 'string', false, false, false, false, false, false)", "undefined");
+    shouldBe("window.confirm.call(targetWindow, 'message')", "undefined");
+    shouldBe("window.prompt.call(targetWindow, 'message', 'defaultValue')", "undefined");
+    shouldBe("window.getComputedStyle.call(targetWindow, document.body, '')", "undefined");
+    shouldBe("window.getMatchedCSSRules.call(targetWindow, document.body, '', false)", "undefined");
+    shouldBe("window.openDatabase.call(targetWindow, 'name')", "undefined");
+    shouldBe("window.atob.call(targetWindow, 'string')", "undefined");
+    shouldBe("window.btoa.call(targetWindow, 'string')", "undefined");
+    shouldBe("window.open.call(targetWindow, '')", "undefined");
 
-    // these always return undefined so we use the error console to detect failure
-    addEventListener.call(targetWindow, "load", null, false);
-    removeEventListener.call(targetWindow, "load", null, false);
+    // These always return undefined so we use the error console to detect failure
+    window.addEventListener.call(targetWindow, "load", null, false);
+    window.removeEventListener.call(targetWindow, "load", null, false);
+    window.clearTimeout.call(targetWindow, 0);
+    window.clearInterval.call(targetWindow, 0);
+    window.print.call(targetWindow);
+    window.stop.call(targetWindow);
+    window.alert.call(targetWindow, 'message');
+    window.scrollBy.call(targetWindow, 0, 0);
+    window.scrollTo.call(targetWindow, 0, 0);
+    window.scroll.call(targetWindow, 0, 0);
+    window.moveBy.call(targetWindow, 0, 0);
+    window.moveTo.call(targetWindow, 0, 0);
+    window.resizeBy.call(targetWindow, 0, 0);
+    window.resizeTo.call(targetWindow, 0, 0);
+    window.showModalDialog.call(targetWindow);
+
+    // - Tests for the Location object -
+    // undefined value indicates failure
+    shouldBe("window.location.toString.call(targetWindow.location)", "undefined");
 
     // Work around DRT bug that causes subsequent tests to fail.

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-02-27  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Darin.
+
+        Fix for <rdar://problem/5768769>
+
+        - Don't allow cross-origin calls using window.functionName.call(otherFrame)
+          syntax.
+
+        * bindings/js/JSLocation.cpp:
+        (WebCore::jsLocationProtoFuncToString): Do same-origin check.
+        * bindings/js/kjs_window.cpp:
+        (KJS::windowProtoFuncAToB): Ditto.
+        (KJS::windowProtoFuncBToA): Ditto.
+        (KJS::windowProtoFuncOpen): Ditto.
+        (KJS::windowProtoFuncClearTimeout): Ditto.
+        * bindings/scripts/CodeGeneratorJS.pm: Ditto.
+
 2008-02-27  David Hyatt  <hyatt@apple.com>
 

trunk/WebCore/bindings/js/JSLocation.cpp

@@ -302 +302 @@
     if (!frame)
         return jsUndefined();
+    if (!allowsAccessFromFrame(exec, frame))
+        return jsUndefined();
 
     const KURL& url = frame->loader()->url();

trunk/WebCore/bindings/js/kjs_window.cpp

@@ -1074 +1074 @@
     if (!thisObj->inherits(&Window::info))
         return throwError(exec, TypeError);
+    if (!static_cast<Window*>(thisObj)->allowsAccessFrom(exec)) 
+        return jsUndefined();
 
     if (args.size() < 1)
@@ -1103 +1105 @@
     if (!thisObj->inherits(&Window::info))
         return throwError(exec, TypeError);
+    if (!static_cast<Window*>(thisObj)->allowsAccessFrom(exec)) 
+        return jsUndefined();
 
     if (args.size() < 1)
@@ -1132 +1136 @@
         return throwError(exec, TypeError);
     Window* window = static_cast<Window*>(thisObj);
+    if (!window->allowsAccessFrom(exec)) 
+        return jsUndefined();
+
     Frame* frame = window->impl()->frame();
     if (!frame)
@@ -1221 +1228 @@
         return throwError(exec, TypeError);
     Window* window = static_cast<Window*>(thisObj);
+    if (!window->allowsAccessFrom(exec)) 
+        return jsUndefined();
 
     window->clearTimeout(args[0]->toInt32(exec));

trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -1150 +1150 @@
             push(@implContent, "    $className* castedThisObj = static_cast<$className*>(thisObj);\n");
 
+            if ($dataNode->extendedAttributes->{"CheckDomainSecurity"} && 
+                !$function->signature->extendedAttributes->{"DoNotCheckDomainSecurity"}) {
+                push(@implContent, "    if (!castedThisObj->allowsAccessFrom(exec))\n");
+                push(@implContent, "        return jsUndefined();\n");
+            }
+
             if ($function->signature->extendedAttributes->{"Custom"}) {
-                push(@implContent, "        return castedThisObj->" . $codeGenerator->WK_lcfirst($function->signature->name) . "(exec, args);\n");
+                push(@implContent, "    return castedThisObj->" . $codeGenerator->WK_lcfirst($function->signature->name) . "(exec, args);\n");
             } else {
                 if ($podType) {