Changeset 273901 in webkit

Timestamp:

Mar 4, 2021 10:26:22 AM (17 months ago)

Author:

keith_miller@apple.com

Message:

window proxy of detached iframe doesn't respect updates to global values
​https://bugs.webkit.org/show_bug.cgi?id=206445

Reviewed by Chris Dumez.

Source/WebCore:

According to the html spec the frame should only be needing for
COOP access violation reporting, which we don't support. This
patch removes our old behavior of blocking stores to windows that
have been detached.

I also removed some stale caching code from
getOwnPropertySlotByIndex since it's only accessed once now.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
(WebCore::JSDOMWindow::doPutPropertySecurityCheck):
(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::putByIndex):

LayoutTests:

• fast/frames/iframe-detached-window-still-writable-eval-expected.txt: Added.
• fast/frames/iframe-detached-window-still-writable-eval.html: Added.
• fast/frames/iframe-detached-window-still-writable-expected.txt: Added.
• fast/frames/iframe-detached-window-still-writable.html: Added.
• http/tests/dom/cross-origin-detached-window-properties-expected.txt:
• http/tests/dom/cross-origin-detached-window-properties.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/iframe-detached-window-still-writable-eval-expected.txt (added)
• LayoutTests/fast/frames/iframe-detached-window-still-writable-eval.html (added)
• LayoutTests/fast/frames/iframe-detached-window-still-writable-expected.txt (added)
• LayoutTests/fast/frames/iframe-detached-window-still-writable.html (added)
• LayoutTests/http/tests/dom/cross-origin-detached-window-properties-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/dom/cross-origin-detached-window-properties.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (5 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-03-04  Keith Miller  <keith_miller@apple.com>
+
+        window proxy of detached iframe doesn't respect updates to global values
+        https://bugs.webkit.org/show_bug.cgi?id=206445
+
+        Reviewed by Chris Dumez.
+
+        * fast/frames/iframe-detached-window-still-writable-eval-expected.txt: Added.
+        * fast/frames/iframe-detached-window-still-writable-eval.html: Added.
+        * fast/frames/iframe-detached-window-still-writable-expected.txt: Added.
+        * fast/frames/iframe-detached-window-still-writable.html: Added.
+        * http/tests/dom/cross-origin-detached-window-properties-expected.txt:
+        * http/tests/dom/cross-origin-detached-window-properties.html:
+
 2021-03-04  Jon Lee  <jonlee@apple.com>
 

trunk/LayoutTests/http/tests/dom/cross-origin-detached-window-properties-expected.txt

@@ -33 +33 @@
 PASS w.performance threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS w.foo threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
+PASS w.foo = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
+PASS w[0] = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS w.location.foo threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 
@@ -64 +66 @@
 PASS w.performance threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS w.foo threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
+PASS w.foo = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
+PASS w[0] = 1 threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS w.location.foo threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS successfullyParsed is true

trunk/LayoutTests/http/tests/dom/cross-origin-detached-window-properties.html

@@ -49 +49 @@
 
     shouldThrowErrorName("w.foo", "SecurityError");
+    shouldThrowErrorName("w.foo = 1", "SecurityError");
+    shouldThrowErrorName("w[0] = 1", "SecurityError");
     shouldThrowErrorName("w.location.foo", "SecurityError");
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-03-04  Keith Miller  <keith_miller@apple.com>
+
+        window proxy of detached iframe doesn't respect updates to global values
+        https://bugs.webkit.org/show_bug.cgi?id=206445
+
+        Reviewed by Chris Dumez.
+
+        According to the html spec the frame should only be needing for
+        COOP access violation reporting, which we don't support. This
+        patch removes our old behavior of blocking stores to windows that
+        have been detached.
+
+        I also removed some stale caching code from
+        getOwnPropertySlotByIndex since it's only accessed once now.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
+        (WebCore::JSDOMWindow::doPutPropertySecurityCheck):
+        (WebCore::JSDOMWindow::put):
+        (WebCore::JSDOMWindow::putByIndex):
+
 2021-03-04  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -299 +299 @@
     slot.disableCaching();
 
-    String errorMessage;
-    Optional<bool> cachedIsCrossOriginAccess;
-    auto isCrossOriginAccess = [&] {
-        if (!cachedIsCrossOriginAccess)
-            cachedIsCrossOriginAccess = !BindingSecurity::shouldAllowAccessToDOMWindow(*lexicalGlobalObject, window, errorMessage);
-        return *cachedIsCrossOriginAccess;
-    };
-
     // (1) First, indexed properties.
     // These are also allowed cross-origin, so come before the access check.
@@ -315 +307 @@
 
     // Hand off all cross-domain/frameless access to jsDOMWindowGetOwnPropertySlotRestrictedAccess.
-    if (isCrossOriginAccess())
+    String errorMessage;
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(*lexicalGlobalObject, window, errorMessage))
         return jsDOMWindowGetOwnPropertySlotRestrictedAccess<DOMWindowType::Local>(thisObject, window, *lexicalGlobalObject, Identifier::from(vm, index), slot, errorMessage);
 
@@ -328 +321 @@
 
     auto* thisObject = jsCast<JSDOMWindow*>(cell);
-    if (!thisObject->wrapped().frame())
-        return;
 
     String errorMessage;
@@ -347 +338 @@
 
     auto* thisObject = jsCast<JSDOMWindow*>(cell);
-    if (!thisObject->wrapped().frame())
-        return false;
 
     String errorMessage;
@@ -368 +357 @@
 bool JSDOMWindow::putByIndex(JSCell* cell, JSGlobalObject* lexicalGlobalObject, unsigned index, JSValue value, bool shouldThrow)
 {
+    VM& vm = lexicalGlobalObject->vm();
     auto* thisObject = jsCast<JSDOMWindow*>(cell);
-    if (!thisObject->wrapped().frame() || !BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, thisObject->wrapped()))
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    String errorMessage;
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(*lexicalGlobalObject, thisObject->wrapped(), errorMessage)) {
+        throwSecurityError(*lexicalGlobalObject, scope, errorMessage);
         return false;
+    }
     
     return Base::putByIndex(thisObject, lexicalGlobalObject, index, value, shouldThrow);