Changeset 100213 in webkit
- Timestamp:
- Nov 14, 2011 4:24:33 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 19 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r100211 r100213 1 2011-11-14 Adam Barth <abarth@webkit.org> 2 3 Unique origins shouldn't remember their scheme, host, or port 4 https://bugs.webkit.org/show_bug.cgi?id=72308 5 6 Reviewed by Eric Seidel. 7 8 * fast/filesystem/async-operations-expected.txt: 9 * fast/filesystem/not-enough-arguments-expected.txt: 10 * fast/filesystem/read-directory-expected.txt: 11 * fast/filesystem/simple-persistent-expected.txt: 12 * fast/filesystem/simple-readonly-expected.txt: 13 * fast/filesystem/simple-temporary-expected.txt: 14 - Update test results to show that we no longer leak the scheme in 15 storage identifiers. 16 * fast/frames/resources/sandboxed-iframe-storage-disallowed.html: 17 - Inline script because the sandbox iframe isn't allowed to load 18 local resources. 19 * fast/frames/sandboxed-iframe-attribute-parsing.html: 20 * fast/frames/sandboxed-iframe-forms-dynamic.html: 21 * fast/frames/sandboxed-iframe-forms.html: 22 * fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html: 23 * fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html: 24 * fast/frames/sandboxed-iframe-navigation-top-by-name.html: 25 * fast/frames/sandboxed-iframe-navigation-top.html: 26 * media/video-controls-no-scripting.html: 27 - Previously sandboxed local iframes still got universal access 28 when we're running with universal access for file URLs! Now that 29 they correctly get unique origins, we need to update these tests 30 to allow-same-origin access in order for them to function 31 properly. 32 1 33 2011-11-14 Julien Chaffraix <jchaffraix@webkit.org> 2 34 -
trunk/LayoutTests/fast/filesystem/async-operations-expected.txt
r72882 r100213 5 5 6 6 requested FileSystem. 7 Got FileSystem: file__0:Temporary7 Got FileSystem:__0:Temporary 8 8 Starting async test stage 1. 9 9 Starting async test stage 2. -
trunk/LayoutTests/fast/filesystem/not-enough-arguments-expected.txt
r96956 r100213 4 4 5 5 6 Successfully obtained Persistent FileSystem: file__0:Temporary6 Successfully obtained Persistent FileSystem:__0:Temporary 7 7 PASS fileSystem.root.moveTo() threw exception TypeError: Not enough arguments. 8 8 PASS fileSystem.root.copyTo() threw exception TypeError: Not enough arguments. -
trunk/LayoutTests/fast/filesystem/read-directory-expected.txt
r72882 r100213 4 4 5 5 6 Successfully obtained Persistent FileSystem: file__0:Temporary6 Successfully obtained Persistent FileSystem:__0:Temporary 7 7 PASS readEntriesCount is entriesCallbackCount 8 8 PASS resultEntries.length is testEntriesCount -
trunk/LayoutTests/fast/filesystem/simple-persistent-expected.txt
r72882 r100213 4 4 5 5 6 Successfully obtained PERSISTENT FileSystem: file__0:Persistent6 Successfully obtained PERSISTENT FileSystem:__0:Persistent 7 7 PASS fileSystem.name.length > 0 is true 8 8 PASS fileSystem.root.fullPath is "/" -
trunk/LayoutTests/fast/filesystem/simple-readonly-expected.txt
r97542 r100213 7 7 trying to set readonly property fileSystem.name 8 8 fileSystem.name = 'bar' 9 PASS fileSystem.name is still file__0:Temporary9 PASS fileSystem.name is still __0:Temporary 10 10 root = fileSystem.root 11 11 root.getFile('foo', {create:true}, getFileCallback, errorCallback) -
trunk/LayoutTests/fast/filesystem/simple-temporary-expected.txt
r72882 r100213 4 4 5 5 6 Successfully obtained TEMPORARY FileSystem: file__0:Temporary6 Successfully obtained TEMPORARY FileSystem:__0:Temporary 7 7 PASS fileSystem.name.length > 0 is true 8 8 PASS fileSystem.root.fullPath is "/" -
trunk/LayoutTests/fast/frames/resources/sandboxed-iframe-storage-disallowed.html
r98733 r100213 1 1 <html> 2 2 <head> 3 <script src="../../js/resources/js-test-pre.js"></script> 3 <script> 4 // This code is inlined from js-test-pre.js because this document is displayed 5 // in a sandboxed iframe and cannot load local resources. 6 7 if (window.layoutTestController) 8 layoutTestController.dumpAsText(); 9 10 function debug(msg) 11 { 12 var span = document.createElement("span"); 13 document.getElementById("console").appendChild(span); 14 span.innerHTML = msg + '<br />'; 15 } 16 17 function escapeHTML(text) 18 { 19 return text.replace(/&/g, "&").replace(/</g, "<").replace(/\0/g, "\\0"); 20 } 21 22 function testPassed(msg) 23 { 24 debug('<span><span class="pass">PASS</span> ' + escapeHTML(msg) + '</span>'); 25 } 26 27 function testFailed(msg) 28 { 29 debug('<span><span class="fail">FAIL</span> ' + escapeHTML(msg) + '</span>'); 30 } 31 32 function shouldThrow(_a, _e) 33 { 34 var exception; 35 var _av; 36 try { 37 _av = eval(_a); 38 } catch (e) { 39 exception = e; 40 } 41 42 var _ev; 43 if (_e) 44 _ev = eval(_e); 45 46 if (exception) { 47 if (typeof _e == "undefined" || exception == _ev) 48 testPassed(_a + " threw exception " + exception + "."); 49 else 50 testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Threw exception " + exception + "."); 51 } else if (typeof _av == "undefined") 52 testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Was undefined."); 53 else 54 testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Was " + _av + "."); 55 } 56 </script> 4 57 <script> 5 58 -
trunk/LayoutTests/fast/frames/sandboxed-iframe-attribute-parsing.html
r51579 r100213 57 57 58 58 <!-- plain, proper attribute value --> 59 <iframe sandbox="allow-scripts "59 <iframe sandbox="allow-scripts allow-same-origin" 60 60 name="f1" 61 61 src="resources/sandboxed-iframe-attribute-parsing-allowed.html"> … … 67 67 allow-scripts 68 68 69 "69 allow-same-origin" 70 70 name="f2" 71 71 src="resources/sandboxed-iframe-attribute-parsing-allowed.html"> … … 104 104 'Kyssarna' ('The kisses'), Esaias Tegnér, 1782-1846 105 105 106 allow-scripts 106 allow-scripts allow-same-origin 107 107 108 108 int main(void) … … 115 115 116 116 <!-- tab characters before and after attribute value --> 117 <iframe sandbox=" allow-scripts "117 <iframe sandbox=" allow-scripts allow-same-origin" 118 118 name="f4" 119 119 src="resources/sandboxed-iframe-attribute-parsing-allowed.html"> … … 121 121 122 122 <!-- mixed case --> 123 <iframe sandbox="AlLoW-sCrIpTs "123 <iframe sandbox="AlLoW-sCrIpTs allow-same-origin" 124 124 name="f5" 125 125 src="resources/sandboxed-iframe-attribute-parsing-allowed.html"> … … 128 128 <!-- iframes where script execution is disallowed --> 129 129 130 <iframe sandbox="allowscripts "130 <iframe sandbox="allowscripts allow-same-origin" 131 131 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 132 132 </iframe> 133 133 134 <iframe sandbox="allows-cripts "134 <iframe sandbox="allows-cripts allow-same-origin" 135 135 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 136 136 </iframe> 137 137 138 <iframe sandbox="-allow-scripts "138 <iframe sandbox="-allow-scripts allow-same-origin" 139 139 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 140 140 </iframe> 141 141 142 <iframe sandbox="allow_scripts "142 <iframe sandbox="allow_scripts allow-same-origin" 143 143 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 144 144 </iframe> 145 145 146 <iframe sandbox="allowScripts "146 <iframe sandbox="allowScripts allow-same-origin" 147 147 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 148 148 </iframe> 149 149 150 <iframe sandbox="aallow-scripts "150 <iframe sandbox="aallow-scripts allow-same-origin" 151 151 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 152 152 </iframe> 153 153 154 <iframe sandbox="allow-scriptss "154 <iframe sandbox="allow-scriptss allow-same-origin" 155 155 src="resources/sandboxed-iframe-attribute-parsing-disallowed.html"> 156 156 </iframe> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-forms-dynamic.html
r56290 r100213 31 31 frameElements = document.getElementsByTagName("iframe"); 32 32 33 frameElements[0].sandbox = "allow-scripts ";34 frameElements[1].sandbox = "allow-scripts allow-forms ";35 frameElements[2].sandbox = "allow-scripts ";33 frameElements[0].sandbox = "allow-scripts allow-same-origin"; 34 frameElements[1].sandbox = "allow-scripts allow-forms allow-same-origin"; 35 frameElements[2].sandbox = "allow-scripts allow-same-origin"; 36 36 37 37 frames[0].postMessage("go", "*"); … … 46 46 47 47 <iframe style="width: 60px; height: 60px;" 48 sandbox="allow-scripts allow-forms "48 sandbox="allow-scripts allow-forms allow-same-origin" 49 49 src="resources/sandboxed-iframe-form-dynamic-allowed.html"> 50 50 </iframe> 51 51 <iframe style="width: 60px; height: 60px;" 52 sandbox="allow-scripts "52 sandbox="allow-scripts allow-same-origin" 53 53 src="resources/sandboxed-iframe-form-dynamic-disallowed.html"> 54 54 </iframe> 55 55 <iframe style="width: 60px; height: 60px;" 56 sandbox="allow-scripts allow-forms "56 sandbox="allow-scripts allow-forms allow-same-origin" 57 57 src="resources/sandboxed-iframe-form-dynamic-allowed.html"> 58 58 </iframe> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-forms.html
r51577 r100213 42 42 43 43 <iframe style="width: 60px; height: 60px;" 44 sandbox="allow-scripts allow-forms "44 sandbox="allow-scripts allow-forms allow-same-origin" 45 45 src="resources/sandboxed-iframe-form-allowed.html"> 46 46 </iframe> 47 47 <iframe style="width: 60px; height: 60px;" 48 sandbox="allow-scripts allow-forms "48 sandbox="allow-scripts allow-forms allow-same-origin" 49 49 src="resources/sandboxed-iframe-form-allowed.html"> 50 50 </iframe> 51 51 <iframe style="width: 60px; height: 60px;" 52 sandbox="allow-scripts allow-forms "52 sandbox="allow-scripts allow-forms allow-same-origin" 53 53 src="resources/sandboxed-iframe-form-allowed.html"> 54 54 </iframe> 55 55 <iframe style="width: 60px; height: 60px;" 56 sandbox="allow-scripts allow-forms "56 sandbox="allow-scripts allow-forms allow-same-origin" 57 57 src="resources/sandboxed-iframe-form-allowed.html"> 58 58 </iframe> 59 59 <iframe style="width: 60px; height: 60px;" 60 sandbox="allow-scripts allow-forms "60 sandbox="allow-scripts allow-forms allow-same-origin" 61 61 src="resources/sandboxed-iframe-form-allowed.html"> 62 62 </iframe> … … 65 65 66 66 <iframe style="width: 60px; height: 60px;" 67 sandbox="allow-scripts "67 sandbox="allow-scripts allow-same-origin" 68 68 src="resources/sandboxed-iframe-form-disallowed.html"> 69 69 </iframe> … … 72 72 73 73 <iframe style="width: 60px; height: 60px;" 74 sandbox="allow-scripts allow-forms "74 sandbox="allow-scripts allow-forms allow-same-origin" 75 75 src="resources/sandboxed-iframe-form-allowed.html"> 76 76 </iframe> 77 77 <iframe style="width: 60px; height: 60px;" 78 sandbox="allow-scripts allow-forms "78 sandbox="allow-scripts allow-forms allow-same-origin" 79 79 src="resources/sandboxed-iframe-form-allowed.html"> 80 80 </iframe> 81 81 <iframe style="width: 60px; height: 60px;" 82 sandbox="allow-scripts allow-forms "82 sandbox="allow-scripts allow-forms allow-same-origin" 83 83 src="resources/sandboxed-iframe-form-allowed.html"> 84 84 </iframe> 85 85 <iframe style="width: 60px; height: 60px;" 86 sandbox="allow-scripts allow-forms "86 sandbox="allow-scripts allow-forms allow-same-origin" 87 87 src="resources/sandboxed-iframe-form-allowed.html"> 88 88 </iframe> 89 89 <iframe style="width: 60px; height: 60px;" 90 sandbox="allow-scripts allow-forms "90 sandbox="allow-scripts allow-forms allow-same-origin" 91 91 src="resources/sandboxed-iframe-form-allowed.html"> 92 92 </iframe> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name.html
r56591 r100213 10 10 <body> 11 11 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p> 12 <iframe sandbox="allow-scripts allow-top-navigation "12 <iframe sandbox="allow-scripts allow-top-navigation allow-same-origin" 13 13 src="resources/navigate-top-by-constant-name-to-pass.html"> 14 14 </body> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-constant-name2.html
r56591 r100213 10 10 <body> 11 11 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p> 12 <iframe sandbox="allow-scripts allow-top-navigation "12 <iframe sandbox="allow-scripts allow-top-navigation allow-same-origin" 13 13 src="resources/navigate-top-by-constant-name2-to-pass.html"> 14 14 </body> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name.html
r56591 r100213 11 11 <body> 12 12 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p> 13 <iframe sandbox="allow-scripts allow-top-navigation "13 <iframe sandbox="allow-scripts allow-top-navigation allow-same-origin" 14 14 src="resources/navigate-top-by-name-to-pass.html"> 15 15 </body> -
trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top.html
r56591 r100213 10 10 <body> 11 11 <p>This test verifies that a sandboxed IFrame can navigate the top-level frame with allow-top-navigation.</p> 12 <iframe sandbox="allow-scripts allow-top-navigation "12 <iframe sandbox="allow-scripts allow-top-navigation allow-same-origin" 13 13 src="resources/navigate-top-to-pass.html"> 14 14 </body> -
trunk/LayoutTests/media/video-controls-no-scripting.html
r93148 r100213 28 28 <body> 29 29 30 <iframe sandbox src="resources/video-controls-no-scripting-iframe.html" id="fr" style="width: 400px; height: 320px; border: 1px solid black;"></iframe>30 <iframe sandbox="allow-same-origin" src="resources/video-controls-no-scripting-iframe.html" id="fr" style="width: 400px; height: 320px; border: 1px solid black;"></iframe> 31 31 32 32 <p>Tests that the built-in controls are always enabled when JavaScript is disabled.</p> -
trunk/Source/WebCore/ChangeLog
r100203 r100213 1 2011-11-14 Adam Barth <abarth@webkit.org> 2 3 Unique origins shouldn't remember their scheme, host, or port 4 https://bugs.webkit.org/show_bug.cgi?id=72308 5 6 Reviewed by Eric Seidel. 7 8 This patch contains the bulk (all?) of the behavior differences in this 9 patch series. Unique origins shouldn't remember their schemes. Doing 10 so causes some privileges (e.g., local access) to leak into unique 11 origins. 12 13 * page/SecurityOrigin.cpp: 14 (WebCore::SecurityOrigin::SecurityOrigin): 15 - Explicitly clear out the protocol, host, and port for unique 16 origins. A future patch will refactor all this code to be more 17 elegant. 18 * platform/SchemeRegistry.cpp: 19 (WebCore::schemesWithUniqueOrigins): 20 - Merge "about" and "javascript" in with the general case now that 21 we don't have a separate notion of an empty origin. 22 1 23 2011-11-14 Adam Barth <abarth@webkit.org> 2 24 -
trunk/Source/WebCore/page/SecurityOrigin.cpp
r100203 r100213 42 42 namespace WebCore { 43 43 44 const int InvalidPort = 0; 44 45 const int MaxAllowedPort = 65535; 45 46 … … 66 67 , m_enforceFilePathSeparation(false) 67 68 { 68 // These protocols do not create security origins; the owner frame provides the origin69 if (m_protocol == "about" || m_protocol == "javascript")70 m_protocol = "";71 72 69 #if ENABLE(BLOB) || ENABLE(FILE_SYSTEM) 73 70 bool isBlobOrFileSystemProtocol = false; … … 94 91 if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty()) 95 92 m_isUnique = true; 93 96 94 if (m_protocol.isEmpty()) 97 95 m_isUnique = true; … … 117 115 118 116 if (isDefaultPortForProtocol(m_port, m_protocol)) 119 m_port = 0; 117 m_port = InvalidPort; 118 119 // Don't leak details from URLs into unique origins. 120 if (m_isUnique) { 121 m_protocol = ""; 122 m_host = ""; 123 m_port = InvalidPort; 124 } 120 125 } 121 126 -
trunk/Source/WebCore/platform/SchemeRegistry.cpp
r99509 r100213 69 69 DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ()); 70 70 71 // This is a willful violation of HTML5. 72 // See https://bugs.webkit.org/show_bug.cgi?id=11885 73 if (schemesWithUniqueOrigins.isEmpty()) 71 if (schemesWithUniqueOrigins.isEmpty()) { 72 schemesWithUniqueOrigins.add("about"); 73 schemesWithUniqueOrigins.add("javascript"); 74 // This is a willful violation of HTML5. 75 // See https://bugs.webkit.org/show_bug.cgi?id=11885 74 76 schemesWithUniqueOrigins.add("data"); 77 } 75 78 76 79 return schemesWithUniqueOrigins;
Note: See TracChangeset
for help on using the changeset viewer.