Changeset 128070 in webkit

Timestamp:

Sep 10, 2012 9:45:08 AM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Source/WebCore: Clarify the cause of console warnings generated by "cross-origin" access to sandboxed iframes.
​https://bugs.webkit.org/show_bug.cgi?id=64079

Patch by Mike West <​mkwst@chromium.org> on 2012-09-10
Reviewed by Adam Barth.

The error message generated when accessing cross-origin content is a bit
too generic at the moment, which is misleading when the "cross-origin"
nature of an access attempt isn't visible in the URLs that the error
displays. Sandboxed iframes, for example, are put into unique origins by
default, meaning that all access in or out are subject to cross-origin
restrictions, even if the resources would otherwise be same-origin.

This patch improces the error message to explicitly point to sandboxing
as the core of cross-origin requests when relevant. It adds a single new
test to check access from parents to children, and relies on existing
tests for access in the other direction.

Test: http/tests/security/sandboxed-iframe-blocks-access-from-parent.html

• page/DOMWindow.cpp:

(WebCore::DOMWindow::crossDomainAccessErrorMessage):

Check 'isSandboxed(SandboxOrigin)' against the document and
activeWindow when generating the error message. If one or the other
is sandboxed, make that clear in the console warning.

LayoutTests: Console warnings generated by script access to sandboxed iframes should make the violation clear.
​https://bugs.webkit.org/show_bug.cgi?id=64079

Patch by Mike West <​mkwst@chromium.org> on 2012-09-10
Reviewed by Adam Barth.

• http/tests/security/resources/blank.html: Added.

Adding a blank resource for a same-origin access test.

• http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt: Added.
• http/tests/security/sandboxed-iframe-blocks-access-from-parent.html: Added.

Parents shouldn't be able to access properties (like location) of
their sandboxed child frames.

• http/tests/security/sandboxed-iframe-modify-self-expected.txt:
• http/tests/security/sandboxed-iframe-origin-add-expected.txt:
• http/tests/security/sandboxed-iframe-origin-remove-expected.txt:
• http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
• http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt:
• platform/chromium/http/tests/security/sandboxed-iframe-modify-self-expected.txt:
• platform/chromium/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:

Updating existing error messages.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/resources/blank.html (added)
• LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt (added)
• LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent.html (added)
• LayoutTests/http/tests/security/sandboxed-iframe-modify-self-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt (modified) (1 diff)
• LayoutTests/platform/chromium/http/tests/security/sandboxed-iframe-modify-self-expected.txt (modified) (1 diff)
• LayoutTests/platform/chromium/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/DOMWindow.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-10  Mike West  <mkwst@chromium.org>
+
+        Console warnings generated by script access to sandboxed iframes should make the violation clear.
+        https://bugs.webkit.org/show_bug.cgi?id=64079
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/resources/blank.html: Added.
+            Adding a blank resource for a same-origin access test.
+        * http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt: Added.
+        * http/tests/security/sandboxed-iframe-blocks-access-from-parent.html: Added.
+            Parents shouldn't be able to access properties (like location) of
+            their sandboxed child frames.
+        * http/tests/security/sandboxed-iframe-modify-self-expected.txt:
+        * http/tests/security/sandboxed-iframe-origin-add-expected.txt:
+        * http/tests/security/sandboxed-iframe-origin-remove-expected.txt:
+        * http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
+        * http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt:
+        * platform/chromium/http/tests/security/sandboxed-iframe-modify-self-expected.txt:
+        * platform/chromium/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
+            Updating existing error messages.
+
 2012-09-10  Fady Samuel  <fsamuel@chromium.org>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt

@@ -1 +1 @@
 ALERT: Script executed in iframe.
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-scripts from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-scripts from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html. The frame being accessed is sandboxed into a unique origin.
 
 ALERT: PASS: Iframe was in a unique origin

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-in-http-header.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-in-http-header.html. The frame being accessed is sandboxed into a unique origin.
 
 ALERT: PASS: Iframe was in a unique origin

trunk/LayoutTests/http/tests/security/sandboxed-iframe-modify-self-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-modify-self.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-modify-self.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-modify-self.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-modify-self.html. The frame requesting access is sandboxed into a unique origin.
 
 This is a "sanity" test case to verify that a sandboxed frame cannot break out of its sandbox by modifying its own sandbox attribute. Two attempts are made:

trunk/LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-add.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-add-step1.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-add.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-add-step1.html. The frame requesting access is sandboxed into a unique origin.
 
 Test that adding allow-origin after creating an iframe doesn't modify the origin of an existing document, but it doesn modify the origin of the next document.

trunk/LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-remove.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-remove-step2.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-origin-remove.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-origin-remove-step2.html. The frame requesting access is sandboxed into a unique origin.
 
 Test that removing allow-origin after creating an iframe doesn't modify the origin of an existing document, but it doesn modify the origin of the next document.

trunk/LayoutTests/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/srcdoc-in-sandbox-cannot-access-parent.html from frame with URL about:srcdoc. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/srcdoc-in-sandbox-cannot-access-parent.html from frame with URL about:srcdoc. The frame requesting access is sandboxed into a unique origin.
 
 CONSOLE MESSAGE: line 4: TypeError: 'undefined' is not an object (evaluating 'parent.document.getElementById')

trunk/LayoutTests/http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-sandboxed-iframe.html from frame with URL http://127.0.0.1:8000/security/resources/xss-DENIED-sandboxed-iframe-attacker.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-sandboxed-iframe.html from frame with URL http://127.0.0.1:8000/security/resources/xss-DENIED-sandboxed-iframe-attacker.html. The frame requesting access is sandboxed into a unique origin.
 
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-sandboxed-iframe.html from frame with URL http://127.0.0.1:8000/security/resources/xss-DENIED-sandboxed-iframe-attacker.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-sandboxed-iframe.html from frame with URL http://127.0.0.1:8000/security/resources/xss-DENIED-sandboxed-iframe-attacker.html. The frame requesting access is sandboxed into a unique origin.
 
 This test verifies that sandboxed iframe prevents cross-domain script access. It will print "PASS" on success.

trunk/LayoutTests/platform/chromium/http/tests/security/sandboxed-iframe-modify-self-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate a navigation change for frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-form-top.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-form-top.html.
 
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-modify-self.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-modify-self.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-modify-self.html from frame with URL http://127.0.0.1:8000/security/resources/sandboxed-iframe-modify-self.html. The frame requesting access is sandboxed into a unique origin.
 
 This is a "sanity" test case to verify that a sandboxed frame cannot break out of its sandbox by modifying its own sandbox attribute. Two attempts are made:

trunk/LayoutTests/platform/chromium/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/srcdoc-in-sandbox-cannot-access-parent.html from frame with URL about:srcdoc. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/srcdoc-in-sandbox-cannot-access-parent.html from frame with URL about:srcdoc. The frame requesting access is sandboxed into a unique origin.
 
 CONSOLE MESSAGE: line 4: Uncaught TypeError: Cannot call method 'getElementById' of undefined

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-09-10  Mike West  <mkwst@chromium.org>
+
+        Clarify the cause of console warnings generated by "cross-origin" access to sandboxed iframes.
+        https://bugs.webkit.org/show_bug.cgi?id=64079
+
+        Reviewed by Adam Barth.
+
+        The error message generated when accessing cross-origin content is a bit
+        too generic at the moment, which is misleading when the "cross-origin"
+        nature of an access attempt isn't visible in the URLs that the error
+        displays. Sandboxed iframes, for example, are put into unique origins by
+        default, meaning that all access in or out are subject to cross-origin
+        restrictions, even if the resources would otherwise be same-origin.
+
+        This patch improces the error message to explicitly point to sandboxing
+        as the core of cross-origin requests when relevant. It adds a single new
+        test to check access from parents to children, and relies on existing
+        tests for access in the other direction.
+
+        Test: http/tests/security/sandboxed-iframe-blocks-access-from-parent.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::crossDomainAccessErrorMessage):
+            Check 'isSandboxed(SandboxOrigin)' against the document and
+            activeWindow when generating the error message. If one or the other
+            is sandboxed, make that clear in the console warning.
+
 2012-09-10  Tommy Widenflycht  <tommyw@google.com>
 

trunk/Source/WebCore/page/DOMWindow.cpp

@@ -1756 +1756 @@
         return String();
 
-    // FIXME: This error message should contain more specifics of why the same origin check has failed.
-    // Perhaps we should involve the security origin object in composing it.
     // FIXME: This message, and other console messages, have extra newlines. Should remove them.
-    return "Unsafe JavaScript attempt to access frame with URL " + document()->url().string() + " from frame with URL " + activeWindowURL.string() + ". Domains, protocols and ports must match.\n";
+    String message = makeString("Unsafe JavaScript attempt to access frame with URL ", document()->url().string(), " from frame with URL ", activeWindowURL.string(), ".");
+    if (document()->isSandboxed(SandboxOrigin) || activeWindow->document()->isSandboxed(SandboxOrigin)) {
+        if (document()->isSandboxed(SandboxOrigin) && activeWindow->document()->isSandboxed(SandboxOrigin))
+            return makeString("Sandbox access violation: ", message, " Both frames are sandboxed into unique origins.\n");
+        if (document()->isSandboxed(SandboxOrigin))
+            return makeString("Sandbox access violation: ", message, " The frame being accessed is sandboxed into a unique origin.\n");
+        return makeString("Sandbox access violation: ", message, " The frame requesting access is sandboxed into a unique origin.\n");
+    }
+    return makeString(message, " Domains, protocols and ports must match.\n");
 }