Changeset 141418 in webkit
- Timestamp:
- Jan 31, 2013 6:57:55 AM (11 years ago)
- Location:
- trunk
- Files:
-
- 12 added
- 13 edited
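--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,37 @@
+2013-01-31 Mike West <mkwst@chromium.org>
+
+Allow blocking of IndexedDB in third-party contexts
+https://bugs.webkit.org/show_bug.cgi?id=94171
+
+Reviewed by Jochen Eisinger.
+
+Add tests to ensure that IndexedDB can be blocked in a third-party
+context in both normal documents and in workers. These tests are
+modeled after the existing cross-origin-websql* tests; it might be
+possible to reuse some code in the future.
+
+* http/tests/security/cross-origin-indexeddb-allowed-expected.txt: Added.
+* http/tests/security/cross-origin-indexeddb-allowed.html: Added.
+* http/tests/security/cross-origin-indexeddb-expected.txt: Added.
+* http/tests/security/cross-origin-indexeddb.html: Added.
+* http/tests/security/cross-origin-worker-indexeddb-allowed-expected.txt: Added.
+* http/tests/security/cross-origin-worker-indexeddb-allowed.html: Added.
+* http/tests/security/cross-origin-worker-indexeddb-expected.txt: Added.
+* http/tests/security/cross-origin-worker-indexeddb.html: Added.
+* http/tests/security/resources/cross-origin-iframe-for-indexeddb.html: Added.
+* http/tests/security/resources/cross-origin-iframe-for-worker-indexeddb.html: Added.
+* http/tests/security/resources/document-for-cross-origin-worker-indexeddb.html: Added.
+* http/tests/security/resources/worker-for-indexeddb.js: Added.
+(self.onmessage):
+Add exciting new tests, with more boilerplate than I expected!
+* platform/efl/TestExpectations:
+* platform/mac-snowleopard/TestExpectations:
+* platform/mac/TestExpectations:
+* platform/qt/TestExpectations:
+* platform/win/TestExpectations:
+* platform/wincairo/TestExpectations:
+Skip these IndexedDB tests on platforms where the feature isn't
+enabled.
+
 2013-01-31 Ádám Kallai <kadam@inf.u-szeged.hu>
 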
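--- a/trunk/LayoutTests/platform/efl/TestExpectations
+++ b/trunk/LayoutTests/platform/efl/TestExpectations
@@ -1116,4 +1116,8 @@
 Bug(EFL) storage/indexeddb
 Bug(EFL) http/tests/inspector/indexeddb
+Bug(EFL) http/tests/security/cross-origin-indexeddb-allowed.html
+Bug(EFL) http/tests/security/cross-origin-indexeddb.html
+Bug(EFL) http/tests/security/cross-origin-worker-indexeddb-allowed.html
+Bug(EFL) http/tests/security/cross-origin-worker-indexeddb.html
 
 # Quota API is not supported.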
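--- a/trunk/LayoutTests/platform/mac-snowleopard/TestExpectations
+++ b/trunk/LayoutTests/platform/mac-snowleopard/TestExpectations
@@ -135,4 +135,8 @@
 storage/indexeddb
 http/tests/inspector/indexeddb
+http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
 
 # Philip's canvas tests that fail on SnowLeopard only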
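--- a/trunk/LayoutTests/platform/mac/TestExpectations
+++ b/trunk/LayoutTests/platform/mac/TestExpectations
@@ -136,4 +136,8 @@
 storage/indexeddb
 http/tests/inspector/indexeddb
+http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
 
 # This port doesn't support DeviceMotion or DeviceOrientation.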
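--- a/trunk/LayoutTests/platform/qt/TestExpectations
+++ b/trunk/LayoutTests/platform/qt/TestExpectations
@@ -115,4 +115,8 @@
 storage/indexeddb
 http/tests/inspector/indexeddb
+http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
 
 inspector/timeline/timeline-animation-frame.html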
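--- a/trunk/LayoutTests/platform/win/TestExpectations
+++ b/trunk/LayoutTests/platform/win/TestExpectations
@@ -1094,4 +1094,8 @@
 storage/indexeddb
 http/tests/inspector/indexeddb
+http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
 
 # StorageTracker is not enabled.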
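--- a/trunk/LayoutTests/platform/wincairo/TestExpectations
+++ b/trunk/LayoutTests/platform/wincairo/TestExpectations
@@ -1619,4 +1619,8 @@
 storage/indexeddb
 http/tests/inspector/indexeddb
+http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
 
 # StorageTracker is not enabled.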
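--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,51 @@
+2013-01-31 Mike West <mkwst@chromium.org>
+
+Allow blocking of IndexedDB in third-party contexts
+https://bugs.webkit.org/show_bug.cgi?id=94171
+
+Reviewed by Jochen Eisinger.
+
+This patch ensures that the origin of the top window is passed into
+SecurityOrigin::canAccessDatabase when working with IndexedDB. Giving
+SecurityOrigin access to this data means that it can properly check
+whether the database is being opened in a third-party context, and
+therefore properly enforce the third-party access checks that were
+added in http://trac.webkit.org/changeset/125736.
+
+Third-party checks are added to IDBFactory::open,
+IDBFactory::deleteDatabase, and IDBFactory::getDatabaseNames; each will
+now throw a SECURITY_ERR exception when access in a third-party context
+if third-party access checks are enabled.
+
+To make this process slightly more clear, and avoid some ugly casting
+logic, this patch adds a 'topOrigin' method to ScriptExecutionContext,
+and implements it on both WorkerContext and Document.
+
+Tests: http/tests/security/cross-origin-indexeddb-allowed.html
+http/tests/security/cross-origin-indexeddb.html
+http/tests/security/cross-origin-worker-indexeddb-allowed.html
+http/tests/security/cross-origin-worker-indexeddb.html
+
+* Modules/indexeddb/IDBFactory.cpp:
+(WebCore::IDBFactory::getDatabaseNames):
+(WebCore::IDBFactory::openInternal):
+(WebCore::IDBFactory::deleteDatabase):
+Grab the SecurityOrigin of the current context's top-level origin,
+and pass it to SecurityOrigin::canAccessDatabase to ensure that
+access checks are properly applied to these three methods.
+* dom/Document.cpp:
+(WebCore::Document::topOrigin):
+(WebCore):
+* dom/Document.h:
+(Document):
+* dom/ScriptExecutionContext.h:
+(ScriptExecutionContext):
+Add a topOrigin() method to ScriptExecutionContext, and implement it
+on Document in order to give callers access to the top document's
+SecurityOrigin without casting ScriptExecutionContext.
+* workers/WorkerContext.h:
+Change the existing topOrigin() method to override the new method
+on ScriptExecutionContext.
+
 2013-01-31 Eugene Klyuchnikov <eustas@chromium.org>
 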
trunk/Source/WebCore/Modules/indexeddb/IDBFactory.cpp
r141090 r141418 96 96 } 97 97 98 PassRefPtr<IDBRequest> IDBFactory::getDatabaseNames(ScriptExecutionContext* context, ExceptionCode& )98 PassRefPtr<IDBRequest> IDBFactory::getDatabaseNames(ScriptExecutionContext* context, ExceptionCode& ec) 99 99 { 100 100 if (!isContextValid(context)) 101 101 return 0; 102 if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) { 103 ec = SECURITY_ERR; 104 return 0; 105 } 102 106 103 107 RefPtr<IDBRequest> request = IDBRequest::create(context, IDBAny::create(this), 0); … … 126 130 if (!isContextValid(context)) 127 131 return 0; 132 if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) { 133 ec = SECURITY_ERR; 134 return 0; 135 } 128 136 129 137 RefPtr<IDBDatabaseCallbacksImpl> databaseCallbacks = IDBDatabaseCallbacksImpl::create(); … … 147 155 if (!isContextValid(context)) 148 156 return 0; 157 if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) { 158 ec = SECURITY_ERR; 159 return 0; 160 } 149 161 150 162 RefPtr<IDBOpenDBRequest> request = IDBOpenDBRequest::create(context, 0, 0, IDBDatabaseMetadata::DefaultIntVersion); -
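Review bot: The same four-line third-party check is pasted into all three entry points (new lines 102-105, 132-135 and 157-160), so a later IDBFactory method that reaches storage can omit it and silently fail open. Folding the check into one file-local helper keeps the `SECURITY_ERR` path in a single place and makes a missing call easier to spot in review. The helper name below is only a suggestion, and the three function bodies start or end outside the hunks shown here.

```cpp
// File-local helper; the name is a suggestion.
static bool canAccessIndexedDB(ScriptExecutionContext* context, ExceptionCode& ec)
{
    if (context->securityOrigin()->canAccessDatabase(context->topOrigin()))
        return true;
    ec = SECURITY_ERR;
    return false;
}

// … unchanged: isContextValid(context) check in each of the three methods …
if (!canAccessIndexedDB(context, ec))
    return 0;
// … unchanged: request creation …
```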
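--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -4777,4 +4777,9 @@
 }
 
+const SecurityOrigin* Document::topOrigin() const
+{
+return topDocument()->securityOrigin();
+}
+
 struct PerformTaskContext {
 WTF_MAKE_NONCOPYABLE(PerformTaskContext); WTF_MAKE_FAST_ALLOCATED;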
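--- a/trunk/Source/WebCore/dom/Document.h
+++ b/trunk/Source/WebCore/dom/Document.h
@@ -1200,4 +1200,6 @@
 virtual void addConsoleMessage(MessageSource, MessageLevel, const String& message, unsigned long requestIdentifier = 0);
 
+virtual const SecurityOrigin* topOrigin() const OVERRIDE;
+
 protected:
 Document(Frame*, const KURL&, bool isXHTML, bool isHTML);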
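--- a/trunk/Source/WebCore/dom/ScriptExecutionContext.h
+++ b/trunk/Source/WebCore/dom/ScriptExecutionContext.h
@@ -90,4 +90,6 @@
 virtual void addConsoleMessage(MessageSource, MessageLevel, const String& message, unsigned long requestIdentifier = 0) = 0;
 
+virtual const SecurityOrigin* topOrigin() const = 0;
+
 #if ENABLE(BLOB)
 PublicURLManager& publicURLManager();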
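Review bot: The new pure virtual `topOrigin()` at line 92 has no comment, yet its result now feeds a security decision in IDBFactory, so the contract should be written where implementers will read it. The declaration does not say whether a null return is permitted or what "top" means for a worker. A suggested comment above it: `// Origin of the top-level context embedding this one; consulted for third-party storage checks. Implementations should not return null.` Because the method is pure virtual, any ScriptExecutionContext subclass other than Document and WorkerContext (none is visible on this page) would also need an implementation.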
trunk/Source/WebCore/workers/WorkerContext.h
r137318 r141418 139 139 void notifyObserversOfStop(); 140 140 141 const SecurityOrigin* topOrigin() const{ return m_topOrigin.get(); }141 virtual const SecurityOrigin* topOrigin() const OVERRIDE { return m_topOrigin.get(); } 142 142 143 143 protected:
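Review bot: `topOrigin()` returns `m_topOrigin.get()` unchecked, and with this change that pointer decides whether IndexedDB is blocked inside a worker. How `m_topOrigin` is initialised is not visible in this hunk. If it can be null and `canAccessDatabase` treats a null top origin as "no third-party restriction" (worth confirming in SecurityOrigin), the worker path would fail open. An `ASSERT(m_topOrigin);` in the accessor or at construction would catch that in debug builds. The class body continues outside the hunk.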