Changeset 141418 in webkit


Timestamp: Jan 31, 2013 6:57:55 AM (11 years ago)
Author: mkwst@chromium.org
Message:

Allow blocking of IndexedDB in third-party contexts
https://bugs.webkit.org/show_bug.cgi?id=94171

Reviewed by Jochen Eisinger.

Source/WebCore:

This patch ensures that the origin of the top window is passed into
SecurityOrigin::canAccessDatabase when working with IndexedDB. Giving
SecurityOrigin access to this data means that it can properly check
whether the database is being opened in a third-party context, and
therefore properly enforce the third-party access checks that were
added in http://trac.webkit.org/changeset/125736.

Third-party checks are added to IDBFactory::open,
IDBFactory::deleteDatabase, and IDBFactory::getDatabaseNames; each will
now throw a SECURITY_ERR exception when accessed in a third-party context
if third-party access checks are enabled.

To make this process slightly more clear, and avoid some ugly casting
logic, this patch adds a 'topOrigin' method to ScriptExecutionContext,
and implements it on both WorkerContext and Document.

Tests: http/tests/security/cross-origin-indexeddb-allowed.html
       http/tests/security/cross-origin-indexeddb.html
       http/tests/security/cross-origin-worker-indexeddb-allowed.html
       http/tests/security/cross-origin-worker-indexeddb.html

  • Modules/indexeddb/IDBFactory.cpp:

(WebCore::IDBFactory::getDatabaseNames):
(WebCore::IDBFactory::openInternal):
(WebCore::IDBFactory::deleteDatabase):

Grab the SecurityOrigin of the current context's top-level origin,
and pass it to SecurityOrigin::canAccessDatabase to ensure that
access checks are properly applied to these three methods.

  • dom/Document.cpp:

(WebCore::Document::topOrigin):
(WebCore):

  • dom/Document.h:

(Document):

  • dom/ScriptExecutionContext.h:

(ScriptExecutionContext):

Add a topOrigin() method to ScriptExecutionContext, and implement it
on Document in order to give callers access to the top document's
SecurityOrigin without casting ScriptExecutionContext.

  • workers/WorkerContext.h:

Change the existing topOrigin() method to override the new method
on ScriptExecutionContext.

LayoutTests:

Add tests to ensure that IndexedDB can be blocked in a third-party
context in both normal documents and in workers. These tests are
modeled after the existing cross-origin-websql* tests; it might be
possible to reuse some code in the future.

  • http/tests/security/cross-origin-indexeddb-allowed-expected.txt: Added.
  • http/tests/security/cross-origin-indexeddb-allowed.html: Added.
  • http/tests/security/cross-origin-indexeddb-expected.txt: Added.
  • http/tests/security/cross-origin-indexeddb.html: Added.
  • http/tests/security/cross-origin-worker-indexeddb-allowed-expected.txt: Added.
  • http/tests/security/cross-origin-worker-indexeddb-allowed.html: Added.
  • http/tests/security/cross-origin-worker-indexeddb-expected.txt: Added.
  • http/tests/security/cross-origin-worker-indexeddb.html: Added.
  • http/tests/security/resources/cross-origin-iframe-for-indexeddb.html: Added.
  • http/tests/security/resources/cross-origin-iframe-for-worker-indexeddb.html: Added.
  • http/tests/security/resources/document-for-cross-origin-worker-indexeddb.html: Added.
  • http/tests/security/resources/worker-for-indexeddb.js: Added.

(self.onmessage):

Add exciting new tests, with more boilerplate than I expected!

  • platform/efl/TestExpectations:
  • platform/mac-snowleopard/TestExpectations:
  • platform/mac/TestExpectations:
  • platform/qt/TestExpectations:
  • platform/win/TestExpectations:
  • platform/wincairo/TestExpectations:

Skip these IndexedDB tests on platforms where the feature isn't
enabled.

Location: trunk
Files: 12 added, 13 edited

  • trunk/LayoutTests/ChangeLog

    r141416 r141418  
     12013-01-31  Mike West  <mkwst@chromium.org>
     2
     3        Allow blocking of IndexedDB in third-party contexts
     4        https://bugs.webkit.org/show_bug.cgi?id=94171
     5
     6        Reviewed by Jochen Eisinger.
     7
     8        Add tests to ensure that IndexedDB can be blocked in a third-party
     9        context in both normal documents and in workers. These tests are
     10        modeled after the existing cross-origin-websql* tests; it might be
     11        possible to reuse some code in the future.
     12
     13        * http/tests/security/cross-origin-indexeddb-allowed-expected.txt: Added.
     14        * http/tests/security/cross-origin-indexeddb-allowed.html: Added.
     15        * http/tests/security/cross-origin-indexeddb-expected.txt: Added.
     16        * http/tests/security/cross-origin-indexeddb.html: Added.
     17        * http/tests/security/cross-origin-worker-indexeddb-allowed-expected.txt: Added.
     18        * http/tests/security/cross-origin-worker-indexeddb-allowed.html: Added.
     19        * http/tests/security/cross-origin-worker-indexeddb-expected.txt: Added.
     20        * http/tests/security/cross-origin-worker-indexeddb.html: Added.
     21        * http/tests/security/resources/cross-origin-iframe-for-indexeddb.html: Added.
     22        * http/tests/security/resources/cross-origin-iframe-for-worker-indexeddb.html: Added.
     23        * http/tests/security/resources/document-for-cross-origin-worker-indexeddb.html: Added.
     24        * http/tests/security/resources/worker-for-indexeddb.js: Added.
     25        (self.onmessage):
     26            Add exciting new tests, with more boilerplate than I expected!
     27        * platform/efl/TestExpectations:
     28        * platform/mac-snowleopard/TestExpectations:
     29        * platform/mac/TestExpectations:
     30        * platform/qt/TestExpectations:
     31        * platform/win/TestExpectations:
     32        * platform/wincairo/TestExpectations:
     33            Skip these IndexedDB tests on platforms where the feature isn't
     34            enabled.
     35
    1362013-01-31  Ádám Kallai  <kadam@inf.u-szeged.hu>
    237
  • trunk/LayoutTests/platform/efl/TestExpectations

    r141386 r141418  
    11161116Bug(EFL) storage/indexeddb
    11171117Bug(EFL) http/tests/inspector/indexeddb
     1118Bug(EFL) http/tests/security/cross-origin-indexeddb-allowed.html
     1119Bug(EFL) http/tests/security/cross-origin-indexeddb.html
     1120Bug(EFL) http/tests/security/cross-origin-worker-indexeddb-allowed.html
     1121Bug(EFL) http/tests/security/cross-origin-worker-indexeddb.html
    11181122
    11191123# Quota API is not supported.
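
Review bot: the four entries at new lines 1118-1121 are per-file skips that every later cross-origin IndexedDB test will have to extend by hand, in this file and in the five other platform files that receive the same list. Putting the tests in their own subdirectory under http/tests/security would let one directory-level entry per platform cover them, as the storage/indexeddb entry just above already does.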
  • trunk/LayoutTests/platform/mac-snowleopard/TestExpectations

    r131228 r141418  
    135135storage/indexeddb
    136136http/tests/inspector/indexeddb
     137http/tests/security/cross-origin-indexeddb-allowed.html
     138http/tests/security/cross-origin-indexeddb.html
     139http/tests/security/cross-origin-worker-indexeddb-allowed.html
     140http/tests/security/cross-origin-worker-indexeddb.html
    137141
    138142# Philip's canvas tests that fail on SnowLeopard only
  • trunk/LayoutTests/platform/mac/TestExpectations

    r141362 r141418  
    136136storage/indexeddb
    137137http/tests/inspector/indexeddb
     138http/tests/security/cross-origin-indexeddb-allowed.html
     139http/tests/security/cross-origin-indexeddb.html
     140http/tests/security/cross-origin-worker-indexeddb-allowed.html
     141http/tests/security/cross-origin-worker-indexeddb.html
    138142
    139143# This port doesn't support DeviceMotion or DeviceOrientation.
  • trunk/LayoutTests/platform/qt/TestExpectations

    r141416 r141418  
    115115storage/indexeddb
    116116http/tests/inspector/indexeddb
     117http/tests/security/cross-origin-indexeddb-allowed.html
     118http/tests/security/cross-origin-indexeddb.html
     119http/tests/security/cross-origin-worker-indexeddb-allowed.html
     120http/tests/security/cross-origin-worker-indexeddb.html
    117121
    118122inspector/timeline/timeline-animation-frame.html
  • trunk/LayoutTests/platform/win/TestExpectations

    r141354 r141418  
    10941094storage/indexeddb
    10951095http/tests/inspector/indexeddb
     1096http/tests/security/cross-origin-indexeddb-allowed.html
     1097http/tests/security/cross-origin-indexeddb.html
     1098http/tests/security/cross-origin-worker-indexeddb-allowed.html
     1099http/tests/security/cross-origin-worker-indexeddb.html
    10961100
    10971101# StorageTracker is not enabled.
  • trunk/LayoutTests/platform/wincairo/TestExpectations

    r141354 r141418  
    16191619storage/indexeddb
    16201620http/tests/inspector/indexeddb
     1621http/tests/security/cross-origin-indexeddb-allowed.html
     1622http/tests/security/cross-origin-indexeddb.html
     1623http/tests/security/cross-origin-worker-indexeddb-allowed.html
     1624http/tests/security/cross-origin-worker-indexeddb.html
    16211625
    16221626# StorageTracker is not enabled.
  • trunk/Source/WebCore/ChangeLog

    r141417 r141418  
     12013-01-31  Mike West  <mkwst@chromium.org>
     2
     3        Allow blocking of IndexedDB in third-party contexts
     4        https://bugs.webkit.org/show_bug.cgi?id=94171
     5
     6        Reviewed by Jochen Eisinger.
     7
     8        This patch ensures that the origin of the top window is passed into
     9        SecurityOrigin::canAccessDatabase when working with IndexedDB. Giving
     10        SecurityOrigin access to this data means that it can properly check
     11        whether the database is being opened in a third-party context, and
     12        therefore properly enforce the third-party access checks that were
     13        added in http://trac.webkit.org/changeset/125736.
     14
     15        Third-party checks are added to IDBFactory::open,
     16        IDBFactory::deleteDatabase, and IDBFactory::getDatabaseNames; each will
     17        now throw a SECURITY_ERR exception when access in a third-party context
     18        if third-party access checks are enabled.
     19
     20        To make this process slightly more clear, and avoid some ugly casting
     21        logic, this patch adds a 'topOrigin'  method to ScriptExecutionContext,
     22        and implements it on both WorkerContext and Document.
     23
     24        Tests: http/tests/security/cross-origin-indexeddb-allowed.html
     25               http/tests/security/cross-origin-indexeddb.html
     26               http/tests/security/cross-origin-worker-indexeddb-allowed.html
     27               http/tests/security/cross-origin-worker-indexeddb.html
     28
     29        * Modules/indexeddb/IDBFactory.cpp:
     30        (WebCore::IDBFactory::getDatabaseNames):
     31        (WebCore::IDBFactory::openInternal):
     32        (WebCore::IDBFactory::deleteDatabase):
     33            Grab the SecurityOrigin of the current context's top-level origin,
     34            and pass it to SecurityOrigin::canAccessDatabase to ensure that
     35            access checks are properly applied to these three methods.
     36        * dom/Document.cpp:
     37        (WebCore::Document::topOrigin):
     38        (WebCore):
     39        * dom/Document.h:
     40        (Document):
     41        * dom/ScriptExecutionContext.h:
     42        (ScriptExecutionContext):
     43            Add a topOrigin() method to ScriptExecutionContext, and implement it
     44            on Document in order to give callers access to the top document's
     45            SecurityOrigin without casting ScriptExecutionContext.
     46        * workers/WorkerContext.h:
     47            Change the existing topOrigin() method to override the new method
     48            on ScriptExecutionContext.
     49
    1502013-01-31  Eugene Klyuchnikov  <eustas@chromium.org>
    251
  • trunk/Source/WebCore/Modules/indexeddb/IDBFactory.cpp

    r141090 r141418  
    9696}
    9797
    98 PassRefPtr<IDBRequest> IDBFactory::getDatabaseNames(ScriptExecutionContext* context, ExceptionCode&)
     98PassRefPtr<IDBRequest> IDBFactory::getDatabaseNames(ScriptExecutionContext* context, ExceptionCode& ec)
    9999{
    100100    if (!isContextValid(context))
    101101        return 0;
     102    if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) {
     103        ec = SECURITY_ERR;
     104        return 0;
     105    }
    102106
    103107    RefPtr<IDBRequest> request = IDBRequest::create(context, IDBAny::create(this), 0);
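
Review bot: at new line 102 the result of context->topOrigin() goes straight into canAccessDatabase() with no null check, and nothing in this hunk shows that isContextValid() guarantees a non-null top origin. For workers the value is m_topOrigin.get(), so please confirm it is always set before IndexedDB is reachable, or add ASSERT(context->topOrigin()) ahead of the check so a missing origin fails loudly instead of being left for canAccessDatabase() to interpret.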
     
    126130    if (!isContextValid(context))
    127131        return 0;
     132    if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) {
     133        ec = SECURITY_ERR;
     134        return 0;
     135    }
    128136
    129137    RefPtr<IDBDatabaseCallbacksImpl> databaseCallbacks = IDBDatabaseCallbacksImpl::create();
     
    147155    if (!isContextValid(context))
    148156        return 0;
     157    if (!context->securityOrigin()->canAccessDatabase(context->topOrigin())) {
     158        ec = SECURITY_ERR;
     159        return 0;
     160    }
    149161
    150162    RefPtr<IDBOpenDBRequest> request = IDBOpenDBRequest::create(context, 0, 0, IDBDatabaseMetadata::DefaultIntVersion);
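
Review bot: the four-line block at new lines 157-160 is the third verbatim copy of the same check (also at 102-105 and 132-135). A small static helper in IDBFactory.cpp that takes the context and an ExceptionCode& and returns whether access is allowed would keep the three entry points in step; a factory method added later could otherwise miss the check without anyone noticing.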
  • trunk/Source/WebCore/dom/Document.cpp

    r141136 r141418  
    47774777}
    47784778
     4779const SecurityOrigin* Document::topOrigin() const
     4780{
     4781    return topDocument()->securityOrigin();
     4782}
     4783
    47794784struct PerformTaskContext {
    47804785    WTF_MAKE_NONCOPYABLE(PerformTaskContext); WTF_MAKE_FAST_ALLOCATED;
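
Review bot: Document::topOrigin() at new line 4781 dereferences topDocument() unconditionally. If that is always safe, a one-line comment saying so would help, and the same comment could state what the method returns for a document that is no longer attached to a frame, since callers now base a security decision on the value.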
  • trunk/Source/WebCore/dom/Document.h

    r141136 r141418  
    12001200    virtual void addConsoleMessage(MessageSource, MessageLevel, const String& message, unsigned long requestIdentifier = 0);
    12011201
     1202    virtual const SecurityOrigin* topOrigin() const OVERRIDE;
     1203
    12021204protected:
    12031205    Document(Frame*, const KURL&, bool isXHTML, bool isHTML);
  • trunk/Source/WebCore/dom/ScriptExecutionContext.h

    r137318 r141418  
    9090    virtual void addConsoleMessage(MessageSource, MessageLevel, const String& message, unsigned long requestIdentifier = 0) = 0;
    9191
     92    virtual const SecurityOrigin* topOrigin() const = 0;
     93
    9294#if ENABLE(BLOB)
    9395    PublicURLManager& publicURLManager();
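
Review bot: the new pure virtual at line 92 has no comment describing its contract. Please state that it returns the origin of the top-level context, whether it may return null, and how long the raw pointer stays valid, since Document computes the value on each call through topDocument() while WorkerContext returns a stored member.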
  • trunk/Source/WebCore/workers/WorkerContext.h

    r137318 r141418  
    139139        void notifyObserversOfStop();
    140140
    141         const SecurityOrigin* topOrigin() const { return m_topOrigin.get(); }
     141        virtual const SecurityOrigin* topOrigin() const OVERRIDE { return m_topOrigin.get(); }
    142142
    143143    protected: