Changeset 142734 in webkit


Timestamp:
Feb 13, 2013 3:19:08 AM (11 years ago)
Author:
mkwst@chromium.org
Message:

location.href does not throw SECURITY_ERR when accessed across origins with JSC bindings
https://bugs.webkit.org/show_bug.cgi?id=43891

Reviewed by Adam Barth.

Source/WebCore:

Other browsers (IE, Firefox, and Opera) throw an exception when accessing
properties of a Location object across origins, as the spec suggests[1].
WebKit is currently the outlier.

This has a few negative effects: developers are forced to hack around
access violations in two ways rather than having a single code path, and
(more annoyingly) developers are unable to avoid generating the error
message. See every ad on the internet for the effect on the console. :)

This patch adds a SECURITY_ERR exception to these access violations,
which is the first step towards getting rid of the console spam. Getting
rid of the message entirely will require a solution to
http://wkbug.com/98050.

A fairly inconclusive thread[2] on webkit-dev popped up in 2010 and
trailed off without reaching conclusion. A more recent thread reached
agreement that this patch seems like a reasonable thing to do[3].

This is the JSC half of the patch. V8 is coming in http://wkbug.com/43892

[1]: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
[2]: https://lists.webkit.org/pipermail/webkit-dev/2010-August/013880.html
[2]: https://lists.webkit.org/pipermail/webkit-dev/2012-February/023636.html

  • bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::getOwnPropertySlotDelegate):

LayoutTests:

  • http/tests/plugins/resources/cross-frame-object-access.html:
  • http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt:
  • http/tests/security/cross-frame-access-location-get-expected.txt:
  • http/tests/security/cross-frame-access-location-get.html:
  • http/tests/security/resources/cross-frame-access.js:

(accessThrowsException):

  • http/tests/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html:
  • http/tests/security/resources/cross-frame-iframe-for-location-get-test.html:

Adjusting tests to check for exceptions, and adjusting expectations to match.

  • platform/chromium/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt: Copied from LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt.
  • platform/chromium/http/tests/security/cross-frame-access-location-get-expected.txt: Added.
  • platform/chromium/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt: Copied from LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt.

V8 fails at the moment: http://wkbug.com/43892

Location:
trunk
Files:
2 added
11 edited
1 copied

  • trunk/LayoutTests/ChangeLog

    r142733 r142734  
     12013-02-13  Mike West  <mkwst@chromium.org>
     2
     3        location.href does not throw SECURITY_ERR when accessed across origins with JSC bindings
     4        https://bugs.webkit.org/show_bug.cgi?id=43891
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/plugins/resources/cross-frame-object-access.html:
     9        * http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt:
     10        * http/tests/security/cross-frame-access-location-get-expected.txt:
     11        * http/tests/security/cross-frame-access-location-get.html:
     12        * http/tests/security/resources/cross-frame-access.js:
     13        (accessThrowsException):
     14        * http/tests/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html:
     15        * http/tests/security/resources/cross-frame-iframe-for-location-get-test.html:
     16            Adjusting tests to check for exceptions, and adjusting expectations to match.
     17        * platform/chromium/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt: Copied from LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt.
     18        * platform/chromium/http/tests/security/cross-frame-access-location-get-expected.txt: Added.
     19        * platform/chromium/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt: Copied from LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt.
     20            V8 fails at the moment: http://wkbug.com/43892
     21
    1222013-02-13  Vsevolod Vlasov  <vsevik@chromium.org>
    223
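Review bot: The file list in this entry (lines 8-20) omits http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt, which this changeset edits; only its platform/chromium copy is listed on line 19. Add the base file to the list with a short note on why its expectation gained a line.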
  • trunk/LayoutTests/http/tests/plugins/resources/cross-frame-object-access.html

    r28715 r142734  
    1515    }
    1616
    17     if (l.href) {
    18         debug('could access top.location.href');
    19         return false;
     17    try {
     18        if (l.href) {
     19            debug('could access top.location.href');
     20            return false;
     21        }
     22    } catch (e) {
     23        return true;
    2024    }
    21    
    2225    return true;
    2326}
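Review bot: The new try block (lines 17-23) wraps the debug() call as well as the l.href read, and the catch returns true for anything thrown, so a failure inside debug() would be reported as a successful denial. Narrow the try to the property read alone, and consider checking that the caught exception is the security error rather than accepting any exception.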
  • trunk/LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt

    r128208 r142734  
     1CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/cross-frame-access-callback-explicit-domain-DENY.html from frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html. The frame requesting access set 'document.domain' to '127.0.0.1', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
     2
    13CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/cross-frame-access-callback-explicit-domain-DENY.html from frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html. The frame requesting access set 'document.domain' to '127.0.0.1', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
    24
     
    911--------
    1012PASS: canGet('parentWindow.location.href') should be 'false' and is.
     13PASS: accessThrowsException('parentWindow.location.href') should be 'true' and is.
     14
  • trunk/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt

    r104803 r142734  
     1CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     2
     3CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     4
     5CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     6
     7CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     8
     9CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     10
     11CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     12
     13CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     14
     15CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     16
     17CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     18
     19CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     20
     21CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
     22
    123CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-location-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location-get.html. Domains, protocols and ports must match.
    224
     
    3153Firefox allows access to 'location.toString' but throws an exception when you call it.
    3254PASS: canGet('targetWindow.location.toString') should be 'false' and is.
     55PASS: accessThrowsException('targetWindow.location.toString') should be 'true' and is.
    3356PASS: canGet('targetWindow.location.href') should be 'false' and is.
    3457PASS: canGet('targetWindow.location.hash') should be 'false' and is.
     
    3962PASS: canGet('targetWindow.location.protocol') should be 'false' and is.
    4063PASS: canGet('targetWindow.location.search') should be 'false' and is.
     64PASS: canGet('targetWindow.location.existingCustomProperty') should be 'false' and is.
     65PASS: canGet('targetWindow.location[1]') should be 'false' and is.
     66PASS: accessThrowsException('targetWindow.location.href') should be 'true' and is.
     67PASS: accessThrowsException('targetWindow.location.hash') should be 'true' and is.
     68PASS: accessThrowsException('targetWindow.location.host') should be 'true' and is.
     69PASS: accessThrowsException('targetWindow.location.hostname') should be 'true' and is.
     70PASS: accessThrowsException('targetWindow.location.pathname') should be 'true' and is.
     71PASS: accessThrowsException('targetWindow.location.port') should be 'true' and is.
     72PASS: accessThrowsException('targetWindow.location.protocol') should be 'true' and is.
     73PASS: accessThrowsException('targetWindow.location.search') should be 'true' and is.
     74PASS: accessThrowsException('targetWindow.location.existingCustomProperty') should be 'true' and is.
     75PASS: accessThrowsException('targetWindow.location[1]') should be 'true' and is.
    4176PASS: canGet('targetWindow.location.assign') should be 'true' and is.
    4277PASS: canGet('targetWindow.location.reload') should be 'true' and is.
    4378PASS: canGet('targetWindow.location.replace') should be 'true' and is.
    44 PASS: canGet('targetWindow.location.existingCustomProperty') should be 'false' and is.
    4579
  • trunk/LayoutTests/http/tests/security/cross-frame-access-location-get.html

    r120174 r142734  
    4242            log("Firefox allows access to 'location.toString' but throws an exception when you call it.");
    4343            shouldBeFalse("canGet('targetWindow.location.toString')");
     44            shouldBeTrue("accessThrowsException('targetWindow.location.toString')");
    4445
    4546            shouldBeFalse("canGet('targetWindow.location.href')");
     
    5152            shouldBeFalse("canGet('targetWindow.location.protocol')");
    5253            shouldBeFalse("canGet('targetWindow.location.search')");
     54            shouldBeFalse("canGet('targetWindow.location.existingCustomProperty')");
     55            shouldBeFalse("canGet('targetWindow.location[1]')");
     56
     57            shouldBeTrue("accessThrowsException('targetWindow.location.href')");
     58            shouldBeTrue("accessThrowsException('targetWindow.location.hash')");
     59            shouldBeTrue("accessThrowsException('targetWindow.location.host')");
     60            shouldBeTrue("accessThrowsException('targetWindow.location.hostname')");
     61            shouldBeTrue("accessThrowsException('targetWindow.location.pathname')");
     62            shouldBeTrue("accessThrowsException('targetWindow.location.port')");
     63            shouldBeTrue("accessThrowsException('targetWindow.location.protocol')");
     64            shouldBeTrue("accessThrowsException('targetWindow.location.search')");
     65            shouldBeTrue("accessThrowsException('targetWindow.location.existingCustomProperty')");
     66            shouldBeTrue("accessThrowsException('targetWindow.location[1]')");
    5367
    5468            shouldBeTrue("canGet('targetWindow.location.assign')");
     
    5670            shouldBeTrue("canGet('targetWindow.location.replace')");
    5771
    58             shouldBeFalse("canGet('targetWindow.location.existingCustomProperty')");
    5972        }
    6073    </script>
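Review bot: The log text on line 42 still says access to 'location.toString' is allowed and only the call throws, but the assertion added on line 44 expects the bare access targetWindow.location.toString to throw. The message and the assertion now describe different behaviour; update the log line (and the matching line in the expected output) so it states what this test asserts for WebKit.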
  • trunk/LayoutTests/http/tests/security/resources/cross-frame-access.js

    r120174 r142734  
    5656    } catch(e) {
    5757        return false;
     58    }
     59}
     60
     61function accessThrowsException(keyPath) {
     62    try {
     63        eval("window." + keyPath);
     64        return false;
     65    } catch (e) {
     66        return true;
    5867    }
    5968}
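Review bot: accessThrowsException() (lines 61-68) returns true for any exception raised by the eval, including a ReferenceError or SyntaxError from a mistyped keyPath, so a typo in a test would pass as a denied access. Inspect the caught object in the catch on line 65 and return true only for the security error, for example by checking that e.code is 18 or e.name is "SecurityError", which matches the "SecurityError: DOM Exception 18" text in the updated sandboxed-iframe expectation.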
  • trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html

    r120174 r142734  
    11<script src="cross-frame-access.js"></script>
    22<body>
    3 <div id=console></div>
     3<pre id=console></pre>
    44<script>
    55var parentWindow = window.parent;
     
    77{
    88    shouldBeFalse("canGet('parentWindow.location.href')");
     9    shouldBeTrue("accessThrowsException('parentWindow.location.href')");
    910    if (window.testRunner)
    1011        testRunner.notifyDone();
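Review bot: The change on line 3 from <div id=console> to <pre id=console> is not mentioned in the ChangeLog and is unrelated to the added assertion on line 9. Say why the container changed (presumably to keep one result per line in the text dump) or split it out, so the expectation diff for this test is easier to attribute.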
  • trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-location-get-test.html

    r120174 r142734  
    22<head>
    33    <script>
    4         window.location.existingCustomProperty = 1;
     4        window.location.existingCustomProperty = 1;
     5        window.location[1] = 1;
    56
    67        window.onload = function()
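Review bot: Line 4 is removed and re-added with no visible difference in the assignment to window.location.existingCustomProperty, which looks like a whitespace-only edit. Drop it so the hunk carries only the new window.location[1] = 1; line that the added location[1] assertions depend on.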
  • trunk/LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt

    r128070 r142734  
    11CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/blank.html from frame with URL http://127.0.0.1:8000/security/sandboxed-iframe-blocks-access-from-parent.html. The frame being accessed is sandboxed into a unique origin.
    22
     3CONSOLE MESSAGE: line 12: SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
    34Sandboxing a frame puts it into a unique origin by default, which the containing document shouldn't have script access to. This test passes if a console warning is generated, noting the access violation.
    45
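Review bot: The added line 3 shows the SecurityError reaching the console as an uncaught exception at line 12 of the test, so the rest of that script block does not run after the denied access. The description on line 4 still says the test passes if a console warning is generated. Either catch the exception in the test and assert on it, or update the description to say that an uncaught SecurityError is now part of the expected output.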
  • trunk/Source/WebCore/ChangeLog

    r142731 r142734  
     12013-02-13  Mike West  <mkwst@chromium.org>
     2
     3        location.href does not throw SECURITY_ERR when accessed across origins with JSC bindings
     4        https://bugs.webkit.org/show_bug.cgi?id=43891
     5
     6        Reviewed by Adam Barth.
     7
     8        Other browsers (IE, Firefox, and Opera) throw an exception when accessing
     9        properties of a Location object across origins, as the spec suggests[1].
     10        WebKit is currently the outlier.
     11
     12        This has a few negative effects: developers are forced to hack around
     13        access violations in two ways rather than having a single code path, and
     14        (more annoyingly) developers are unable to avoid generating the error
     15        message. See every ad on the internet for the effect on the console. :)
     16
     17        This patch adds a SECURITY_ERR exception to these access violations,
     18        which is the first step towards getting rid of the console spam. Getting
     19        rid of the message entirely will require a solution to
     20        http://wkbug.com/98050.
     21
     22        A fairly inconclusive thread[2] on webkit-dev popped up in 2010 and
     23        trailed off without reaching conclusion. A more recent thread reached
     24        agreement that this patch seems like a reasonable thing to do[3].
     25
     26        This is the JSC half of the patch. V8 is coming in http://wkbug.com/43892
     27
     28        [1]: http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#security-location
     29        [2]: https://lists.webkit.org/pipermail/webkit-dev/2010-August/013880.html
     30        [2]: https://lists.webkit.org/pipermail/webkit-dev/2012-February/023636.html
     31
     32        * bindings/js/JSLocationCustom.cpp:
     33        (WebCore::JSLocation::getOwnPropertySlotDelegate):
     34
    1352013-02-13  Andrew Wilson  <atwilson@chromium.org>
    236
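Review bot: The reference list labels both line 29 and line 30 as [2], while the text on line 24 cites [3] for the more recent thread. Relabel line 30 as [3] so the 2012 webkit-dev link resolves to its citation.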
  • trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

    r128400 r142734  
    8282    // such cases when normally the string form of Location would be the URL.
    8383
     84    // FIXME: Move this message into the exception once http://wkbug.com/98050 is fixed.
    8485    printErrorMessageForFrame(frame, message);
     86    setDOMException(exec, SECURITY_ERR);
    8587    slot.setUndefined();
    8688    return true;
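Review bot: printErrorMessageForFrame() on line 85 still runs unconditionally before setDOMException() on line 86, so a caller that catches the new exception still produces the console message, and a caller that does not catch it produces two console entries (the sandboxed-iframe expectation in this changeset shows both). The FIXME on line 84 covers the eventual fix; until then, state in the ChangeLog that uncaught cross-origin reads now log twice, so the interim increase in console output is a documented trade-off rather than a surprise.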