Changeset 147402 in webkit
- Timestamp: Apr 2, 2013 1:28:07 AM
- Location: trunk
- Files: 22 edited
trunk/LayoutTests/ChangeLog
r147400 r147402 1 2013-04-02 Mike West <mkwst@chromium.org> 2 3 X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin. 4 https://bugs.webkit.org/show_bug.cgi?id=112903 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt: 9 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: 10 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: 11 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: 12 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: 13 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: 14 * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: 15 * http/tests/security/XFrameOptions/x-frame-options-deny.html: 16 * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: 17 * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html: 18 * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt: 19 * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html: 20 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt: 21 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: 22 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: 23 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: 24 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt: 25 * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt: 26 1 27 2013-04-02 Shinya Kawanaka <shinyak@chromium.org> 2 28 -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
r147164 r147402 2 2 <unknown> - didFinishLoading 3 3 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'. 4 ALERT: PASS: onload fired. 4 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 5 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 5 6 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"> 6 7 There should be no content in the iframe below -
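Review bot: the new expectation bakes the test script's line number into the console output ("line 13: PASS: ..."), and the multiple-headers variant in this same changeset records "line 16" for the identical helper, so the six expectation files now diverge on nothing but script layout and any edit to a test's <script> block will invalidate its expectation. Logging the verdict with testRunner-visible text that carries no line number (for example writing it into a <pre> that dumpChildFramesAsText picks up) would make the expectations robust to test edits and identical across the files.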
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt
r136031 r147402 4 4 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html"> 5 5 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'. 6 data:text/html,%3Cp%3E%3C/p%3E - willSendRequest <NSURLRequest URL data:text/html,%3Cp%3E%3C/p%3E, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null) 7 data:text/html,%3Cp%3E%3C/p%3E - didReceiveResponse <NSURLResponse data:text/html,%3Cp%3E%3C/p%3E, http status code 0> 8 data:text/html,%3Cp%3E%3C/p%3E - didFinishLoading 9 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 10 11 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 6 12 There should be no content in the iframe below 7 13 -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt
r136031 r147402 4 4 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html"> 5 5 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'. 6 data:text/html,%3Cp%3E%3C/p%3E - willSendRequest <NSURLRequest URL data:text/html,%3Cp%3E%3C/p%3E, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null) 7 data:text/html,%3Cp%3E%3C/p%3E - didReceiveResponse <NSURLResponse data:text/html,%3Cp%3E%3C/p%3E, http status code 0> 8 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 9 10 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 6 11 There should be no content in the iframe below 7 12 -
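Review bot: this expectation has no "didFinishLoading" line for the data: URL, whereas the otherwise identical x-frame-options-deny-meta-tag-expected.txt records "data:text/html,%3Cp%3E%3C/p%3E - didFinishLoading" between didReceiveResponse and the access-check console message. The only difference between the two tests is where the <meta> tag sits, so the position of the load callback relative to the location.href read looks timing-dependent and the expectation may not be stable. Consider reading contentWindow.location.href only after the replacement data: document has finished loading (for example from the iframe's load event that fires for the scheduled navigation), so the callback order is fixed before the check runs.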
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html
r120174 r147402 7 7 } 8 8 9 function checkIfDone() 10 { 11 if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank") 12 testRunner.notifyDone(); 9 function checkIfDone() { 10 var url = document.querySelector('iframe').contentWindow.location.href; 11 12 if (!url) 13 console.log("PASS: Could not read contentWindow.location.href"); 14 else 15 console.log("FAIL: Could read contentWindow.location.href"); 16 testRunner.notifyDone(); 13 17 } 14 18 </script> -
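Review bot: the cross-origin read of contentWindow.location.href at line 10 of the new helper is not guarded, so if the access check throws instead of yielding an empty value, neither the PASS/FAIL console.log nor testRunner.notifyDone() runs and the test times out rather than reporting a result; wrap the read in try/catch, log PASS in the catch branch and FAIL after a successful read, and call notifyDone() on both paths. The `if (!url)` test also accepts an empty string as a pass, which is weaker than asserting that the read was blocked. The same helper is duplicated verbatim in the other test files in this changeset; one shared resource script would keep the fix in one place.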
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt
r136031 r147402 4 4 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html"> 5 5 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'. 6 data:text/html,%3Cp%3E%3C/p%3E - willSendRequest <NSURLRequest URL data:text/html,%3Cp%3E%3C/p%3E, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null) 7 data:text/html,%3Cp%3E%3C/p%3E - didReceiveResponse <NSURLResponse data:text/html,%3Cp%3E%3C/p%3E, http status code 0> 8 data:text/html,%3Cp%3E%3C/p%3E - didFinishLoading 9 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 10 11 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 6 12 There should be no content in the iframe below 7 13 -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html
r120174 r147402 7 7 } 8 8 9 function checkIfDone() 10 { 11 if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank") 12 testRunner.notifyDone(); 9 function checkIfDone() { 10 var url = document.querySelector('iframe').contentWindow.location.href; 11 12 if (!url) 13 console.log("PASS: Could not read contentWindow.location.href"); 14 else 15 console.log("FAIL: Could read contentWindow.location.href"); 16 testRunner.notifyDone(); 13 17 } 14 18 </script> -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html
r120174 r147402 7 7 } 8 8 9 function checkIfDone() { 10 var url = document.querySelector('iframe').contentWindow.location.href; 9 11 10 function checkIfDone() 11 { 12 if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank") 13 testRunner.notifyDone(); 12 if (!url) 13 console.log("PASS: Could not read contentWindow.location.href"); 14 else 15 console.log("FAIL: Could read contentWindow.location.href"); 16 testRunner.notifyDone(); 14 17 } 15 18 </script> -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html
r147164 r147402 4 4 testRunner.dumpChildFramesAsText(); 5 5 testRunner.dumpResourceLoadCallbacks(); 6 testRunner.waitUntilDone(); 7 } 8 9 function checkIfDone() { 10 var url = document.querySelector('iframe').contentWindow.location.href; 11 12 if (!url) 13 console.log("PASS: Could not read contentWindow.location.href"); 14 else 15 console.log("FAIL: Could read contentWindow.location.href"); 16 testRunner.notifyDone(); 6 17 } 7 18 </script> 8 19 9 20 <p>There should be no content in the iframe below</p> 10 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload=" alert('PASS: onload fired.');"></iframe>21 <iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="checkIfDone()"></iframe> -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt
r147086 r147402 2 2 <unknown> - didFinishLoading 3 3 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'. 4 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 5 CONSOLE MESSAGE: line 16: PASS: Could not read contentWindow.location.href 4 6 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi"> 5 7 The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'. -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html
r147086 r147402 7 7 testRunner.dumpChildFramesAsText(); 8 8 testRunner.dumpResourceLoadCallbacks(); 9 testRunner.waitUntilDone(); 10 } 11 12 function checkIfDone() { 13 var url = document.querySelector('iframe').contentWindow.location.href; 14 15 if (!url) 16 console.log("PASS: Could not read contentWindow.location.href"); 17 else 18 console.log("FAIL: Could read contentWindow.location.href"); 19 testRunner.notifyDone(); 9 20 } 10 21 </script> … … 12 23 <body> 13 24 <p>The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.</p> 14 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi" ></iframe>25 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi" onload="checkIfDone()"></iframe> 15 26 </body> 16 27 </html> -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
r147164 r147402 2 2 <unknown> - didFinishLoading 3 3 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'. 4 ALERT: PASS: onload fired. 4 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 5 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 5 6 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi"> 6 7 There should be no content in the iframe below -
trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html
r147164 r147402 4 4 testRunner.dumpChildFramesAsText(); 5 5 testRunner.dumpResourceLoadCallbacks(); 6 testRunner.waitUntilDone(); 7 } 8 9 function checkIfDone() { 10 var url = document.querySelector('iframe').contentWindow.location.href; 11 12 if (!url) 13 console.log("PASS: Could not read contentWindow.location.href"); 14 else 15 console.log("FAIL: Could read contentWindow.location.href"); 16 testRunner.notifyDone(); 6 17 } 7 18 </script> 8 19 9 20 <p>There should be no content in the iframe below</p> 10 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi" onload=" alert('PASS: onload fired.');"></iframe>21 <iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi" onload="checkIfDone()"></iframe> -
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
r147164 r147402 1 1 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null) 2 2 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'. 3 ALERT: PASS: onload fired. 3 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 4 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 4 5 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"> 5 6 There should be no content in the iframe below -
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt
r144262 r147402 3 3 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFinishLoading 4 4 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'. 5 data:text/html,<p></p> - willSendRequest <NSURLRequest URL data:text/html,<p></p>, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null) 6 data:text/html,<p></p> - didReceiveResponse <NSURLResponse data:text/html,<p></p>, http status code 0> 7 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 8 9 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 5 10 There should be no content in the iframe below 6 11 -
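Review bot: the Chromium expectation records the replacement URL unescaped ("data:text/html,<p></p>") while the Mac expectation for the same test (x-frame-options-deny-meta-tag-expected.txt) records it percent-encoded ("data:text/html,%3Cp%3E%3C/p%3E"), so the literal passed to scheduleLocationChange in Document.cpp is serialized differently by the two ports and each needs its own expectation file. Emitting the URL already percent-encoded from Document.cpp (or constructing it as a KURL before scheduling) would let both ports share one expectation and removes a port-specific difference from a security test.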
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt
r144262 r147402 3 3 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFinishLoading 4 4 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'. 5 data:text/html,<p></p> - willSendRequest <NSURLRequest URL data:text/html,<p></p>, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null) 6 data:text/html,<p></p> - didReceiveResponse <NSURLResponse data:text/html,<p></p>, http status code 0> 7 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 8 9 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 5 10 There should be no content in the iframe below 6 11 -
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt
r144262 r147402 3 3 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFinishLoading 4 4 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'. 5 data:text/html,<p></p> - willSendRequest <NSURLRequest URL data:text/html,<p></p>, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null) 6 data:text/html,<p></p> - didReceiveResponse <NSURLResponse data:text/html,<p></p>, http status code 0> 7 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match. 8 9 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 5 10 There should be no content in the iframe below 6 11 -
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt
r147086 r147402 1 1 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html, http method GET> redirectResponse (null) 2 2 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'. 3 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 4 CONSOLE MESSAGE: line 16: PASS: Could not read contentWindow.location.href 3 5 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi"> 4 6 The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'. -
trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
r147164 r147402 1 1 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null) 2 2 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'. 3 ALERT: PASS: onload fired. 3 CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. 4 CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href 4 5 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi"> 5 6 There should be no content in the iframe below -
trunk/Source/WebCore/ChangeLog
r147395 r147402 1 2013-04-02 Mike West <mkwst@chromium.org> 2 3 X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin. 4 https://bugs.webkit.org/show_bug.cgi?id=112903 5 6 Reviewed by Adam Barth. 7 8 This change brings WebKit in line with IE and Gecko's behavior, both of 9 which treat the blocked frame as being cross-origin for the purposes of 10 access checks ('[frame].contentWindow.location.href' is inaccessible, 11 for example). 12 13 * dom/Document.cpp: 14 (WebCore::Document::processHttpEquiv): 15 Rather than redirecting to 'about:blank', redirect to 16 'data:text/html,<p></p>' which does not inherit the SecurityOrigin 17 of the parent. 18 * loader/DocumentLoader.cpp: 19 (WebCore::DocumentLoader::responseReceived): 20 Before calling cancelMainResourceLoad, ensure that the frame's 21 document is sandboxed into a unique origin so that it doesn't 22 inherit the parent's SecurityOrigin. 23 1 24 2013-04-01 Elliott Sprehn <esprehn@chromium.org> 2 25 -
trunk/Source/WebCore/dom/Document.cpp
r146935 r147402 2949 2949 String message = "Refused to display '" + url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; 2950 2950 frameLoader->stopAllLoaders(); 2951 frame->navigationScheduler()->scheduleLocationChange(securityOrigin(), blankURL(), String()); 2951 // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's 2952 // intent, we must navigate away from the possibly partially-rendered document to a location that 2953 // doesn't inherit the parent's SecurityOrigin. 2954 frame->navigationScheduler()->scheduleLocationChange(securityOrigin(), "data:text/html,<p></p>", String()); 2952 2955 addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, requestIdentifier); 2953 2956 } -
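Review bot: this hunk and the DocumentLoader.cpp hunk now enforce the same policy by two different mechanisms: the <meta http-equiv> path navigates the frame to a data: URL and relies on that URL receiving a unique origin, while the HTTP-header path sandboxes the existing document in place with enforceSandboxFlags(SandboxOrigin). The expectations show the two leave different fingerprints ("Protocols must match" for the meta path, "Sandbox access violation" for the header path), so the parent can tell which delivery mechanism was used and the two paths will drift independently. Consider also calling enforceSandboxFlags(SandboxOrigin) on the document here before scheduling the navigation, or moving both into one helper, so a blocked frame ends in the same state whichever way the header arrived. Separately, the bare "data:text/html,<p></p>" literal replacing blankURL() deserves a named constant, since the expectation files depend on its exact serialization.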
trunk/Source/WebCore/loader/DocumentLoader.cpp
r147336 r147402 592 592 String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; 593 593 frame()->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, identifier); 594 frame()->document()->enforceSandboxFlags(SandboxOrigin); 594 595 if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement()) 595 596 ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
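Review bot: the added enforceSandboxFlags(SandboxOrigin) call at line 594 has no comment explaining why it is there, while the matching Document.cpp hunk got one; add a note that the frame's current document is the one that inherited the parent's SecurityOrigin and that the flag is what strips that inheritance before the load event fires, otherwise the line reads as an unrelated sandbox tweak. The visible side effect is also worth a look: the expectations now show the parent receiving "Sandbox access violation ... The frame being accessed is sandboxed and lacks the "allow-same-origin" flag", which tells a page author to add a sandbox flag to a frame that has no sandbox attribute; a message that names X-Frame-Options as the reason the access was blocked would be less misleading.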