Changeset 205171 in webkit

Timestamp:

Aug 29, 2016 10:24:13 PM (8 years ago)

Author:

Chris Dumez

Message:

We should throw a SecurityError when denying setting a cross-origin Location property
​https://bugs.webkit.org/show_bug.cgi?id=161368

Reviewed by Ryosuke Niwa.

Source/WebCore:

We should throw a SecurityError when denying setting a cross-origin
Location property:

• ​https://html.spec.whatwg.org/#location-set
• ​https://html.spec.whatwg.org/#crossoriginset-(-o,-p,-v,-receiver-)
• ​https://html.spec.whatwg.org/#location-getownproperty

Firefox and Chrome already throw. We currently ignore and log an error
message.

No new tests, updated existing tests.

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::putDelegate):

LayoutTests:

Update / Rebaseline existing tests to reflect behavior change.

• http/tests/security/cross-frame-access-location-put-expected.txt:
• http/tests/security/location-cross-origin-expected.txt:
• http/tests/security/location-cross-origin.html:
• http/tests/security/xss-DENIED-assign-location-hash-expected.txt:
• http/tests/security/xss-DENIED-assign-location-host-expected.txt:
• http/tests/security/xss-DENIED-assign-location-hostname-expected.txt:
• http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt:
• http/tests/security/xss-DENIED-assign-location-pathname-expected.txt:
• http/tests/security/xss-DENIED-assign-location-protocol-expected.txt:
• http/tests/security/xss-DENIED-assign-location-reload-expected.txt:
• http/tests/security/xss-DENIED-assign-location-search-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/location-cross-origin-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/location-cross-origin.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-08-29  Chris Dumez  <cdumez@apple.com>
+
+        We should throw a SecurityError when denying setting a cross-origin Location property
+        https://bugs.webkit.org/show_bug.cgi?id=161368
+
+        Reviewed by Ryosuke Niwa.
+
+        Update / Rebaseline existing tests to reflect behavior change.
+
+        * http/tests/security/cross-frame-access-location-put-expected.txt:
+        * http/tests/security/location-cross-origin-expected.txt:
+        * http/tests/security/location-cross-origin.html:
+        * http/tests/security/xss-DENIED-assign-location-hash-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-host-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-hostname-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-pathname-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-protocol-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-reload-expected.txt:
+        * http/tests/security/xss-DENIED-assign-location-search-expected.txt:
+
 2016-08-29  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
 

trunk/LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 
+SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 
 

trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt

@@ -28 +28 @@
 PASS Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.protocol = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.host = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.hostname = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.port = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.pathname = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.search = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.hash = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.origin = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.ancestorOrigins = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+FAIL frames[0].location.toString = 1 should throw a SecurityError. Did not throw.
+PASS frames[0].location.reload = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.replace = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS frames[0].location.assign = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'protocol').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'host').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'hostname').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'port').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'pathname').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'search').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS Object.getOwnPropertyDescriptor(window.location, 'hash').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS frames[0].location.href = 'about:blank' did not throw exception.
 PASS frames[0].location.href is "about:blank"

trunk/LayoutTests/http/tests/security/location-cross-origin.html

@@ -35 +35 @@
     shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location)", "SecurityError");
 
+    shouldThrowErrorName("frames[0].location.protocol = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.host = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.hostname = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.port = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.pathname = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.search = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.hash = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.origin = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.ancestorOrigins = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.toString = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.reload = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.replace = 1", "SecurityError");
+    shouldThrowErrorName("frames[0].location.assign = 1", "SecurityError");
+
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'protocol').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'host').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'hostname').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'port').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'pathname').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'search').set.call(frames[0].location, 1)", "SecurityError");
+    shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'hash').set.call(frames[0].location, 1)", "SecurityError");
+
     // Setting 'href' cross origin should be allowed.
     shouldNotThrow("frames[0].location.href = 'about:blank'");

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.hash not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.host not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.hostname not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.nonstandardProperty not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.pathname not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.protocol not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.replace not allowed

trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 
 PASS: cross-site assignment of location.search not allowed

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-29  Chris Dumez  <cdumez@apple.com>
+
+        We should throw a SecurityError when denying setting a cross-origin Location property
+        https://bugs.webkit.org/show_bug.cgi?id=161368
+
+        Reviewed by Ryosuke Niwa.
+
+        We should throw a SecurityError when denying setting a cross-origin
+        Location property:
+        - https://html.spec.whatwg.org/#location-set
+        - https://html.spec.whatwg.org/#crossoriginset-(-o,-p,-v,-receiver-)
+        - https://html.spec.whatwg.org/#location-getownproperty
+
+        Firefox and Chrome already throw. We currently ignore and log an error
+        message.
+
+        No new tests, updated existing tests.
+
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::putDelegate):
+
 2016-08-29  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -79 +79 @@
     // disclose other parts of the original location.
     if (propertyName != exec->propertyNames().href) {
-        // FIXME: We should throw a SecurityError.
-        printErrorMessageForFrame(frame, errorMessage);
+        throwSecurityError(*exec, errorMessage);
         return true;
     }