Changeset 205171 in webkit
- Timestamp: Aug 29, 2016 10:24:13 PM
- Location: trunk
- Files: 14 edited
trunk/LayoutTests/ChangeLog
r205170 r205171 1 2016-08-29 Chris Dumez <cdumez@apple.com> 2 3 We should throw a SecurityError when denying setting a cross-origin Location property 4 https://bugs.webkit.org/show_bug.cgi?id=161368 5 6 Reviewed by Ryosuke Niwa. 7 8 Update / Rebaseline existing tests to reflect behavior change. 9 10 * http/tests/security/cross-frame-access-location-put-expected.txt: 11 * http/tests/security/location-cross-origin-expected.txt: 12 * http/tests/security/location-cross-origin.html: 13 * http/tests/security/xss-DENIED-assign-location-hash-expected.txt: 14 * http/tests/security/xss-DENIED-assign-location-host-expected.txt: 15 * http/tests/security/xss-DENIED-assign-location-hostname-expected.txt: 16 * http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt: 17 * http/tests/security/xss-DENIED-assign-location-pathname-expected.txt: 18 * http/tests/security/xss-DENIED-assign-location-protocol-expected.txt: 19 * http/tests/security/xss-DENIED-assign-location-reload-expected.txt: 20 * http/tests/security/xss-DENIED-assign-location-search-expected.txt: 21 1 22 2016-08-29 Gyuyoung Kim <gyuyoung.kim@webkit.org> 2 23 -
trunk/LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.2 CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.3 CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.4 CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.5 1 2 SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match. 3 SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match. 4 SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match. 5 SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match. 6 6 7 7 -
trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt
r205154 r205171 28 28 PASS Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 29 29 PASS Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 30 PASS frames[0].location.protocol = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 31 PASS frames[0].location.host = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 32 PASS frames[0].location.hostname = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 33 PASS frames[0].location.port = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 34 PASS frames[0].location.pathname = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 
35 PASS frames[0].location.search = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 36 PASS frames[0].location.hash = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 37 PASS frames[0].location.origin = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 38 PASS frames[0].location.ancestorOrigins = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 39 FAIL frames[0].location.toString = 1 should throw a SecurityError. Did not throw. 40 PASS frames[0].location.reload = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 41 PASS frames[0].location.replace = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 42 PASS frames[0].location.assign = 1 threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 
43 PASS Object.getOwnPropertyDescriptor(window.location, 'protocol').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 44 PASS Object.getOwnPropertyDescriptor(window.location, 'host').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 45 PASS Object.getOwnPropertyDescriptor(window.location, 'hostname').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 46 PASS Object.getOwnPropertyDescriptor(window.location, 'port').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 47 PASS Object.getOwnPropertyDescriptor(window.location, 'pathname').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 48 PASS Object.getOwnPropertyDescriptor(window.location, 'search').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 
49 PASS Object.getOwnPropertyDescriptor(window.location, 'hash').set.call(frames[0].location, 1) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.. 30 50 PASS frames[0].location.href = 'about:blank' did not throw exception. 31 51 PASS frames[0].location.href is "about:blank" -
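Review bot: New line 39 of this baseline checks in "FAIL frames[0].location.toString = 1 should throw a SecurityError. Did not throw." as expected output, and neither ChangeLog entry in this changeset mentions it. Every other new assignment case here passes, so say in the LayoutTests ChangeLog that toString is a known remaining gap and reference a follow-up bug. Otherwise the FAIL can be read as intended behavior or silently carried through later rebaselines.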
trunk/LayoutTests/http/tests/security/location-cross-origin.html
r205154 r205171 35 35 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location)", "SecurityError"); 36 36 37 shouldThrowErrorName("frames[0].location.protocol = 1", "SecurityError"); 38 shouldThrowErrorName("frames[0].location.host = 1", "SecurityError"); 39 shouldThrowErrorName("frames[0].location.hostname = 1", "SecurityError"); 40 shouldThrowErrorName("frames[0].location.port = 1", "SecurityError"); 41 shouldThrowErrorName("frames[0].location.pathname = 1", "SecurityError"); 42 shouldThrowErrorName("frames[0].location.search = 1", "SecurityError"); 43 shouldThrowErrorName("frames[0].location.hash = 1", "SecurityError"); 44 shouldThrowErrorName("frames[0].location.origin = 1", "SecurityError"); 45 shouldThrowErrorName("frames[0].location.ancestorOrigins = 1", "SecurityError"); 46 shouldThrowErrorName("frames[0].location.toString = 1", "SecurityError"); 47 shouldThrowErrorName("frames[0].location.reload = 1", "SecurityError"); 48 shouldThrowErrorName("frames[0].location.replace = 1", "SecurityError"); 49 shouldThrowErrorName("frames[0].location.assign = 1", "SecurityError"); 50 51 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'protocol').set.call(frames[0].location, 1)", "SecurityError"); 52 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'host').set.call(frames[0].location, 1)", "SecurityError"); 53 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'hostname').set.call(frames[0].location, 1)", "SecurityError"); 54 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'port').set.call(frames[0].location, 1)", "SecurityError"); 55 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'pathname').set.call(frames[0].location, 1)", "SecurityError"); 56 shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'search').set.call(frames[0].location, 1)", "SecurityError"); 57 
shouldThrowErrorName("Object.getOwnPropertyDescriptor(window.location, 'hash').set.call(frames[0].location, 1)", "SecurityError"); 58 37 59 // Setting 'href' cross origin should be allowed. 38 60 shouldNotThrow("frames[0].location.href = 'about:blank'"); -
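Review bot: The new block at lines 37-57 has no comment stating what it expects, while the href case directly below it carries "// Setting 'href' cross origin should be allowed." Add a one-line comment above the block saying that setting any other Location property cross origin should throw a SecurityError. In the lines shown, the descriptor-setter group (51-57) also stops at hash and has no href counterpart, so the allowed path is only exercised through plain assignment; consider a shouldNotThrow case that calls the href setter on frames[0].location.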
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.hash not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.host not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.hostname not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.nonstandardProperty not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.pathname not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.protocol not allowed -
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.replace not allowed -
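Review bot: The unchanged PASS line in this baseline reads "cross-site assignment of location.replace not allowed", but the file is xss-DENIED-assign-location-reload-expected.txt. Since the baseline is being touched anyway, check whether the test assigns location.reload or location.replace, and fix the message or the file name so the result states which property was denied.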
trunk/LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt
r178527 r205171 1 CONSOLE MESSAGE: line 4: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.1 CONSOLE MESSAGE: line 4: SecurityError (DOM Exception 18): Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. 2 2 3 3 PASS: cross-site assignment of location.search not allowed -
trunk/Source/WebCore/ChangeLog
r205163 r205171 1 2016-08-29 Chris Dumez <cdumez@apple.com> 2 3 We should throw a SecurityError when denying setting a cross-origin Location property 4 https://bugs.webkit.org/show_bug.cgi?id=161368 5 6 Reviewed by Ryosuke Niwa. 7 8 We should throw a SecurityError when denying setting a cross-origin 9 Location property: 10 - https://html.spec.whatwg.org/#location-set 11 - https://html.spec.whatwg.org/#crossoriginset-(-o,-p,-v,-receiver-) 12 - https://html.spec.whatwg.org/#location-getownproperty 13 14 Firefox and Chrome already throw. We currently ignore and log an error 15 message. 16 17 No new tests, updated existing tests. 18 19 * bindings/js/JSLocationCustom.cpp: 20 (WebCore::JSLocation::putDelegate): 21 1 22 2016-08-29 Brent Fulgham <bfulgham@apple.com> 2 23 -
trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp
r205154 r205171 79 79 // disclose other parts of the original location. 80 80 if (propertyName != exec->propertyNames().href) { 81 // FIXME: We should throw a SecurityError. 82 printErrorMessageForFrame(frame, errorMessage); 81 throwSecurityError(*exec, errorMessage); 83 82 return true; 84 83 }
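Review bot: Replacing printErrorMessageForFrame(frame, errorMessage) with throwSecurityError(*exec, errorMessage) at new line 81 removes the unconditional console log, and the ChangeLog does not say whether that is intended. The rebaselined cross-frame-access-location-put-expected.txt in this changeset no longer has any CONSOLE MESSAGE lines, which suggests that a caller who catches the exception now leaves no console trace of the denied cross-origin write. State in the ChangeLog that the log is dropped on purpose, so the loss of that diagnostic is a recorded decision and not a side effect.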