Changeset 205200 in webkit

Timestamp:

Aug 30, 2016 3:24:39 PM (8 years ago)

Author:

Chris Dumez

Message:

Delete? should throw for cross-origin Window / Location objects
​https://bugs.webkit.org/show_bug.cgi?id=161397

Reviewed by Ryosuke Niwa.

Source/WebCore:

Delete? should throw for cross-origin Window / Location objects:

• ​https://github.com/whatwg/html/pull/1728

Firefox and Chrome already throw. Previously, WebKit was merely
ignoring the call and logging an error message.

No new tests, updated existing test.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::deleteProperty):
(WebCore::JSDOMWindow::deletePropertyByIndex):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::deleteProperty):
(WebCore::JSLocation::deletePropertyByIndex):

LayoutTests:

Update / rebaseline existing test to reflect behavior change.

• http/tests/security/cross-frame-access-delete-expected.txt:
• http/tests/security/cross-frame-access-delete.html:
• http/tests/security/resources/cross-frame-iframe-for-delete-test.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-delete.html (modified) (4 diffs)
• LayoutTests/http/tests/security/resources/cross-frame-iframe-for-delete-test.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-08-30  Chris Dumez  <cdumez@apple.com>
+
+        [[Delete]] should throw for cross-origin Window / Location objects
+        https://bugs.webkit.org/show_bug.cgi?id=161397
+
+        Reviewed by Ryosuke Niwa.
+
+        Update / rebaseline existing test to reflect behavior change.
+
+        * http/tests/security/cross-frame-access-delete-expected.txt:
+        * http/tests/security/cross-frame-access-delete.html:
+        * http/tests/security/resources/cross-frame-iframe-for-delete-test.html:
+
 2016-08-30  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+Tests [[Delete]] for cross origin Window / Location.
 
-PASS: eval('delete targetWindow.existingProperty') should be 'false' and is.
-PASS: eval('delete targetWindow[1]') should be 'false' and is.
-PASS: eval('delete targetWindow.location.existingProperty') should be 'false' and is.
-PASS: eval('delete targetWindow.location[1]') should be 'false' and is.
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS delete targetWindow.existingProperty threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS delete targetWindow.name threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS delete targetWindow[1] threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS delete targetWindow.location.existingProperty threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS delete targetWindow.location.host threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS delete targetWindow.location[1] threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS: successfullyParsed should be 'true' and is.
+
+TEST COMPLETE
+
 
 

trunk/LayoutTests/http/tests/security/cross-frame-access-delete.html

@@ -1 +1 @@
 <html>
 <head>
+    <script src="/js-test-resources/js-test-pre.js"></script>
     <script src="resources/cross-frame-access.js"></script>
     <script>
-        if (window.testRunner) {
-            testRunner.dumpAsText();
+        description("Tests [[Delete]] for cross origin Window / Location.");
+        jsTestIsAsync = true;
+
+        if (window.testRunner)
             testRunner.dumpChildFramesAsText();
-            testRunner.waitUntilDone();
-        }
 
         receiver = function(e)
@@ -13 +14 @@
             if (e.data == "setValuesComplete")
                 deleteTest();
+            if (e.data == "checkValuesComplete")
+                finishJSTest();
         }
         addEventListener('message', receiver, false);
@@ -20 +23 @@
             targetWindow = frames[0];
 
-            shouldBe("eval('delete targetWindow.existingProperty')", "false");
-            shouldBe("eval('delete targetWindow[1]')", "false");
-            shouldBe("eval('delete targetWindow.location.existingProperty')", "false");
-            shouldBe("eval('delete targetWindow.location[1]')", "false");
+            shouldThrowErrorName("delete targetWindow.existingProperty", "SecurityError");
+            shouldThrowErrorName("delete targetWindow.name", "SecurityError");
+            shouldThrowErrorName("delete targetWindow[1]", "SecurityError");
+            shouldThrowErrorName("delete targetWindow.location.existingProperty", "SecurityError");
+            shouldThrowErrorName("delete targetWindow.location.host", "SecurityError");
+            shouldThrowErrorName("delete targetWindow.location[1]", "SecurityError");
 
             targetWindow.postMessage("deletingValuesComplete", "*");
@@ -32 +37 @@
     <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-delete-test.html"></iframe>
     <pre id="console"></pre>
+    <script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-delete-test.html

@@ -33 +33 @@
             shouldBe("window.location[1]", "'test value'");
 
-            if (window.testRunner)
-                testRunner.notifyDone();
+             window.parent.postMessage("checkValuesComplete", "*");
         }
     </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-30  Chris Dumez  <cdumez@apple.com>
+
+        [[Delete]] should throw for cross-origin Window / Location objects
+        https://bugs.webkit.org/show_bug.cgi?id=161397
+
+        Reviewed by Ryosuke Niwa.
+
+        [[Delete]] should throw for cross-origin Window / Location objects:
+        - https://github.com/whatwg/html/pull/1728
+
+        Firefox and Chrome already throw. Previously, WebKit was merely
+        ignoring the call and logging an error message.
+
+        No new tests, updated existing test.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::deleteProperty):
+        (WebCore::JSDOMWindow::deletePropertyByIndex):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::deleteProperty):
+        (WebCore::JSLocation::deletePropertyByIndex):
+
 2016-08-30  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -270 +270 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
     // Only allow deleting properties by frames in the same origin.
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), ThrowSecurityError))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
@@ -279 +279 @@
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
     // Only allow deleting properties by frames in the same origin.
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), ThrowSecurityError))
         return false;
     return Base::deletePropertyByIndex(thisObject, exec, propertyName);

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -95 +95 @@
     JSLocation* thisObject = jsCast<JSLocation*>(cell);
     // Only allow deleting by frames in the same origin.
-    if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
+    if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), ThrowSecurityError))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
@@ -104 +104 @@
     JSLocation* thisObject = jsCast<JSLocation*>(cell);
     // Only allow deleting by frames in the same origin.
-    if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
+    if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), ThrowSecurityError))
         return false;
     return Base::deletePropertyByIndex(thisObject, exec, propertyName);