Changeset 205205 in webkit


Timestamp:
Aug 30, 2016 3:49:45 PM (8 years ago)
Author:
Chris Dumez
Message:

Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
https://bugs.webkit.org/show_bug.cgi?id=161396

Reviewed by Ryosuke Niwa.

Source/JavaScriptCore:

Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:

Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.

Note that technically, we should also throw in the same origin case.
However, not all browsers agree on this yet so I haven't changed
the behavior for the same origin case.

  • runtime/ObjectConstructor.cpp:
    (JSC::objectConstructorSetPrototypeOf):

LayoutTests:

Update / rebaseline existing test to reflect behavior change.

  • http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
  • http/tests/security/cross-frame-access-object-setPrototypeOf.html:
Location:
trunk
Files:
5 edited
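As an added illustration (not code from the WebKit change or its layout test), the behaviour the commit message describes, modelled in plain JavaScript: a Proxy stands in for the cross-origin WindowProxy / Location object, answering false from [[SetPrototypeOf]] so that Object.setPrototypeOf() throws a TypeError per ECMA-262 step 5 while Reflect.setPrototypeOf() merely reports false. The names makeOriginGuardedObject, trySetPrototype and blocksPrototypeChange are my own, and the sameOrigin flag is a constructed stand-in for the browser's origin comparison.

```javascript
// Added example, not part of WebKit r205205: models the HTML spec's
// WindowProxy / Location [[SetPrototypeOf]] rule that this change brings
// WebKit in line with. When the caller is cross-origin, [[SetPrototypeOf]]
// answers false; ECMA-262 Object.setPrototypeOf step 5 then throws a
// TypeError, whereas Reflect.setPrototypeOf just reports false.
'use strict';

// Stand-in for a WindowProxy or Location object. `sameOrigin` is a
// constructed flag; a real browser derives it from the two documents' origins.
function makeOriginGuardedObject(sameOrigin) {
  return new Proxy({}, {
    setPrototypeOf(target, proto) {
      // Cross-origin: refuse, as the spec's [[SetPrototypeOf]] does.
      if (!sameOrigin) return false;
      // Same-origin: ordinary behaviour (r205205 leaves this case unchanged).
      return Reflect.setPrototypeOf(target, proto);
    },
  });
}

// Mirrors the layout test's pattern: attempt the prototype change, record
// whether it threw and what it threw, and check afterwards whether the
// prototype actually changed (the test's `instanceof Array` assertion).
function trySetPrototype(obj, proto) {
  let threw = false;
  let errorName = null;
  try {
    Object.setPrototypeOf(obj, proto);
  } catch (e) {
    threw = true;
    errorName = e.name;
  }
  return { threw, errorName, applied: Object.getPrototypeOf(obj) === proto };
}

// True only when the object behaves as the spec requires for a cross-origin
// caller: Object.setPrototypeOf throws TypeError, Reflect.setPrototypeOf
// returns false, and the prototype is left untouched.
function blocksPrototypeChange(obj, proto) {
  const r = trySetPrototype(obj, proto);
  const reflectResult = Reflect.setPrototypeOf(obj, proto);
  return r.threw && r.errorName === 'TypeError' && !r.applied && reflectResult === false;
}

// Stand-alone run: cross-origin is blocked, same-origin still succeeds.
const crossOriginWindow = makeOriginGuardedObject(false);
const sameOriginWindow = makeOriginGuardedObject(true);
console.log('cross-origin blocked:', blocksPrototypeChange(crossOriginWindow, Array.prototype)); // true
console.log('same-origin applied:', trySetPrototype(sameOriginWindow, Array.prototype).applied); // true
```

The distinction between the two entry points is what the rebaselined test relies on: shouldThrowErrorName() only passes when Object.setPrototypeOf() raises a TypeError, while the old behaviour (silently ignoring the call) would have matched what Reflect.setPrototypeOf() reports.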

  • trunk/LayoutTests/ChangeLog

    r205203 r205205  
     12016-08-30  Chris Dumez  <cdumez@apple.com>
     2
     3        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
     4        https://bugs.webkit.org/show_bug.cgi?id=161396
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        Update / rebaseline existing test to reflect behavior change.
     9
     10        * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
     11        * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
     12
    1132016-08-30  Jiewen Tan  <jiewen_tan@apple.com>
    214
  • trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt

    r205037 r205205  
    1 CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
    2 This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().
     1CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
     2CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
     3This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()
     4
     5On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
     6
    37
    48PASS: targetWindow instanceof Array should be 'false' and is.
     9PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
    510PASS: targetWindow instanceof Array should be 'false' and is.
     11PASS: targetWindow.location instanceof Array should be 'false' and is.
     12PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
     13PASS: targetWindow.location instanceof Array should be 'false' and is.
     14PASS: successfullyParsed should be 'true' and is.
    615
     16TEST COMPLETE
     17
     18
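Review bot: the rebaselined output still carries a "Blocked a frame with origin ..." CONSOLE MESSAGE for each attempt (lines 1 and 2), now reported at "line 1" rather than the old "line 22", presumably because the calls are now evaluated from a string by shouldThrowErrorName. That makes the test assert both the console error and the TypeError; if the logging in checkProtoSetterAccessAllowed is later dropped once throwing is the behaviour, this file will need another rebaseline. Also note the description line now lacks the trailing period the old line 2 had; harmless, but it should match what description() in the .html emits.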
  • trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html

    r205037 r205205  
    11<html>
    22<head>
     3    <script src="/js-test-resources/js-test-pre.js"></script>
    34    <script src="resources/cross-frame-access.js"></script>
    45    <script>
    5         if (window.testRunner) {
    6             testRunner.dumpAsText();
    7             testRunner.waitUntilDone();
    8         }
     6        description("This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()");
     7        jsTestIsAsync = true;
    98
    109        // Set up listener for message from iframe
     
    1918
    2019            shouldBeFalse("targetWindow instanceof Array");
    21 
    22             Object.setPrototypeOf(targetWindow, Array.prototype);
    23 
     20            shouldThrowErrorName("Object.setPrototypeOf(targetWindow, Array.prototype)", "TypeError");
    2421            shouldBeFalse("targetWindow instanceof Array");
    2522
    26             if (window.testRunner)
    27                 testRunner.notifyDone();
     23            shouldBeFalse("targetWindow.location instanceof Array");
     24            shouldThrowErrorName("Object.setPrototypeOf(targetWindow.location, Array.prototype)", "TypeError");
     25            shouldBeFalse("targetWindow.location instanceof Array");
     26
     27            finishJSTest();
    2828        }
    2929    </script>
    3030</head>
    3131<body>
    32     <div>This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().</div>
    3332    <iframe id="target" src="http://localhost:8000/security/resources/cross-frame-iframe-for-object-setPrototypeOf-test.html"></iframe>
    3433    <pre id="console"></pre>
     34    <script src="/js-test-resources/js-test-post.js"></script>
    3535</body>
    3636</html>
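Review bot: the test only exercises the cross-origin path, while the ChangeLog explicitly leaves the same-origin case non-throwing; consider adding a same-origin check (or a companion test) asserting that Object.setPrototypeOf on a same-origin window or location does not throw, so that a later change cannot silently alter that behaviour. The rest of the rewrite reads well: dropping the old <div> that said "history" in favour of description(...) saying "location" matches what lines 23-25 now exercise, and the move from testRunner.waitUntilDone()/notifyDone() to jsTestIsAsync/finishJSTest() with js-test-post.js is the standard harness.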
  • trunk/Source/JavaScriptCore/ChangeLog

    r205204 r205205  
     12016-08-30  Chris Dumez  <cdumez@apple.com>
     2
     3        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
     4        https://bugs.webkit.org/show_bug.cgi?id=161396
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
     9        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
     10        - https://html.spec.whatwg.org/#location-setprototypeof
     11        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
     12
     13        Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.
     14
     15        Note that technically, we should also throw in the same origin case.
     16        However, not all browsers agree on this yet so I haven't not changed
     17        the behavior for the same origin case.
     18
     19        * runtime/ObjectConstructor.cpp:
     20        (JSC::objectConstructorSetPrototypeOf):
     21
    1222016-08-30  Benjamin Poulain  <bpoulain@apple.com>
    223
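Review bot: line 16 has a double negative, "I haven't not changed the behavior for the same origin case"; it should read "I haven't changed".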
  • trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

    r205198 r205205  
    233233        return JSValue::encode(objectValue);
    234234
    235     if (!checkProtoSetterAccessAllowed(exec, object))
     235    if (!checkProtoSetterAccessAllowed(exec, object)) {
     236        throwTypeError(exec, ASCIILiteral("Permission denied"));
    236237        return JSValue::encode(objectValue);
     238    }
    237239
    238240    bool shouldThrowIfCantSet = true;
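Review bot: after throwTypeError() on line 236, the function still returns JSValue::encode(objectValue) on line 237; the usual JSC idiom once an exception is pending is to return the empty value, e.g. `return throwVMTypeError(exec, ASCIILiteral("Permission denied"));`, which also removes the added braces. Separately, the rebaselined expected.txt in this change shows checkProtoSetterAccessAllowed still logging the "Blocked a frame ..." console message before the TypeError is thrown, so a caller now gets both a console error and an exception; worth confirming that double reporting is intended rather than left over from the ignore-and-log behaviour.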