Context Navigation

← Previous Changeset
Next Changeset →

Changeset 205297 in webkit

Timestamp:

Sep 1, 2016 10:48:25 AM (8 years ago)

Author:

Chris Dumez

Message:

Align cross-origin proto getter / setter behavior with the specification
https://bugs.webkit.org/show_bug.cgi?id=161455

Reviewed by Mark Lam.

Source/JavaScriptCore:

Align cross-origin proto getter / setter behavior with the specification:

The setter should throw a TypeError:

The getter should return null:

I have verified that this aligns our behavior with Firefox and Chrome.

runtime/JSGlobalObjectFunctions.cpp:

(JSC::GlobalFuncProtoGetterFunctor::operator()):
(JSC::globalFuncProtoSetter):

LayoutTests:

Add layout test coverage.

http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
http/tests/security/cross-frame-access-object-getPrototypeOf.html:
http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
http/tests/security/cross-frame-access-object-setPrototypeOf.html:

Location:

trunk

Files:

: 7 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt (modified) (2 diffs)
LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html (modified) (1 diff)
LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (modified) (2 diffs)
LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (modified) (1 diff)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r205296
+                      r205297
+-09-01  Chris Dumez  <cdumez@apple.com>
+        Align cross-origin proto getter / setter behavior with the specification
+        https://bugs.webkit.org/show_bug.cgi?id=161455
+        Reviewed by Mark Lam.
+        Add layout test coverage.
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-getPrototypeOf.html:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
 -09-01  Ryan Haddad  <ryanhaddad@apple.com>

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt

-                      r205258
+                      r205297
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 …
 PASS: Object.getPrototypeOf(targetWindow) should be 'null' and is.
 PASS: Object.getPrototypeOf(targetWindow.location) should be 'null' and is.
+PASS: protoGetter.call(targetWindow) should be 'null' and is.
+PASS: protoGetter.call(targetWindow.location) should be 'null' and is.
 PASS targetWindow.history threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html

-                      r205258
+                      r205297
             shouldBeNull("Object.getPrototypeOf(targetWindow)");
             shouldBeNull("Object.getPrototypeOf(targetWindow.location)");
+            protoGetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;
+            shouldBeNull("protoGetter.call(targetWindow)");
+            shouldBeNull("protoGetter.call(targetWindow.location)");
             shouldThrowErrorName("targetWindow.history", "SecurityError");

trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt

-                      r205205
+                      r205297
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 …
 PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
 PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html

-                      r205205
+                      r205297
             shouldBeFalse("targetWindow.location instanceof Array");
+            protoSetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').set;
+            shouldBeFalse("targetWindow instanceof Array");
+            shouldThrowErrorName("protoSetter.call(targetWindow, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow instanceof Array");
+            shouldBeFalse("targetWindow.location instanceof Array");
+            shouldThrowErrorName("protoSetter.call(targetWindow.location, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow.location instanceof Array");
             finishJSTest();
+        }

trunk/Source/JavaScriptCore/ChangeLog

-                      r205285
+                      r205297
+-09-01  Chris Dumez  <cdumez@apple.com>
+        Align cross-origin proto getter / setter behavior with the specification
+        https://bugs.webkit.org/show_bug.cgi?id=161455
+        Reviewed by Mark Lam.
+        Align cross-origin proto getter / setter behavior with the specification:
+        The setter should throw a TypeError:
+        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
+        - https://html.spec.whatwg.org/#location-setprototypeof
+        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
+        The getter should return null:
+        - https://html.spec.whatwg.org/#windowproxy-getprototypeof
+        - https://html.spec.whatwg.org/#location-getprototypeof
+        I have verified that this aligns our behavior with Firefox and Chrome.
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::GlobalFuncProtoGetterFunctor::operator()):
+        (JSC::globalFuncProtoSetter):
 -09-01  Csaba Osztrogonác  <ossy@webkit.org>

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

-                      r205198
+                      r205297
         if (m_thisObject->allowsAccessFrom(visitor->callFrame()))
             m_result = JSValue::encode(m_thisObject->getPrototype(m_exec->vm(), m_exec));
+        else
+            m_result = JSValue::encode(jsNull());
         return StackVisitor::Done;
 …
         return JSValue::encode(jsUndefined());
+    if (!checkProtoSetterAccessAllowed(exec, thisObject))
+    if (!checkProtoSetterAccessAllowed(exec, thisObject)) {
+        throwTypeError(exec, scope, ASCIILiteral("Permission denied"));
         return JSValue::encode(jsUndefined());
+    }
     // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.

Note: See TracChangeset for help on using the changeset viewer.