Changeset 205409 in webkit

Timestamp:

Sep 3, 2016 3:50:55 PM (8 years ago)

Author:

Chris Dumez

Message:

Align cross-Origin Object.getOwnPropertyNames() with the HTML specification
​https://bugs.webkit.org/show_bug.cgi?id=161457

Reviewed by Darin Adler.

Source/WebCore:

Align cross-Origin Object.getOwnPropertyNames() with the HTML specification:

• ​https://html.spec.whatwg.org/#windowproxy-ownpropertykeys
• ​https://html.spec.whatwg.org/#location-ownpropertykeys
• ​https://html.spec.whatwg.org/#crossoriginproperties-(-o-)

We should list cross origin properties.

Firefox complies with the specification. However, WebKit was returning an
empty array and logs a security error message.

No new tests, updated existing test.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::addCrossOriginPropertyNames):
(WebCore::JSDOMWindow::getOwnPropertyNames):

• bindings/js/JSLocationCustom.cpp:

(WebCore::addCrossOriginPropertyNames):
(WebCore::JSLocation::getOwnPropertyNames):

LayoutTests:

Add test coverage.

• http/tests/security/cross-frame-access-enumeration-expected.txt:
• http/tests/security/cross-frame-access-enumeration.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/cross-frame-access-enumeration.html (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-03  Chris Dumez  <cdumez@apple.com>
+
+        Align cross-Origin Object.getOwnPropertyNames() with the HTML specification
+        https://bugs.webkit.org/show_bug.cgi?id=161457
+
+        Reviewed by Darin Adler.
+
+        Add test coverage.
+
+        * http/tests/security/cross-frame-access-enumeration-expected.txt:
+        * http/tests/security/cross-frame-access-enumeration.html:
+
 2016-09-03  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 48: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 55: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 29: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 75: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 82: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)
+CONSOLE MESSAGE: line 28: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 28: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+Tests enumeration of Window / Location properties cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
@@ -15 +12 @@
 PASS: Cross frame access by getting the keys of the Location object was denied.
 PASS: Cross frame access by getting the property names of the Location object was denied.
+PASS: areArraysEqual(Object.getOwnPropertyNames(b_win).sort(), whitelistedWindowProperties.sort()) should be 'true' and is.
+PASS: areArraysEqual(Object.getOwnPropertyNames(b_win.location).sort(), whitelistedLocationProperties.sort()) should be 'true' and is.
+PASS: successfullyParsed should be 'true' and is.
 
+TEST COMPLETE
+

trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration.html

@@ -1 +1 @@
 <html>
 <head>
+    <script src='/resources/js-test-pre.js'></script>
     <script src="resources/cross-frame-access.js"></script>
     <script>
+        description("Tests enumeration of Window / Location properties cross origin.");
+        jsTestIsAsync = true;
+
         window.onload = function()
         {
-            if (window.testRunner) {
-                testRunner.dumpAsText();
-                testRunner.waitUntilDone();
-            }
-
             if (window.testRunner) {
                 setTimeout(pollForTest, 1);
@@ -28 +27 @@
             }
             runTest();
-            testRunner.notifyDone();
+            finishJSTest();
         }
 
@@ -34 +33 @@
         {
             // Test enumerating the Window object
-            var b_win = document.getElementsByTagName("iframe")[0].contentWindow;
+            b_win = document.getElementsByTagName("iframe")[0].contentWindow;
             try {
                 for (var k in b_win) {
@@ -86 +85 @@
             }
             log("PASS: Cross frame access by getting the property names of the Location object was denied.");
+
+            whitelistedWindowProperties = ['location', 'postMessage', 'window', 'frames', 'self', 'top', 'parent', 'opener', 'closed', 'close', 'blur', 'focus', 'length'];
+            whitelistedLocationProperties = ['href', 'replace'];
+            shouldBeTrue("areArraysEqual(Object.getOwnPropertyNames(b_win).sort(), whitelistedWindowProperties.sort())");
+            shouldBeTrue("areArraysEqual(Object.getOwnPropertyNames(b_win.location).sort(), whitelistedLocationProperties.sort())");
         }
     </script>
 </head>
 <body>
-    <p>This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)</p>
     <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test.html"></iframe>
-    <pre id="console"></pre>
+    <script src='/resources/js-test-post.js'></script>
 </body>
 </html>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-03  Chris Dumez  <cdumez@apple.com>
+
+        Align cross-Origin Object.getOwnPropertyNames() with the HTML specification
+        https://bugs.webkit.org/show_bug.cgi?id=161457
+
+        Reviewed by Darin Adler.
+
+        Align cross-Origin Object.getOwnPropertyNames() with the HTML specification:
+        - https://html.spec.whatwg.org/#windowproxy-ownpropertykeys
+        - https://html.spec.whatwg.org/#location-ownpropertykeys
+        - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+        We should list cross origin properties.
+
+        Firefox complies with the specification. However, WebKit was returning an
+        empty array and logs a security error message.
+
+        No new tests, updated existing test.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::addCrossOriginPropertyNames):
+        (WebCore::JSDOMWindow::getOwnPropertyNames):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::addCrossOriginPropertyNames):
+        (WebCore::JSLocation::getOwnPropertyNames):
+
 2016-09-03  Frédéric Wang  <fwang@igalia.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -320 +320 @@
 }
 
+static void addCrossOriginWindowPropertyNames(ExecState& state, PropertyNameArray& propertyNames)
+{
+    // https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+    static const Identifier* properties[] = {
+        &state.propertyNames().blur, &state.propertyNames().close, &state.propertyNames().closed,
+        &state.propertyNames().focus, &state.propertyNames().frames, &state.propertyNames().length,
+        &state.propertyNames().location, &state.propertyNames().opener, &state.propertyNames().parent,
+        &state.propertyNames().postMessage, &state.propertyNames().self, &state.propertyNames().top,
+        &state.propertyNames().window
+    };
+    for (auto* property : properties)
+        propertyNames.add(*property);
+}
+
 void JSDOMWindow::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
-    // Only allow the window to enumerated by frames in the same origin.
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError)) {
+        addCrossOriginWindowPropertyNames(*exec, propertyNames);
         return;
+    }
     Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
 }

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -109 +109 @@
 }
 
+static void addCrossOriginLocationPropertyNames(ExecState& state, PropertyNameArray& propertyNames)
+{
+    // https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+    static const Identifier* properties[] = { &state.propertyNames().href, &state.propertyNames().replace };
+    for (auto* property : properties)
+        propertyNames.add(*property);
+}
+
 void JSLocation::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
     JSLocation* thisObject = jsCast<JSLocation*>(object);
-    // Only allow the location object to enumerated by frames in the same origin.
-    if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
+    if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), DoNotReportSecurityError)) {
+        addCrossOriginLocationPropertyNames(*exec, propertyNames);
         return;
+    }
     Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
 }