Changeset 218835 in webkit

Timestamp:

Jun 27, 2017 8:59:48 AM (7 years ago)

Author:

fred.wang@free.fr

Message:

Some tests to verify forbidden frame navigation time out
​https://bugs.webkit.org/show_bug.cgi?id=173657

Patch by Frederic Wang <​fwang@igalia.com> on 2017-06-27
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-2-expected.txt: Update the text expectation to PASS.
• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt: Ditto.
• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_ancestor-1-expected.txt: Ditto.
• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt: Add the security error until bug 173162 is fixed.
• web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt: Ditto.

Source/WebCore:

Currently some tests try and perform a forbidden frame navigation and verify the
corresponding console error. However, WebKit does not raise any exception for such error so
the tests have to wait until the timeout limit to complete, which makes execution slow.
This patch modifies the setters of window.location for which such error may happen in order
to raise an exception so the tests behave as expected.

No new tests, already covered by existing tests.

• page/Location.cpp: Adjust Location::setLocation to return a security exception and pass it

to the callers.
(WebCore::Location::setHref): Adjust function to possibly return an exception.
(WebCore::Location::setProtocol): Ditto.
(WebCore::Location::setHost): Ditto.
(WebCore::Location::setHostname): Ditto.
(WebCore::Location::setPort): Ditto.
(WebCore::Location::setPathname): Ditto.
(WebCore::Location::setSearch): Ditto.
(WebCore::Location::setHash): Ditto.
(WebCore::Location::assign): Ditto.
(WebCore::Location::setLocation): FrameLoader::findFrameForNavigation is really only used
to verify whether navigating m_frame is permitted so it is more simple and clearer to do it
directly. When navigation is not permitted, this function now raises a security exception.

• page/Location.h: Modify some setters to return an ExceptionOr<void>.
• page/Location.idl: Allow some setters to raise an exception.

LayoutTests:

• fast/frames/sandboxed-iframe-navigation-top-denied-expected.txt: Add the security error.
• http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Adjust

the test to catch and dump the exception and complete immediately.

• http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt:

Add the dumped security error exception.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/sandboxed-iframe-navigation-top-denied-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-2-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_ancestor-1-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/Location.cpp (modified) (5 diffs)
• Source/WebCore/page/Location.h (modified) (3 diffs)
• Source/WebCore/page/Location.idl (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-06-27  Frederic Wang  <fwang@igalia.com>
+
+        Some tests to verify forbidden frame navigation time out
+        https://bugs.webkit.org/show_bug.cgi?id=173657
+
+        Reviewed by Chris Dumez.
+
+        * fast/frames/sandboxed-iframe-navigation-top-denied-expected.txt: Add the security error.
+        * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Adjust
+        the test to catch and dump the exception and complete immediately.
+        * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt:
+        Add the dumped security error exception.
+
 2017-06-27  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-denied-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'navigate-top-to-fail.html'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
 
+CONSOLE MESSAGE: SecurityError (DOM Exception 18): The operation is insecure.
 This test verifies that a sandboxed IFrame cannot navigate the top-level frame without allow-top-navigation. This test passes if the navigation does not occur.
 

trunk/LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt

@@ -3 +3 @@
 iframe-with-inner-frame-on-foreign-domain-LOADED
 Attempting navigation...
+SecurityError (DOM Exception 18): The operation is insecure.

trunk/LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html

@@ -31 +31 @@
     if (e.data = "iframe-with-inner-frame-on-foreign-domain-LOADED") {
         log("Attempting navigation...");
-        window.savedFunction();
-        setTimeout(function() {
-            // Unfortunately, there's no way to receive positive confirmation
-            // that the navigation failed, so we just complete the test
-            // asynchronously.
+        try {
+            window.savedFunction();
             if (window.testRunner)
                 testRunner.notifyDone();
-        }, 0);
+        } catch(e) {
+            log(e);
+            testRunner.notifyDone();
+        }
         return;
     }

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2017-06-27  Frederic Wang  <fwang@igalia.com>
+
+        Some tests to verify forbidden frame navigation time out
+        https://bugs.webkit.org/show_bug.cgi?id=173657
+
+        Reviewed by Chris Dumez.
+
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-2-expected.txt: Update the text expectation to PASS.
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt: Ditto.
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_ancestor-1-expected.txt: Ditto.
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt: Add the security error until bug 173162 is fixed.
+        * web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt: Ditto.
+
 2017-06-23  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation-2-expected.txt

@@ -3 +3 @@
 
 
-Harness Error (TIMEOUT), message = null
+PASS Frames without `allow-top-navigation` should not be able to navigate the top frame. 
 
-TIMEOUT Frames without `allow-top-navigation` should not be able to navigate the top frame. Test timed out
-

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_allow_top_navigation_by_user_activation_without_user_gesture-expected.txt

@@ -6 +6 @@
 
 
-FAIL The sandboxed iframe should post a message saying the test was in the state of 'PASS'. assert_equals: The message should say 'PASS' instead of 'FAIL' expected "PASS" but got "FAIL"
+PASS The sandboxed iframe should post a message saying the test was in the state of 'PASS'. 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_ancestor-1-expected.txt

@@ -3 +3 @@
 
 
-Harness Error (TIMEOUT), message = null
+PASS Check that sandboxed iframe can not navigate their ancestors 
 
-NOTRUN Check that sandboxed iframe can not navigate their ancestors 
-

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_escaping-3-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 15: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper-3.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
 
+CONSOLE MESSAGE: line 15: SecurityError (DOM Exception 18): The operation is insecure.
 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_nonescaping-3-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 15: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'http://localhost:8800/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_popups_helper-3.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
 
+CONSOLE MESSAGE: line 15: SecurityError (DOM Exception 18): The operation is insecure.
 
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-06-27  Frederic Wang  <fwang@igalia.com>
+
+        Some tests to verify forbidden frame navigation time out
+        https://bugs.webkit.org/show_bug.cgi?id=173657
+
+        Reviewed by Chris Dumez.
+
+        Currently some tests try and perform a forbidden frame navigation and verify the
+        corresponding console error. However, WebKit does not raise any exception for such error so
+        the tests have to wait until the timeout limit to complete, which makes execution slow.
+        This patch modifies the setters of window.location for which such error may happen in order
+        to raise an exception so the tests behave as expected.
+
+        No new tests, already covered by existing tests.
+
+        * page/Location.cpp: Adjust Location::setLocation to return a security exception and pass it
+        to the callers.
+        (WebCore::Location::setHref): Adjust function to possibly return an exception.
+        (WebCore::Location::setProtocol): Ditto.
+        (WebCore::Location::setHost): Ditto.
+        (WebCore::Location::setHostname): Ditto.
+        (WebCore::Location::setPort): Ditto.
+        (WebCore::Location::setPathname): Ditto.
+        (WebCore::Location::setSearch): Ditto.
+        (WebCore::Location::setHash): Ditto.
+        (WebCore::Location::assign): Ditto.
+        (WebCore::Location::setLocation): FrameLoader::findFrameForNavigation is really only used
+        to verify whether navigating m_frame is permitted so it is more simple and clearer to do it
+        directly. When navigation is not permitted, this function now raises a security exception.
+        * page/Location.h: Modify some setters to return an ExceptionOr<void>.
+        * page/Location.idl: Allow some setters to raise an exception.
+
 2017-06-26  Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Source/WebCore/page/Location.cpp

@@ -151 +151 @@
 }
 
-void Location::setHref(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
-{
-    if (!m_frame)
-        return;
-    setLocation(activeWindow, firstWindow, url);
+ExceptionOr<void> Location::setHref(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
+{
+    if (!m_frame)
+        return { };
+    return setLocation(activeWindow, firstWindow, url);
 }
 
@@ -165 +165 @@
     if (!url.setProtocol(protocol))
         return Exception { SYNTAX_ERR };
-    setLocation(activeWindow, firstWindow, url.string());
-    return { };
-}
-
-void Location::setHost(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& host)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setHost(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& host)
+{
+    if (!m_frame)
+        return { };
     URL url = m_frame->document()->url();
     url.setHostAndPort(host);
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::setHostname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& hostname)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setHostname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& hostname)
+{
+    if (!m_frame)
+        return { };
     URL url = m_frame->document()->url();
     url.setHost(hostname);
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::setPort(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& portString)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setPort(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& portString)
+{
+    if (!m_frame)
+        return { };
     URL url = m_frame->document()->url();
     int port = portString.toInt();
@@ -197 +196 @@
     else
         url.setPort(port);
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::setPathname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& pathname)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setPathname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& pathname)
+{
+    if (!m_frame)
+        return { };
     URL url = m_frame->document()->url();
     url.setPath(pathname);
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::setSearch(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& search)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setSearch(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& search)
+{
+    if (!m_frame)
+        return { };
     URL url = m_frame->document()->url();
     url.setQuery(search);
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::setHash(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& hash)
-{
-    if (!m_frame)
-        return;
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::setHash(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& hash)
+{
+    if (!m_frame)
+        return { };
     ASSERT(m_frame->document());
     auto url = m_frame->document()->url();
@@ -233 +232 @@
     // cases where fragment identifiers are ignored or invalid. 
     if (equalIgnoringNullity(oldFragmentIdentifier, url.fragmentIdentifier()))
-        return;
-    setLocation(activeWindow, firstWindow, url.string());
-}
-
-void Location::assign(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
-{
-    if (!m_frame)
-        return;
-    setLocation(activeWindow, firstWindow, url);
+        return { };
+    return setLocation(activeWindow, firstWindow, url.string());
+}
+
+ExceptionOr<void> Location::assign(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
+{
+    if (!m_frame)
+        return { };
+    return setLocation(activeWindow, firstWindow, url);
 }
 
@@ -281 +280 @@
 }
 
-void Location::setLocation(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
+ExceptionOr<void> Location::setLocation(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& url)
 {
     ASSERT(m_frame);
-    auto* targetFrame = m_frame->loader().findFrameForNavigation({ }, activeWindow.document());
-    if (!targetFrame)
-        return;
-    ASSERT(targetFrame->document());
-    ASSERT(targetFrame->document()->domWindow());
-    targetFrame->document()->domWindow()->setLocation(activeWindow, firstWindow, url);
+    if (!activeWindow.document()->canNavigate(m_frame))
+        return Exception { SECURITY_ERR };
+    ASSERT(m_frame->document());
+    ASSERT(m_frame->document()->domWindow());
+    m_frame->document()->domWindow()->setLocation(activeWindow, firstWindow, url);
+    return { };
 }
 

trunk/Source/WebCore/page/Location.h

@@ -44 +44 @@
     static Ref<Location> create(Frame* frame) { return adoptRef(*new Location(frame)); }
 
-    void setHref(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setHref(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String href() const;
 
-    void assign(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> assign(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     void replace(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     void reload(DOMWindow& activeWindow);
@@ -53 +53 @@
     ExceptionOr<void> setProtocol(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String protocol() const;
-    void setHost(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setHost(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String host() const;
-    void setHostname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setHostname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String hostname() const;
-    void setPort(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setPort(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String port() const;
-    void setPathname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setPathname(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String pathname() const;
-    void setSearch(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setSearch(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String search() const;
-    void setHash(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setHash(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
     String hash() const;
     String origin() const;
@@ -74 +74 @@
     explicit Location(Frame*);
 
-    void setLocation(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
+    ExceptionOr<void> setLocation(DOMWindow& activeWindow, DOMWindow& firstWindow, const String&);
 
     const URL& url() const;

trunk/Source/WebCore/page/Location.idl

@@ -43 +43 @@
     Unforgeable,
 ] interface Location {
-    [SetterCallWith=ActiveWindow&FirstWindow, DoNotCheckSecurityOnSetter] stringifier attribute USVString href;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException, DoNotCheckSecurityOnSetter] stringifier attribute USVString href;
 
-    [CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void assign(USVString url);
+    [CallWith=ActiveWindow&FirstWindow, MayThrowException, ForwardDeclareInHeader] void assign(USVString url);
     [DoNotCheckSecurity, CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(USVString url);
     [CallWith=ActiveWindow, ForwardDeclareInHeader] void reload();
@@ -51 +51 @@
     // URI decomposition attributes
     [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString protocol;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString host;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString hostname;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString port;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString pathname;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString search;
-    [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString hash;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString host;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString hostname;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString port;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString pathname;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString search;
+    [SetterCallWith=ActiveWindow&FirstWindow, SetterMayThrowException] attribute USVString hash;
 
     readonly attribute USVString origin;