Changeset 29380 in webkit
- Timestamp:
- Jan 10, 2008 4:23:13 PM (16 years ago)
- Location:
- trunk
- Files:
-
- 7 added
- 15 edited
trunk/LayoutTests/ChangeLog
r29374 r29380 1 2008-01-10 Sam Weinig <sam@webkit.org> 2 3 Reviewed by Anders Carlsson. 4 5 Tests for http://bugs.webkit.org/show_bug.cgi?id=16522 6 <rdar://problem/5657355> 7 8 * http/tests/security/frameNavigation/resources/frame-with-link-to-navigate.html: Added. 9 * http/tests/security/frameNavigation/resources/frame-with-plugin-to-navigate.html: Added. 10 * http/tests/security/frameNavigation/resources/navigation-happened.html: Added. 11 * http/tests/security/frameNavigation/xss-DENIED-plugin-navigation-expected.txt: Added. 12 * http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html: Added. 13 * http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation-expected.txt: Added. 14 * http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html: Added. 15 * platform/win/Skipped: 16 1 17 2008-01-10 Adam Roben <aroben@apple.com> 2 18 -
trunk/LayoutTests/platform/win/Skipped
r29374 r29380 203 203 http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html 204 204 http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html 205 http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html 206 http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html 205 207 206 208 # DRT is not fully implemented in boomer <rdar://problem/5128261> -
trunk/WebCore/ChangeLog
r29379 r29380 1 2008-01-10 Adam Barth <hk9565@gmail.com> 2 3 Reviewed by Sam Weinig and Anders Carlsson. 4 5 Fixes: http://bugs.webkit.org/show_bug.cgi?id=16522 6 <rdar://problem/5657355> 7 8 This patch makes two changes: 9 10 1) Java calls FrameLoader::load in a slightly different way than 11 JavaScript, which previously let a malicious web site bypass the 12 shouldAllowNavigation check. This patch adds that check to that 13 code path. 14 15 2) FrameLoader now wraps calls to m_frame->tree()->find(name) with 16 findFrameForNavigation, which calls shouldAllowNavigation. This 17 treats disallowed frame navigations as if the named frame did not 18 exist, resulting in a popup window when appropriate. 19 20 Tests: http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html 21 http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html 22 23 * WebCore.base.exp: 24 * bindings/js/kjs_window.cpp: 25 (KJS::WindowProtoFuncOpen::callAsFunction): 26 * loader/FrameLoader.cpp: 27 (WebCore::FrameLoader::createWindow): 28 (WebCore::FrameLoader::load): 29 (WebCore::FrameLoader::post): 30 (WebCore::FrameLoader::findFrameForNavigation): 31 * loader/FrameLoader.h: 32 1 33 2008-01-10 John Sullivan <sullivan@apple.com> 2 34 -
trunk/WebCore/WebCore.base.exp
r29257 r29380 1 2 1 .objc_class_name_DOMAbstractView 3 2 .objc_class_name_DOMAttr … … 153 152 __ZN7WebCore11FrameLoader20continueLoadWithDataEPNS_12SharedBufferERKNS_6StringES5_RKNS_4KURLE 154 153 __ZN7WebCore11FrameLoader21setCurrentHistoryItemEN3WTF10PassRefPtrINS_11HistoryItemEEE 154 __ZN7WebCore11FrameLoader22findFrameForNavigationERKNS_12AtomicStringE 155 155 __ZN7WebCore11FrameLoader22setPreviousHistoryItemEN3WTF10PassRefPtrINS_11HistoryItemEEE 156 156 __ZN7WebCore11FrameLoader23reloadAllowingStaleDataERKNS_6StringE … … 733 733 _wkDrawCapsLockIndicator 734 734 _wkDrawFocusRing 735 _wkDrawMediaFullscreenButton 736 _wkDrawMediaMuteButton 737 _wkDrawMediaPauseButton 738 _wkDrawMediaPlayButton 739 _wkDrawMediaSeekBackButton 740 _wkDrawMediaSeekForwardButton 741 _wkDrawMediaSliderThumb 742 _wkDrawMediaUnMuteButton 735 743 _wkDrawTextFieldCellFocusRing 736 744 _wkFontSmoothingModeIsLCD … … 747 755 _wkGetMIMETypeForExtension 748 756 _wkGetMediaControlBackgroundImageData 749 _wkDrawMediaFullscreenButton750 _wkDrawMediaMuteButton751 _wkDrawMediaPauseButton752 _wkDrawMediaPlayButton753 _wkDrawMediaSeekBackButton754 _wkDrawMediaSeekForwardButton755 _wkDrawMediaSliderThumb756 _wkDrawMediaUnMuteButton757 757 _wkGetNSFontATSUFontId 758 758 _wkGetNSURLResponseCalculatedExpiration -
trunk/WebCore/bindings/js/kjs_window.cpp
r29365 r29380 330 330 FrameLoadRequest frameRequest(request, frameName); 331 331 332 FrameLoader* loader; 333 if (activeFrame) 334 // We need to use the active frame's loader to let FrameLoader know 335 // which principal is requesting the navigation. Unfortunately, there 336 // might not be an activeFrame, in which case we resort to using the 337 // opener's loader. 338 // 339 // See http://bugs.webkit.org/show_bug.cgi?id=16522 340 loader = activeFrame->loader(); 341 else 342 loader = openerFrame->loader(); 343 332 344 // FIXME: It's much better for client API if a new window starts with a URL, here where we 333 345 // know what URL we are going to open. Unfortunately, this code passes the empty string … … 338 350 339 351 bool created; 340 Frame* newFrame = openerFrame->loader()->createWindow(frameRequest, windowFeatures, created);352 Frame* newFrame = loader->createWindow(frameRequest, windowFeatures, created); 341 353 if (!newFrame) 342 354 return 0; … … 1064 1076 if (Frame* parent = frame->tree()->parent()) 1065 1077 frame = parent; 1078 topOrParent = true; 1079 } 1080 if (topOrParent) { 1066 1081 if (!activeFrame->loader()->shouldAllowNavigation(frame)) 1067 1082 return jsUndefined(); 1068 topOrParent = true; 1069 } 1070 if (topOrParent) { 1083 1071 1084 String completedURL; 1072 1085 if (!urlString.isEmpty()) -
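Review bot: The new `FrameLoader* loader` selection at the top of the first hunk places a six-line comment between `if (activeFrame)` and its single statement, so the `else` that follows reads as if it belonged to the comment rather than the `if`; move the comment above the condition and brace both branches, e.g. `if (activeFrame) { loader = activeFrame->loader(); } else { loader = openerFrame->loader(); }`. The comment also only says that an active frame "might not" exist, yet the chosen loader is the one whose `createWindow` (per the FrameLoader.cpp hunk) presumably decides whether the targeted navigation is allowed, so it should state when `activeFrame` can be null and why treating the opener as the requesting frame is acceptable in that case instead of leaving the fallback unexplained. WindowProtoFuncOpen::callAsFunction begins before and continues past both hunks.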
trunk/WebCore/loader/FrameLoader.cpp
r29352 r29380 310 310 311 311 if (!request.frameName().isEmpty() && request.frameName() != "_blank") 312 if (Frame* frame = m_frame->tree()->find(request.frameName())) { 313 if (!shouldAllowNavigation(frame)) 314 return 0; 312 if (Frame* frame = findFrameForNavigation(request.frameName())) { 315 313 if (!request.resourceRequest().url().isEmpty()) 316 314 frame->loader()->load(request, false, true, 0, 0, HashMap<String, String>()); … … 1949 1947 referrer = String(); 1950 1948 1951 Frame* targetFrame = m_frame->tree()->find(request.frameName()); 1952 if (!shouldAllowNavigation(targetFrame)) 1953 return; 1949 Frame* targetFrame = findFrameForNavigation(request.frameName()); 1954 1950 1955 1951 if (request.resourceRequest().httpMethod() != "POST") { … … 1994 1990 1995 1991 if (!frameName.isEmpty()) { 1996 if (Frame* targetFrame = m_frame->tree()->find(frameName))1992 if (Frame* targetFrame = findFrameForNavigation(frameName)) 1997 1993 targetFrame->loader()->load(newURL, referrer, newLoadType, String(), event, formState); 1998 1994 else … … 2066 2062 } 2067 2063 2068 Frame* frame = m_frame->tree()->find(frameName);2064 Frame* frame = findFrameForNavigation(frameName); 2069 2065 if (frame) { 2070 2066 frame->loader()->load(request); … … 3245 3241 3246 3242 if (!frameName.isEmpty()) { 3247 if (Frame* targetFrame = m_frame->tree()->find(frameName))3243 if (Frame* targetFrame = findFrameForNavigation(frameName)) 3248 3244 targetFrame->loader()->load(request, action, FrameLoadTypeStandard, formState.release()); 3249 3245 else … … 3870 3866 bfItem->setIsTargetItem(true); 3871 3867 return bfItem; 3868 } 3869 3870 Frame* FrameLoader::findFrameForNavigation(const AtomicString& name) 3871 { 3872 Frame* frame = m_frame->tree()->find(name); 3873 if (shouldAllowNavigation(frame)) 3874 return frame; 3875 return 0; 3872 3876 } 3873 3877 -
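Review bot: `findFrameForNavigation` at the end of the last hunk documents neither of the two facts its callers depend on: `FrameTree::find` yields 0 for an unknown name, so the helper relies on `shouldAllowNavigation(0)` being true (the old `load` code at line 1951 already passed a possibly-null frame to it and continued), and a disallowed target is deliberately reported as 0 so that `createWindow` and the `load` overloads fall through to their new-window path rather than failing. Suggest a comment above the definition: `// Returns the frame named |name| only if this frame may navigate it (shouldAllowNavigation). A disallowed target is reported as absent (0) so callers treat it like an unknown name and open a new window instead; shouldAllowNavigation(0) must stay true for empty or unknown names to keep working.` Note too that the `load(const FrameLoadRequest&, ...)` hunk at 1949 now performs the lookup without acting on a denial, and if, as it appears, that path continues into the `load(const KURL&, ..., frameName, ...)` hunk at 1992, the check runs a second time there; harmless as far as the hunks show, but a one-line comment on why `targetFrame` is still computed at 1949 would help.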
trunk/WebCore/loader/FrameLoader.h
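--- a/trunk/WebCore/loader/FrameLoader.h
+++ b/trunk/WebCore/loader/FrameLoader.h
@@ -436,4 +436,5 @@
 
 bool shouldAllowNavigation(Frame* targetFrame) const;
+Frame* findFrameForNavigation(const AtomicString& name);
 
 private: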
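Review bot: The new `findFrameForNavigation` declaration carries no comment, yet it is now the only frame lookup that performs the `shouldAllowNavigation` check, so a future caller that reaches for `m_frame->tree()->find(name)` directly (the very pattern this commit removes in FrameLoader.cpp) would silently skip it. Suggest documenting that contract on the declaration: `// Looks up a navigation target by name and returns it only if shouldAllowNavigation permits; any code that resolves a frame name in order to load into that frame must use this rather than FrameTree::find.` The surrounding class declaration starts and ends outside the hunk.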
trunk/WebKit/mac/ChangeLog
r29268 r29380 1 2008-01-10 Sam Weinig <sam@webkit.org> 2 3 Reviewed by Anders Carlsson. 4 5 Fixes: http://bugs.webkit.org/show_bug.cgi?id=16522 6 <rdar://problem/5657355> 7 8 * Plugins/WebBaseNetscapePluginView.mm: 9 (-[WebBaseNetscapePluginView loadPluginRequest:]): call findFrameForNavigation 10 to ensure the shouldAllowNavigation check is made. 11 1 12 2008-01-07 Nikolas Zimmermann <zimmermann@kde.org> 2 13 -
trunk/WebKit/mac/Plugins/WebBaseNetscapePluginView.mm
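--- a/trunk/WebKit/mac/Plugins/WebBaseNetscapePluginView.mm
+++ b/trunk/WebKit/mac/Plugins/WebBaseNetscapePluginView.mm
@@ -2131,6 +2131,5 @@
 // FIXME - need to get rid of this window creation which
 // bypasses normal targeted link handling
-frame = [[self webFrame] findFrameNamed:frameName];
-
+frame = kit([[self webFrame] _frameLoader]->findFrameForNavigation(frameName));
 if (frame == nil) {
 WebView *currentWebView = [self webView];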
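Review bot: The new line replaces an Objective-C send that was nil-safe with a C++ call through the raw pointer returned by `[[self webFrame] _frameLoader]`; if `[self webFrame]` can be nil at this point, the send returns NULL and `->findFrameForNavigation(frameName)` dereferences it, whereas `[nil findFrameNamed:frameName]` simply produced nil and took the `frame == nil` branch below. If a nil web frame is reachable here (the hunk does not show), guard it: `FrameLoader* loader = [[self webFrame] _frameLoader];` followed by `frame = loader ? kit(loader->findFrameForNavigation(frameName)) : nil;`. The FIXME above the change still describes this path as bypassing targeted link handling; it could now add that the navigation check is made here so the next reader does not assume the check is still missing. `loadPluginRequest:` begins and ends outside the hunk.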
trunk/WebKitTools/ChangeLog
r29376 r29380 1 2008-01-10 Sam Weinig <sam@webkit.org> 2 3 Reviewed by Anders Carlsson. 4 5 Make DRT track open windows instead of allocated windows so that 6 we can avoid ASSERTION due to late deallocs out of our control. 7 8 * DumpRenderTree/mac/DumpRenderTree.mm: 9 (dumpBackForwardListForAllWindows): 10 (runTest): 11 * DumpRenderTree/mac/DumpRenderTreeMac.h: 12 * DumpRenderTree/mac/DumpRenderTreeWindow.h: 13 * DumpRenderTree/mac/DumpRenderTreeWindow.mm: 14 (+[DumpRenderTreeWindow openWindows]): 15 (-[DumpRenderTreeWindow initWithContentRect:styleMask:backing:defer:]): 16 (-[DumpRenderTreeWindow close]): 17 * DumpRenderTree/mac/LayoutTestControllerMac.mm: 18 (LayoutTestController::windowCount): 19 1 20 2008-01-10 Ada Chan <adachan@apple.com> 2 21 -
trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTree.mm
r29365 r29380 707 707 static void dumpBackForwardListForAllWindows() 708 708 { 709 CFArrayRef allWindows = (CFArrayRef)[DumpRenderTreeWindow allWindows];710 unsigned count = CFArrayGetCount( allWindows);709 CFArrayRef openWindows = (CFArrayRef)[DumpRenderTreeWindow openWindows]; 710 unsigned count = CFArrayGetCount(openWindows); 711 711 for (unsigned i = 0; i < count; i++) { 712 NSWindow *window = (NSWindow *)CFArrayGetValueAtIndex( allWindows, i);712 NSWindow *window = (NSWindow *)CFArrayGetValueAtIndex(openWindows, i); 713 713 WebView *webView = [[[window contentView] subviews] objectAtIndex:0]; 714 714 dumpBackForwardListForWebView(webView); … … 867 867 868 868 if (layoutTestController->closeRemainingWindowsWhenComplete()) { 869 NSArray* array = [DumpRenderTreeWindow allWindows];870 869 NSArray* array = [DumpRenderTreeWindow openWindows]; 870 871 871 unsigned count = [array count]; 872 872 for (unsigned i = 0; i < count; i++) { … … 889 889 [pool release]; 890 890 891 // We should only have our main window left when we're done892 ASSERT(CFArrayGetCount( allWindowsRef) == 1);893 ASSERT(CFArrayGetValueAtIndex( allWindowsRef, 0) == [[mainFrame webView] window]);891 // We should only have our main window left open when we're done 892 ASSERT(CFArrayGetCount(openWindowsRef) == 1); 893 ASSERT(CFArrayGetValueAtIndex(openWindowsRef, 0) == [[mainFrame webView] window]); 894 894 895 895 delete layoutTestController; -
trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeMac.h
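--- a/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeMac.h
+++ b/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeMac.h
@@ -39,5 +39,5 @@
 @class WebView;
 
-extern CFMutableArrayRef allWindowsRef;
+extern CFMutableArrayRef openWindowsRef;
 extern CFMutableSetRef disallowedURLs;
 extern WebFrame* mainFrame;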
trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.h
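--- a/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.h
+++ b/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.h
@@ -33,4 +33,4 @@
 @interface DumpRenderTreeWindow : NSWindow
 // I'm not sure why we can't just use [NSApp windows]
-+ (NSArray *) allWindows;
++ (NSArray *)openWindows;
 @end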
trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.mm
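--- a/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.mm
+++ b/trunk/WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.mm
@@ -36,5 +36,5 @@
 #import "LayoutTestController.h"
 
-CFMutableArrayRef allWindowsRef = 0;
+CFMutableArrayRef openWindowsRef = 0;
 
 static CFArrayCallBacks NonRetainingArrayCallbacks = {
@@ -48,27 +48,26 @@
 @implementation DumpRenderTreeWindow
 
-+ (NSArray *) allWindows
++ (NSArray *)openWindows
 {
-return [[(NSArray *) allWindowsRef copy] autorelease];
+return [[(NSArray *)openWindowsRef copy] autorelease];
 }
 
 - (id)initWithContentRect:(NSRect)contentRect styleMask:(unsigned int)styleMask backing:(NSBackingStoreType)bufferingType defer:(BOOL)deferCreation
 {
-if (! allWindowsRef)
-allWindowsRef = CFArrayCreateMutable(NULL, 0, &NonRetainingArrayCallbacks);
+if (!openWindowsRef)
+openWindowsRef = CFArrayCreateMutable(NULL, 0, &NonRetainingArrayCallbacks);
 
-CFArrayAppendValue( allWindowsRef, self);
+CFArrayAppendValue(openWindowsRef, self);
 
 return [super initWithContentRect:contentRect styleMask:styleMask backing:bufferingType defer:deferCreation];
 }
 
-- (void) dealloc
+- (void)close
 {
-CFRange arrayRange = CFRangeMake(0, CFArrayGetCount( allWindowsRef));
-CFIndex i = CFArrayGetFirstIndexOfValue( allWindowsRef, arrayRange, self);
+CFRange arrayRange = CFRangeMake(0, CFArrayGetCount(openWindowsRef));
+CFIndex i = CFArrayGetFirstIndexOfValue(openWindowsRef, arrayRange, self);
 assert(i != -1);
-
-CFArrayRemoveValueAtIndex(allWindowsRef, i);
-[super dealloc];
+CFArrayRemoveValueAtIndex(openWindowsRef, i);
+[super close];
 }
 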
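Review bot: Moving the removal of `self` from `openWindowsRef` out of `-dealloc` and into `-close` means a `DumpRenderTreeWindow` that is released without ever being closed now leaves a dangling pointer in the array, because `NonRetainingArrayCallbacks` (declared just above the hunk, body outside it) does not retain its elements, and `dumpBackForwardListForAllWindows` and `LayoutTestController::windowCount` read that array afterwards. Keep a `-dealloc` override that drops the entry only if it is still present, without the assert, so the "track open windows" semantics the ChangeLog describes hold while a stray dealloc cannot leave a stale pointer behind. The `assert(i != -1)` kept at line 69 will also fire if `-close` is ever invoked twice for the same window, a case the old dealloc-based code could not hit; if that is reachable, make the removal in `-close` conditional as well.
```objc
- (void)close
{
    // … unchanged: remove self from openWindowsRef, then [super close] …
}

- (void)dealloc
{
    // A window may be released without ever having been closed; since
    // openWindowsRef does not retain its elements, drop any remaining
    // entry so the array never holds a dangling pointer.
    if (openWindowsRef) {
        CFRange arrayRange = CFRangeMake(0, CFArrayGetCount(openWindowsRef));
        CFIndex i = CFArrayGetFirstIndexOfValue(openWindowsRef, arrayRange, self);
        if (i != -1)
            CFArrayRemoveValueAtIndex(openWindowsRef, i);
    }
    [super dealloc];
}
```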
trunk/WebKitTools/DumpRenderTree/mac/LayoutTestControllerMac.mm
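--- a/trunk/WebKitTools/DumpRenderTree/mac/LayoutTestControllerMac.mm
+++ b/trunk/WebKitTools/DumpRenderTree/mac/LayoutTestControllerMac.mm
@@ -241,5 +241,5 @@
 int LayoutTestController::windowCount()
 {
-return CFArrayGetCount( allWindowsRef);
+return CFArrayGetCount(openWindowsRef);
 }
 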