Changeset 29678 in webkit

Timestamp:

Jan 20, 2008 3:18:32 PM (16 years ago)

Author:

weinig@apple.com

Message:

WebCore:

Reviewed by Sam Weinig.

Fix for ​http://bugs.webkit.org/show_bug.cgi?id=16775

We now use frame()->loader()->url() for postMessage, preventing a
malicious sender from overwriting the uri property (using a <base> tag,
for example). Also, use frame->loader()->url().host() instead of
instead of document()->SecurityOrigin()->domain() to reflect a recent
clarification in the HTML5 spec.

Tests: http/tests/security/postMessage/domain-affected-by-document-domain.html

http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html
http/tests/security/postMessage/javascript-page-still-sends-domain.html

• bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::postMessage):

LayoutTests:

Reviewed by Sam Weinig.

Tests for ​http://bugs.webkit.org/show_bug.cgi?id=16775

• http/tests/security/postMessage: Added.
• http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag-expected.txt: Added.
• http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html: Added.
• http/tests/security/postMessage/domain-unaffected-by-document-domain-expected.txt: Added.
• http/tests/security/postMessage/domain-unaffected-by-document-domain.html: Added.
• http/tests/security/postMessage/javascript-page-still-sends-domain-expected.txt: Added.
• http/tests/security/postMessage/javascript-page-still-sends-domain.html: Added.
• http/tests/security/postMessage/resources: Added.
• http/tests/security/postMessage/resources/javascript-post-message-sender.html: Added.
• http/tests/security/postMessage/resources/post-message-listener.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/postMessage (added)
• LayoutTests/http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag-expected.txt (added)
• LayoutTests/http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html (added)
• LayoutTests/http/tests/security/postMessage/domain-unaffected-by-document-domain-expected.txt (added)
• LayoutTests/http/tests/security/postMessage/domain-unaffected-by-document-domain.html (added)
• LayoutTests/http/tests/security/postMessage/javascript-page-still-sends-domain-expected.txt (added)
• LayoutTests/http/tests/security/postMessage/javascript-page-still-sends-domain.html (added)
• LayoutTests/http/tests/security/postMessage/resources (added)
• LayoutTests/http/tests/security/postMessage/resources/javascript-post-message-sender.html (added)
• LayoutTests/http/tests/security/postMessage/resources/post-message-listener.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-01-20  Collin Jackson  <webkit@collinjackson.com>
+
+        Reviewed by Sam Weinig.
+
+        Tests for http://bugs.webkit.org/show_bug.cgi?id=16775
+
+        * http/tests/security/postMessage: Added.
+        * http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag-expected.txt: Added.
+        * http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html: Added.
+        * http/tests/security/postMessage/domain-unaffected-by-document-domain-expected.txt: Added.
+        * http/tests/security/postMessage/domain-unaffected-by-document-domain.html: Added.
+        * http/tests/security/postMessage/javascript-page-still-sends-domain-expected.txt: Added.
+        * http/tests/security/postMessage/javascript-page-still-sends-domain.html: Added.
+        * http/tests/security/postMessage/resources: Added.
+        * http/tests/security/postMessage/resources/javascript-post-message-sender.html: Added.
+        * http/tests/security/postMessage/resources/post-message-listener.html: Added.
+
 2008-01-20  Antti Koivisto  <antti@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-01-20  Collin Jackson  <webkit@collinjackson.com>
+
+        Reviewed by Sam Weinig.
+
+        Fix for http://bugs.webkit.org/show_bug.cgi?id=16775
+
+        We now use frame()->loader()->url() for postMessage, preventing a
+        malicious sender from overwriting the uri property (using a <base> tag,
+        for example). Also, use frame->loader()->url().host() instead of 
+        instead of document()->SecurityOrigin()->domain() to reflect a recent
+        clarification in the HTML5 spec. 
+
+        Tests: http/tests/security/postMessage/domain-affected-by-document-domain.html
+               http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html
+               http/tests/security/postMessage/javascript-page-still-sends-domain.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::postMessage):
+
 2008-01-20  Antti Koivisto  <antti@apple.com>
 

trunk/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -24 +24 @@
 #include "DOMWindow.h"
 #include "ExceptionCode.h"
+#include "Frame.h"
+#include "FrameLoader.h"
 #include "kjs_window.h"
 #include "kjs/object.h"
@@ -119 +121 @@
     
     DOMWindow* source = static_cast<JSDOMWindow*>(exec->dynamicGlobalObject())->impl();
-    String domain = source->document()->securityOrigin()->host();
-    String uri = source->document()->documentURI();
+    String domain = source->frame()->loader()->url().host();
+    String uri = source->frame()->loader()->url().string();
     String message = args[0]->toString(exec);