Changeset 50587 in webkit

Timestamp:

Nov 5, 2009 10:05:31 PM (14 years ago)

Author:

abarth@webkit.org

Message:

2009-11-05 Adam Barth <​abarth@webkit.org>

Reviewed by Sam Weinig.

Cross-domain access to stylesheet text should not be allowed
​https://bugs.webkit.org/show_bug.cgi?id=20527

Test that a script cannot read cross-origin cssRules.

• http/tests/security/cannot-read-cssrules-expected.txt: Added.
• http/tests/security/cannot-read-cssrules-redirect-expected.txt: Added.
• http/tests/security/cannot-read-cssrules-redirect.html: Added.
• http/tests/security/cannot-read-cssrules.html: Added.

2009-11-05 Adam Barth <​abarth@webkit.org>

Reviewed by Sam Weinig.

Cross-domain access to stylesheet text should not be allowed
​https://bugs.webkit.org/show_bug.cgi?id=20527

Check whether whether the current document can read the cssRules from
the style sheet. Firefox throws a security error here, but we return
null instead because that's what we usually do in these cases.

Test: http/tests/security/cannot-read-cssrules-redirect.html

http/tests/security/cannot-read-cssrules.html

• css/CSSStyleSheet.cpp: (WebCore::CSSStyleSheet::cssRules):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cannot-read-cssrules-expected.txt (added)
• LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt (added)
• LayoutTests/http/tests/security/cannot-read-cssrules-redirect.html (added)
• LayoutTests/http/tests/security/cannot-read-cssrules.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSStyleSheet.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-11-05  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Sam Weinig.
+
+        Cross-domain access to stylesheet text should not be allowed
+        https://bugs.webkit.org/show_bug.cgi?id=20527
+
+        Test that a script cannot read cross-origin cssRules.
+
+        * http/tests/security/cannot-read-cssrules-expected.txt: Added.
+        * http/tests/security/cannot-read-cssrules-redirect-expected.txt: Added.
+        * http/tests/security/cannot-read-cssrules-redirect.html: Added.
+        * http/tests/security/cannot-read-cssrules.html: Added.
+
 2009-11-05  Alice Liu  <alice.liu@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-11-05  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Sam Weinig.
+
+        Cross-domain access to stylesheet text should not be allowed
+        https://bugs.webkit.org/show_bug.cgi?id=20527
+
+        Check whether whether the current document can read the cssRules from
+        the style sheet.  Firefox throws a security error here, but we return
+        null instead because that's what we usually do in these cases.
+
+        Test: http/tests/security/cannot-read-cssrules-redirect.html
+              http/tests/security/cannot-read-cssrules.html
+
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::cssRules):
+
 2009-11-05  Steve Block  <steveblock@google.com>
 

trunk/WebCore/css/CSSStyleSheet.cpp

@@ -29 +29 @@
 #include "ExceptionCode.h"
 #include "Node.h"
+#include "SecurityOrigin.h"
 #include "TextEncoding.h"
 #include <wtf/Deque.h>
@@ -119 +120 @@
 PassRefPtr<CSSRuleList> CSSStyleSheet::cssRules(bool omitCharsetRules)
 {
+    if (doc() && !doc()->securityOrigin()->canRequest(baseURL()))
+        return 0;
     return CSSRuleList::create(this, omitCharsetRules);
 }