Changeset 55674 in webkit

Timestamp:

Mar 8, 2010 11:40:49 AM (14 years ago)

Author:

eric@webkit.org

Message:

2010-03-08 Adam Barth <​abarth@webkit.org>

Reviewed by Nate Chapin.

[V8] Block popups from inline script
​https://bugs.webkit.org/show_bug.cgi?id=35474

Test that we block popups generated from <script>window.open(...)</script>.

• http/tests/security/popup-blocked-from-window-open-expected.txt: Added.
• http/tests/security/popup-blocked-from-window-open.html: Added.

2010-03-08 Adam Barth <​abarth@webkit.org>

Reviewed by Nate Chapin.

[V8] Block popups from inline script
​https://bugs.webkit.org/show_bug.cgi?id=35474

Apparently, we're supposed to look at the sourceURL to figure out
whether we're running a script tag or a hyperlink. This logic is
copied from the JSC version.

Test: http/tests/security/popup-blocked-from-window-open.html

• bindings/v8/ScriptController.cpp: (WebCore::ScriptController::processingUserGesture): (WebCore::ScriptController::evaluate):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/popup-blocked-from-window-open-expected.txt (added)
• LayoutTests/http/tests/security/popup-blocked-from-window-open.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/v8/ScriptController.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-03-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Nate Chapin.
+
+        [V8] Block popups from inline script
+        https://bugs.webkit.org/show_bug.cgi?id=35474
+
+        Test that we block popups generated from <script>window.open(...)</script>.
+
+        * http/tests/security/popup-blocked-from-window-open-expected.txt: Added.
+        * http/tests/security/popup-blocked-from-window-open.html: Added.
+
 2010-03-08  Brady Eidson  <beidson@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-03-08  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Nate Chapin.
+
+        [V8] Block popups from inline script
+        https://bugs.webkit.org/show_bug.cgi?id=35474
+
+        Apparently, we're supposed to look at the sourceURL to figure out
+        whether we're running a script tag or a hyperlink.  This logic is
+        copied from the JSC version.
+
+        Test: http/tests/security/popup-blocked-from-window-open.html
+
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::processingUserGesture):
+        (WebCore::ScriptController::evaluate):
+
 2010-03-08  Stuart Morgan  <stuartmorgan@chromium.org>
 

trunk/WebCore/bindings/v8/ScriptController.cpp

@@ -191 +191 @@
         if (eventOk)
             return true;
-    } else if (activeProxy->inlineCode() && !activeProxy->timerCallback()) {
+    } else if (m_sourceURL && m_sourceURL->isNull() && !activeProxy->timerCallback()) {
         // This is the <a href="javascript:window.open('...')> case -> we let it through.
         return true;
@@ -220 +220 @@
 {
     String sourceURL = sourceCode.url();
-    
+    const String* savedSourceURL = m_sourceURL;
+    m_sourceURL = &sourceURL;
+
     if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
@@ -238 +240 @@
 
     // Evaluating the JavaScript could cause the frame to be deallocated
-    // so we starot the keep alive timer here.
+    // so we start the keep alive timer here.
     m_frame->keepAlive();
+
+    m_sourceURL = savedSourceURL;
 
     if (object.IsEmpty() || object->IsUndefined())