Changeset 70335 in webkit


Timestamp:
Oct 22, 2010 2:05:16 PM (13 years ago)
Author:
inferno@chromium.org
Message:

2010-10-22 Abhishek Arya <inferno@chromium.org>

Reviewed by Dave Hyatt.

Add code in getMatchedCSSRules to block cross origin access to stylesheet data. Prevent access
in Javascript to non author stylesheets.
https://bugs.webkit.org/show_bug.cgi?id=46853

Tests: http/tests/security/cross-origin-getMatchedCSSRules.html

http/tests/security/cross-origin-getMatchedCSSRules2.html

  • css/CSSRule.h:
  • css/CSSStyleSelector.cpp: (WebCore::CSSStyleSelector::matchRulesForList): (WebCore::CSSStyleSelector::SelectorChecker::SelectorChecker): (WebCore::CSSStyleSelector::styleRulesForElement): (WebCore::CSSStyleSelector::pseudoStyleRulesForElement):
  • css/CSSStyleSelector.h:
  • page/DOMWindow.cpp: (WebCore::DOMWindow::getMatchedCSSRules):
  • page/DOMWindow.idl:

2010-10-22 Abhishek Arya <inferno@chromium.org>

Reviewed by Dave Hyatt.

Tests that cross origin bypass does not work with getMatchedCSSRules. Rebaseline existing tests
that try to access non-author stylesheets. This functionality is no longer supported. So, css rules
should return null for those cases.
https://bugs.webkit.org/show_bug.cgi?id=46853

  • fast/backgrounds/repeat/background-repeat-shorthand-expected.txt:
  • fast/backgrounds/repeat/margin-shorthand-expected.txt:
  • fast/backgrounds/repeat/resources/background-repeat-shorthand.js:
  • fast/backgrounds/repeat/resources/margin-shorthand.js:
  • fast/css/disabled-author-styles.html:
  • fast/css/modify-ua-rules-from-javascript-expected.txt:
  • fast/css/modify-ua-rules-from-javascript.html:
  • fast/css/word-break-user-modify-allowed-values.html:
  • http/tests/security/cross-frame-access-call-expected.txt:
  • http/tests/security/cross-frame-access-call.html:
  • http/tests/security/cross-origin-getMatchedCSSRules-expected.txt: Added.
  • http/tests/security/cross-origin-getMatchedCSSRules.html: Added.
  • http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt: Added.
  • http/tests/security/cross-origin-getMatchedCSSRules2.html: Added.
  • http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html: Added.
  • platform/chromium/http/tests/security/cross-frame-access-call-expected.txt:
  • platform/qt/http/tests/security/cross-frame-access-call-expected.txt:
Location:
trunk
Files:
5 added
19 edited

  • trunk/LayoutTests/ChangeLog

    r70334 r70335  
     12010-10-22  Abhishek Arya  <inferno@chromium.org>
     2
     3        Reviewed by Dave Hyatt.
     4
     5        Tests that cross origin bypass does not work with getMatchedCSSRules. Rebaseline existing tests
     6        that try to access non-author stylesheets. This functionality is no longer supported. So, css rules
     7        should return null for those cases.
     8        https://bugs.webkit.org/show_bug.cgi?id=46853
     9
     10        * fast/backgrounds/repeat/background-repeat-shorthand-expected.txt:
     11        * fast/backgrounds/repeat/margin-shorthand-expected.txt:
     12        * fast/backgrounds/repeat/resources/background-repeat-shorthand.js:
     13        * fast/backgrounds/repeat/resources/margin-shorthand.js:
     14        * fast/css/disabled-author-styles.html:
     15        * fast/css/modify-ua-rules-from-javascript-expected.txt:
     16        * fast/css/modify-ua-rules-from-javascript.html:
     17        * fast/css/word-break-user-modify-allowed-values.html:
     18        * http/tests/security/cross-frame-access-call-expected.txt:
     19        * http/tests/security/cross-frame-access-call.html:
     20        * http/tests/security/cross-origin-getMatchedCSSRules-expected.txt: Added.
     21        * http/tests/security/cross-origin-getMatchedCSSRules.html: Added.
     22        * http/tests/security/cross-origin-getMatchedCSSRules2-expected.txt: Added.
     23        * http/tests/security/cross-origin-getMatchedCSSRules2.html: Added.
     24        * http/tests/security/resources/cross-origin-getMatchedCSSRules-frame.html: Added.
     25        * platform/chromium/http/tests/security/cross-frame-access-call-expected.txt:
     26        * platform/qt/http/tests/security/cross-frame-access-call-expected.txt:
     27
    1282010-10-22  Andy Estes  <aestes@apple.com>
    229
  • trunk/LayoutTests/fast/backgrounds/repeat/background-repeat-shorthand-expected.txt

    r49616 r70335  
    1 Tests that correct shorthand name is returned for background-repeat-x, background-repeat-y, background-position-x, background-position-y, -webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, -webkit-mask-position-y when corresponding shorthand is used in the style declaration. It tests regression described in this bug.
     1This layout test used to test that correct shorthand name is returned for background-repeat-x, background-repeat-y, background-position-x, background-position-y, -webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, -webkit-mask-position-y when corresponding shorthand is used in the style declaration. It tests regression described in this bug. Now that access to non author stylesheet is blocked, we should instead get null when accessing the css rules on that object.
    22
    33On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
    44
    55
    6 PASS getShorthand("background-repeat-x", "icon1") is "background-repeat"
    7 PASS getShorthand("background-repeat-y", "icon1") is "background-repeat"
    8 PASS getShorthand("background-repeat", "icon1") is null
    9 PASS getShorthand("background-position-x", "icon1") is "background-position"
    10 PASS getShorthand("background-position-y", "icon1") is "background-position"
    11 PASS getShorthand("background-position", "icon1") is null
    12 PASS getShorthand("-webkit-mask-repeat-x", "icon1") is "-webkit-mask-repeat"
    13 PASS getShorthand("-webkit-mask-repeat-y", "icon1") is "-webkit-mask-repeat"
    14 PASS getShorthand("-webkit-mask-repeat", "icon1") is null
    15 PASS getShorthand("-webkit-mask-position-x", "icon1") is "-webkit-mask-position"
    16 PASS getShorthand("-webkit-mask-position-y", "icon1") is "-webkit-mask-position"
    17 PASS getShorthand("-webkit-mask-repeat", "icon1") is null
    18 Test that shorthand names are null for #icon2 since its styles are declared with longhand properties:
    19 PASS getShorthand("background-repeat-x", "icon2") is null
    20 PASS getShorthand("background-repeat-y", "icon2") is null
    21 PASS getShorthand("background-repeat", "icon2") is null
    22 PASS getShorthand("background-position-x", "icon2") is null
    23 PASS getShorthand("background-position-y", "icon2") is null
    24 PASS getShorthand("background-position", "icon2") is null
    25 PASS getShorthand("-webkit-mask-repeat-x", "icon2") is null
    26 PASS getShorthand("-webkit-mask-repeat-y", "icon2") is null
    27 PASS getShorthand("-webkit-mask-repeat", "icon2") is null
    28 PASS getShorthand("-webkit-mask-position-x", "icon2") is null
    29 PASS getShorthand("-webkit-mask-position-y", "icon2") is null
    30 PASS getShorthand("-webkit-mask-repeat", "icon2") is null
     6PASS getShorthand("background-repeat-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     7PASS getShorthand("background-repeat-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     8PASS getShorthand("background-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     9PASS getShorthand("background-position-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     10PASS getShorthand("background-position-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     11PASS getShorthand("background-position", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     12PASS getShorthand("-webkit-mask-repeat-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     13PASS getShorthand("-webkit-mask-repeat-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     14PASS getShorthand("-webkit-mask-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     15PASS getShorthand("-webkit-mask-position-x", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     16PASS getShorthand("-webkit-mask-position-y", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     17PASS getShorthand("-webkit-mask-repeat", "icon1") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     18PASS getShorthand("background-repeat-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     19PASS getShorthand("background-repeat-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     20PASS getShorthand("background-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     21PASS getShorthand("background-position-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     22PASS getShorthand("background-position-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     23PASS getShorthand("background-position", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     24PASS getShorthand("-webkit-mask-repeat-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     25PASS getShorthand("-webkit-mask-repeat-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     26PASS getShorthand("-webkit-mask-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     27PASS getShorthand("-webkit-mask-position-x", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     28PASS getShorthand("-webkit-mask-position-y", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
     29PASS getShorthand("-webkit-mask-repeat", "icon2") threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
    3130PASS successfullyParsed is true
    3231
  • trunk/LayoutTests/fast/backgrounds/repeat/margin-shorthand-expected.txt

    r48436 r70335  
    1 Tests that shorthand property value is correct even if background-repeat property is declared before it in the style declaration. It tests regression described in this bug.
     1This layouttest was initially there to test that shorthand property value is correct even if background-repeat property is declared before it in the style declaration. It used to test regression described in this bug. Now that access to non author stylesheet is blocked, we should instead get null when accessing the css rules on that object.
    22
    33On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
    44
    55
    6 PASS iconMarginValue() is "0px"
     6PASS iconMarginValue() threw exception TypeError: Result of expression 'rules[1]' [undefined] is not an object..
    77PASS successfullyParsed is true
    88
  • trunk/LayoutTests/fast/backgrounds/repeat/resources/background-repeat-shorthand.js

    r49616 r70335  
    1 description('Tests that correct shorthand name is returned for background-repeat-x, ' +
     1description('This layout test used to test that correct shorthand name ' +
     2            'is returned for background-repeat-x, ' +
    23            'background-repeat-y, background-position-x, background-position-y, ' +
    34            '-webkit-mask-repeat-x,-webkit-mask-repeat-y, -webkit-mask-position-x, ' +
    45            '-webkit-mask-position-y when corresponding shorthand is used in the style ' +
    56            'declaration. It tests regression described in ' +
    6             '<a href="https://bugs.webkit.org/show_bug.cgi?id=28972">this bug</a>.');
     7            '<a href="https://bugs.webkit.org/show_bug.cgi?id=28972">this bug</a>.' +
     8            ' Now that access to non author stylesheet is blocked, we should instead' +
     9            ' get null when accessing the css rules on that object.');
    710
    811function getShorthand(longhand, iconId)
     
    1316}
    1417
    15 shouldBe('getShorthand("background-repeat-x", "icon1")', '"background-repeat"');
    16 shouldBe('getShorthand("background-repeat-y", "icon1")', '"background-repeat"');
    17 shouldBe('getShorthand("background-repeat", "icon1")', 'null');
     18shouldThrow('getShorthand("background-repeat-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     19shouldThrow('getShorthand("background-repeat-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     20shouldThrow('getShorthand("background-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    1821
    19 shouldBe('getShorthand("background-position-x", "icon1")', '"background-position"');
    20 shouldBe('getShorthand("background-position-y", "icon1")', '"background-position"');
    21 shouldBe('getShorthand("background-position", "icon1")', 'null');
     22shouldThrow('getShorthand("background-position-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     23shouldThrow('getShorthand("background-position-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     24shouldThrow('getShorthand("background-position", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    2225
    23 shouldBe('getShorthand("-webkit-mask-repeat-x", "icon1")', '"-webkit-mask-repeat"');
    24 shouldBe('getShorthand("-webkit-mask-repeat-y", "icon1")', '"-webkit-mask-repeat"');
    25 shouldBe('getShorthand("-webkit-mask-repeat", "icon1")', 'null');
     26shouldThrow('getShorthand("-webkit-mask-repeat-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     27shouldThrow('getShorthand("-webkit-mask-repeat-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     28shouldThrow('getShorthand("-webkit-mask-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    2629
    27 shouldBe('getShorthand("-webkit-mask-position-x", "icon1")', '"-webkit-mask-position"');
    28 shouldBe('getShorthand("-webkit-mask-position-y", "icon1")', '"-webkit-mask-position"');
    29 shouldBe('getShorthand("-webkit-mask-repeat", "icon1")', 'null');
     30shouldThrow('getShorthand("-webkit-mask-position-x", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     31shouldThrow('getShorthand("-webkit-mask-position-y", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     32shouldThrow('getShorthand("-webkit-mask-repeat", "icon1")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    3033
    3134
    32 debug('Test that shorthand names are null for #icon2 since its styles are declared ' +
    33       'with longhand properties:');
    34 shouldBe('getShorthand("background-repeat-x", "icon2")', 'null');
    35 shouldBe('getShorthand("background-repeat-y", "icon2")', 'null');
    36 shouldBe('getShorthand("background-repeat", "icon2")', 'null');
     35shouldThrow('getShorthand("background-repeat-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     36shouldThrow('getShorthand("background-repeat-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     37shouldThrow('getShorthand("background-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    3738
    38 shouldBe('getShorthand("background-position-x", "icon2")', 'null');
    39 shouldBe('getShorthand("background-position-y", "icon2")', 'null');
    40 shouldBe('getShorthand("background-position", "icon2")', 'null');
     39shouldThrow('getShorthand("background-position-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     40shouldThrow('getShorthand("background-position-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     41shouldThrow('getShorthand("background-position", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    4142
    42 shouldBe('getShorthand("-webkit-mask-repeat-x", "icon2")', 'null');
    43 shouldBe('getShorthand("-webkit-mask-repeat-y", "icon2")', 'null');
    44 shouldBe('getShorthand("-webkit-mask-repeat", "icon2")', 'null');
     43shouldThrow('getShorthand("-webkit-mask-repeat-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     44shouldThrow('getShorthand("-webkit-mask-repeat-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     45shouldThrow('getShorthand("-webkit-mask-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    4546
    46 shouldBe('getShorthand("-webkit-mask-position-x", "icon2")', 'null');
    47 shouldBe('getShorthand("-webkit-mask-position-y", "icon2")', 'null');
    48 shouldBe('getShorthand("-webkit-mask-repeat", "icon2")', 'null');
     47shouldThrow('getShorthand("-webkit-mask-position-x", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     48shouldThrow('getShorthand("-webkit-mask-position-y", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
     49shouldThrow('getShorthand("-webkit-mask-repeat", "icon2")', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    4950
    5051
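Review bot: Every assertion in this file now expects the same TypeError about rules[1] being undefined, so the test no longer exercises shorthand lookup at all, and 24 identical checks add nothing over one. The expected string is also the engine's exact error wording, which will break on any change to that message, and it disagrees with the new description: the description says the lookup should yield null, while the message reports rules[1] as undefined. Either rewrite getShorthand to reach the rule through an API that is still permitted, or reduce this to a single check and correct the description.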
  • trunk/LayoutTests/fast/backgrounds/repeat/resources/margin-shorthand.js

    r48436 r70335  
    1 description('Tests that shorthand property value is correct even if' +
     1description('This layouttest was initially there to test that' +
     2            ' shorthand property value is correct even if' +
    23            ' background-repeat property is declared before it in the ' +
    3             ' style declaration. It tests regression described in ' +
    4             '<a href="https://bugs.webkit.org/show_bug.cgi?id=28973">this bug</a>.');
     4            ' style declaration. It used to test regression described in ' +
     5            ' <a href="https://bugs.webkit.org/show_bug.cgi?id=28973">this bug</a>.' +
     6            ' Now that access to non author stylesheet is blocked, we should instead' +
     7            ' get null when accessing the css rules on that object.');
    58
    69function iconMarginValue()
     
    1114}
    1215
    13 shouldBe('iconMarginValue()', '"0px"');
     16shouldThrow('iconMarginValue()', '"TypeError: Result of expression \'rules[1]\' [undefined] is not an object."');
    1417
    1518var successfullyParsed = true;
  • trunk/LayoutTests/fast/css/disabled-author-styles.html

    r66684 r70335  
    1717        function checkMatchedRules()
    1818        {
    19             var matchedRules = getMatchedCSSRules(document.getElementById("test"), "", true);
     19            var matchedRules = getMatchedCSSRules(document.getElementById("test"), "");
    2020            if (matchedRules && matchedRules.length)
    2121                alert(matchedRules.length + " rule(s) were returned from getMatchedCSSRules, expected zero.");
  • trunk/LayoutTests/fast/css/modify-ua-rules-from-javascript-expected.txt

    r59351 r70335  
     1CONSOLE MESSAGE: line 11: TypeError: Result of expression 'window.getMatchedCSSRules(document.body, "", false)' [null] is not an object.
    12PASS
  • trunk/LayoutTests/fast/css/modify-ua-rules-from-javascript.html

    r59351 r70335  
    1414    styleToChange.marginTop = originalMarginTop;
    1515
    16     document.getElementById("result").innerHTML = "PASS";
     16    document.getElementById("result").innerHTML = "FAIL";
    1717}
    1818</script>
     
    2020<body onload="test()">
    2121<div id="result">
    22 Test didn't run
     22PASS
    2323</div>
    2424</body>
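Review bot: With the result div now starting as PASS and line 16 writing FAIL, this test passes whenever test() fails to reach line 16 for any reason, including the onload handler never running or an unrelated exception earlier in the function. Catch the expected TypeError explicitly (try/catch around the getMatchedCSSRules access, writing PASS in the catch and FAIL otherwise) and keep "Test didn't run" as the initial text so a test that never executed is still visible as such.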
  • trunk/LayoutTests/fast/css/word-break-user-modify-allowed-values.html

    r23847 r70335  
    55            layoutTestController.dumpAsText();
    66
    7         var rules = getMatchedCSSRules(document.body, "", true);
     7        var rules = getMatchedCSSRules(document.body, "");
    88        if (rules && rules.length) {
    99            log("FAIL: Expected 0 matched rules, but found " + rules.length + ":");
  • trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt

    r61599 r70335  
    6464PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
    6565PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
    66 PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
     66PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
    6767PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
    6868PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
  • trunk/LayoutTests/http/tests/security/cross-frame-access-call.html

    r61599 r70335  
    3434    shouldBe("window.prompt.call(targetWindow, 'message', 'defaultValue')", "undefined");
    3535    shouldBe("window.getComputedStyle.call(targetWindow, document.body, '')", "undefined");
    36     shouldBe("window.getMatchedCSSRules.call(targetWindow, document.body, '', false)", "undefined");
     36    shouldBe("window.getMatchedCSSRules.call(targetWindow, document.body, '')", "undefined");
    3737    shouldBe("window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0)", "undefined");
    3838    shouldBe("window.atob.call(targetWindow, 'string')", "undefined");
  • trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt

    r61599 r70335  
    6464PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
    6565PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
    66 PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
     66PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
    6767PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
    6868PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
  • trunk/LayoutTests/platform/qt/http/tests/security/cross-frame-access-call-expected.txt

    r61599 r70335  
    6464PASS: window.prompt.call(targetWindow, 'message', 'defaultValue') should be 'undefined' and is.
    6565PASS: window.getComputedStyle.call(targetWindow, document.body, '') should be 'undefined' and is.
    66 PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '', false) should be 'undefined' and is.
     66PASS: window.getMatchedCSSRules.call(targetWindow, document.body, '') should be 'undefined' and is.
    6767PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
    6868PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
  • trunk/WebCore/ChangeLog

    r70333 r70335  
     12010-10-22  Abhishek Arya  <inferno@chromium.org>
     2
     3        Reviewed by Dave Hyatt.
     4
     5        Add code in getMatchedCSSRules to block cross origin access to stylesheet data. Prevent access
     6        in Javascript to non author stylesheets.
     7        https://bugs.webkit.org/show_bug.cgi?id=46853
     8
     9        Tests: http/tests/security/cross-origin-getMatchedCSSRules.html
     10               http/tests/security/cross-origin-getMatchedCSSRules2.html
     11
     12        * css/CSSRule.h:
     13        * css/CSSStyleSelector.cpp:
     14        (WebCore::CSSStyleSelector::matchRulesForList):
     15        (WebCore::CSSStyleSelector::SelectorChecker::SelectorChecker):
     16        (WebCore::CSSStyleSelector::styleRulesForElement):
     17        (WebCore::CSSStyleSelector::pseudoStyleRulesForElement):
     18        * css/CSSStyleSelector.h:
     19        * page/DOMWindow.cpp:
     20        (WebCore::DOMWindow::getMatchedCSSRules):
     21        * page/DOMWindow.idl:
     22
    1232010-10-22  Sam Weinig  <sam@webkit.org>
    224
  • trunk/WebCore/css/CSSRule.h

    r39601 r70335  
    3030
    3131typedef int ExceptionCode;
     32
     33enum CSSRuleFilter {
     34    AllCSSRules,
     35    SameOriginCSSRulesOnly
     36};
    3237
    3338class CSSRule : public StyleBase {
  • trunk/WebCore/css/CSSStyleSelector.cpp

    r70250 r70335  
    703703    for (CSSRuleData* d = rules->first(); d; d = d->next()) {
    704704        CSSStyleRule* rule = d->rule();
     705        if (m_checker.m_sameOriginOnly && !m_checker.m_document->securityOrigin()->canRequest(rule->baseURL()))
     706            continue;
    705707        if (checkSelector(d->selector())) {
    706708            // If the rule has no properties to apply, then ignore it in the non-debug mode.
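Review bot: The origin check on added line 705 compares the document's security origin against rule->baseURL(), and nothing in the hunk says why the base URL is the right stand-in for where the rule's sheet was loaded from. Please add a comment stating that assumption, in particular what baseURL() is expected to be for inline sheets and for sheets pulled in by another sheet. The test also sits inside the per-rule loop ahead of checkSelector, so canRequest runs once per candidate rule; consider caching the answer per base URL.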
     
    885887    , m_strictParsing(strictParsing)
    886888    , m_collectRulesOnly(false)
     889    , m_sameOriginOnly(false)
    887890    , m_pseudoStyle(NOPSEUDO)
    888891    , m_documentIsHTML(document->isHTMLDocument())
     
    18671870}
    18681871
    1869 PassRefPtr<CSSRuleList> CSSStyleSelector::styleRulesForElement(Element* e, bool authorOnly, bool includeEmptyRules)
    1870 {
    1871     return pseudoStyleRulesForElement(e, NOPSEUDO, authorOnly, includeEmptyRules);
    1872 }
    1873 
    1874 PassRefPtr<CSSRuleList> CSSStyleSelector::pseudoStyleRulesForElement(Element* e, PseudoId pseudoId, bool authorOnly, bool includeEmptyRules)
     1872PassRefPtr<CSSRuleList> CSSStyleSelector::styleRulesForElement(Element* e, bool authorOnly, bool includeEmptyRules, CSSRuleFilter filter)
     1873{
     1874    return pseudoStyleRulesForElement(e, NOPSEUDO, authorOnly, includeEmptyRules, filter);
     1875}
     1876
     1877PassRefPtr<CSSRuleList> CSSStyleSelector::pseudoStyleRulesForElement(Element* e, PseudoId pseudoId, bool authorOnly, bool includeEmptyRules, CSSRuleFilter filter)
    18751878{
    18761879    if (!e || !e->document()->haveStylesheetsLoaded())
     
    18951898
    18961899    if (m_matchAuthorAndUserStyles) {
     1900        m_checker.m_sameOriginOnly = (filter == SameOriginCSSRulesOnly);
     1901
    18971902        // Check the rules in author sheets.
    18981903        int firstAuthorRule = -1, lastAuthorRule = -1;
    18991904        matchRules(m_authorStyle.get(), firstAuthorRule, lastAuthorRule, includeEmptyRules);
     1905
     1906        m_checker.m_sameOriginOnly = false;
    19001907    }
    19011908
    19021909    m_checker.m_collectRulesOnly = false;
    1903     
     1910   
    19041911    return m_ruleList.release();
    19051912}
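Review bot: m_checker.m_sameOriginOnly is set on line 1900 and cleared by hand on line 1906, so any early return or new code path added between the two leaves the member set and later style matching through matchRulesForList would silently skip cross-origin rules. Prefer a small scoped set-and-restore helper, or at least clear the flag next to m_collectRulesOnly = false outside the if so the reset is unconditional. The last changed line (1903 to 1910) only swaps one run of trailing whitespace for another and should be dropped from the patch.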
  • trunk/WebCore/css/CSSStyleSelector.h

    r70209 r70335  
    2424
    2525#include "CSSFontSelector.h"
     26#include "CSSRule.h"
    2627#include "LinkHash.h"
    2728#include "MediaQueryExp.h"
     
    120121    public:
    121122        // These methods will give back the set of rules that matched for a given element (or a pseudo-element).
    122         PassRefPtr<CSSRuleList> styleRulesForElement(Element*, bool authorOnly, bool includeEmptyRules = false);
    123         PassRefPtr<CSSRuleList> pseudoStyleRulesForElement(Element*, PseudoId, bool authorOnly, bool includeEmptyRules = false);
     123        PassRefPtr<CSSRuleList> styleRulesForElement(Element*, bool authorOnly, bool includeEmptyRules = false, CSSRuleFilter filter = AllCSSRules);
     124        PassRefPtr<CSSRuleList> pseudoStyleRulesForElement(Element*, PseudoId, bool authorOnly, bool includeEmptyRules = false, CSSRuleFilter filter = AllCSSRules);
    124125
    125126        // Given a CSS keyword in the range (xx-small to -webkit-xxx-large), this function will return
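Review bot: Both declarations on lines 123 and 124 default the new parameter to AllCSSRules, so a caller that forgets to pass a filter silently gets unfiltered rules. For a security filter the default should be the restrictive value, or there should be no default so each call site has to choose. Because the filter follows includeEmptyRules = false, callers must also spell out includeEmptyRules just to reach it, which is where the bare false in the DOMWindow.cpp call comes from.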
     
    232233            bool m_strictParsing;
    233234            bool m_collectRulesOnly;
     235            bool m_sameOriginOnly;
    234236            PseudoId m_pseudoStyle;
    235237            bool m_documentIsHTML;
  • trunk/WebCore/page/DOMWindow.cpp

    r70102 r70335  
    12561256
    12571257    Document* doc = m_frame->document();
    1258     return doc->styleSelector()->styleRulesForElement(elt, authorOnly);
     1258    return doc->styleSelector()->styleRulesForElement(elt, authorOnly, false, SameOriginCSSRulesOnly);
    12591259}
    12601260
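Review bot: The call on line 1258 still passes authorOnly, while DOMWindow.idl in this same changeset removes the authorOnly argument from getMatchedCSSRules. The hunk does not show where that value now comes from, so please confirm script callers can no longer end up with authorOnly false, given the ChangeLog says access to non-author stylesheets is to be prevented. The positional false for includeEmptyRules would also read better with a short comment naming the parameter.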
  • trunk/WebCore/page/DOMWindow.idl

    r70102 r70335  
    148148
    149149        // WebKit extensions
     150#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT
    150151        CSSRuleList getMatchedCSSRules(in Element element,
    151                                        in DOMString pseudoElement,
    152                                        in [Optional] boolean authorOnly);
     152                                       in DOMString pseudoElement);
     153#endif
     154
    153155        attribute [Replaceable] double devicePixelRatio;
    154156       
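Review bot: The new #if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT guard on line 150 has no comment and no #else branch, so as written it removes getMatchedCSSRules from every non-JavaScript binding generated from this IDL rather than only dropping the authorOnly argument. If that is intended, say so in a comment above the #if and in the ChangeLog entry; if not, keep a declaration for the other bindings.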