Context Navigation

Changeset 96260 in webkit

Timestamp:

Sep 28, 2011 2:01:37 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

JavaScript generated documents don't inherit the cookie URL
https://bugs.webkit.org/show_bug.cgi?id=69003

Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2011-09-28
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/cookies/cookie-theft-with-javascript-doc.html

(WebCore::Document::setCookieURL):

(WebCore::DocumentWriter::replaceDocument):
(WebCore::DocumentWriter::begin):

LayoutTests:

http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt: Added.
http/tests/security/cookies/cookie-theft-with-javascript-doc.html: Added.
http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added.

Location:

trunk

Files:

-                      r96258
+                      r96260
+-09-28  Sergey Glazunov  <serg.glazunov@gmail.com>
+        JavaScript generated documents don't inherit the cookie URL
+        https://bugs.webkit.org/show_bug.cgi?id=69003
+        Reviewed by Adam Barth.
+        * http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt: Added.
+        * http/tests/security/cookies/cookie-theft-with-javascript-doc.html: Added.
+        * http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added.
 -09-28  Dimitri Glazkov  <dglazkov@chromium.org>

-                      r96258
+                      r96260
+-09-28  Sergey Glazunov  <serg.glazunov@gmail.com>
+        JavaScript generated documents don't inherit the cookie URL
+        https://bugs.webkit.org/show_bug.cgi?id=69003
+        Reviewed by Adam Barth.
+        Test: http/tests/security/cookies/cookie-theft-with-javascript-doc.html
+        * dom/Document.h:
+        (WebCore::Document::setCookieURL):
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::replaceDocument):
+        (WebCore::DocumentWriter::begin):
+        * loader/DocumentWriter.h:
 -09-27  Dimitri Glazkov  <dglazkov@chromium.org>

r95593	r96260
824	824	//
825	825	const KURL& cookieURL() const { return m_cookieURL; }
	826	void setCookieURL(const KURL& url) { m_cookieURL = url; }
826	827
827	828	// The firstPartyForCookies is used to compute whether this document

-                      r95901
+                      r96260
+{
     m_frame->loader()->stopAllLoaders();
     begin(m_frame->document()->url(), true, m_frame->document()->securityOrigin());
+    begin(m_frame->document()->url(), true, InheritSecurityOrigin);
     if (!source.isNull()) {
 …
+}
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin)
+{
+    // We need to take a reference to the security origin because |clear|
+    // might destroy the document that owns it.
+    RefPtr<SecurityOrigin> forcedSecurityOrigin = origin;
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOriginSource originSource)
+{
+    RefPtr<Document> oldDocument = m_frame->document();
     // We grab a local copy of the URL because it's easy for callers to supply
 …
     if (m_decoder)
         document->setDecoder(m_decoder.get());
+    if (forcedSecurityOrigin)
+        document->setSecurityOrigin(forcedSecurityOrigin.get());
+    if (originSource == InheritSecurityOrigin) {
+        document->setCookieURL(oldDocument->cookieURL());
+        document->setSecurityOrigin(oldDocument->securityOrigin());
+    }
     m_frame->domWindow()->setURL(document->url());

-                      r95901
+                      r96260
     void replaceDocument(const String&);
+    enum SecurityOriginSource { CreateNewSecurityOrigin, InheritSecurityOrigin };
     void begin();
     void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOrigin* forcedSecurityOrigin = 0);
+    void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOriginSource = CreateNewSecurityOrigin);
     void addData(const char* bytes, size_t length);
     void end();

Note: See TracChangeset for help on using the changeset viewer.