- Revision: 125613
- Author: aba...@webkit.org
- Date: 2012-08-14 15:14:47 -0700 (Tue, 14 Aug 2012)
Log Message
Delete DOMWindow::m_url
https://bugs.webkit.org/show_bug.cgi?id=93989
Reviewed by Eric Seidel.
Source/WebCore:
There's no reason for DOMWindow to keep a separate copy of the
Document's URL now that there is a predictable way to get a Document
from a DOMWindow.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::open):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):
* page/DOMWindow.h:
(DOMWindow):
LayoutTests:
The error messages for these tests now reflect the document's updated
URL after document.write has changed the URL. Previously, we failed to
sync these changes to DOMWindow::m_url, which is why the error messages
showed the wrong URL.
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
Diff
Modified: trunk/LayoutTests/ChangeLog (125612 => 125613)
--- trunk/LayoutTests/ChangeLog 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/LayoutTests/ChangeLog 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1,3 +1,18 @@
+2012-08-14 Adam Barth <aba...@webkit.org>
+
+ Delete DOMWindow::m_url
+ https://bugs.webkit.org/show_bug.cgi?id=93989
+
+ Reviewed by Eric Seidel.
+
+ The error messages for these tests now relect the document's updated
+ URL after document.write has changed the URL. Previously, we failed to
+ sync these changes to DOMWindow::m_url, which is why the error messages
+ showed the wrong URL.
+
+ * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt:
+ * http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
+
2012-08-14 Andrei Onea <o...@adobe.com>
[CSSRegions]Region overset property is incorectly computed when content has negative letter spacing and is flowed near to the edge of a region
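Review bot: typo in the added entry: "relect" in "The error messages for these tests now relect the document's updated" should be "reflect". The entry also explains both expectation changes by document.write changing the URL, but only the description of xss-DENIED-navigate-opener-document-write mentions document.write; consider saying separately why the xss-DENIED-set-opener message changed.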
Modified: trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt (125612 => 125613)
--- trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL about:blank. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim-with-notify.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: TypeError: 'undefined' is not an object (evaluating 'target.document.body')
This page opens a window to "", injects malicious code, and then navigates its opener to the victim. The opened window then tries to scripts its opener after document.writeing a new document.
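Review bot: the changed first line needs a short explanation next to the test. The description says the window was opened to "", yet the accessing frame is now reported as http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html instead of about:blank. The unchanged TypeError line shows the access is still refused, so only the diagnostic moved, but a sentence in the test description saying that the popup reports this URL after document.write would let a later reader tell an intended message from a regression.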
Modified: trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt (125612 => 125613)
--- trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1,6 +1,6 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: TypeError: 'undefined' is not an object (evaluating 'target.document.body')
This page opens a window to "", injects malicious code, and then uses window.open.call to set its opener to the victim. The opened window then tries to scripts its opener.
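Review bot: with the replaced second line, the first two CONSOLE MESSAGE lines of this expectation are now identical, so the output no longer shows which of the two refused accesses produced which message. Please confirm that two separate denials are expected here rather than one denial logged twice, and consider noting in the test description which step triggers each message.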
Modified: trunk/Source/WebCore/ChangeLog (125612 => 125613)
--- trunk/Source/WebCore/ChangeLog 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/Source/WebCore/ChangeLog 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1,3 +1,23 @@
+2012-08-14 Adam Barth <aba...@webkit.org>
+
+ Delete DOMWindow::m_url
+ https://bugs.webkit.org/show_bug.cgi?id=93989
+
+ Reviewed by Eric Seidel.
+
+ There's no reason for DOMWindow to keep a separate copy of the
+ Document's URL now that there is a predictable way to get a Document
+ from a DOMWindow.
+
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::begin):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::open):
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::crossDomainAccessErrorMessage):
+ * page/DOMWindow.h:
+ (DOMWindow):
+
2012-08-14 Nikhil Bhargava <nbharg...@google.com>
De-inline stuff from RenderStyle.h
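Review bot: the added entry reads as a pure cleanup ("There's no reason for DOMWindow to keep a separate copy"), but the LayoutTests entry for the same revision records that the console error text changes. Add a line under page/DOMWindow.cpp stating that crossDomainAccessErrorMessage now reports the documents' current URLs, so someone bisecting a changed security console message can find this revision from the WebCore ChangeLog alone.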
Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (125612 => 125613)
--- trunk/Source/WebCore/loader/DocumentWriter.cpp 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp 2012-08-14 22:14:47 UTC (rev 125613)
@@ -147,9 +147,6 @@
document->setSecurityOrigin(ownerDocument->securityOrigin());
}
- // FIXME: DOMWindow should get the URL from the document itself.
- m_frame->domWindow()->setURL(document->url());
-
m_frame->loader()->didBeginDocument(dispatch);
document->implicitOpen();
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (125612 => 125613)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1949,8 +1949,6 @@
m_frame->setDocument(document);
document->domWindow()->resumeFromPageCache();
- // FIXME: This shouldn't be necessary now that Document owns the DOMWindow.
- m_frame->domWindow()->setURL(document->url());
updateFirstPartyForCookies();
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (125612 => 125613)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2012-08-14 22:14:47 UTC (rev 125613)
@@ -1760,14 +1760,14 @@
String DOMWindow::crossDomainAccessErrorMessage(DOMWindow* activeWindow)
{
- const KURL& activeWindowURL = activeWindow->url();
+ const KURL& activeWindowURL = activeWindow->document()->url();
if (activeWindowURL.isNull())
return String();
// FIXME: This error message should contain more specifics of why the same origin check has failed.
// Perhaps we should involve the security origin object in composing it.
// FIXME: This message, and other console messages, have extra newlines. Should remove them.
- return "Unsafe _javascript_ attempt to access frame with URL " + m_url.string() + " from frame with URL " + activeWindowURL.string() + ". Domains, protocols and ports must match.\n";
+ return "Unsafe _javascript_ attempt to access frame with URL " + document()->url().string() + " from frame with URL " + activeWindowURL.string() + ". Domains, protocols and ports must match.\n";
}
bool DOMWindow::isInsecureScriptAccess(DOMWindow* activeWindow, const String& urlString)
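Review bot: both replacement lines dereference the result of document() without a check: `activeWindow->document()->url()` and `document()->url().string()`. The old code read the m_url member and could not fault in this path. If document() can return null for either window, this now crashes while composing a security error message; add an ASSERT documenting the invariant, or return String() early as the existing isNull() branch does. The isNull() check also changes meaning, since it previously tested a URL that was only set through setURL() and now tests the document's URL.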
Modified: trunk/Source/WebCore/page/DOMWindow.h (125612 => 125613)
--- trunk/Source/WebCore/page/DOMWindow.h 2012-08-14 22:05:45 UTC (rev 125612)
+++ trunk/Source/WebCore/page/DOMWindow.h 2012-08-14 22:14:47 UTC (rev 125613)
@@ -118,10 +118,6 @@
// FIXME: Callers should use document()->securityOrigin() directly.
SecurityOrigin* securityOrigin() const;
- // FIXME: We should get the URL from document()->url() directly.
- void setURL(const KURL& url) { m_url = url; }
- KURL url() const { return m_url; }
-
unsigned pendingUnloadEventListeners() const;
static bool dispatchAllPendingBeforeUnloadEvents();
@@ -434,8 +430,6 @@
void reconnectDOMWindowProperties();
void willDestroyDocumentInFrame();
- KURL m_url;
-
bool m_shouldPrintWhenFinishedLoading;
bool m_suspendedForPageCache;