Diff
Modified: trunk/LayoutTests/ChangeLog (147529 => 147530)
--- trunk/LayoutTests/ChangeLog 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/ChangeLog 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,3 +1,29 @@
+2013-04-03 Mike West <mk...@chromium.org>
+
+ X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin.
+ https://bugs.webkit.org/show_bug.cgi?id=112903
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny.html:
+ * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html:
+ * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+
2013-04-03 Sheriff Bot <webkit.review....@gmail.com>
Unreviewed, rolling out r147409.
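Review bot: the entry lists every touched test but does not say what changed in them; one line under the title noting that the tests now check that the parent cannot read the blocked frame's contentWindow.location.href (instead of merely alerting from onload) would make the expectation diffs below self-explanatory and would match the level of detail in the WebCore ChangeLog for the same bug.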
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,7 +1,8 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
-ALERT: PASS: onload fired.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
There should be no content in the iframe below
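Review bot: the new expectation couples the test to the exact wording of the sandbox-violation console message and to a source line number ("line 13"), so any later edit to the test's script block or to the message text will break this file and its chromium copy without any change in behaviour. If the harness allows it, have checkIfDone() log only the PASS/FAIL string, or dump without line numbers. Note also that the sandbox message is logged before the didFailLoadingWithError callback for the .cgi resource, which matches the order in DocumentLoader::responseReceived (sandbox, then load event, then cancel); that ordering is now part of what this file asserts.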
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -3,6 +3,12 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html">
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+data:, - didFinishLoading
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
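Review bot: the blocked frame ends up at `data:,` here and is reported as origin "null" via the protocol-mismatch message, whereas the header-based tests report a "Sandbox access violation" for the same kind of blocked frame. Both leave the parent with nothing, but the two code paths are observably different (a navigation to a data: URL versus sandboxing the existing document in place) and the expectations now encode that difference; a short comment in the test explaining why the meta path navigates rather than sandboxes would help whoever next has to reconcile the two. The empty line between the protocol message and the PASS line also looks like a trailing newline inside the console message rather than intended output; please confirm it is stable across ports.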
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -3,6 +3,11 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html">
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
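Review bot: unlike x-frame-options-deny-meta-tag-expected.txt, this expectation has no `data:, - didFinishLoading` line between didReceiveResponse and the access-check messages, even though the two tests run identical checkIfDone() logic. If that line's presence depends on when the data: load completes relative to the onload handler, one of the two expectations is going to be flaky; either pin the callback ordering down or stop dumping resource load callbacks, which are not what this test is about.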
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -6,10 +6,14 @@
testRunner.waitUntilDone();
}
- function checkIfDone()
- {
- if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank")
- testRunner.notifyDone();
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
}
</script>
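Review bot: as rendered in this hunk, `var url = ""` never touches the iframe, so `if (!url)` is always true and the test cannot fail; the expectation shows a real cross-frame read taking place, so the right-hand side of the assignment appears truncated in this view, but please double-check that the committed file reads `document.getElementsByTagName("iframe")[0].contentWindow.location.href` there. The old check compared `contentWindow.location` against "about:blank" and only called notifyDone() on success, which hung on failure; always calling notifyDone() as the new version does is an improvement. Missing semicolon after the assignment is a nit.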
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -3,6 +3,12 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html">
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+data:, - didFinishLoading
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
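Review bot: the subframe is served from localhost:8000 with `sameorigin` and the parent is 127.0.0.1:8000, so the refusal is correct, but after the scheduled navigation the blocked frame is reported exactly as in the `deny` variant (origin "null", protocol "data"). The expectation therefore no longer distinguishes a `sameorigin` refusal from a `deny` refusal once blocking has happened; that is fine, but say so in the test's description text so nobody looks for a sameorigin-specific outcome here.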
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -6,10 +6,14 @@
testRunner.waitUntilDone();
}
- function checkIfDone()
- {
- if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank")
- testRunner.notifyDone();
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
}
</script>
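Review bot: this is the third copy of the same checkIfDone() body in this patch (also in x-frame-options-deny-meta-tag.html and x-frame-options-deny-meta-tag-in-body.html, and again in the header-based tests below); a shared script under resources/ would keep the PASS/FAIL strings and the "line N" numbers baked into the expectations in one place. Same caveat as for the sibling test: the read of contentWindow.location.href is not visible in the hunk as rendered, only `var url = ""`.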
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -6,11 +6,14 @@
testRunner.waitUntilDone();
}
+ function checkIfDone() {
+ var url = ""
- function checkIfDone()
- {
- if (document.getElementsByTagName("iframe")[0].contentWindow.location == "about:blank")
- testRunner.notifyDone();
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
}
</script>
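Review bot: the hunk shows the brace style changing (`function checkIfDone()` with `{` on its own line becomes K&R) at the same time as the logic changes, which is why the `+` lines for the new function header land above the `-` lines of the old one and the behavioural change is harder to pick out. Nit only; the resulting function matches the other tests.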
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -3,8 +3,19 @@
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
}
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
</script>
<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="alert('PASS: onload fired.');"></iframe>
+<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
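Review bot: with `testRunner.waitUntilDone()` added and notifyDone() reachable only from the iframe's onload handler, this test will time out rather than report FAIL if the synthetic load event dispatched in DocumentLoader::responseReceived ever stops firing. A fallback timer that logs FAIL and calls notifyDone() would turn a hang into a diagnosable failure. Also, the iframe's src attribute shows as empty in this rendering; confirm the committed file still points at resources/x-frame-options-deny.cgi, as the willSendRequest line in the expectation indicates.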
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,6 +1,8 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 16: PASS: Could not read contentWindow.location.href
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi">
The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
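Review bot: the PASS line is reported at "line 16" here versus "line 13" in the other expectations, purely because this test file has a few extra lines in its head; that is exactly the kind of incidental detail that will churn whenever someone touches the test. Otherwise the output correctly shows the duplicated `SAMEORIGIN, SAMEORIGIN` header still being refused and the frame ending up sandboxed rather than same-origin with the parent.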
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -6,11 +6,22 @@
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
}
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
</script>
</head>
<body>
<p>The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.</p>
- <iframe style="width:500px; height:500px" src=""
+ <iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
</body>
</html>
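Review bot: the removed `<iframe ...>` line ends at `src=""` without a closing tag on the same line, and the replacement adds `_onload_="checkIfDone()"` and closes the element; please confirm nothing that was on the old continuation line (the real src value at minimum) was dropped in the rewrite. The check itself has the same `var url = ""` rendering question as the other tests in this patch.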
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,7 +1,8 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
-ALERT: PASS: onload fired.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
There should be no content in the iframe below
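Review bot: this covers the interesting case, a `sameorigin` subframe from localhost framed by 127.0.0.1 (same host family, different origin), and now asserts that the blocked frame is sandboxed rather than same-origin with the parent. The resource is named x-frame-options-parent-same-origin-allow.cgi, which suggests an allow-side test also uses it; make sure that one still passes, since nothing in this patch updates its expectation and a regression that sandboxed every frame carrying an X-Frame-Options header would only show up there.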
Modified: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html (147529 => 147530)
--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html 2013-04-03 09:28:57 UTC (rev 147530)
@@ -3,8 +3,19 @@
testRunner.dumpAsText();
testRunner.dumpChildFramesAsText();
testRunner.dumpResourceLoadCallbacks();
+ testRunner.waitUntilDone();
}
+
+ function checkIfDone() {
+ var url = ""
+
+ if (!url)
+ console.log("PASS: Could not read contentWindow.location.href");
+ else
+ console.log("FAIL: Could read contentWindow.location.href");
+ testRunner.notifyDone();
+ }
</script>
<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="" _onload_="alert('PASS: onload fired.');"></iframe>
+<iframe style="width:500px; height:500px" src="" _onload_="checkIfDone()"></iframe>
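Review bot: the new check only verifies that a read of contentWindow.location.href from the parent is refused. Since the fix works by sandboxing the document that is left in the frame, it would be worth a follow-up test that the parent can still navigate that frame afterwards (for example by setting src again to a frameable resource) and that the new document comes up with its normal origin; otherwise a frame that once hit X-Frame-Options could stay wedged in a unique origin without anything in the suite noticing.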
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,6 +1,7 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
-ALERT: PASS: onload fired.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
There should be no content in the iframe below
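Review bot: this platform copy differs from the generic expectation only in the absence of the `<unknown> - didFinishLoading` callback line, and the same is true of the other five chromium/ overrides in this patch. If the tests stopped calling dumpResourceLoadCallbacks(), which is not what they assert, the overrides could be deleted and the line-number-bearing console messages would have to be maintained in one file instead of two.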
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -2,6 +2,11 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -2,6 +2,11 @@
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html' in a frame because it set 'X-Frame-Options' to 'deny'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -2,6 +2,11 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didReceiveResponse <NSURLResponse http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html, http status code 200>
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+data:, - willSendRequest <NSURLRequest URL data:,, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html, http method GET> redirectResponse (null)
+data:, - didReceiveResponse <NSURLResponse data:,, http status code 0>
+CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "null". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "data". Protocols must match.
+
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
There should be no content in the iframe below
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,5 +1,7 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny.html, http method GET> redirectResponse (null)
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 16: PASS: Could not read contentWindow.location.href
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-multiple-headers-sameorigin.cgi">
The frame below should not load, proving that 'sameorigin, sameorigin' === 'sameorigin'.
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt (147529 => 147530)
--- trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,6 +1,7 @@
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
-ALERT: PASS: onload fired.
+CONSOLE MESSAGE: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 13: PASS: Could not read contentWindow.location.href
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
There should be no content in the iframe below
Modified: trunk/Source/WebCore/ChangeLog (147529 => 147530)
--- trunk/Source/WebCore/ChangeLog 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/Source/WebCore/ChangeLog 2013-04-03 09:28:57 UTC (rev 147530)
@@ -1,3 +1,25 @@
+2013-04-03 Mike West <mk...@chromium.org>
+
+ X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin.
+ https://bugs.webkit.org/show_bug.cgi?id=112903
+
+ Reviewed by Adam Barth.
+
+ This change brings WebKit in line with IE and Gecko's behavior, both of
+ which treat the blocked frame as being cross-origin for the purposes of
+ access checks ('[frame].contentWindow.location.href' is inaccessible,
+ for example).
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv):
+ Rather than redirecting to 'about:blank', redirect to a URL which
+ does not inherit the SecurityOrigin of the parent.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::responseReceived):
+ Before calling cancelMainResourceLoad, ensure that the frame's
+ document is sandboxed into a unique origin so that it doesn't inherit
+ the parent's SecurityOrigin.
+
2013-04-03 Mikhail Naganov <mnaga...@chromium.org>
[Chromium] Implement target-densityDpi viewport property emulation
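Review bot: the entry says both paths stop the blocked frame inheriting the parent's SecurityOrigin, but they do it differently (Document.cpp schedules a navigation to a unique-origin URL, DocumentLoader.cpp sandboxes the current document in place) and the test expectations show different console output as a result. A sentence on why the meta path cannot simply call enforceSandboxFlags(SandboxOrigin) like the header path, or vice versa, would save the next reader from wondering whether one of the two is incomplete.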
Modified: trunk/Source/WebCore/dom/Document.cpp (147529 => 147530)
--- trunk/Source/WebCore/dom/Document.cpp 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/Source/WebCore/dom/Document.cpp 2013-04-03 09:28:57 UTC (rev 147530)
@@ -2948,7 +2948,10 @@
if (frameLoader->shouldInterruptLoadForXFrameOptions(content, url(), requestIdentifier)) {
String message = "Refused to display '" + url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
frameLoader->stopAllLoaders();
- frame->navigationScheduler()->scheduleLocationChange(securityOrigin(), blankURL(), String());
+ // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's
+ // intent, we must navigate away from the possibly partially-rendered document to a location that
+ // doesn't inherit the parent's SecurityOrigin.
+ frame->navigationScheduler()->scheduleLocationChange(securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, requestIdentifier);
}
}
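Review bot: this path only schedules an asynchronous navigation; between now and when the NavigationScheduler fires, the partially parsed document keeps its real origin, and the new comment itself acknowledges the document may be partially rendered. The header path closes that window by calling enforceSandboxFlags(SandboxOrigin) immediately, so consider doing the same here before scheduling the location change, or add to the comment why stopAllLoaders() plus the pending navigation is sufficient in the meta case. For reference, the expectations show the unique-origin URL surfacing as `data:,`, which is what the parent's access check then reports as a protocol mismatch.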
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (147529 => 147530)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2013-04-03 09:19:11 UTC (rev 147529)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2013-04-03 09:28:57 UTC (rev 147530)
@@ -591,6 +591,7 @@
InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, identifier, response);
String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
frame()->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, identifier);
+ frame()->document()->enforceSandboxFlags(SandboxOrigin);
if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
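Review bot: `frame()->document()` at this point is whatever document currently lives in the frame, since the blocked response never becomes a document, so the sandbox flag is applied retroactively to the previous document (typically the initial about:blank). That yields the result the tests expect, but if the frame held a real same-origin document before this navigation, its origin flips mid-life and any script still in it loses access to the parent. Please add a comment stating which document this is meant to affect, and consider whether a later successful navigation of the same frame needs to be shown to start from a clean state. The load event is dispatched after the flag is set, so onload handlers observe the sandboxed state; the expectations rely on that, so keep the ordering explicit.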