Diff
Modified: branches/safari-600.1.4.16-branch/LayoutTests/ChangeLog (183054 => 183055)
--- branches/safari-600.1.4.16-branch/LayoutTests/ChangeLog 2015-04-21 07:21:09 UTC (rev 183054)
+++ branches/safari-600.1.4.16-branch/LayoutTests/ChangeLog 2015-04-21 07:23:44 UTC (rev 183055)
@@ -1,5 +1,19 @@
2015-04-21 Babak Shafiei <bshaf...@apple.com>
+ Merge r182284
+
+ 2015-04-02 Alexey Proskuryakov <a...@apple.com>
+
+ Clean up access checks in JSHistoryCustom.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=143227
+
+ Reviewed by Sam Weinig.
+
+ * http/tests/security/cross-frame-access-call-expected.txt:
+ * http/tests/security/cross-frame-access-call.html:
+
+2015-04-21 Babak Shafiei <bshaf...@apple.com>
+
Merge r182051
2015-03-26 Zalan Bujtas <za...@apple.com>
Modified: branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (183054 => 183055)
--- branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2015-04-21 07:21:09 UTC (rev 183054)
+++ branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2015-04-21 07:23:44 UTC (rev 183055)
@@ -59,4 +59,6 @@
PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
+PASS: history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
+PASS: history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
Modified: branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call.html (183054 => 183055)
--- branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call.html 2015-04-21 07:21:09 UTC (rev 183054)
+++ branches/safari-600.1.4.16-branch/LayoutTests/http/tests/security/cross-frame-access-call.html 2015-04-21 07:23:44 UTC (rev 183055)
@@ -63,6 +63,10 @@
// undefined value indicates failure
shouldBe("window.location.toString.call(targetWindow.location)", "undefined");
+ // - Tests for the History object -
+ shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"),
+ shouldBe("history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"),
+
// Work around DRT bug that causes subsequent tests to fail.
window.stop();
}
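Review bot: The two added `shouldBe(..., "undefined")` checks cannot tell a blocked call from a successful one, because `pushState` and `replaceState` return `undefined` in both cases; the context comment "undefined value indicates failure" does not hold for these methods. Unless a console message or exception is captured in a part of the expected output not visible in this diff, the test would presumably still pass with the access check removed. A stronger test would have the target frame report its own URL after the calls (for example over `postMessage`) and assert that it did not change to `/foobar`. Separately, both added lines end in `,` rather than `;`, which chains them and the following `window.stop()` into a single comma expression; end each with `;`.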
Modified: branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog (183054 => 183055)
--- branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog 2015-04-21 07:21:09 UTC (rev 183054)
+++ branches/safari-600.1.4.16-branch/Source/WebCore/ChangeLog 2015-04-21 07:23:44 UTC (rev 183055)
@@ -1,5 +1,24 @@
2015-04-21 Babak Shafiei <bshaf...@apple.com>
+ Merge r182284
+
+ 2015-04-02 Alexey Proskuryakov <a...@apple.com>
+
+ Clean up access checks in JSHistoryCustom.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=143227
+
+ Reviewed by Sam Weinig.
+
+ * bindings/js/JSHistoryCustom.cpp:
+ (WebCore::JSHistory::putDelegate):
+ (WebCore::JSHistory::deleteProperty):
+ (WebCore::JSHistory::deletePropertyByIndex):
+ (WebCore::JSHistory::getOwnPropertyNames):
+ (WebCore::JSHistory::pushState):
+ (WebCore::JSHistory::replaceState):
+
+2015-04-21 Babak Shafiei <bshaf...@apple.com>
+
Merge r182051
2015-03-26 Zalan Bujtas <za...@apple.com>
Modified: branches/safari-600.1.4.16-branch/Source/WebCore/bindings/js/JSHistoryCustom.cpp (183054 => 183055)
--- branches/safari-600.1.4.16-branch/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2015-04-21 07:21:09 UTC (rev 183054)
+++ branches/safari-600.1.4.16-branch/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2015-04-21 07:23:44 UTC (rev 183055)
@@ -76,7 +76,6 @@
bool JSHistory::putDelegate(ExecState* exec, PropertyName, JSValue, PutPropertySlot&)
{
- // Only allow putting by frames in the same origin.
if (!shouldAllowAccessToFrame(exec, impl().frame()))
return true;
return false;
@@ -85,7 +84,6 @@
bool JSHistory::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
{
JSHistory* thisObject = jsCast<JSHistory*>(cell);
- // Only allow deleting by frames in the same origin.
if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
return false;
return Base::deleteProperty(thisObject, exec, propertyName);
@@ -94,7 +92,6 @@
bool JSHistory::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
{
JSHistory* thisObject = jsCast<JSHistory*>(cell);
- // Only allow deleting by frames in the same origin.
if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
return false;
return Base::deletePropertyByIndex(thisObject, exec, propertyName);
@@ -103,7 +100,6 @@
void JSHistory::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSHistory* thisObject = jsCast<JSHistory*>(object);
- // Only allow the history object to enumerated by frames in the same origin.
if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
return;
Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
@@ -125,6 +121,9 @@
JSValue JSHistory::pushState(ExecState* exec)
{
+ if (!shouldAllowAccessToFrame(exec, impl().frame()))
+ return jsUndefined();
+
RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
if (exec->hadException())
return jsUndefined();
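Review bot: The guard added at the top of pushState has no comment, and it returns `jsUndefined()` just as the visible exception path does, so nothing in the code marks it as the cross-origin denial for calls like `history.pushState.call(targetWindow.history, ...)`. I would add a line above it such as `// Deny cross-origin callers before any argument is touched; this method can be invoked with another frame's History as |this|.` Keeping the check ahead of `SerializedScriptValue::create` is the right order, and the comment would stop a later edit from moving it. The identical three lines in the replaceState hunk need the same comment, and a small shared static helper would keep the two in step. Both function bodies continue outside their hunks, so the rest of each path cannot be checked from here.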
@@ -151,6 +150,9 @@
JSValue JSHistory::replaceState(ExecState* exec)
{
+ if (!shouldAllowAccessToFrame(exec, impl().frame()))
+ return jsUndefined();
+
RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
if (exec->hadException())
return jsUndefined();