Title: [210350] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (210349 => 210350)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-01-05 17:09:25 UTC (rev 210350)
@@ -1,5 +1,24 @@
 2017-01-05  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210112. rdar://problem/29742039
+
+    2016-12-22  Daniel Bates  <daba...@apple.com>
+
+            Bypass pop-up blocker from cross-origin or sandboxed frame
+            https://bugs.webkit.org/show_bug.cgi?id=166290
+            <rdar://problem/29742039>
+
+            Reviewed by Darin Adler.
+
+            * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+            * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html: Added.
+            * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt: Added.
+            * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html: Added.
+            * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+            * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html: Added.
+
+2017-01-05  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210059. rdar://problem/29727145
 
     2016-12-21  Simon Fraser  <simon.fra...@apple.com>
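Review bot: The entry title in the merged r210112 block, "Bypass pop-up blocker from cross-origin or sandboxed frame", names the bug rather than the fix, so read on its own it suggests the change permits the bypass. A title that states the defect as a defect, or a one-line summary under it saying that the three added tests expect the window.open() call to be blocked, would make the log unambiguous.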

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+ 
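Review bot: The expected console message ends with "disallowed from navigating its ancestors", but the frame targeted in this test is the named sibling frame A, not an ancestor of the sandboxed frame. The baseline is fine as a record of current output, but the wording will mislead anyone triaging this log line. Consider a follow-up that makes the message cover non-ancestor targets, and rebaseline this file when it lands.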

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setPopupBlockingEnabled(true);
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open("about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
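Review bot: The only assertion, in the eval string passed to frame B, is that window.open("about:blank", "A") returns a falsy value; nothing checks that frame A was left alone, and because A is already at about:blank a navigation that did occur would be indistinguishable. Opening a distinguishable URL and checking A's location afterwards would let the test catch a regression where the call returns null but still navigates the sibling. A short comment explaining why B carries allow-popups yet the open must still fail would also help the next reader.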

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+ 

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setPopupBlockingEnabled(true);
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open.call(window.top, "about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
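Review bot: This file differs from popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html only in the eval string, which uses window.open.call(window.top, "about:blank", "A"), and nothing in the test says what that variant is meant to exercise. Add a comment noting that the receiver is the top window while the calling script runs in sandboxed frame B, and prefer a descriptive file name over the "2" suffix so a failure here can be told apart from the first test's.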

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
+
+ALERT: PASS
+ 

Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (0 => 210350)


--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html	2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setPopupBlockingEnabled(true);
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe name="B" src="" 'A') ? 'FAIL' : 'PASS');</script>"></iframe>
+</body>
+</html>
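Review bot: The src attribute of iframe B, on the line after iframe A, is not a well-formed attribute value as shown here and does not match the data:text/html URL quoted in the -expected.txt for this test. Confirm the committed file carries the full data: URL, since the test only exercises the unique-origin path if B actually loads that script. A comment stating that the data: URL is what gives B its unique origin would also document why this case is separate from the two sandbox tests.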

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210349 => 210350)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-05 17:09:25 UTC (rev 210350)
@@ -1,5 +1,25 @@
 2017-01-05  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210112. rdar://problem/29742039
+
+    2016-12-22  Daniel Bates  <daba...@apple.com>
+
+            Bypass pop-up blocker from cross-origin or sandboxed frame
+            https://bugs.webkit.org/show_bug.cgi?id=166290
+            <rdar://problem/29742039>
+
+            Reviewed by Darin Adler.
+
+            Tests: fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html
+                   fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html
+                   fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
+
+            * page/DOMWindow.cpp:
+            (WebCore::DOMWindow::open): Use FrameLoader::findFrameForNavigation() to find the
+            target frame to navigate with respect to the active document just as we do in WebCore::createWindow().
+
+2017-01-05  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210104. rdar://problem/29139619
 
     2016-12-22  Jer Noble  <jer.no...@apple.com>
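Review bot: The DOMWindow::open note says what was swapped in, FrameLoader::findFrameForNavigation() "with respect to the active document", but not why the previous lookup was insufficient. One sentence stating that the earlier name lookup did not check whether the active document may navigate the found frame, so a named sibling satisfied the pop-up blocker exemption, would tie the entry to its title and to the three listed tests.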

Modified: branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp (210349 => 210350)


--- branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp	2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp	2017-01-05 17:09:25 UTC (rev 210350)
@@ -2245,9 +2245,9 @@
 #endif
 
     if (!firstWindow.allowPopUp()) {
-        // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
+        // Because FrameTree::findFrameForNavigation() returns true for empty strings, we must check for empty frame names.
         // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
-        if (frameName.isEmpty() || !m_frame->tree().find(frameName))
+        if (frameName.isEmpty() || !m_frame->loader().findFrameForNavigation(frameName, activeDocument))
             return nullptr;
     }
 
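Review bot: The updated comment on the first changed line refers to FrameTree::findFrameForNavigation(), but the call two lines below is m_frame->loader().findFrameForNavigation(frameName, activeDocument) and the ChangeLog names it FrameLoader::findFrameForNavigation(). Correct the class name in the comment. While touching it, "returns true for empty strings" could be reworded to say it returns a frame, and the comment could mention that the lookup is now made on behalf of activeDocument, since that is the security-relevant part of the change.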