Diff
Modified: branches/safari-603-branch/LayoutTests/ChangeLog (210349 => 210350)
--- branches/safari-603-branch/LayoutTests/ChangeLog 2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/LayoutTests/ChangeLog 2017-01-05 17:09:25 UTC (rev 210350)
@@ -1,5 +1,24 @@
2017-01-05 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210112. rdar://problem/29742039
+
+ 2016-12-22 Daniel Bates <daba...@apple.com>
+
+ Bypass pop-up blocker from cross-origin or sandboxed frame
+ https://bugs.webkit.org/show_bug.cgi?id=166290
+ <rdar://problem/29742039>
+
+ Reviewed by Darin Adler.
+
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt: Added.
+ * fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html: Added.
+ * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt: Added.
+ * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html: Added.
+
+2017-01-05 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210059. rdar://problem/29727145
2016-12-21 Simon Fraser <simon.fra...@apple.com>
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame-expected.txt 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+
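Review bot: The expected console message on the first line gives 'about:blank' as the URL of both the navigating frame and the target, and says the sandboxed frame is "disallowed from navigating its ancestors", although the test's file name describes the target as a named sibling frame. Because the two URLs are identical, the output cannot show which frame was blocked from reaching which. Giving frames A and B distinguishable URLs in the test would make this expectation readable on its own.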
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open("about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
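Review bot: The body contains no description of what is being checked; the single eval line is the entire test. Please add a short comment or visible paragraph stating the expectation, namely that window.open("about:blank", "A") called from sandboxed frame B with pop-up blocking enabled must return null rather than a window. It would also help to say why the sandbox attribute includes allow-popups, since a reader could otherwise assume that token alone decides the outcome.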
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2-expected.txt 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'about:blank'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+
+ALERT: PASS
+
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe id="B" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
+<script>
+document.getElementById("B").contentWindow.eval('alert(window.open.call(window.top, "about:blank", "A") ? "FAIL" : "PASS");');
+</script>
+</body>
+</html>
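Review bot: This file differs from popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html only in the eval line, which uses window.open.call(window.top, "about:blank", "A"), and nothing in the file says why that variant needs its own test. A one-line comment noting that open() is invoked on the top window while the calling script runs in sandboxed frame B, plus a more descriptive file name than the "2" suffix, would keep the two tests from later being merged or dropped as duplicates.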
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,<script>alert(window.open('about:blank', 'A') ?%20'FAIL'%20:%20'PASS');%3C/script%3E'. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.
+
+ALERT: PASS
+
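Review bot: The expected console message embeds the full data: URL of frame B, with a mix of raw characters and percent-escapes (%20, %3C, %3E), so this expectation depends on exactly how the URL is serialized in the message. A change to URL escaping in console output would fail this test for a reason unrelated to pop-up blocking. Please add a comment in the test saying so, or keep the inline script as short as possible so the expectation only changes when the navigation check does.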
Added: branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (0 => 210350)
--- branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html 2017-01-05 17:09:25 UTC (rev 210350)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setPopupBlockingEnabled(true);
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<iframe name="A"></iframe>
+<iframe name="B" src="" 'A') ? 'FAIL' : 'PASS');</script>"></iframe>
+</body>
+</html>
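Review bot: On the line for iframe B, the src attribute as shown is empty (src="") and is followed by the stray text 'A') ? 'FAIL' : 'PASS');</script>", which does not match the data:text/html URL recorded in this test's expected output. Please check that the line in the repository carries the full data: URL inside the src attribute. With the markup as shown here, frame B would run no script and the "ALERT: PASS" line could not be produced.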
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210349 => 210350)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-05 17:09:25 UTC (rev 210350)
@@ -1,5 +1,25 @@
2017-01-05 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210112. rdar://problem/29742039
+
+ 2016-12-22 Daniel Bates <daba...@apple.com>
+
+ Bypass pop-up blocker from cross-origin or sandboxed frame
+ https://bugs.webkit.org/show_bug.cgi?id=166290
+ <rdar://problem/29742039>
+
+ Reviewed by Darin Adler.
+
+ Tests: fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame.html
+ fast/events/popup-blocked-from-sandboxed-frame-via-window-open-named-sibling-frame2.html
+ fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::open): Use FrameLoader::findFrameForNavigation() to find the
+ target frame to navigate with respect to the active document just as we do in WebCore::createWindow().
+
+2017-01-05 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210104. rdar://problem/29139619
2016-12-22 Jer Noble <jer.no...@apple.com>
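Review bot: The entry for DOMWindow::open says which lookup is now used but not why the previous one was wrong for the pop-up blocker check. Please add a sentence describing what a cross-origin or sandboxed frame could do when the frame name was not resolved with respect to the active document, so that the title "Bypass pop-up blocker from cross-origin or sandboxed frame" is explained by the entry itself and not only by the bug link.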
Modified: branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp (210349 => 210350)
--- branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp 2017-01-05 17:09:20 UTC (rev 210349)
+++ branches/safari-603-branch/Source/WebCore/page/DOMWindow.cpp 2017-01-05 17:09:25 UTC (rev 210350)
@@ -2245,9 +2245,9 @@
#endif
if (!firstWindow.allowPopUp()) {
- // Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
+ // Because FrameTree::findFrameForNavigation() returns true for empty strings, we must check for empty frame names.
// Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
- if (frameName.isEmpty() || !m_frame->tree().find(frameName))
+ if (frameName.isEmpty() || !m_frame->loader().findFrameForNavigation(frameName, activeDocument))
return nullptr;
}
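Review bot: The updated comment names FrameTree::findFrameForNavigation(), but the call below it is m_frame->loader().findFrameForNavigation(frameName, activeDocument), and the ChangeLog refers to FrameLoader::findFrameForNavigation(). Please correct the class name in the comment. The phrase "returns true for empty strings" was carried over from the FrameTree::find() wording. Since the result is tested with ! as a frame lookup, please confirm the empty-name behaviour still holds for the new function and describe it as returning a frame rather than returning true.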