Title: [91423] branches/safari-534.51-branch
Revision: 91423
Author: lforsch...@apple.com
Date: 2011-07-20 16:34:30 -0700 (Wed, 20 Jul 2011)
Log Message
Merge r88071.
Diff
Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (91422 => 91423)
--- branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-07-20 23:33:04 UTC (rev 91422)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-07-20 23:34:30 UTC (rev 91423)
@@ -1,5 +1,22 @@
2011-07-20 Lucas Forschler <lforsch...@apple.com>
+ Merged 88071.
+
+ 2011-06-03 Adam Barth <aba...@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ DOMWindow::setLocation doesn't understand that DOMWindow can be inactive
+ https://bugs.webkit.org/show_bug.cgi?id=62057
+
+ Test that some esoteric combination of eval, load, and Location don't
+ do something goofy.
+
+ * http/tests/security/xss-DENIED-contentWindow-eval-expected.txt: Added.
+ * http/tests/security/xss-DENIED-contentWindow-eval.html: Added.
+
+2011-07-20 Lucas Forschler <lforsch...@apple.com>
+
Merged 87743.
2011-05-31 Abhishek Arya <infe...@chromium.org>
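Review bot: The description in this entry ("some esoteric combination of eval, load, and Location don't do something goofy") does not say what behaviour the test pins down. Suggest stating the property directly: a function created by eval in the iframe's original window must not be able to set location to a script URL once that window is no longer the frame's active DOMWindow. That makes the entry useful to someone auditing the security tests later without opening the bug.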
Copied: branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt (from rev 88071, trunk/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt) (0 => 91423)
--- branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt 2011-07-20 23:34:30 UTC (rev 91423)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL about:blank from frame with URL about:blank. Domains, protocols and ports must match.
+
+This test passes if alert() is not called.
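Review bot: The expected console line reports an access from about:blank to about:blank and then says "Domains, protocols and ports must match", which reads as a contradiction because both URLs are identical. The block here comes from the new inactive-window branch in isInsecureScriptAccess, which reuses crossDomainAccessErrorMessage(activeWindow). Consider a distinct message for the inactive-window case so that anyone triaging this console output can tell it apart from a real origin mismatch.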
Copied: branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval.html (from rev 88071, trunk/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval.html) (0 => 91423)
--- branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval.html 2011-07-20 23:34:30 UTC (rev 91423)
@@ -0,0 +1,17 @@
+<body>
+This test passes if alert() is not called.
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+i = document.body.appendChild(document.createElement("iframe"));
+f = frames[0].eval('(function(){location="_javascript_:alert(location)"})');
+i.src = ""
+i.addEventListener("load", f);
+i.addEventListener("load", function() {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+});
+</script>
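Review bot: notifyDone() is called from the second load listener with nothing deferring it, so the test's only failure signal (an alert in the text dump) depends on the location assignment in f taking effect before that listener runs. If that assignment were ever scheduled rather than executed synchronously, the test would finish first and pass without exercising the check. Suggest deferring notifyDone() with a setTimeout, and adding a short comment explaining why f is created in frames[0] before i.src is set. Minor: i and f are implicit globals and the i.src line has no terminating semicolon.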
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (91422 => 91423)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-07-20 23:33:04 UTC (rev 91422)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-07-20 23:34:30 UTC (rev 91423)
@@ -1,5 +1,25 @@
2011-07-20 Lucas Forschler <lforsch...@apple.com>
+ Merged 88071.
+
+ 2011-06-03 Adam Barth <aba...@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ DOMWindow::setLocation doesn't understand that DOMWindow can be inactive
+ https://bugs.webkit.org/show_bug.cgi?id=62057
+
+ This code gets confused when dealing with inactive DOMWindows. We
+ should just block inactive DOMWindows because there's no compatibility
+ reason to support them in this code path.
+
+ Test: http/tests/security/xss-DENIED-contentWindow-eval.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::isInsecureScriptAccess):
+
+2011-07-20 Lucas Forschler <lforsch...@apple.com>
+
Merged 87827.
2011-06-01 Abhishek Arya <infe...@chromium.org>
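Review bot: The entry title names DOMWindow::setLocation but the only function listed as changed is WebCore::DOMWindow::isInsecureScriptAccess, and that line carries no description after the colon. Suggest adding a phrase there, for example that access is now refused whenever this is not the frame's current DOMWindow, so the ChangeLog ties the titled symptom to the function that was actually modified.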
Modified: branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp (91422 => 91423)
--- branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp 2011-07-20 23:33:04 UTC (rev 91422)
+++ branches/safari-534.51-branch/Source/WebCore/page/DOMWindow.cpp 2011-07-20 23:34:30 UTC (rev 91423)
@@ -1706,14 +1706,21 @@
if (!protocolIsJavaScript(urlString))
return false;
- // FIXME: Is there some way to eliminate the need for a separate "activeWindow == this" check?
- if (activeWindow == this)
- return false;
+ // If m_frame->domWindow() != this, then |this| isn't the DOMWindow that's
+ // currently active in the frame and there's no way we should allow the
+ // access.
+ // FIXME: Remove this check if we're able to disconnect DOMWindow from
+ // Frame on navigation: https://bugs.webkit.org/show_bug.cgi?id=62054
+ if (m_frame->domWindow() == this) {
+ // FIXME: Is there some way to eliminate the need for a separate "activeWindow == this" check?
+ if (activeWindow == this)
+ return false;
- // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
- // Can we name the SecurityOrigin function better to make this more clear?
- if (activeWindow->securityOrigin()->canAccess(securityOrigin()))
- return false;
+ // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
+ // Can we name the SecurityOrigin function better to make this more clear?
+ if (activeWindow->securityOrigin()->canAccess(securityOrigin()))
+ return false;
+ }
printErrorMessage(crossDomainAccessErrorMessage(activeWindow));
return true;
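Review bot: The new condition "if (m_frame->domWindow() == this)" dereferences m_frame, and no null check is visible in the lines shown. Since the change is specifically about DOMWindows that are no longer active in their frame, please confirm that a guard above the shown context guarantees m_frame is non-null on this path, or add one here and treat a null frame the same as the inactive case (fall through to the error and return true). It would also help to note in the comment that the fall-through is the deny path, since the block now relies on skipping both "return false" statements rather than on an explicit early return.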