Title: [204266] trunk
Revision: 204266
Author: wilan...@apple.com
Date: 2016-08-08 14:43:36 -0700 (Mon, 08 Aug 2016)

Log Message

Popups opened from a sandboxed iframe should themselves be sandboxed
https://bugs.webkit.org/show_bug.cgi?id=134850
<rdar://problem/27375388>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
    Now copies the opener's frame loader effective sandbox flags to the
    new frame loader.

LayoutTests:

* http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
* http/tests/security/resources/page-executing-_javascript_.html: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (204265 => 204266)


--- trunk/LayoutTests/ChangeLog	2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/LayoutTests/ChangeLog	2016-08-08 21:43:36 UTC (rev 204266)
@@ -1,3 +1,16 @@
+2016-08-08  John Wilander  <wilan...@apple.com>
+
+        Popups opened from a sandboxed iframe should themselves be sandboxed
+        https://bugs.webkit.org/show_bug.cgi?id=134850
+        <rdar://problem/27375388>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+        * http/tests/security/resources/page-executing-_javascript_.html: Added.
+        * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+        * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
 2016-08-08  Chris Dumez  <cdu...@apple.com>
 
         Align Selection API with the specification

Added: trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (0 => 204266)


--- trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html	2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+    <a id="theLink" target="_blank" href="" page that executes _javascript_</a>
+</body>
+</html>
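Review bot: the `<a id="theLink" target="_blank" href="" ...>` line as rendered has an empty `href` and the link text "page that executes _javascript_" runs straight into the attribute list with no closing `>` on the opening tag, so the link target is not visible here; the expected output references `http://127.0.0.1:8000/security/resources/page-executing-_javascript_.html`, so confirm the committed file points the href at that resource (a relative `page-executing-_javascript_.html` suffices) and that the opening tag is closed before the text, otherwise the dispatched click navigates nowhere and the test passes for the wrong reason.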

Added: trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (0 => 204266)


--- trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html	2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: _javascript_ was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+    document.getElementById("output").innerHTML = "Fail: _javascript_ was allowed to execute.";
+</script>
+</body>
+</html>
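Review bot: `document.getElementById("output").innerHTML = "Fail: ..."` assigns a constant plain string, so `textContent` is the less surprising choice and avoids an HTML parse for no benefit; more importantly, neither the `<noscript>` "Pass" text nor this "Fail" text is ever dumped by the harness (the expectation file holds only the console line), so a short comment here saying that the real assertion is the sandbox console message would save the next reader from looking for a PASS/FAIL check that does not exist.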

Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (0 => 204266)


--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt	2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-_javascript_.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
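Review bot: the expectation is a single console line with no PASS/FAIL marker, so the only thing asserted is the exact wording of "Blocked script execution in ... because the document's frame is sandboxed and the 'allow-scripts' permission is not set.", which will need rebaselining on any rewording of that message, and a regression that lets script run while also dropping the console message would still pass. Have the main test page print an explicit PASS line (for example after `wrapUp`) so the intent is visible in the expected output alongside the console message.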

Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (0 => 204266)


--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html	2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+    <script src=""
+</head>
+<body>
+<script>
+    if (window.testRunner) {
+        testRunner.setCanOpenWindows();
+        testRunner.waitUntilDone();
+        testRunner.setPopupBlockingEnabled(false);
+        testRunner.dumpAsText();
+    }
+
+    function wrapUp () {
+        if (window.testRunner) {
+            testRunner.notifyDone();
+        }
+    }
+
+    function run() {
+        var iframeContentDocument = document.getElementById("theIframe").contentDocument,
+            theLink = iframeContentDocument.getElementById("theLink"),
+            clickEvent = document.createEvent("HTMLEvents");
+        clickEvent.initEvent("click", true, true);
+        theLink.dispatchEvent(clickEvent);
+
+        setTimeout(wrapUp, 500);
+    }
+</script>
+<iframe _onload_="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src=""
+</body>
+</html>
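Review bot: `setTimeout(wrapUp, 500)` in `run()` makes completion time-dependent: on a slow bot the popup may not have loaded and logged its console message before `testRunner.notifyDone()` fires, giving a flaky miss of the expected line, and on a fast bot the 500 ms is simply wasted. The popup cannot signal back because it is meant to have no script, and the iframe deliberately omits `allow-scripts` (the parent drives the click via `contentDocument`, which is only reachable because `allow-same-origin` is present), so a comment above the timeout explaining why no event-based completion is available, plus the note that the missing `allow-scripts` keyword is the whole assertion, would make the design clear; also `_onload_` and the two `src=""` attributes appear mangled in this rendering, so confirm the committed file has `onload="run()"`, the test-harness script `src`, and the iframe `src` pointing at `resources/anchor-tag-with-blank-target.html`.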

Modified: trunk/Source/WebCore/ChangeLog (204265 => 204266)


--- trunk/Source/WebCore/ChangeLog	2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/Source/WebCore/ChangeLog	2016-08-08 21:43:36 UTC (rev 204266)
@@ -1,3 +1,18 @@
+2016-08-08  John Wilander  <wilan...@apple.com>
+
+        Popups opened from a sandboxed iframe should themselves be sandboxed
+        https://bugs.webkit.org/show_bug.cgi?id=134850
+        <rdar://problem/27375388>
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
+            Now copies the opener's frame loader effective sandbox flags to the
+            new frame loader.
+
 2016-08-08  Chris Dumez  <cdu...@apple.com>
 
         Align Selection API with the specification

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (204265 => 204266)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2016-08-08 21:43:36 UTC (rev 204266)
@@ -3118,6 +3118,8 @@
     if (!mainFrame)
         return;
 
+    mainFrame->loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
     if (frameName != "_blank")
         mainFrame->tree().setName(frameName);
 
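Review bot: the `mainFrame->loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags())` call copies the opener's flags unconditionally, so any future opt-out (the HTML spec's `allow-popups-to-escape-sandbox` keyword, which clears the "sandbox propagates to auxiliary browsing contexts" flag) will have to be threaded through this exact point; a one-line comment above the call stating that auxiliary windows inherit the opener's effective sandbox by design, with a pointer to bug 134850, would help the next reader. Also confirm that `forceSandboxFlags` ORs into whatever flags the new frame loader already holds rather than replacing them, so flags applied to the new window by other means are not silently lost.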