Title: [204266] trunk
- Revision: 204266
- Author: wilan...@apple.com
- Date: 2016-08-08 14:43:36 -0700 (Mon, 08 Aug 2016)
Log Message
Popups opened from a sandboxed iframe should themselves be sandboxed
https://bugs.webkit.org/show_bug.cgi?id=134850
<rdar://problem/27375388>
Reviewed by Brent Fulgham.
Source/WebCore:
Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
Now copies the opener's frame loader effective sandbox flags to the
new frame loader.
LayoutTests:
* http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
* http/tests/security/resources/page-executing-_javascript_.html: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (204265 => 204266)
--- trunk/LayoutTests/ChangeLog 2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/LayoutTests/ChangeLog 2016-08-08 21:43:36 UTC (rev 204266)
@@ -1,3 +1,16 @@
+2016-08-08 John Wilander <wilan...@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+ * http/tests/security/resources/page-executing-_javascript_.html: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
2016-08-08 Chris Dumez <cdu...@apple.com>
Align Selection API with the specification
Added: trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (0 => 204266)
--- trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html 2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+ <a id="theLink" target="_blank" href="" page that executes _javascript_</a>
+</body>
+</html>
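Review bot: the `<a>` on the `theLink` line is malformed as shown: `href=""` is empty and the start tag is never closed before the link text, so as rendered here the link has no destination. The expected output names `resources/page-executing-_javascript_.html` as the popup document, so the intended line is presumably `<a id="theLink" target="_blank" href="page-executing-_javascript_.html">page that executes _javascript_</a>`; please confirm the committed file carries the href, since the whole test depends on the click navigating to that page.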
Added: trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (0 => 204266)
--- trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/page-executing-_javascript_.html 2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: _javascript_ was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+ document.getElementById("output").innerHTML = "Fail: _javascript_ was allowed to execute.";
+</script>
+</body>
+</html>
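Review bot: the Pass/Fail strings in this page never reach the recorded result. The opener calls `testRunner.dumpAsText()` and the expected file contains only the console message, so the `<noscript>` text and the `#output` assignment are documentation for a human reader rather than part of the oracle; a regression that let script run while also changing or suppressing the "Blocked script execution" console message would not flip the test. Worth stating that in a comment here, and for a constant string `textContent` is preferable to `innerHTML`.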
Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (0 => 204266)
--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt 2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-_javascript_.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
Added: trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (0 => 204266)
--- trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html 2016-08-08 21:43:36 UTC (rev 204266)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="UTF-8">
+ <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+ <script src=""
+</head>
+<body>
+<script>
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ testRunner.setPopupBlockingEnabled(false);
+ testRunner.dumpAsText();
+ }
+
+ function wrapUp () {
+ if (window.testRunner) {
+ testRunner.notifyDone();
+ }
+ }
+
+ function run() {
+ var iframeContentDocument = document.getElementById("theIframe").contentDocument,
+ theLink = iframeContentDocument.getElementById("theLink"),
+ clickEvent = document.createEvent("HTMLEvents");
+ clickEvent.initEvent("click", true, true);
+ theLink.dispatchEvent(clickEvent);
+
+ setTimeout(wrapUp, 500);
+ }
+</script>
+<iframe _onload_="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src=""
+</body>
+</html>
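Review bot: `setTimeout(wrapUp, 500)` is the only completion signal, so `notifyDone()` fires whether or not the popup has finished loading; on a slow bot the console message may land after the dump, making this flaky in the direction of a spurious failure, and there is no positive assertion that the popup opened at all. Consider having the opener observe the popup's load (the iframe is `allow-same-origin`) rather than a fixed delay. Separately, the sandbox attribute here is `allow-same-origin allow-popups` only; a companion test with `allow-popups-to-escape-sandbox` would pin down the intended behaviour for that keyword, which the FrameLoader change does not distinguish.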
Modified: trunk/Source/WebCore/ChangeLog (204265 => 204266)
--- trunk/Source/WebCore/ChangeLog 2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/Source/WebCore/ChangeLog 2016-08-08 21:43:36 UTC (rev 204266)
@@ -1,3 +1,18 @@
+2016-08-08 John Wilander <wilan...@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
+ Now copies the opener's frame loader effective sandbox flags to the
+ new frame loader.
+
2016-08-08 Chris Dumez <cdu...@apple.com>
Align Selection API with the specification
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (204265 => 204266)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-08-08 21:41:52 UTC (rev 204265)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-08-08 21:43:36 UTC (rev 204266)
@@ -3118,6 +3118,8 @@
if (!mainFrame)
return;
+ mainFrame->loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
if (frameName != "_blank")
mainFrame->tree().setName(frameName);
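Review bot: `forceSandboxFlags(frame->loader().effectiveSandboxFlags())` copies the opener's flags unconditionally, so there is no place for the `allow-popups-to-escape-sandbox` keyword to take effect; if that token is parsed now or later, this line needs to consult it before forcing. The placement itself is right: the flags are applied before the name is set and before any load on the new frame begins. Please also confirm that every popup-creation path (anchor `target="_blank"` as in the test, and `window.open`) reaches `continueLoadAfterNewWindowPolicy`, since the ChangeLog presents this as the single fix point and only the anchor case is covered by the new test.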
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes