- Revision
- 211504
- Author
- cdu...@apple.com
- Date
- 2017-02-01 12:13:05 -0800 (Wed, 01 Feb 2017)
Log Message
REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
https://bugs.webkit.org/show_bug.cgi?id=167681
<rdar://problem/30301117>
Reviewed by Mark Lam.
LayoutTests/imported/w3c:
Rebaseline W3C test now that we passing one more check. We're still failing
later because {}.toString.call(crossOriginWindow) returns "[object Window]"
instead of "[object Object]". I am planning to fix this in a follow-up.
This is not a regression since we were returning "[object Window]" before
r205136.
* web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
Source/WebCore:
As per https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-):
"""
If P is @@toStringTag, @@hasInstance, or @@isConcatSpreadable, then return
PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
"""
We now implement this behavior instead of throwing.
Test: http/tests/security/symbols-cross-origin.html
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::getOwnPropertySlotDelegate):
LayoutTests:
Add layout test coverage.
* http/tests/security/symbols-cross-origin-expected.txt: Added.
* http/tests/security/symbols-cross-origin.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (211503 => 211504)
--- trunk/LayoutTests/ChangeLog 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/LayoutTests/ChangeLog 2017-02-01 20:13:05 UTC (rev 211504)
@@ -1,3 +1,16 @@
+2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ Add layout test coverage.
+
+ * http/tests/security/symbols-cross-origin-expected.txt: Added.
+ * http/tests/security/symbols-cross-origin.html: Added.
+
2017-02-01 Antoine Quint <grao...@apple.com>
[mac-wk1] LayoutTest media/modern-media-controls/tracks-support/tracks-support-click-track-in-panel.html is a flaky timeout
Added: trunk/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt (0 => 211504)
--- trunk/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt 2017-02-01 20:13:05 UTC (rev 211504)
@@ -0,0 +1,24 @@
+Tests that symbols can be accessed on cross origin Window / Location objects
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+* Window
+FAIL (new Object).toString.call(crossOriginWindow) should be [object Object]. Was [object Window].
+PASS crossOriginWindow instanceof Window is false
+PASS Array.prototype.concat.call(crossOriginWindow, ['A']) is [crossOriginWindow, 'A']
+PASS crossOriginWindow.toString() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS '' + crossOriginWindow threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS crossOriginWindow.concat(['A']) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+
+* Location
+FAIL (new Object).toString.call(crossOriginWindow.location) should be [object Object]. Was [object Location].
+PASS crossOriginWindow.location instanceof Location is false
+PASS Array.prototype.concat.call(crossOriginWindow.location, ['A']) is [crossOriginWindow.location, 'A']
+PASS crossOriginWindow.location.toString() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS '' + crossOriginWindow.location threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS crossOriginWindow.location.concat(['A']) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/symbols-cross-origin.html (0 => 211504)
--- trunk/LayoutTests/http/tests/security/symbols-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/symbols-cross-origin.html 2017-02-01 20:13:05 UTC (rev 211504)
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe id="crossOriginFrame" src=""
+<script>
+description("Tests that symbols can be accessed on cross origin Window / Location objects");
+jsTestIsAsync = true;
+
+window._onload_ = function() {
+ crossOriginWindow = document.getElementById("crossOriginFrame").contentWindow;
+ debug("* Window");
+ try {
+ shouldBeEqualToString("(new Object).toString.call(crossOriginWindow)", "[object Object]");
+ } catch (e) {
+ testFailed("toString threw an exception: " + e);
+ }
+
+ try {
+ shouldBeFalse("crossOriginWindow instanceof Window");
+ } catch (e) {
+ testFailed("hasInstance threw an exception: " + e);
+ }
+
+ try {
+ shouldBe("Array.prototype.concat.call(crossOriginWindow, ['A'])", "[crossOriginWindow, 'A']");
+ } catch (e) {
+ testFailed("concat threw an exception: " + e);
+ }
+
+ shouldThrowErrorName("crossOriginWindow.toString()", "SecurityError");
+ shouldThrowErrorName("'' + crossOriginWindow", "SecurityError");
+ shouldThrowErrorName("crossOriginWindow.concat(['A'])", "SecurityError");
+
+ debug("");
+ debug("* Location");
+ try {
+ shouldBeEqualToString("(new Object).toString.call(crossOriginWindow.location)", "[object Object]");
+ } catch (e) {
+ testFailed("toString threw an exception: " + e);
+ }
+
+ try {
+ shouldBeFalse("crossOriginWindow.location instanceof Location");
+ } catch (e) {
+ testFailed("hasInstance threw an exception: " + e);
+ }
+
+ try {
+ shouldBe("Array.prototype.concat.call(crossOriginWindow.location, ['A'])", "[crossOriginWindow.location, 'A']");
+ } catch (e) {
+ testFailed("concat threw an exception: " + e);
+ }
+
+ shouldThrowErrorName("crossOriginWindow.location.toString()", "SecurityError");
+ shouldThrowErrorName("'' + crossOriginWindow.location", "SecurityError");
+ shouldThrowErrorName("crossOriginWindow.location.concat(['A'])", "SecurityError");
+
+ finishJSTest();
+}
+</script>
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (211503 => 211504)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2017-02-01 20:13:05 UTC (rev 211504)
@@ -1,3 +1,19 @@
+2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ Rebaseline W3C test now that we passing one more check. We're still failing
+ later because {}.toString.call(crossOriginWindow) returns "[object Window]"
+ instead of "[object Object]". I am planning to fix this in a follow-up.
+ This is not a regression since we were returning "[object Window]" before
+ r205136.
+
+ * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
+
2017-01-30 Chris Dumez <cdu...@apple.com>
Drop legacy Attributes.isId attribute
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt (211503 => 211504)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2017-02-01 20:13:05 UTC (rev 211504)
@@ -21,5 +21,5 @@
PASS Same-origin observers get different functions for cross-origin objects
PASS Same-origin observers get different accessors for cross-origin Window
PASS Same-origin observers get different accessors for cross-origin Location
-FAIL {}.toString.call() does the right thing on cross-origin objects Blocked a frame with origin "http://localhost:8800" from accessing a frame with origin "http://127.0.0.1:8800". Protocols, domains, and ports must match.
+FAIL {}.toString.call() does the right thing on cross-origin objects assert_equals: expected "[object Object]" but got "[object Window]"
Modified: trunk/Source/WebCore/ChangeLog (211503 => 211504)
--- trunk/Source/WebCore/ChangeLog 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/Source/WebCore/ChangeLog 2017-02-01 20:13:05 UTC (rev 211504)
@@ -1,3 +1,26 @@
+2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ As per https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-):
+ """
+ If P is @@toStringTag, @@hasInstance, or @@isConcatSpreadable, then return
+ PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
+ """
+
+ We now implement this behavior instead of throwing.
+
+ Test: http/tests/security/symbols-cross-origin.html
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::getOwnPropertySlotDelegate):
+
2017-02-01 Brent Fulgham <bfulg...@apple.com>
Correct "filesHaveSameVolume" predicate
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (211503 => 211504)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2017-02-01 20:13:05 UTC (rev 211504)
@@ -96,6 +96,11 @@
return true;
}
+ if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {
+ slot.setUndefined();
+ return true;
+ }
+
// These are the functions we allow access to cross-origin (DoNotCheckSecurity in IDL).
// Always provide the original function, on a fresh uncached function object.
if (propertyName == exec->propertyNames().blur) {
Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (211503 => 211504)
--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2017-02-01 20:03:48 UTC (rev 211503)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2017-02-01 20:13:05 UTC (rev 211504)
@@ -53,6 +53,11 @@
if (BindingSecurity::shouldAllowAccessToFrame(*state, *frame, message))
return false;
+ if (propertyName == state->propertyNames().toStringTagSymbol || propertyName == state->propertyNames().hasInstanceSymbol || propertyName == state->propertyNames().isConcatSpreadableSymbol) {
+ slot.setUndefined();
+ return true;
+ }
+
// We only allow access to Location.replace() cross origin.
if (propertyName == state->propertyNames().replace) {
slot.setCustom(this, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReplace, 1>);
