Diff
Modified: branches/safari-603-branch/LayoutTests/ChangeLog (211712 => 211713)
--- branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/LayoutTests/ChangeLog 2017-02-06 06:17:42 UTC (rev 211713)
@@ -1,5 +1,22 @@
2017-02-05 Matthew Hanson <matthew_han...@apple.com>
+ Merge r211504. rdar://problem/30301117
+
+ 2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ Add layout test coverage.
+
+ * http/tests/security/symbols-cross-origin-expected.txt: Added.
+ * http/tests/security/symbols-cross-origin.html: Added.
+
+2017-02-05 Matthew Hanson <matthew_han...@apple.com>
+
Merge r211659. rdar://problem/28725791
2017-02-03 Jer Noble <jer.no...@apple.com>
Added: branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt (0 => 211713)
--- branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin-expected.txt 2017-02-06 06:17:42 UTC (rev 211713)
@@ -0,0 +1,24 @@
+Tests that symbols can be accessed on cross origin Window / Location objects
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+* Window
+FAIL (new Object).toString.call(crossOriginWindow) should be [object Object]. Was [object Window].
+PASS crossOriginWindow instanceof Window is false
+PASS Array.prototype.concat.call(crossOriginWindow, ['A']) is [crossOriginWindow, 'A']
+PASS crossOriginWindow.toString() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS '' + crossOriginWindow threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS crossOriginWindow.concat(['A']) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+
+* Location
+FAIL (new Object).toString.call(crossOriginWindow.location) should be [object Object]. Was [object Location].
+PASS crossOriginWindow.location instanceof Location is false
+PASS Array.prototype.concat.call(crossOriginWindow.location, ['A']) is [crossOriginWindow.location, 'A']
+PASS crossOriginWindow.location.toString() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS '' + crossOriginWindow.location threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS crossOriginWindow.location.concat(['A']) threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin.html (0 => 211713)
--- branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/security/symbols-cross-origin.html 2017-02-06 06:17:42 UTC (rev 211713)
@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe id="crossOriginFrame" src=""
+<script>
+description("Tests that symbols can be accessed on cross origin Window / Location objects");
+jsTestIsAsync = true;
+
+window._onload_ = function() {
+ crossOriginWindow = document.getElementById("crossOriginFrame").contentWindow;
+ debug("* Window");
+ try {
+ shouldBeEqualToString("(new Object).toString.call(crossOriginWindow)", "[object Object]");
+ } catch (e) {
+ testFailed("toString threw an exception: " + e);
+ }
+
+ try {
+ shouldBeFalse("crossOriginWindow instanceof Window");
+ } catch (e) {
+ testFailed("hasInstance threw an exception: " + e);
+ }
+
+ try {
+ shouldBe("Array.prototype.concat.call(crossOriginWindow, ['A'])", "[crossOriginWindow, 'A']");
+ } catch (e) {
+ testFailed("concat threw an exception: " + e);
+ }
+
+ shouldThrowErrorName("crossOriginWindow.toString()", "SecurityError");
+ shouldThrowErrorName("'' + crossOriginWindow", "SecurityError");
+ shouldThrowErrorName("crossOriginWindow.concat(['A'])", "SecurityError");
+
+ debug("");
+ debug("* Location");
+ try {
+ shouldBeEqualToString("(new Object).toString.call(crossOriginWindow.location)", "[object Object]");
+ } catch (e) {
+ testFailed("toString threw an exception: " + e);
+ }
+
+ try {
+ shouldBeFalse("crossOriginWindow.location instanceof Location");
+ } catch (e) {
+ testFailed("hasInstance threw an exception: " + e);
+ }
+
+ try {
+ shouldBe("Array.prototype.concat.call(crossOriginWindow.location, ['A'])", "[crossOriginWindow.location, 'A']");
+ } catch (e) {
+ testFailed("concat threw an exception: " + e);
+ }
+
+ shouldThrowErrorName("crossOriginWindow.location.toString()", "SecurityError");
+ shouldThrowErrorName("'' + crossOriginWindow.location", "SecurityError");
+ shouldThrowErrorName("crossOriginWindow.location.concat(['A'])", "SecurityError");
+
+ finishJSTest();
+}
+</script>
+<script src=""
+</body>
+</html>
Modified: branches/safari-603-branch/LayoutTests/imported/w3c/ChangeLog (211712 => 211713)
--- branches/safari-603-branch/LayoutTests/imported/w3c/ChangeLog 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/LayoutTests/imported/w3c/ChangeLog 2017-02-06 06:17:42 UTC (rev 211713)
@@ -1,3 +1,23 @@
+2017-02-05 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r211504. rdar://problem/30301117
+
+ 2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ Rebaseline W3C test now that we passing one more check. We're still failing
+ later because {}.toString.call(crossOriginWindow) returns "[object Window]"
+ instead of "[object Object]". I am planning to fix this in a follow-up.
+ This is not a regression since we were returning "[object Window]" before
+ r205136.
+
+ * web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt:
+
2017-01-18 Matthew Hanson <matthew_han...@apple.com>
Merge r210860. rdar://problem/30080035
Modified: branches/safari-603-branch/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt (211712 => 211713)
--- branches/safari-603-branch/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/LayoutTests/imported/w3c/web-platform-tests/html/browsers/origin/cross-origin-objects/cross-origin-objects-expected.txt 2017-02-06 06:17:42 UTC (rev 211713)
@@ -19,4 +19,5 @@
PASS Same-origin observers get different functions for cross-origin objects
PASS Same-origin observers get different accessors for cross-origin Window
PASS Same-origin observers get different accessors for cross-origin Location
+FAIL {}.toString.call() does the right thing on cross-origin objects assert_equals: expected "[object Object]" but got "[object Window]"
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (211712 => 211713)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-02-06 06:17:42 UTC (rev 211713)
@@ -1,5 +1,32 @@
2017-02-05 Matthew Hanson <matthew_han...@apple.com>
+ Merge r211504. rdar://problem/30301117
+
+ 2017-02-01 Chris Dumez <cdu...@apple.com>
+
+ REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw
+ https://bugs.webkit.org/show_bug.cgi?id=167681
+ <rdar://problem/30301117>
+
+ Reviewed by Mark Lam.
+
+ As per https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-):
+ """
+ If P is @@toStringTag, @@hasInstance, or @@isConcatSpreadable, then return
+ PropertyDescriptor{ [[Value]]: undefined, [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
+ """
+
+ We now implement this behavior instead of throwing.
+
+ Test: http/tests/security/symbols-cross-origin.html
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::getOwnPropertySlotDelegate):
+
+2017-02-05 Matthew Hanson <matthew_han...@apple.com>
+
Merge r211659. rdar://problem/28725791
2017-02-03 Jer Noble <jer.no...@apple.com>
Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (211712 => 211713)
--- branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2017-02-06 06:17:42 UTC (rev 211713)
@@ -95,6 +95,11 @@
return true;
}
+ if (propertyName == exec->propertyNames().toStringTagSymbol || propertyName == exec->propertyNames().hasInstanceSymbol || propertyName == exec->propertyNames().isConcatSpreadableSymbol) {
+ slot.setUndefined();
+ return true;
+ }
+
// These are the functions we allow access to cross-origin (DoNotCheckSecurity in IDL).
// Always provide the original function, on a fresh uncached function object.
if (propertyName == exec->propertyNames().blur) {
Modified: branches/safari-603-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp (211712 => 211713)
--- branches/safari-603-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp 2017-02-06 06:17:38 UTC (rev 211712)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/JSLocationCustom.cpp 2017-02-06 06:17:42 UTC (rev 211713)
@@ -51,6 +51,11 @@
if (BindingSecurity::shouldAllowAccessToFrame(*state, *frame, message))
return false;
+ if (propertyName == state->propertyNames().toStringTagSymbol || propertyName == state->propertyNames().hasInstanceSymbol || propertyName == state->propertyNames().isConcatSpreadableSymbol) {
+ slot.setUndefined();
+ return true;
+ }
+
// We only allow access to Location.replace() cross origin.
if (propertyName == state->propertyNames().replace) {
slot.setCustom(this, ReadOnly | DontEnum, nonCachingStaticFunctionGetter<jsLocationInstanceFunctionReplace, 1>);