Title: [117278] releases/WebKitGTK/webkit-1.8
Revision: 117278
Author: [email protected]
Date: 2012-05-16 06:55:47 -0700 (Wed, 16 May 2012)
Log Message
Merge 112184 - FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
https://bugs.webkit.org/show_bug.cgi?id=81020
Reviewed by Eric Seidel.
Source/WebCore:
The vast majority of security checks in the browser should use a
ScriptExecutionContext (aka a Document) to designate "who" is
attempting to perform a given action. Unfortunately,
shouldAllowNavigation was using a Frame to designate "who" is
attempting the navigation.
In cases when the executing script is "inactive" (i.e., belongs to a
document that is not currently displayed in a Frame), using the Frame
can cause us to grant the script the privileges of the document that's
currently displayed in the Frame rather than the one that contains the
script.
This patch moves shouldAllowNavigation from FrameLoader to Document
(and renames it to canNavigate), effectively changing the context object
from a Frame to a Document.
Test: http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html
* bindings/generic/BindingSecurity.h:
(BindingSecurity):
(WebCore):
* bindings/v8/V8Utilities.cpp:
(WebCore):
* bindings/v8/V8Utilities.h:
(WebCore):
- Deletes unused code.
* dom/Document.cpp:
(WebCore::canAccessAncestor):
(WebCore):
(WebCore::Document::canNavigate):
- canNavigate is copied from FrameLoader::shouldAllowNavigation.
I've added a null-check bailout if the document is inactive.
* dom/Document.h:
(Document):
* loader/FormState.cpp:
(WebCore::FormState::FormState):
(WebCore::FormState::create):
* loader/FormState.h:
(WebCore):
(FormState):
(WebCore::FormState::sourceDocument):
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
- Changes the context object from Frame to Document.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm):
(WebCore::FrameLoader::loadFrameRequest):
(WebCore):
(WebCore::FrameLoader::findFrameForNavigation):
- FrameLoader::findFrameForNavigation still incorrectly uses Frame
as the context object, but that's a bug for another patch.
(WebCore::createWindow):
* loader/FrameLoader.h:
(FrameLoader):
* loader/NavigationScheduler.cpp:
(WebCore::ScheduledFormSubmission::fire):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::close):
(WebCore::DOMWindow::setLocation):
(WebCore::DOMWindow::open):
* page/History.cpp:
(WebCore::History::go):
Source/WebKit/mac:
Update call site to new function name.
* WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::dispatchWillSubmitForm):
Source/WebKit/win:
Update call site to new function name.
* WebFrame.cpp:
(WebFrame::dispatchWillSubmitForm):
Source/WebKit2:
Update call site to new function name.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):
LayoutTests:
Test that a script from an inactive document doesn't inherit the
navigation privileges of the document that currently occupies the
frame.
* http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt: Added.
* http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Added.
* http/tests/security/frameNavigation/resources/fail.html: Added.
* http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html:
* http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html: Added.
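The log message above describes the bug abstractly: when the check asks a Frame "who" is navigating, it answers with whatever document that frame displays right now, not the document that owns the running script. The following is an added, self-contained model written for this page; it is not WebKit's code, and the types (SecurityOrigin, Document, Frame), the ancestor rule and the scenario are simplifications constructed to reproduce the situation named by the layout test, inactive-function-in-popup-navigate-child. It places the Frame-context check beside the Document-context check with the null-frame bailout, and runs both on the same frame tree.

```cpp
#include <iostream>
#include <string>

// Simplified model (added example, not WebKit code). An origin is just a host
// string; two origins can access each other only when the hosts are equal.
struct Frame;

struct SecurityOrigin {
    std::string host;
    bool canAccess(const SecurityOrigin& other) const { return host == other.host; }
};

// A document knows its origin and the frame that currently displays it.
// frame == nullptr models an "inactive" document: one that has been navigated
// away from but is still reachable from script (e.g. through a saved function).
struct Document {
    SecurityOrigin origin;
    Frame* frame = nullptr;
};

// A node of the frame tree; `document` is whatever the frame displays right now.
struct Frame {
    Frame* parent = nullptr;
    Document* document = nullptr;
};

// Walk from `target` up through its ancestors; `active` may navigate the target
// if it can access any frame on that path (a constructed, simplified rule).
bool canAccessAncestor(const SecurityOrigin& active, const Frame* target) {
    for (const Frame* f = target; f; f = f->parent)
        if (f->document && active.canAccess(f->document->origin))
            return true;
    return false;
}

// BEFORE: the Frame designates "who". The privilege used is that of whatever
// document the frame displays *now*, not the document that owns the script.
bool shouldAllowNavigationFrameContext(const Frame* activeFrame, const Frame* target) {
    return canAccessAncestor(activeFrame->document->origin, target);
}

// AFTER: the Document designates "who". An inactive document has no frame and
// is refused outright (the null-check bailout the log message mentions).
bool canNavigateDocumentContext(const Document* activeDocument, const Frame* target) {
    if (!activeDocument->frame)
        return false;
    return canAccessAncestor(activeDocument->origin, target);
}

struct Outcome {
    bool frameContextAllows;
    bool documentContextAllows;
};

// Scenario modelled on the layout test name: a popup first displays a document
// from origin A; a function defined there is kept alive by the opener; the popup
// is then navigated to origin B, whose page contains a child frame; finally the
// saved function runs and asks to navigate B's child frame.
Outcome inactiveFunctionInPopupNavigateChild() {
    Document originADoc{{"a.example"}, nullptr};
    Document originBDoc{{"b.example"}, nullptr};
    Document originBChildDoc{{"b.example"}, nullptr};

    Frame popup;
    Frame child;
    child.parent = &popup;

    // Step 1: the popup shows A's document.
    popup.document = &originADoc;
    originADoc.frame = &popup;

    // Step 2: the popup navigates to B; A's document becomes inactive.
    popup.document = &originBDoc;
    originBDoc.frame = &popup;
    originADoc.frame = nullptr;
    child.document = &originBChildDoc;
    originBChildDoc.frame = &child;

    // Step 3: the saved function belongs to A's inactive document but runs with
    // the popup as its frame, so the Frame-based check borrows B's privileges.
    return Outcome{
        shouldAllowNavigationFrameContext(&popup, &child),   // true: wrongly allowed
        canNavigateDocumentContext(&originADoc, &child),     // false: refused
    };
}

// Control: a document that is active in its own frame gets the same answer
// from both checks, so the change affects only the inactive case.
bool activeDocumentStillNavigatesOwnChild() {
    Document parentDoc{{"b.example"}, nullptr};
    Document childDoc{{"b.example"}, nullptr};
    Frame parent, child;
    child.parent = &parent;
    parent.document = &parentDoc; parentDoc.frame = &parent;
    child.document = &childDoc;   childDoc.frame = &child;
    return shouldAllowNavigationFrameContext(&parent, &child)
        && canNavigateDocumentContext(&parentDoc, &child);
}

int main() {
    Outcome o = inactiveFunctionInPopupNavigateChild();
    std::cout << "frame context allows:    " << o.frameContextAllows << "\n"
              << "document context allows: " << o.documentContextAllows << "\n"
              << "active control:          " << activeDocumentStillNavigatesOwnChild() << "\n";
    return 0;
}
```

The model deliberately refuses an inactive document rather than trying to recover its former frame: once a document is no longer displayed, there is no frame-tree position on which a sensible privilege decision could be based, so failing closed is the only answer that cannot be confused with the privileges of whatever replaced it.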
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (117277 => 117278)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-16 13:55:04 UTC (rev 117277)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-05-16 13:55:47 UTC (rev 117278)
@@ -1,3 +1,20 @@
+2012-03-26 Adam Barth <[email protected]>
+
+ FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
+ https://bugs.webkit.org/show_bug.cgi?id=81020
+
+ Reviewed by Eric Seidel.
+
+ Test that a script from an inactive document doesn't inherit the
+ navigation privileges of the document that currently occupies the
+ frame.
+
+ * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt: Added.
+ * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Added.
+ * http/tests/security/frameNavigation/resources/fail.html: Added.
+ * http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html:
+ * http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html: Added.
+
2012-04-12 Philippe Normand <[email protected]>
Unreviewed, GTK test_expectations post-Skipped-migration update #2.
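Review bot: the line for resources/iframe-with-inner-frame-on-foreign-domain.html is the only entry without "Added." and gives no hint of what changed in that file, unlike the four new files around it; add a short note of the modification so the ChangeLog records why an existing shared test resource was touched. The entry keeps its original date (2012-03-26) although it sits above the 2012-04-12 entry that follows it, which is fine for a merge into the 1.8 branch, but it would help to name the merged revision (112184) in the entry as the log message does.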
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (117277 => 117278)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:55:04 UTC (rev 117277)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-05-16 13:55:47 UTC (rev 117278)
@@ -1,3 +1,73 @@
+2012-03-26 Adam Barth <[email protected]>
+
+ FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
+ https://bugs.webkit.org/show_bug.cgi?id=81020
+
+ Reviewed by Eric Seidel.
+
+ The vast majority of security checks in the browser should use a
+ ScriptExecutionContext (aka a Document) to designate "who" is
+ attempting to perform a given action. Unfortunately,
+ shouldAllowNavigation was using a Frame to designate "who" is
+ attempting the navigation.
+
+ In cases when the executing script is "inactive" (i.e., belongs to a
+ document that is not currently displayed in a Frame), using the Frame
+ can cause us to grant the script the privileges of the document that's
+ currently displayed in the Frame rather than the one that contains the
+ script.
+
+ This patch moves shouldAllowNavigation from FrameLoader to Document
+ (and renames it to canNavigate), effectively change the context object
+ from a Frame to a Document.
+
+ Test: http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html
+
+ * bindings/generic/BindingSecurity.h:
+ (BindingSecurity):
+ (WebCore):
+ * bindings/v8/V8Utilities.cpp:
+ (WebCore):
+ * bindings/v8/V8Utilities.h:
+ (WebCore):
+ - Deletes unused code.
+ * dom/Document.cpp:
+ (WebCore::canAccessAncestor):
+ (WebCore):
+ (WebCore::Document::canNavigate):
+ - canNavigate is copied from FrameLoader::shouldAllowNavigation.
+ I've added a null-check bailout if the document is inactive.
+ * dom/Document.h:
+ (Document):
+ * loader/FormState.cpp:
+ (WebCore::FormState::FormState):
+ (WebCore::FormState::create):
+ * loader/FormState.h:
+ (WebCore):
+ (FormState):
+ (WebCore::FormState::sourceDocument):
+ * loader/FormSubmission.cpp:
+ (WebCore::FormSubmission::create):
+ - Changes the context object from Frame to Document.
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::submitForm):
+ (WebCore::FrameLoader::loadFrameRequest):
+ (WebCore):
+ (WebCore::FrameLoader::findFrameForNavigation):
+ - FrameLoader::findFrameForNavigation still incorrectly uses Frame
+ as the context object, but that's a bug for another patch.
+ (WebCore::createWindow):
+ * loader/FrameLoader.h:
+ (FrameLoader):
+ * loader/NavigationScheduler.cpp:
+ (WebCore::ScheduledFormSubmission::fire):
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::close):
+ (WebCore::DOMWindow::setLocation):
+ (WebCore::DOMWindow::open):
+ * page/History.cpp:
+ (WebCore::History::go):
+
2012-03-13 Stephen Chenney <[email protected]>
Crash in WebCore::GraphicsContext::paintingDisabled
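Review bot: the note under (WebCore::Document::canNavigate), "I've added a null-check bailout if the document is inactive", does not say which way the bailout resolves; state explicitly that an inactive document is refused (fails closed), since that is the whole point of the change and the LayoutTests description ("doesn't inherit the navigation privileges") depends on it. Also, the admitted leftover in (WebCore::FrameLoader::findFrameForNavigation), "still incorrectly uses Frame as the context object, but that's a bug for another patch", should cite a follow-up bug id so the remaining Frame-based context is tracked rather than left only in this ChangeLog.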
Modified: releases/WebKitGTK/webkit-1.8/Source/WebKit/mac/ChangeLog (117277 => 117278)
--- releases/WebKitGTK/webkit-1.8/Source/WebKit/mac/ChangeLog 2012-05-16 13:55:04 UTC (rev 117277)
+++ releases/WebKitGTK/webkit-1.8/Source/WebKit/mac/ChangeLog 2012-05-16 13:55:47 UTC (rev 117278)
@@ -1,3 +1,15 @@
+2012-03-26 Adam Barth <[email protected]>
+
+ FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
+ https://bugs.webkit.org/show_bug.cgi?id=81020
+
+ Reviewed by Eric Seidel.
+
+ Update call site to new function name.
+
+ * WebCoreSupport/WebFrameLoaderClient.mm:
+ (WebFrameLoaderClient::dispatchWillSubmitForm):
+
2012-04-18 Adam Barth <[email protected]>
FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
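Review bot: the new entry (dated 2012-03-26) lands directly above an existing entry dated 2012-04-18 that carries the identical title, so this file's ChangeLog on the 1.8 branch now lists the same title twice; confirm that the earlier merge had not already renamed the call site in WebFrameLoaderClient::dispatchWillSubmitForm, and if both entries are intended, note in the newer one how they relate. The same pattern appears in the WebKit/win and WebKit2 ChangeLog hunks below.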
Modified: releases/WebKitGTK/webkit-1.8/Source/WebKit/win/ChangeLog (117277 => 117278)
--- releases/WebKitGTK/webkit-1.8/Source/WebKit/win/ChangeLog 2012-05-16 13:55:04 UTC (rev 117277)
+++ releases/WebKitGTK/webkit-1.8/Source/WebKit/win/ChangeLog 2012-05-16 13:55:47 UTC (rev 117278)
@@ -1,3 +1,15 @@
+2012-03-26 Adam Barth <[email protected]>
+
+ FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
+ https://bugs.webkit.org/show_bug.cgi?id=81020
+
+ Reviewed by Eric Seidel.
+
+ Update call site to new function name.
+
+ * WebFrame.cpp:
+ (WebFrame::dispatchWillSubmitForm):
+
2012-04-18 Adam Barth <[email protected]>
FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
Modified: releases/WebKitGTK/webkit-1.8/Source/WebKit2/ChangeLog (117277 => 117278)
--- releases/WebKitGTK/webkit-1.8/Source/WebKit2/ChangeLog 2012-05-16 13:55:04 UTC (rev 117277)
+++ releases/WebKitGTK/webkit-1.8/Source/WebKit2/ChangeLog 2012-05-16 13:55:47 UTC (rev 117278)
@@ -1,3 +1,15 @@
+2012-03-26 Adam Barth <[email protected]>
+
+ FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
+ https://bugs.webkit.org/show_bug.cgi?id=81020
+
+ Reviewed by Eric Seidel.
+
+ Update call site to new function name.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):
+
2012-04-18 Adam Barth <[email protected]>
FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes