Title: [182284] trunk
Revision
182284
Author
a...@apple.com
Date
2015-04-02 12:50:13 -0700 (Thu, 02 Apr 2015)

Log Message

Clean up access checks in JSHistoryCustom.cpp
https://bugs.webkit.org/show_bug.cgi?id=143227

Reviewed by Sam Weinig.

Source/WebCore:

* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::putDelegate):
(WebCore::JSHistory::deleteProperty):
(WebCore::JSHistory::deletePropertyByIndex):
(WebCore::JSHistory::getOwnPropertyNames):
(WebCore::JSHistory::pushState):
(WebCore::JSHistory::replaceState):

LayoutTests:

* http/tests/security/cross-frame-access-call-expected.txt:
* http/tests/security/cross-frame-access-call.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (182283 => 182284)


--- trunk/LayoutTests/ChangeLog	2015-04-02 19:46:29 UTC (rev 182283)
+++ trunk/LayoutTests/ChangeLog	2015-04-02 19:50:13 UTC (rev 182284)
@@ -1,5 +1,15 @@
 2015-04-02  Alexey Proskuryakov  <a...@apple.com>
 
+        Clean up access checks in JSHistoryCustom.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=143227
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/security/cross-frame-access-call-expected.txt:
+        * http/tests/security/cross-frame-access-call.html:
+
+2015-04-02  Alexey Proskuryakov  <a...@apple.com>
+
         media/track/track-forced-subtitles-in-band.html times out
 
         * platform/mac/TestExpectations: Update the expectations - the test doens't only fail

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (182283 => 182284)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt	2015-04-02 19:46:29 UTC (rev 182283)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt	2015-04-02 19:50:13 UTC (rev 182284)
@@ -59,4 +59,6 @@
 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
 PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
+PASS: history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
+PASS: history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
 

Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call.html (182283 => 182284)


--- trunk/LayoutTests/http/tests/security/cross-frame-access-call.html	2015-04-02 19:46:29 UTC (rev 182283)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call.html	2015-04-02 19:50:13 UTC (rev 182284)
@@ -63,6 +63,10 @@
     // undefined value indicates failure
     shouldBe("window.location.toString.call(targetWindow.location)", "undefined");
 
+    // - Tests for the History object -
+    shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"), 
+    shouldBe("history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"), 
+
     // Work around DRT bug that causes subsequent tests to fail.
     window.stop();
 }
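Review bot: The two new shouldBe lines end with `,` instead of `;`, so together with `window.stop()` they form a single comma expression; it still runs in order, but it differs from every surrounding line and will break the moment a statement is inserted between them — change them to `shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined");` and the matching replaceState line. Both assertions also expect `undefined`, which is what pushState and replaceState return whether or not the cross-origin check refuses, so the PASS lines in the expected output alone do not show that the call was blocked; the denial is presumably only visible through a logged console message or the target frame's unchanged URL, and the test asserts neither. The enclosing function starts outside the hunk.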

Modified: trunk/Source/WebCore/ChangeLog (182283 => 182284)


--- trunk/Source/WebCore/ChangeLog	2015-04-02 19:46:29 UTC (rev 182283)
+++ trunk/Source/WebCore/ChangeLog	2015-04-02 19:50:13 UTC (rev 182284)
@@ -1,3 +1,18 @@
+2015-04-02  Alexey Proskuryakov  <a...@apple.com>
+
+        Clean up access checks in JSHistoryCustom.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=143227
+
+        Reviewed by Sam Weinig.
+
+        * bindings/js/JSHistoryCustom.cpp:
+        (WebCore::JSHistory::putDelegate):
+        (WebCore::JSHistory::deleteProperty):
+        (WebCore::JSHistory::deletePropertyByIndex):
+        (WebCore::JSHistory::getOwnPropertyNames):
+        (WebCore::JSHistory::pushState):
+        (WebCore::JSHistory::replaceState):
+
 2015-04-02  Alex Christensen  <achristen...@webkit.org>
 
         [Content Extensions] Only add unique universal action locations.

Modified: trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp (182283 => 182284)


--- trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp	2015-04-02 19:46:29 UTC (rev 182283)
+++ trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp	2015-04-02 19:50:13 UTC (rev 182284)
@@ -76,7 +76,6 @@
 
 bool JSHistory::putDelegate(ExecState* exec, PropertyName, JSValue, PutPropertySlot&)
 {
-    // Only allow putting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, impl().frame()))
         return true;
     return false;
@@ -85,7 +84,6 @@
 bool JSHistory::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(cell);
-    // Only allow deleting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
@@ -94,7 +92,6 @@
 bool JSHistory::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(cell);
-    // Only allow deleting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return false;
     return Base::deletePropertyByIndex(thisObject, exec, propertyName);
@@ -103,7 +100,6 @@
 void JSHistory::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(object);
-    // Only allow the history object to enumerated by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return;
     Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
@@ -125,6 +121,9 @@
 
 JSValue JSHistory::pushState(ExecState* exec)
 {
+    if (!shouldAllowAccessToFrame(exec, impl().frame()))
+        return jsUndefined();
+
     RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
     if (exec->hadException())
         return jsUndefined();
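Review bot: The new guard returns `jsUndefined()` when `shouldAllowAccessToFrame` refuses, which is the same value the successful path produces, so from the return value alone a caller — and the accompanying layout test, which only asserts `undefined` — cannot tell a blocked call from a completed one; if denial is meant to be observable, that has to come from the helper's own reporting, which this hunk does not show. The check is also added without the kind of comment the earlier hunks remove from putDelegate and the accessors; a one-line `// Callers can reach this through Function.prototype.call with another frame's History as |this|, so the method must check access itself.` above the new `if` would record why a custom method needs its own check (inferred from the new test, confirm against the binding). The same addition appears in replaceState in the following hunk. pushState's body continues beyond the hunk.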
@@ -151,6 +150,9 @@
 
 JSValue JSHistory::replaceState(ExecState* exec)
 {
+    if (!shouldAllowAccessToFrame(exec, impl().frame()))
+        return jsUndefined();
+
     RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
     if (exec->hadException())
         return jsUndefined();