<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[191008] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/191008">191008</a></dd>
<dt>Author</dt> <dd>dino@apple.com</dd>
<dt>Date</dt> <dd>2015-10-13 14:46:10 -0700 (Tue, 13 Oct 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Device motion and orientation should only be visible from the main frame's security origin
https://bugs.webkit.org/show_bug.cgi?id=150072
<rdar://problem/23082036>
Reviewed by Brent Fulgham.
.:
Add a manual test for cross-origin device orientation events, while
we're waiting on the mock client to be supported everywhere.
* ManualTests/deviceorientation-child-frame.html: Added.
* ManualTests/deviceorientation-main-frame-only.html: Added.
Source/WebCore:
There are reports that gyroscope and accelerometer information can
be used to detect keyboard entry. One initial step to reduce the
risk is to forbid device motion and orientation events from
being fired in frames that are a different security origin from the main page.
Manual test: deviceorientation-main-frame-only.html
* page/DOMWindow.cpp:
(WebCore::DOMWindow::isSameSecurityOriginAsMainFrame): New helper function.
(WebCore::DOMWindow::addEventListener): Check if we are the main frame, or the
same security origin as the main frame. If not, don't add the event
listeners.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkChangeLog">trunk/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepageDOMWindowcpp">trunk/Source/WebCore/page/DOMWindow.cpp</a></li>
<li><a href="#trunkSourceWebCorepageDOMWindowh">trunk/Source/WebCore/page/DOMWindow.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkManualTestsdeviceorientationchildframehtml">trunk/ManualTests/deviceorientation-child-frame.html</a></li>
<li><a href="#trunkManualTestsdeviceorientationmainframeonlyhtml">trunk/ManualTests/deviceorientation-main-frame-only.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/ChangeLog (191007 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/ChangeLog 2015-10-13 21:45:43 UTC (rev 191007)
+++ trunk/ChangeLog 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2015-10-13 Dean Jackson <dino@apple.com>
+
+ Device motion and orientation should only be visible from the main frame's security origin
+ https://bugs.webkit.org/show_bug.cgi?id=150072
+ <rdar://problem/23082036>
+
+ Reviewed by Brent Fulgham.
+
+ Add a manual test for cross-origin device orientation events, while
+ we're waiting on the mock client to be supported everywhere.
+
+ * ManualTests/deviceorientation-child-frame.html: Added.
+ * ManualTests/deviceorientation-main-frame-only.html: Added.
+
</ins><span class="cx"> 2015-10-12 Philip Chimento <philip.chimento@gmail.com>
</span><span class="cx">
</span><span class="cx"> [GTK] OSX linker doesn't understand --whole-archive
</span></span></pre></div>
<a id="trunkManualTestsdeviceorientationchildframehtml"></a>
<div class="addfile"><h4>Added: trunk/ManualTests/deviceorientation-child-frame.html (0 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/ManualTests/deviceorientation-child-frame.html (rev 0)
+++ trunk/ManualTests/deviceorientation-child-frame.html 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+<html>
+<head>
+ <script>
+ var results = null;
+
+ function run() {
+ results = document.getElementById("results");
+ window.addEventListener("deviceorientation", handleDeviceOrientation, false);
+ }
+
+ function handleDeviceOrientation(event) {
+ results.textContent = "ERROR: Saw event in child frame.";
+ window.removeEventListener("deviceorientation", handleDeviceOrientation);
+ }
+
+ window.addEventListener("load", run, false);
+ </script>
+</head>
+<body>
+ <p>We should not see an event in here.</p>
+ <p id="results">Child frame has not seen event - this is ok.</p>
+</body>
+</html>
</ins><span class="cx">Property changes on: trunk/ManualTests/deviceorientation-child-frame.html
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnmimetype"></a>
<div class="addfile"><h4>Added: svn:mime-type</h4></div>
<a id="svnkeywords"></a>
<div class="addfile"><h4>Added: svn:keywords</h4></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<a id="trunkManualTestsdeviceorientationmainframeonlyhtml"></a>
<div class="addfile"><h4>Added: trunk/ManualTests/deviceorientation-main-frame-only.html (0 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/ManualTests/deviceorientation-main-frame-only.html (rev 0)
+++ trunk/ManualTests/deviceorientation-main-frame-only.html 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+<html>
+<head>
+ <script>
+ var results = null;
+
+ function run() {
+ results = document.getElementById("results");
+ window.addEventListener("deviceorientation", handleDeviceOrientation, false);
+ }
+
+ function handleDeviceOrientation(event) {
+ results.textContent = "Saw event in the main frame - this is ok";
+ window.removeEventListener("deviceorientation", handleDeviceOrientation);
+ }
+
+ window.addEventListener("load", run, false);
+ </script>
+</head>
+<body>
+ <p>This tests that deviceorientation events are not dispatched in different origin iframes.</p>
+ <p><b>REMEMBER TO CHANGE THE SRC OF THE IFRAME TO BE CROSS-ORIGIN</b></p>
+ <p>We should be able to detect the event in the main page, but not in the frame.</p>
+ <p id="results">Main page has not seen event.</p>
+ <iframe id="frameA" src="http://127.0.0.1/device-orientation-child-frame.html"></iframe>
+</body>
+</html>
</ins><span class="cx">Property changes on: trunk/ManualTests/deviceorientation-main-frame-only.html
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnmimetype"></a>
<div class="addfile"><h4>Added: svn:mime-type</h4></div>
<a id="svnkeywords"></a>
<div class="addfile"><h4>Added: svn:keywords</h4></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (191007 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-10-13 21:45:43 UTC (rev 191007)
+++ trunk/Source/WebCore/ChangeLog 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-10-13 Dean Jackson <dino@apple.com>
+
+ Device motion and orientation should only be visible from the main frame's security origin
+ https://bugs.webkit.org/show_bug.cgi?id=150072
+ <rdar://problem/23082036>
+
+ Reviewed by Brent Fulgham.
+
+ There are reports that gyroscope and accelerometer information can
+ be used to detect keyboard entry. One initial step to reduce the
+ risk is to forbid device motion and orientation events from
+ being fired in frames that are a different security origin from the main page.
+
+ Manual test: deviceorientation-main-frame-only.html
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::isSameSecurityOriginAsMainFrame): New helper function.
+ (WebCore::DOMWindow::addEventListener): Check if we are the main frame, or the
+ same security origin as the main frame. If not, don't add the event
+ listeners.
+
</ins><span class="cx"> 2015-10-12 Dean Jackson <dino@apple.com>
</span><span class="cx">
</span><span class="cx"> ASSERT(m_motionManager) on emgn.com page
</span></span></pre></div>
<a id="trunkSourceWebCorepageDOMWindowcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/DOMWindow.cpp (191007 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/DOMWindow.cpp 2015-10-13 21:45:43 UTC (rev 191007)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -1691,6 +1691,22 @@
</span><span class="cx"> window->sessionStorage(IGNORE_EXCEPTION);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool DOMWindow::isSameSecurityOriginAsMainFrame() const
+{
+ if (!m_frame || !m_frame->page() || !document())
+ return false;
+
+ if (m_frame->isMainFrame())
+ return true;
+
+ Document* mainFrameDocument = m_frame->mainFrame().document();
+
+ if (mainFrameDocument && document()->securityOrigin()->canAccess(mainFrameDocument->securityOrigin()))
+ return true;
+
+ return false;
+}
+
</ins><span class="cx"> bool DOMWindow::addEventListener(const AtomicString& eventType, RefPtr<EventListener>&& listener, bool useCapture)
</span><span class="cx"> {
</span><span class="cx"> if (!EventTarget::addEventListener(eventType, WTF::move(listener), useCapture))
</span><span class="lines">@@ -1712,17 +1728,28 @@
</span><span class="cx"> addBeforeUnloadEventListener(this);
</span><span class="cx"> #if ENABLE(DEVICE_ORIENTATION)
</span><span class="cx"> #if PLATFORM(IOS)
</span><del>- else if (eventType == eventNames().devicemotionEvent && document())
- document()->deviceMotionController()->addDeviceEventListener(this);
- else if (eventType == eventNames().deviceorientationEvent && document())
- document()->deviceOrientationController()->addDeviceEventListener(this);
</del><ins>+ else if ((eventType == eventNames().devicemotionEvent || eventType == eventNames().deviceorientationEvent) && document()) {
+ if (isSameSecurityOriginAsMainFrame()) {
+ if (eventType == eventNames().deviceorientationEvent)
+ document()->deviceOrientationController()->addDeviceEventListener(this);
+ else
+ document()->deviceMotionController()->addDeviceEventListener(this);
+ } else if (document())
+ document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device motion or orientation listener from child frame that wasn't the same security origin as the main page."));
+ }
</ins><span class="cx"> #else
</span><span class="cx"> else if (eventType == eventNames().devicemotionEvent && RuntimeEnabledFeatures::sharedFeatures().deviceMotionEnabled()) {
</span><del>- if (DeviceMotionController* controller = DeviceMotionController::from(page()))
- controller->addDeviceEventListener(this);
</del><ins>+ if (isSameSecurityOriginAsMainFrame()) {
+ if (DeviceMotionController* controller = DeviceMotionController::from(page()))
+ controller->addDeviceEventListener(this);
+ } else if (document())
+ document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device motion listener from child frame that wasn't the same security origin as the main page."));
</ins><span class="cx"> } else if (eventType == eventNames().deviceorientationEvent && RuntimeEnabledFeatures::sharedFeatures().deviceOrientationEnabled()) {
</span><del>- if (DeviceOrientationController* controller = DeviceOrientationController::from(page()))
- controller->addDeviceEventListener(this);
</del><ins>+ if (isSameSecurityOriginAsMainFrame()) {
+ if (DeviceOrientationController* controller = DeviceOrientationController::from(page()))
+ controller->addDeviceEventListener(this);
+ } else if (document())
+ document()->addConsoleMessage(MessageSource::JS, MessageLevel::Warning, ASCIILiteral("Blocked attempt add device orientation listener from child frame that wasn't the same security origin as the main page."));
</ins><span class="cx"> }
</span><span class="cx"> #endif // PLATFORM(IOS)
</span><span class="cx"> #endif // ENABLE(DEVICE_ORIENTATION)
</span></span></pre></div>
<a id="trunkSourceWebCorepageDOMWindowh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/DOMWindow.h (191007 => 191008)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/DOMWindow.h 2015-10-13 21:45:43 UTC (rev 191007)
+++ trunk/Source/WebCore/page/DOMWindow.h 2015-10-13 21:46:10 UTC (rev 191008)
</span><span class="lines">@@ -361,6 +361,8 @@
</span><span class="cx"> void reconnectDOMWindowProperties();
</span><span class="cx"> void willDestroyDocumentInFrame();
</span><span class="cx">
</span><ins>+ bool isSameSecurityOriginAsMainFrame() const;
+
</ins><span class="cx"> #if ENABLE(GAMEPAD)
</span><span class="cx"> void incrementGamepadEventListenerCount();
</span><span class="cx"> void decrementGamepadEventListenerCount();
</span></span></pre>
</div>
</div>
</body>
</html>