<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196227] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196227">196227</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-02-06 16:18:40 -0800 (Sat, 06 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Prevent cross-origin access to window.history
https://bugs.webkit.org/show_bug.cgi?id=153931
Reviewed by Darin Adler.
Source/WebCore:
Prevent cross-origin access to window.history to match the specification [1]
and the behavior of other browsers (tested Firefox and Chrome).
[1] https://html.spec.whatwg.org/multipage/browsers.html#security-window
No new tests, already covered by existing tests that
were updated in this patch.
* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::pushState):
(WebCore::JSHistory::replaceState):
(WebCore::JSHistory::state): Deleted.
* page/DOMWindow.idl:
* page/History.idl:
LayoutTests:
Update / rebaseline several layout tests now that cross-origin access to
window.history is prevented.
* fast/frames/sandboxed-iframe-history-denied-expected.txt:
* http/tests/history/cross-origin-replace-history-object-child-expected.txt:
* http/tests/security/cross-frame-access-call-expected.txt:
* http/tests/security/cross-frame-access-call.html:
* http/tests/security/cross-frame-access-delete-expected.txt:
* http/tests/security/cross-frame-access-delete.html:
* http/tests/security/cross-frame-access-history-prototype-expected.txt:
* http/tests/security/cross-frame-access-history-put.html: Removed.
* http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf.html:
* http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-setPrototypeOf.html:
* http/tests/security/resources/cross-frame-iframe-for-history-put-test.html: Removed.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfastframessandboxediframehistorydeniedexpectedtxt">trunk/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestshistorycrossoriginreplacehistoryobjectchildexpectedtxt">trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesscallexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesscallhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-call.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessdeleteexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessdeletehtml">trunk/LayoutTests/http/tests/security/cross-frame-access-delete.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesshistoryprototypeexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-history-prototype-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSHistoryCustomcpp">trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorepageDOMWindowidl">trunk/Source/WebCore/page/DOMWindow.idl</a></li>
<li><a href="#trunkSourceWebCorepageHistoryidl">trunk/Source/WebCore/page/History.idl</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesshistoryputhtml">trunk/LayoutTests/http/tests/security/cross-frame-access-history-put.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityresourcescrossframeiframeforhistoryputtesthtml">trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-history-put-test.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/ChangeLog        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2016-02-06 Chris Dumez <cdumez@apple.com>
+
+ Prevent cross-origin access to window.history
+ https://bugs.webkit.org/show_bug.cgi?id=153931
+
+ Reviewed by Darin Adler.
+
+ Update / rebaseline several layout tests now that cross-origin access to
+ window.history is prevented.
+
+ * fast/frames/sandboxed-iframe-history-denied-expected.txt:
+ * http/tests/history/cross-origin-replace-history-object-child-expected.txt:
+ * http/tests/security/cross-frame-access-call-expected.txt:
+ * http/tests/security/cross-frame-access-call.html:
+ * http/tests/security/cross-frame-access-delete-expected.txt:
+ * http/tests/security/cross-frame-access-delete.html:
+ * http/tests/security/cross-frame-access-history-prototype-expected.txt:
+ * http/tests/security/cross-frame-access-history-put.html: Removed.
+ * http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
+ * http/tests/security/cross-frame-access-object-getPrototypeOf.html:
+ * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+ * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+ * http/tests/security/resources/cross-frame-iframe-for-history-put-test.html: Removed.
+
</ins><span class="cx"> 2016-02-06 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Outline should contribute to visual overflow.
</span></span></pre></div>
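Review bot: The file list in this ChangeLog entry omits http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt and http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html, both of which are listed under Modified Paths for this revision and carry hunks below. Add the two entries so the ChangeLog matches the change set.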
<a id="trunkLayoutTestsfastframessandboxediframehistorydeniedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><del>-CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to initiate navigation for frame with URL 'script>'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.
-
</del><ins>+CONSOLE MESSAGE: line 1: Sandbox access violation: Blocked a frame at "null" from accessing a frame at "". The frame requesting access is sandboxed and lacks the "allow-same-origin" flag.
+CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating 'top.history.back')
</ins><span class="cx"> ALERT: PASS
</span><span class="cx"> This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.
</span><span class="cx">
</span></span></pre></div>
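Review bot: The rebaselined output now records a TypeError while evaluating 'top.history.back' ahead of ALERT: PASS, so from this file alone the PASS can no longer be tied to a refused history navigation; it may simply follow from top.history being undefined. The description line still says the test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API. Consider having the test assert explicitly that top.history is undefined, so that a PASS cannot come from an unrelated exception.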
<a id="trunkLayoutTestshttptestshistorycrossoriginreplacehistoryobjectchildexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 30: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 24: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-ALERT: Child window's history object before attempt to clear: [object History]
</del><ins>+ALERT: Child window's history object before attempt to clear: undefined
</ins><span class="cx"> ALERT: About to shadow child window's history object: [object History]
</span><span class="cx"> ALERT: Shadowed child window's history object:
</span><span class="cx"> CONSOLE MESSAGE: line 18: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-ALERT: Child window's history object after attempt to clear: [object History]
</del><ins>+ALERT: Child window's history object after attempt to clear: undefined
</ins><span class="cx">
</span></span></pre></div>
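Review bot: Both the "before attempt to clear" and "after attempt to clear" alerts now print undefined, so the expected output no longer distinguishes a blocked clear from one that went through. Since the parent cannot read the child's history object any more, have the check report from the child's side (which still prints [object History] in the "About to shadow" alert), or reword the two alerts so it is clear they now only confirm that the object is unreachable cross-origin.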
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesscallexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -26,8 +26,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><ins>+CONSOLE MESSAGE: line 10: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> ----- tests for calling methods of another frame using Function.call -----
</span><span class="lines">@@ -61,6 +60,5 @@
</span><span class="cx"> PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
</span><span class="cx"> PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
</span><span class="cx"> PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
</span><del>-PASS: history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
-PASS: history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
</del><ins>+PASS: targetWindow.history should be 'undefined' and is.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesscallhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-call.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -64,8 +64,7 @@
</span><span class="cx"> shouldBe("window.location.toString.call(targetWindow.location)", "undefined");
</span><span class="cx">
</span><span class="cx"> // - Tests for the History object -
</span><del>- shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"),
- shouldBe("history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"),
</del><ins>+ shouldBeUndefined("targetWindow.history");
</ins><span class="cx">
</span><span class="cx"> // Work around DRT bug that causes subsequent tests to fail.
</span><span class="cx"> window.stop();
</span></span></pre></div>
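Review bot: The History section now only asserts shouldBeUndefined("targetWindow.history"), and the identical assertion is added to cross-frame-access-object-getPrototypeOf.html, so two tests check the same thing while nothing in this file exercises history.pushState.call or history.replaceState.call with a foreign receiver any more. If a cross-origin History object can no longer be obtained by any path, state that in the "Tests for the History object" comment; otherwise keep a call-based check that uses a receiver obtained another way.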
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessdeleteexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -2,13 +2,9 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><span class="cx">
</span><span class="cx"> PASS: eval('delete targetWindow.existingProperty') should be 'false' and is.
</span><span class="cx"> PASS: eval('delete targetWindow[1]') should be 'false' and is.
</span><del>-PASS: eval('delete targetWindow.history.existingProperty') should be 'false' and is.
-PASS: eval('delete targetWindow.history[1]') should be 'false' and is.
</del><span class="cx"> PASS: eval('delete targetWindow.location.existingProperty') should be 'false' and is.
</span><span class="cx"> PASS: eval('delete targetWindow.location[1]') should be 'false' and is.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessdeletehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-delete.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-delete.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-delete.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -21,8 +21,6 @@
</span><span class="cx">
</span><span class="cx"> shouldBe("eval('delete targetWindow.existingProperty')", "false");
</span><span class="cx"> shouldBe("eval('delete targetWindow[1]')", "false");
</span><del>- shouldBe("eval('delete targetWindow.history.existingProperty')", "false");
- shouldBe("eval('delete targetWindow.history[1]')", "false");
</del><span class="cx"> shouldBe("eval('delete targetWindow.location.existingProperty')", "false");
</span><span class="cx"> shouldBe("eval('delete targetWindow.location[1]')", "false");
</span><span class="cx">
</span></span></pre></div>
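Review bot: The two delete checks on targetWindow.history are removed with no replacement, so this test no longer covers history at all. Add a check that deleting the property itself is refused, for example an eval('delete targetWindow.history') assertion next to the existing targetWindow.existingProperty one, or at least the shouldBeUndefined("targetWindow.history") assertion the other tests in this patch use.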
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -194,9 +194,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><span class="cx"> CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 64: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><ins>+CONSOLE MESSAGE: line 224: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> This test checks cross-frame access security of getOwnPropertyDescriptor (https://bugs.webkit.org/show_bug.cgi?id=32119).
</span><span class="cx">
</span><span class="cx">
</span><span class="lines">@@ -398,6 +396,7 @@
</span><span class="cx"> PASS: canGetDescriptor(targetWindow, 'status') should be 'false' and is.
</span><span class="cx"> PASS: canGetDescriptor(targetWindow, 'statusbar') should be 'false' and is.
</span><span class="cx"> PASS: canGetDescriptor(targetWindow, 'toolbar') should be 'false' and is.
</span><ins>+PASS: canGetDescriptor(targetWindow, 'history') should be 'false' and is.
</ins><span class="cx"> ----- tests access to cross domain location object -----
</span><span class="cx"> PASS: canGetDescriptor(targetLocation, 'protocol') should be 'false' and is.
</span><span class="cx"> PASS: canGetDescriptor(targetLocation, 'host') should be 'false' and is.
</span><span class="lines">@@ -417,7 +416,7 @@
</span><span class="cx"> PASS: canGetDescriptor(targetHistory, 'pushState') should be 'false' and is.
</span><span class="cx"> PASS: canGetDescriptor(targetHistory, 'replaceState') should be 'false' and is.
</span><span class="cx"> PASS: canGetDescriptor(targetHistory, 'customProperty') should be 'false' and is.
</span><del>-PASS: canGetDescriptor(targetHistory, 'back') should be 'true' and is.
-PASS: canGetDescriptor(targetHistory, 'forward') should be 'true' and is.
-PASS: canGetDescriptor(targetHistory, 'go') should be 'true' and is.
</del><ins>+PASS: canGetDescriptor(targetHistory, 'back') should be 'false' and is.
+PASS: canGetDescriptor(targetHistory, 'forward') should be 'false' and is.
+PASS: canGetDescriptor(targetHistory, 'go') should be 'false' and is.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -194,6 +194,7 @@
</span><span class="cx"> "status",
</span><span class="cx"> "statusbar",
</span><span class="cx"> "toolbar",
</span><ins>+ "history",
</ins><span class="cx"> ];
</span><span class="cx">
</span><span class="cx"> window.onload = function()
</span><span class="lines">@@ -265,15 +266,10 @@
</span><span class="cx"> log("----- tests access to cross domain history object -----");
</span><span class="cx"> window.targetHistory = targetWindow.history;
</span><span class="cx"> var historyPropertiesNotAllowed = [
</span><del>- "length", "pushState", "replaceState", "customProperty"
</del><ins>+ "length", "pushState", "replaceState", "customProperty", "back", "forward", "go"
</ins><span class="cx"> ];
</span><del>- var historyPropertiesAllowed = [
- "back", "forward", "go"
- ];
</del><span class="cx"> for (var i = 0; i < historyPropertiesNotAllowed.length; i++)
</span><span class="cx"> shouldBeFalse("canGetDescriptor(targetHistory, '" + historyPropertiesNotAllowed[i] + "')");
</span><del>- for (var i = 0; i < historyPropertiesAllowed.length; i++)
- shouldBeTrue("canGetDescriptor(targetHistory, '" + historyPropertiesAllowed[i] + "')");
</del><span class="cx"> }
</span><span class="cx"> </script>
</span><span class="cx"> </head>
</span></span></pre></div>
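Review bot: window.targetHistory = targetWindow.history now assigns undefined (the other tests updated in this patch assert exactly that), so the loop over historyPropertiesNotAllowed calls canGetDescriptor on undefined and its 'false' results no longer show that any History property is protected. Moving "back", "forward" and "go" into that list therefore hides the behaviour change instead of testing it. Replace the loop with shouldBeUndefined("targetHistory") and rely on the "history" entry added to the window property list in the first hunk as the real check.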
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesshistoryprototypeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-history-prototype-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-history-prototype-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-history-prototype-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,2 +1,3 @@
</span><ins>+CONSOLE MESSAGE: line 2: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> PASS: History object prototype not tainted.
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesshistoryputhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/cross-frame-access-history-put.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-history-put.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-history-put.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,56 +0,0 @@
</span><del>-<html>
-<head>
- <script src="resources/cross-frame-access.js"></script>
- <script>
- if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.dumpChildFramesAsText();
- testRunner.waitUntilDone();
- }
-
- onload = function()
- {
- // Add manual run buttons if the browser does not support window.postMessage
- if (!window.postMessage) {
- log("YOUR BROWSER DOES NOT SUPPORT window.postMessage");
- log("To run this test manually, first click the button titled 'Step 1 - Set Test' in this frame.");
- log("Then click the button in the sub frame titled 'Step 2 - Set Check' to finish the test.\n");
-
- var button = document.createElement("button");
- button.appendChild(document.createTextNode("Step 1 - Set Test"));
- button.onclick = setTest;
- document.body.appendChild(button);
- }
- }
-
- receiver = function(e)
- {
- if (e.data == "storedOldValuesComplete")
- setTest();
- }
- addEventListener('message', receiver, false);
-
- setTest = function()
- {
- window.targetWindow = frames[0];
-
- try { targetWindow.history.back = "FAIL!! CUSTOM back"; } catch(e) { log(e); }
- try { targetWindow.history.forward = "FAIL!! CUSTOM forward"; } catch(e) { log(e); }
- try { targetWindow.history.go = "FAIL!! CUSTOM go"; } catch(e) { log(e); }
- try { targetWindow.history.toString = "FAIL!! CUSTOM toString"; } catch(e) { log(e); }
- try { targetWindow.history.length = "FAIL!! CUSTOM length"; } catch(e) { log(e); }
-
- try { targetWindow.history.customAttribute = "FAIL!! CUSTOM customAttribute"; } catch(e) { log(e); }
-
- if (window.postMessage)
- targetWindow.postMessage("settingValuesComplete", "*");
- else
- log("\nSet Test complete! Click button entitled 'Step 2 - Set Check' to finish the test.");
- }
- </script>
-</head>
-<body>
- <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-history-put-test.html"></iframe>
- <pre id="console"></pre>
-</body>
-</html>
</del></span></pre></div>
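Review bot: Deleting this test drops the cross-origin put coverage for history, and nothing added elsewhere in the patch checks an assignment to targetWindow.history itself. The removed assignments to targetWindow.history.back and the other members can indeed no longer run as written, but a reduced version that attempts to overwrite targetWindow.history inside try/catch and then has the child frame confirm its own history object is unchanged would keep the write path covered.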
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><ins>+CONSOLE MESSAGE: line 10: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> This tests that you can't get the prototype of the window or history objects cross-origin using Object.getPrototypeOf().
</span><span class="cx">
</span><span class="cx"> PASS: Object.getPrototypeOf(targetWindow) should be 'undefined' and is.
</span><del>-PASS: Object.getPrototypeOf(targetWindow.history) should be 'undefined' and is.
</del><ins>+PASS: targetWindow.history should be 'undefined' and is.
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectgetPrototypeOfhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -19,7 +19,7 @@
</span><span class="cx"> targetWindow = document.getElementById("target").contentWindow;
</span><span class="cx">
</span><span class="cx"> shouldBeUndefined("Object.getPrototypeOf(targetWindow)");
</span><del>- shouldBeUndefined("Object.getPrototypeOf(targetWindow.history)");
</del><ins>+ shouldBeUndefined("targetWindow.history");
</ins><span class="cx">
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.notifyDone();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,15 +1,9 @@
</span><span class="cx"> CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 23: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><ins>+CONSOLE MESSAGE: line 22: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</ins><span class="cx"> CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</span><del>-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 24: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 25: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
</del><span class="cx"> This tests that you can't set the prototype of the window or history objects cross-origin using Object.setPrototypeOf().
</span><span class="cx">
</span><span class="cx"> PASS: targetWindow instanceof Array should be 'false' and is.
</span><del>-PASS: targetWindow.history instanceof Array should be 'false' and is.
</del><span class="cx"> PASS: Object.setPrototypeOf(targetWindow, Array.prototype) should be '[object Window]' and is.
</span><del>-PASS: Object.setPrototypeOf(targetWindow.history, Array.prototype) should be '[object History]' and is.
</del><span class="cx"> PASS: targetWindow instanceof Array should be 'false' and is.
</span><del>-PASS: targetWindow.history instanceof Array should be 'false' and is.
</del><span class="cx">
</span></span></pre></div>
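Review bot: All three history PASS lines are removed here, yet the description on the context line still claims the test covers setting the prototype of the "window or history objects". Either trim "or history" from the description or keep one assertion such as shouldBeUndefined("targetWindow.history"), as the getPrototypeOf test does, so this test still pins the new behavior.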
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessobjectsetPrototypeOfhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -18,13 +18,10 @@
</span><span class="cx"> targetWindow = document.getElementById("target").contentWindow;
</span><span class="cx">
</span><span class="cx"> shouldBeFalse("targetWindow instanceof Array");
</span><del>- shouldBeFalse("targetWindow.history instanceof Array");
</del><span class="cx">
</span><span class="cx"> shouldBe("Object.setPrototypeOf(targetWindow, Array.prototype)", "targetWindow");
</span><del>- shouldBe("Object.setPrototypeOf(targetWindow.history, Array.prototype)", "targetWindow.history");
</del><span class="cx">
</span><span class="cx"> shouldBeFalse("targetWindow instanceof Array");
</span><del>- shouldBeFalse("targetWindow.history instanceof Array");
</del><span class="cx">
</span><span class="cx"> if (window.testRunner)
</span><span class="cx"> testRunner.notifyDone();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityresourcescrossframeiframeforhistoryputtesthtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-history-put-test.html (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-history-put-test.html        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-history-put-test.html        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,61 +0,0 @@
</span><del>-<html>
-<head>
- <script src="cross-frame-access.js"></script>
- <script>
- var backOld;
- var forwardOld;
- var goOld;
- var toStringOld;
- var lengthOld;
- var customAttributeOld;
-
- receiver = function(e)
- {
- if (e.data == "settingValuesComplete")
- setCheck();
- }
- addEventListener('message', receiver, false);
-
- window.onload = function()
- {
- // Add manuel run buttons if the browser does not support window.postMessage
- if (!window.postMessage) {
- var button = document.createElement("button");
- button.appendChild(document.createTextNode("Step 2 - Set Check"));
- button.onclick = setCheck;
- document.body.appendChild(button);
- }
-
- window.history.customAttribute = "customAttribute";
-
- backOld = window.history.back;
- forwardOld = window.history.forward;
- goOld = window.history.go;
- toStringOld = window.history.toString;
- lengthOld = window.history.length;
- customAttributeOld = window.history.customAttribute;
-
- if (window.postMessage)
- window.parent.postMessage("storedOldValuesComplete", "*");
- }
-
- setCheck = function()
- {
- log("\n----- tests for putting window.history's properties -----\n");
-
- shouldBe("window.history.back", "backOld");
- shouldBe("window.history.forward", "forwardOld");
- shouldBe("window.history.go", "goOld");
- shouldBe("window.history.toString", "toStringOld");
- shouldBe("window.history.length", "lengthOld", true);
- shouldBe("window.history.customAttribute", "customAttributeOld");
-
- if (window.testRunner)
- testRunner.notifyDone();
- }
- </script>
-</head>
-<body>
- <pre id="console"></pre>
-</body>
-</html>
</del></span></pre></div>
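Review bot: Deleting this resource drops the checks in setCheck() that history.back, forward, go, toString, length and customAttribute are unchanged after a cross-origin write, and the updated tests visible in this part of the patch do not replace them. Since targetWindow.history now reads as undefined, a short assertion that a write through targetWindow.history fails and leaves the frame's own window.history untouched would keep the put path covered.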
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/Source/WebCore/ChangeLog        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-02-06 Chris Dumez <cdumez@apple.com>
+
+ Prevent cross-origin access to window.history
+ https://bugs.webkit.org/show_bug.cgi?id=153931
+
+ Reviewed by Darin Adler.
+
+ Prevent cross-origin access to window.history to match the specification [1]
+ and the behavior of other browsers (tested Firefox and Chrome).
+
+ [1] https://html.spec.whatwg.org/multipage/browsers.html#security-window
+
+ No new tests, already covered by existing tests that
+ were updated in this patch.
+
+ * bindings/js/JSHistoryCustom.cpp:
+ (WebCore::JSHistory::pushState):
+ (WebCore::JSHistory::replaceState):
+ (WebCore::JSHistory::state): Deleted.
+ * page/DOMWindow.idl:
+ * page/History.idl:
+
</ins><span class="cx"> 2016-02-06 Beth Dakin <bdakin@apple.com>
</span><span class="cx">
</span><span class="cx"> ScrollbarPainters needs to be deallocated on the main thread
</span></span></pre></div>
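Review bot: The function list says (WebCore::JSHistory::state): Deleted, but the JSHistoryCustom.cpp diff keeps JSHistory::state as context and History.idl still declares the Custom state attribute. The functions actually removed are getOwnPropertySlotDelegate, putDelegate, deleteProperty, deletePropertyByIndex and getOwnPropertyNames; list those as deleted and drop the state entry.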
<a id="trunkSourceWebCorebindingsjsJSHistoryCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -39,73 +39,6 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-bool JSHistory::getOwnPropertySlotDelegate(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
-{
- // When accessing History cross-domain, functions are always the native built-in ones.
- // See JSDOMWindow::getOwnPropertySlotDelegate for additional details.
-
- // Our custom code is only needed to implement the Window cross-domain scheme, so if access is
- // allowed, return false so the normal lookup will take place.
- String message;
- if (shouldAllowAccessToFrame(exec, wrapped().frame(), message))
- return false;
-
- // Check for the few functions that we allow, even when called cross-domain.
- // Make these read-only / non-configurable to prevent writes via defineProperty.
- if (propertyName == exec->propertyNames().back) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsHistoryPrototypeFunctionBack, 0>);
- return true;
- }
- if (propertyName == exec->propertyNames().forward) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsHistoryPrototypeFunctionForward, 0>);
- return true;
- }
- if (propertyName == exec->propertyNames().go) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsHistoryPrototypeFunctionGo, 1>);
- return true;
- }
- // Allow access to toString() cross-domain, but always Object.toString.
- if (propertyName == exec->propertyNames().toString) {
- slot.setCustom(this, ReadOnly | DontDelete | DontEnum, objectToStringFunctionGetter);
- return true;
- }
-
- printErrorMessageForFrame(wrapped().frame(), message);
- slot.setUndefined();
- return true;
-}
-
-bool JSHistory::putDelegate(ExecState* exec, PropertyName, JSValue, PutPropertySlot&)
-{
- if (!shouldAllowAccessToFrame(exec, wrapped().frame()))
- return true;
- return false;
-}
-
-bool JSHistory::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
-{
- JSHistory* thisObject = jsCast<JSHistory*>(cell);
- if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
- return false;
- return Base::deleteProperty(thisObject, exec, propertyName);
-}
-
-bool JSHistory::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
-{
- JSHistory* thisObject = jsCast<JSHistory*>(cell);
- if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
- return false;
- return Base::deletePropertyByIndex(thisObject, exec, propertyName);
-}
-
-void JSHistory::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
-{
- JSHistory* thisObject = jsCast<JSHistory*>(object);
- if (!shouldAllowAccessToFrame(exec, thisObject->wrapped().frame()))
- return;
- Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
-}
-
</del><span class="cx"> JSValue JSHistory::state(ExecState& state) const
</span><span class="cx"> {
</span><span class="cx"> History& history = wrapped();
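Review bot: The removed getOwnPropertySlotDelegate deliberately let back, forward, go and toString be read cross-origin, so dropping it is a web-visible behavior change, not only a cleanup. With targetWindow.history now undefined for a cross-origin caller, a call such as targetWindow.history.back() fails at the property access; say so in the ChangeLog so the compatibility impact is on record.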
</span><span class="lines">@@ -122,9 +55,6 @@
</span><span class="cx">
</span><span class="cx"> JSValue JSHistory::pushState(ExecState& state)
</span><span class="cx"> {
</span><del>- if (!shouldAllowAccessToFrame(&state, wrapped().frame()))
- return jsUndefined();
-
</del><span class="cx"> RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(&state, state.argument(0), 0, 0);
</span><span class="cx"> if (state.hadException())
</span><span class="cx"> return jsUndefined();
</span><span class="lines">@@ -151,9 +81,6 @@
</span><span class="cx">
</span><span class="cx"> JSValue JSHistory::replaceState(ExecState& state)
</span><span class="cx"> {
</span><del>- if (!shouldAllowAccessToFrame(&state, wrapped().frame()))
- return jsUndefined();
-
</del><span class="cx"> RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(&state, state.argument(0), 0, 0);
</span><span class="cx"> if (state.hadException())
</span><span class="cx"> return jsUndefined();
</span></span></pre></div>
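Review bot: The shouldAllowAccessToFrame guard removed from replaceState here, and from pushState in the previous hunk, was evaluated on every call against wrapped().frame(), independent of how the caller obtained the History wrapper. After this change the only check is on the window.history getter, so please confirm, with a test or a sentence in the ChangeLog, that no path hands a History wrapper to a caller that is no longer same-origin with its frame.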
<a id="trunkSourceWebCorepageDOMWindowidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/DOMWindow.idl (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/DOMWindow.idl        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/Source/WebCore/page/DOMWindow.idl        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx"> ] interface DOMWindow {
</span><span class="cx"> // DOM Level 0
</span><span class="cx"> [Replaceable] readonly attribute Screen screen;
</span><del>- [Replaceable, DoNotCheckSecurityOnGetter] readonly attribute History history;
</del><ins>+ [Replaceable] readonly attribute History history;
</ins><span class="cx"> [Replaceable] readonly attribute BarProp locationbar;
</span><span class="cx"> [Replaceable] readonly attribute BarProp menubar;
</span><span class="cx"> [Replaceable] readonly attribute BarProp personalbar;
</span></span></pre></div>
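Review bot: Only DoNotCheckSecurityOnGetter is dropped while [Replaceable] stays, and the updated tests exercise only the read of targetWindow.history. Add an assertion that a cross-origin assignment to targetWindow.history is rejected as well, so both directions of this attribute are covered.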
<a id="trunkSourceWebCorepageHistoryidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/History.idl (196226 => 196227)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/History.idl        2016-02-06 23:41:28 UTC (rev 196226)
+++ trunk/Source/WebCore/page/History.idl        2016-02-07 00:18:40 UTC (rev 196227)
</span><span class="lines">@@ -24,18 +24,14 @@
</span><span class="cx"> */
</span><span class="cx">
</span><span class="cx"> [
</span><del>- JSCustomGetOwnPropertySlotAndDescriptor,
- CustomNamedSetter,
</del><span class="cx"> GenerateIsReachable=ImplFrame,
</span><del>- CustomDeleteProperty,
- CustomEnumerateProperty,
</del><span class="cx"> ] interface History {
</span><span class="cx"> readonly attribute unsigned long length;
</span><span class="cx"> [CachedAttribute, Custom] readonly attribute SerializedScriptValue state;
</span><span class="cx">
</span><del>- [DoNotCheckSecurity, CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void back();
- [DoNotCheckSecurity, CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void forward();
- [DoNotCheckSecurity, CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void go([Default=Undefined] optional long distance);
</del><ins>+ [CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void back();
+ [CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void forward();
+ [CallWith=ScriptExecutionContext, ForwardDeclareInHeader] void go([Default=Undefined] optional long distance);
</ins><span class="cx">
</span><span class="cx"> [Custom, RaisesException] void pushState(any data, DOMString title, optional DOMString url);
</span><span class="cx"> [Custom, RaisesException] void replaceState(any data, DOMString title, optional DOMString url);
</span></span></pre>
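Review bot: Removing DoNotCheckSecurity from back(), forward() and go() reads as if these methods are now access-checked, but the interface's attribute list after this hunk contains only GenerateIsReachable=ImplFrame. If the generator emits no per-method check for History, note in the ChangeLog that protection rests entirely on the window.history getter in DOMWindow.idl, so later edits to that attribute are reviewed with this in mind.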
</div>
</div>
</body>
</html>