<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"

"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />

<title>[197339] releases/WebKitGTK/webkit-2.12</title>

</head>

<body>

<style type="text/css"><!--

#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }

#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }

#msg dt:after { content:':';}

#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }

#msg dl a { font-weight: bold}

#msg dl a:link    { color:#fc3; }

#msg dl a:active  { color:#ff0; }

#msg dl a:visited { color:#cc6; }

h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }

#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }

#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }

#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }

#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }

#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }

#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }

#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }

#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }

#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }

#logmsg pre { background: #eee; padding: 1em; }

#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}

#logmsg dl { margin: 0; }

#logmsg dt { font-weight: bold; }

#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }

#logmsg dd:before { content:'\00bb';}

#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }

#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }

#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }

#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }

#logmsg table th.Corner { text-align: left; }

#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }

#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }

#patch { width: 100%; }

#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}

#patch .propset h4, #patch .binary h4 {margin:0;}

#patch pre {padding:0;line-height:1.2em;margin:0;}

#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}

#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}

#patch span {display:block;padding:0 10px;}

#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}

#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}

#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}

#patch .lines, .info {color:#888;background:#fff;}

--></style>

<div id="msg">

<dl class="meta">

<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197339">197339</a></dd>

<dt>Author</dt> <dd>carlosgc@webkit.org</dd>

<dt>Date</dt> <dd>2016-02-29 03:19:35 -0800 (Mon, 29 Feb 2016)</dd>

</dl>

<h3>Log Message</h3>

<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/197263">r197263</a> - Prevent cross-origin access to Location.assign() / Location.reload()

https://bugs.webkit.org/show_bug.cgi?id=154779

Reviewed by Darin Adler.

Source/WebCore:

Prevent cross-origin access to Location.assign() / Location.reload()

to match the latest specification:

- https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)

Firefox and Chrome already prevent this but WebKit allowed it.

No new tests, already covered by existing tests.

* bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::getOwnPropertySlotDelegate):

(WebCore::JSLocation::putDelegate): Deleted.

LayoutTests:

Update existing layout tests now that we prevent cross-origin access to

Location.assign() / Location.reload().

* http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt:

* http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html:

* http/tests/security/cross-frame-access-location-get-expected.txt:

* http/tests/security/cross-frame-access-location-get-override-expected.txt:

* http/tests/security/cross-frame-access-location-get-override.html:

* http/tests/security/cross-frame-access-location-get.html:

* http/tests/security/xss-DENIED-defineProperty-expected.txt:</pre>

<h3>Modified Paths</h3>

<ul>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetoverrideexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetoverridehtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgethtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html</a></li>

<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityxssDENIEDdefinePropertyexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt</a></li>

<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>

<li><a href="#releasesWebKitGTKwebkit212SourceWebCorebindingsjsJSLocationCustomcpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp</a></li>

</ul>

</div>

<div id="patch">

<h3>Diff</h3>

<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -1,3 +1,21 @@

</span><ins>+2016-02-27  Chris Dumez  &lt;cdumez@apple.com&gt;

+

+        Prevent cross-origin access to Location.assign() / Location.reload()

+        https://bugs.webkit.org/show_bug.cgi?id=154779

+

+        Reviewed by Darin Adler.

+

+        Update existing layout tests now that we prevent cross-origin access to

+        Location.assign() / Location.reload().

+

+        * http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt:

+        * http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html:

+        * http/tests/security/cross-frame-access-location-get-expected.txt:

+        * http/tests/security/cross-frame-access-location-get-override-expected.txt:

+        * http/tests/security/cross-frame-access-location-get-override.html:

+        * http/tests/security/cross-frame-access-location-get.html:

+        * http/tests/security/xss-DENIED-defineProperty-expected.txt:

+

</ins><span class="cx"> 2016-02-26  Said Abou-Hallawa  &lt;sabouhallawa@apple.com&gt;

</span><span class="cx"> 

</span><span class="cx">         &lt;g&gt; wrapping &lt;symbol&gt; causes display of hidden &lt;symbol&gt;

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorexpectedtxt"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -194,6 +194,8 @@

<span class="cx"> CONSOLE MESSAGE: line 64: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

<ins>+CONSOLE MESSAGE: line 64: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 64: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

</ins><span class="cx"> CONSOLE MESSAGE: line 224: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

<span class="cx"> This test checks cross-frame access security of getOwnPropertyDescriptor (https://bugs.webkit.org/show_bug.cgi?id=32119).

</span><span class="cx"> 

</span><span class="lines">@@ -408,9 +410,9 @@

<span class="cx"> PASS: canGetDescriptor(targetLocation, 'toString') should be 'false' and is.

<span class="cx"> PASS: canGetDescriptor(targetLocation, 'valueOf') should be 'false' and is.

<span class="cx"> PASS: canGetDescriptor(targetLocation, 'customProperty') should be 'false' and is.

<del>-PASS: canGetDescriptor(targetLocation, 'assign') should be 'true' and is.

</del><ins>+PASS: canGetDescriptor(targetLocation, 'assign') should be 'false' and is.

+PASS: canGetDescriptor(targetLocation, 'reload') should be 'false' and is.

</ins><span class="cx"> PASS: canGetDescriptor(targetLocation, 'replace') should be 'true' and is.

<del>-PASS: canGetDescriptor(targetLocation, 'reload') should be 'true' and is.

</del><span class="cx"> ----- tests access to cross domain history object -----

<span class="cx"> PASS: canGetDescriptor(targetHistory, 'length') should be 'false' and is.

<span class="cx"> PASS: canGetDescriptor(targetHistory, 'pushState') should be 'false' and is.

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccessgetOwnPropertyDescriptorhtml"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -253,10 +253,10 @@

</span><span class="cx">             log(&quot;----- tests access to cross domain location object -----&quot;);

</span><span class="cx">             window.targetLocation = targetWindow.location;

</span><span class="cx">             var locationPropertiesNotAllowed = [

</span><del>-                &quot;protocol&quot;, &quot;host&quot;, &quot;hostname&quot;, &quot;port&quot;, &quot;pathname&quot;, &quot;search&quot;, &quot;hash&quot;, &quot;toString&quot;, &quot;valueOf&quot;, &quot;customProperty&quot;

</del><ins>+                &quot;protocol&quot;, &quot;host&quot;, &quot;hostname&quot;, &quot;port&quot;, &quot;pathname&quot;, &quot;search&quot;, &quot;hash&quot;, &quot;toString&quot;, &quot;valueOf&quot;, &quot;customProperty&quot;, &quot;assign&quot;, &quot;reload&quot;

</ins><span class="cx">             ];

</span><span class="cx">             var locationPropertiesAllowed = [

</span><del>-                &quot;assign&quot;, &quot;replace&quot;, &quot;reload&quot;

</del><ins>+                &quot;replace&quot;

</ins><span class="cx">             ];

</span><span class="cx">             for (var i = 0; i &lt; locationPropertiesNotAllowed.length; i++)

</span><span class="cx">                 shouldBeFalse(&quot;canGetDescriptor(targetLocation, '&quot; + locationPropertiesNotAllowed[i] + &quot;')&quot;);

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetexpectedtxt"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -10,6 +10,8 @@

<span class="cx"> CONSOLE MESSAGE: line 55: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

<ins>+CONSOLE MESSAGE: line 55: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 55: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

</ins><span class="cx"> 

</span><span class="cx"> 

</span><span class="cx"> ----- tests for getting window.location's properties -----

</span><span class="lines">@@ -26,8 +28,8 @@

<span class="cx"> PASS: canGet('targetWindow.location.port') should be 'false' and is.

<span class="cx"> PASS: canGet('targetWindow.location.protocol') should be 'false' and is.

<span class="cx"> PASS: canGet('targetWindow.location.search') should be 'false' and is.

<del>-PASS: canGet('targetWindow.location.assign') should be 'true' and is.

-PASS: canGet('targetWindow.location.reload') should be 'true' and is.

</del><ins>+PASS: canGet('targetWindow.location.assign') should be 'false' and is.

+PASS: canGet('targetWindow.location.reload') should be 'false' and is.

</ins><span class="cx"> PASS: canGet('targetWindow.location.replace') should be 'true' and is.

<span class="cx"> PASS: canGet('targetWindow.location.existingCustomProperty') should be 'false' and is.

</span><span class="cx"> 

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetoverrideexpectedtxt"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -1,10 +1,10 @@

<ins>+CONSOLE MESSAGE: line 55: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 55: Blocked a frame with origin &quot;http://127.0.0.1:8000&quot; from accessing a frame with origin &quot;http://localhost:8000&quot;. Protocols, domains, and ports must match.

</ins><span class="cx"> 

</span><span class="cx"> ----- tests for getting a targetWindow's location object's functions which have custom overrides.  The desired behavior is for the targetWindow to return the builtin function, not the override -----

</span><span class="cx"> 

<del>-PASS: canGet('targetWindow.location.assign') should be 'true' and is.

-PASS: toString('targetWindow.location.assign') should be 'function assign() {    [native code]}' and is.

-PASS: canGet('targetWindow.location.reload') should be 'true' and is.

-PASS: toString('targetWindow.location.reload') should be 'function reload() {    [native code]}' and is.

</del><ins>+PASS: canGet('targetWindow.location.assign') should be 'false' and is.

+PASS: canGet('targetWindow.location.reload') should be 'false' and is.

</ins><span class="cx"> PASS: canGet('targetWindow.location.replace') should be 'true' and is.

<span class="cx"> PASS: toString('targetWindow.location.replace') should be 'function replace() {    [native code]}' and is.

</span><span class="cx"> 

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgetoverridehtml"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get-override.html        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -40,12 +40,10 @@

<span class="cx">             // We should test overriding using window.location.__proto__ once the Location object has a proper prototype.

</span><span class="cx"> 

</span><span class="cx">             // Overriden using window.location.assign = function() { return &quot;new assign&quot; }

</span><del>-            shouldBeTrue(&quot;canGet('targetWindow.location.assign')&quot;);

-            shouldBe(&quot;toString('targetWindow.location.assign')&quot;, &quot;toString('window.location.assign')&quot;);

</del><ins>+            shouldBeFalse(&quot;canGet('targetWindow.location.assign')&quot;);

</ins><span class="cx"> 

</span><span class="cx">             // Overriden using window.location.reload = &quot;new reload&quot;

</span><del>-            shouldBeTrue(&quot;canGet('targetWindow.location.reload')&quot;);

-            shouldBe(&quot;toString('targetWindow.location.reload')&quot;, &quot;toString('window.location.reload')&quot;);

</del><ins>+            shouldBeFalse(&quot;canGet('targetWindow.location.reload')&quot;);

</ins><span class="cx"> 

</span><span class="cx">             // Overriden using window.location.reload = &quot;new replace&quot;

</span><span class="cx">             shouldBeTrue(&quot;canGet('targetWindow.location.replace')&quot;);

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycrossframeaccesslocationgethtml"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/cross-frame-access-location-get.html        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -50,9 +50,9 @@

</span><span class="cx">             shouldBeFalse(&quot;canGet('targetWindow.location.port')&quot;);

</span><span class="cx">             shouldBeFalse(&quot;canGet('targetWindow.location.protocol')&quot;);

</span><span class="cx">             shouldBeFalse(&quot;canGet('targetWindow.location.search')&quot;);

</span><ins>+            shouldBeFalse(&quot;canGet('targetWindow.location.assign')&quot;);

+            shouldBeFalse(&quot;canGet('targetWindow.location.reload')&quot;);

</ins><span class="cx"> 

</span><del>-            shouldBeTrue(&quot;canGet('targetWindow.location.assign')&quot;);

-            shouldBeTrue(&quot;canGet('targetWindow.location.reload')&quot;);

</del><span class="cx">             shouldBeTrue(&quot;canGet('targetWindow.location.replace')&quot;);

</span><span class="cx"> 

</span><span class="cx">             shouldBeFalse(&quot;canGet('targetWindow.location.existingCustomProperty')&quot;);

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityxssDENIEDdefinePropertyexpectedtxt"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -52,6 +52,12 @@

<span class="cx"> CONSOLE MESSAGE: line 36: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

<ins>+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

+CONSOLE MESSAGE: line 38: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

</ins><span class="cx"> CONSOLE MESSAGE: line 40: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

<span class="cx"> CONSOLE MESSAGE: line 40: Blocked a frame with origin &quot;http://localhost:8000&quot; from accessing a frame with origin &quot;http://127.0.0.1:8000&quot;. Protocols, domains, and ports must match.

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -1,3 +1,22 @@

</span><ins>+2016-02-27  Chris Dumez  &lt;cdumez@apple.com&gt;

+

+        Prevent cross-origin access to Location.assign() / Location.reload()

+        https://bugs.webkit.org/show_bug.cgi?id=154779

+

+        Reviewed by Darin Adler.

+

+        Prevent cross-origin access to Location.assign() / Location.reload()

+        to match the latest specification:

+        - https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)

+

+        Firefox and Chrome already prevent this but WebKit allowed it.

+

+        No new tests, already covered by existing tests.

+

+        * bindings/js/JSLocationCustom.cpp:

+        (WebCore::JSLocation::getOwnPropertySlotDelegate):

+        (WebCore::JSLocation::putDelegate): Deleted.

+

</ins><span class="cx"> 2016-02-26  Carlos Garcia Campos  &lt;cgarcia@igalia.com&gt;

</span><span class="cx"> 

</span><span class="cx">         Network cache: old pages returned by disk cache on history navigation after session is restored

</span></span></pre></div>

<a id="releasesWebKitGTKwebkit212SourceWebCorebindingsjsJSLocationCustomcpp"></a>

<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp (197338 => 197339)</h4>

<pre class="diff"><span>

<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp        2016-02-29 11:17:55 UTC (rev 197338)

+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/bindings/js/JSLocationCustom.cpp        2016-02-29 11:19:35 UTC (rev 197339)

</span><span class="lines">@@ -47,25 +47,13 @@

</span><span class="cx">     if (shouldAllowAccessToFrame(exec, frame, message))

</span><span class="cx">         return false;

</span><span class="cx"> 

<del>-    // Check for the few functions that we allow, even when called cross-domain.

-    // Make these read-only / non-configurable to prevent writes via defineProperty.

</del><ins>+    // We only allow access to Location.replace() cross origin.

+    // Make it read-only / non-configurable to prevent writes via defineProperty.

</ins><span class="cx">     if (propertyName == exec-&gt;propertyNames().replace) {

</span><span class="cx">         slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter&lt;jsLocationInstanceFunctionReplace, 1&gt;);

</span><span class="cx">         return true;

</span><span class="cx">     }

</span><del>-    if (propertyName == exec-&gt;propertyNames().reload) {

-        slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter&lt;jsLocationInstanceFunctionReload, 0&gt;);

-        return true;

-    }

-    if (propertyName == exec-&gt;propertyNames().assign) {

-        slot.setCustom(this, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter&lt;jsLocationInstanceFunctionAssign, 1&gt;);

-        return true;

-    }

</del><span class="cx"> 

</span><del>-    // FIXME: Other implementers of the Window cross-domain scheme (Window, History) allow toString,

-    // but for now we have decided not to, partly because it seems silly to return &quot;[Object Location]&quot; in

-    // such cases when normally the string form of Location would be the URL.

-

</del><span class="cx">     printErrorMessageForFrame(frame, message);

</span><span class="cx">     slot.setUndefined();

</span><span class="cx">     return true;

</span></span></pre>

</div>

</div>

</body>

</html>