<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[204923] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/204923">204923</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-08-24 12:52:07 -0700 (Wed, 24 Aug 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>It should not be possible to access Location attributes cross origin
https://bugs.webkit.org/show_bug.cgi?id=161125
<rdar://problem/27982472>
Reviewed by Brent Fulgham.
Source/WebCore:
It should not be possible to access Location attributes cross origin:
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
We allow access to replace() as per the specification and consistently
with Firefox. The specification seems to indicate we should allow access
to 'href' but Firefox does not and we previously did not so I am not
allowing it in this patch.
Test: http/tests/security/location-cross-origin.html
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* page/Location.idl:
LayoutTests:
Add layout test coverage.
* http/tests/security/location-cross-origin-expected.txt: Added.
* http/tests/security/location-cross-origin.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorepageLocationidl">trunk/Source/WebCore/page/Location.idl</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritylocationcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritylocationcrossoriginhtml">trunk/LayoutTests/http/tests/security/location-cross-origin.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (204922 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/LayoutTests/ChangeLog 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-08-24 Chris Dumez <cdumez@apple.com>
+
+ It should not be possible to access Location attributes cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161125
+ <rdar://problem/27982472>
+
+ Reviewed by Brent Fulgham.
+
+ Add layout test coverage.
+
+ * http/tests/security/location-cross-origin-expected.txt: Added.
+ * http/tests/security/location-cross-origin.html: Added.
+
</ins><span class="cx"> 2016-08-24 Jonathan Bedard <jbedard@apple.com>
</span><span class="cx">
</span><span class="cx"> WebKit2 needs layoutTestController.setDeferMainResourceDataLoad
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritylocationcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt (0 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-cross-origin-expected.txt 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 600: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 526: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+Test security checking for access to Location.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frames[0].location.protocol is undefined.
+PASS frames[0].location.host is undefined.
+PASS frames[0].location.hostname is undefined.
+PASS frames[0].location.port is undefined.
+PASS frames[0].location.pathname is undefined.
+PASS frames[0].location.search is undefined.
+PASS frames[0].location.hash is undefined.
+PASS frames[0].location.origin is undefined.
+PASS frames[0].location.ancestorOrigins is undefined.
+PASS frames[0].location.toString() threw exception TypeError: frames[0].location.toString is not a function. (In 'frames[0].location.toString()', 'frames[0].location.toString' is undefined).
+PASS frames[0].location.reload() threw exception TypeError: frames[0].location.reload is not a function. (In 'frames[0].location.reload()', 'frames[0].location.reload' is undefined).
+PASS frames[0].location.assign('about:blank') threw exception TypeError: frames[0].location.assign is not a function. (In 'frames[0].location.assign('about:blank')', 'frames[0].location.assign' is undefined).
+PASS frames[0].location.href is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'protocol').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'host').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'hostname').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'port').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'pathname').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'search').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'hash').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'origin').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'ancestorOrigins').get.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location) is undefined.
+PASS Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location) is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritylocationcrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/location-cross-origin.html (0 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/location-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/location-cross-origin.html 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -0,0 +1,44 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../../resources/js-test-pre.js"></script>
+<iframe src="http://localhost:8000/security/resources/iframe-with-element.html"></iframe>
+<script>
+description("Test security checking for access to Location.");
+jsTestIsAsync = true;
+
+onload = function() {
+ shouldBeUndefined("frames[0].location.protocol");
+ shouldBeUndefined("frames[0].location.host");
+ shouldBeUndefined("frames[0].location.hostname");
+ shouldBeUndefined("frames[0].location.port");
+ shouldBeUndefined("frames[0].location.pathname");
+ shouldBeUndefined("frames[0].location.search");
+ shouldBeUndefined("frames[0].location.hash");
+ shouldBeUndefined("frames[0].location.origin");
+ shouldBeUndefined("frames[0].location.ancestorOrigins");
+ shouldThrow("frames[0].location.toString()");
+ shouldThrow("frames[0].location.reload()");
+ shouldThrow("frames[0].location.assign('about:blank')");
+ // The specification seems to allow access to href but Firefox does not.
+ shouldBeUndefined("frames[0].location.href");
+
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'protocol').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'host').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'hostname').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'port').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'pathname').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'search').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'hash').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'origin').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'ancestorOrigins').get.call(frames[0].location)");
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'toString').value.call(frames[0].location)");
+ // The specification seems to allow access to href but Firefox does not.
+ shouldBeUndefined("Object.getOwnPropertyDescriptor(window.location, 'href').get.call(frames[0].location)");
+
+ finishJSTest();
+};
+</script>
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (204922 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/ChangeLog 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-08-24 Chris Dumez <cdumez@apple.com>
+
+ It should not be possible to access Location attributes cross origin
+ https://bugs.webkit.org/show_bug.cgi?id=161125
+ <rdar://problem/27982472>
+
+ Reviewed by Brent Fulgham.
+
+ It should not be possible to access Location attributes cross origin:
+ - https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
+
+ We allow access to replace() as per the specification and consistently
+ with Firefox. The specification seems to indicate we should allow access
+ to 'href' but Firefox does not and we previously did not so I am not
+ allowing it in this patch.
+
+ Test: http/tests/security/location-cross-origin.html
+
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * page/Location.idl:
+
</ins><span class="cx"> 2016-08-24 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Add User Timing to the feature status page
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (204922 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -2830,7 +2830,11 @@
</span><span class="cx"> if ($interface->extendedAttributes->{"CheckSecurity"} &&
</span><span class="cx"> !$attribute->signature->extendedAttributes->{"DoNotCheckSecurity"} &&
</span><span class="cx"> !$attribute->signature->extendedAttributes->{"DoNotCheckSecurityOnGetter"}) {
</span><del>- push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
</del><ins>+ if ($interfaceName eq "DOMWindow") {
+ push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ } else {
+ push(@implContent, " if (!shouldAllowAccessToFrame(state, castedThis->wrapped().frame()))\n");
+ }
</ins><span class="cx"> push(@implContent, " return JSValue::encode(jsUndefined());\n");
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -3387,9 +3391,12 @@
</span><span class="cx"> } else {
</span><span class="cx"> GenerateFunctionCastedThis($interface, $className, $function);
</span><span class="cx">
</span><del>- if ($interface->extendedAttributes->{"CheckSecurity"} and
- !$function->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
- push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
</del><ins>+ if ($interface->extendedAttributes->{"CheckSecurity"} and !$function->signature->extendedAttributes->{"DoNotCheckSecurity"}) {
+ if ($interfaceName eq "DOMWindow") {
+ push(@implContent, " if (!BindingSecurity::shouldAllowAccessToDOMWindow(state, castedThis->wrapped()))\n");
+ } else {
+ push(@implContent, " if (!shouldAllowAccessToFrame(state, castedThis->wrapped().frame()))\n");
+ }
</ins><span class="cx"> push(@implContent, " return JSValue::encode(jsUndefined());\n");
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageLocationidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Location.idl (204922 => 204923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Location.idl 2016-08-24 19:38:45 UTC (rev 204922)
+++ trunk/Source/WebCore/page/Location.idl 2016-08-24 19:52:07 UTC (rev 204923)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> */
</span><span class="cx">
</span><span class="cx"> [
</span><ins>+ CheckSecurity,
</ins><span class="cx"> CustomDeleteProperty,
</span><span class="cx"> CustomEnumerateProperty,
</span><span class="cx"> CustomNamedSetter,
</span><span class="lines">@@ -40,7 +41,7 @@
</span><span class="cx"> [SetterCallWith=ActiveWindow&FirstWindow] attribute USVString href;
</span><span class="cx">
</span><span class="cx"> [CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void assign(USVString url);
</span><del>- [CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(USVString url);
</del><ins>+ [DoNotCheckSecurity, CallWith=ActiveWindow&FirstWindow, ForwardDeclareInHeader] void replace(USVString url);
</ins><span class="cx"> [CallWith=ActiveWindow, ForwardDeclareInHeader] void reload();
</span><span class="cx">
</span><span class="cx"> // URI decomposition attributes
</span></span></pre>
</div>
</div>
</body>
</html>