[webkit-reviews] review requested: [Bug 20651] svgElement.className.baseValue does not work : [Attachment 24168] WebCore:

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 7 19:13:38 PDT 2008

Eric Seidel <eric at webkit.org> has asked  for review:
Bug 20651: svgElement.className.baseValue does not work

Attachment 24168: WebCore:

------- Additional Comments from Eric Seidel <eric at webkit.org>

	Reviewed by Sam Weinig

	Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523

	When a frame is created with the URL "about:blank" or "", it should
	inherit its SecurityOrigin from its opener.  However, once it has
	decided on that SecurityOrigin, it should not change its mind.
	Prior to this patch, several events could induce the frame to change
	its SecurityOrigin, permitting an attacker to inject script into an
	arbitrary SecurityOrigin.

	This patch makes several changes:

	1) Documents refuse to change from one SecurityOrigin to another
	   unless explicitly instructed to do so.

	2) Navigating to a JavaScript URL that produces a value
	   preserves the current SecurityOrigin explicitly instead of
	   relying on the URL to preserve the origin (which fails for
	   about:blank URLs and SecurityOrigins with document.domain set).

	   Ideally, we should not preserve the URL at all.  Instead, the
	   frame's URL should be the JavaScript URL, as in Firefox, but this
	   would require changes that are too risky for this patch.  I'll
	   file this as a separate issue.

	3) Various methods of navigating to JavaScript URLs were not
	   properly handling JavaScript that returned a value (and should
	   therefore replace the current document).  This patch unifies
	   those code paths with the path that works.

	   There are still a handful of bugs relating to the handling of
	   JavaScript URLs, but I'll file those as separate issues.


	* dom/Document.cpp:
	* dom/Document.h:
	* loader/FrameLoader.cpp:
	* loader/FrameLoader.h:
	* platform/SecurityOrigin.cpp:
	* platform/SecurityOrigin.h:


	Reviewed by Sam Weinig.

	Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523

	Adds new LayoutTests for scripting from about:blank windows.  These
	windows should inherit its SecurityOrigin from its opener and should
	refuse to change their origins when their opener changes exogenously
	(the navigate-opener tests) or explicitly (the set-opener test).

	* http/tests/security/aboutBlank: Added.
ed.txt: Added.
ed.txt: Added.
	* http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
	* http/tests/security/aboutBlank/xss-DENIED-set-opener.html: Added.
	* http/tests/security/resources/innocent-victim-with-notify.html:
	* http/tests/security/resources/innocent-victim.html: Added.
	* http/tests/security/resources/libwrapjs.js: Added.
	* http/tests/security/resources/open-window.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@29266
 LayoutTests/ChangeLog				    |	23 ++++
 ...IED-navigate-opener-document-write-expected.txt |	17 +++
 .../xss-DENIED-navigate-opener-document-write.html |  105 +++++++++++++++++++
 ...IED-navigate-opener-javascript-url-expected.txt |	17 +++
 .../xss-DENIED-navigate-opener-javascript-url.html |  106 ++++++++++++++++++++
 .../aboutBlank/xss-DENIED-set-opener-expected.txt  |	20 ++++
 .../security/aboutBlank/xss-DENIED-set-opener.html |	76 ++++++++++++++
 .../resources/innocent-victim-with-notify.html     |	14 +++
 .../tests/security/resources/innocent-victim.html  |	 5 +
 .../http/tests/security/resources/libwrapjs.js     |	62 ++++++++++++
 .../http/tests/security/resources/open-window.html |	22 ++++
 LayoutTests/platform/win/Skipped		    |	 3 +
 WebCore/ChangeLog				    |	58 +++++++++++
 WebCore/dom/Document.cpp			    |	 3 +
 WebCore/dom/Document.h 			    |	 5 +
 WebCore/loader/FrameLoader.cpp 		    |	53 +++++-----
 WebCore/loader/FrameLoader.h			    |	 8 +-
 WebCore/platform/SecurityOrigin.cpp		    |	55 ++++------
 WebCore/platform/SecurityOrigin.h		    |	 7 +-
 19 files changed, 592 insertions(+), 67 deletions(-)

More information about the webkit-reviews mailing list