    [JSC] Don't sanitize window.onerror information on crossorigin-enabled scripts · 0941e884
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=70574
    
    Patch by Pablo Flouret <pablof@motorola.com> on 2012-11-16
    Reviewed by Geoffrey Garen.
    
    Source/WebCore:
    
    For scripts that use CORS (via the crossorigin attribute in this case),
    don't sanitize the information passed to the window's onerror handler (i.e.
    message, url, and line number). Useful for scripts hosted on CDNs.
    
    Tests: http/tests/security/script-crossorigin-onerror-information.html
           http/tests/security/script-no-crossorigin-onerror-should-be-sanitized.html
    
    * WebCore.exp.in:
    * WebCore.order:
    
    * bindings/js/JSDOMBinding.cpp:
    (WebCore::reportException):
    * bindings/js/JSDOMBinding.h:
    (WebCore):
    * bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::evaluateInWorld):
    * bindings/js/ScriptSourceCode.h:
    (WebCore::ScriptSourceCode::ScriptSourceCode):
    (WebCore::ScriptSourceCode::cachedScript):
    (ScriptSourceCode):
    * bindings/js/WorkerScriptController.cpp:
    (WebCore::WorkerScriptController::evaluate):
        Keep a reference to the cached script in the ScriptSourceCode, so
        that it can be passed around and be available when reporting the
        exception.
    
    * dom/ScriptExecutionContext.cpp:
    (WebCore::ScriptExecutionContext::sanitizeScriptError):
    (WebCore::ScriptExecutionContext::reportException):
    (WebCore::ScriptExecutionContext::dispatchErrorEvent):
    * dom/ScriptExecutionContext.h:
    (WebCore):
    (ScriptExecutionContext):
        Check if the script passes the access control checks, and if so,
        don't sanitize the error information.
    
    * html/parser/HTMLPreloadScanner.cpp:
    (WebCore::PreloadTask::processAttributes):
    (WebCore::PreloadTask::preload):
    (PreloadTask):
    (WebCore::PreloadTask::crossOriginModeAllowsCookies):
        When preloading script elements, check for the crossorigin attribute
        and adjust the request's allowCookies value accordingly. Otherwise
        when the script is loaded from the cache later on, the cross origin mode
        (anonymous/use-credentials) will be effectively ignored.
    
    LayoutTests:
    
    * http/tests/security/resources/cors-script.php:
    * http/tests/security/script-crossorigin-onerror-information-expected.txt: Added.
    * http/tests/security/script-crossorigin-onerror-information.html: Added.
    * http/tests/security/script-no-crossorigin-onerror-should-be-sanitized-expected.txt: Added.
    * http/tests/security/script-no-crossorigin-onerror-should-be-sanitized.html: Added.
    
    * platform/chromium/TestExpectations:
        This patch only deals with JSC right now, skip the new tests.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@135009 268f45cc-cd09-0410-ab3c-d52691b4dbfc
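The decision described in the commit message, as an added example that is not WebKit's code: a small model of the sanitize-or-expose choice for `window.onerror` and of the crossorigin-to-cookies mapping the preload scanner needs. Function names, the CORS check and the sanitized values ("Script error.", empty URL, line 0) are assumptions modelled on browser behaviour, not taken from the WebKit sources.

```javascript
// Added example, not WebKit code: models the decision this commit introduces
// in ScriptExecutionContext::sanitizeScriptError and the preload scanner's
// crossorigin -> cookies mapping. Names and the sanitized values are
// assumptions modelled on browser behaviour, not copied from WebKit.

// crossorigin="" or "anonymous" -> no cookies; "use-credentials" -> cookies.
// The preload scanner must record this so the cached script is later reused
// under the same credentials mode instead of silently ignoring it.
function crossOriginModeAllowsCookies(crossoriginAttr) {
  return String(crossoriginAttr).toLowerCase() === 'use-credentials';
}

// Minimal CORS access-control check on the script response. A script with no
// crossorigin attribute was never a CORS request, so it can never pass. (In a
// real browser a failed check blocks the script entirely; here it only means
// "do not expose details".)
function passesAccessControlCheck(response, pageOrigin, crossoriginAttr) {
  if (crossoriginAttr === null) return false;
  const acao = response.headers['access-control-allow-origin'];
  const withCredentials = crossOriginModeAllowsCookies(crossoriginAttr);
  if (acao === '*') return !withCredentials; // '*' is not valid with credentials
  if (acao !== pageOrigin) return false;
  return !withCredentials ||
    response.headers['access-control-allow-credentials'] === 'true';
}

// What window.onerror receives: full details only for same-origin scripts or
// scripts that passed the CORS check; otherwise the sanitized triple, which
// keeps a cross-origin script's error text from leaking state to the page.
function sanitizeScriptError(err, pageOrigin, corsPassed) {
  const sameOrigin = new URL(err.sourceURL).origin === pageOrigin;
  if (sameOrigin || corsPassed) return { ...err };
  return { message: 'Script error.', sourceURL: '', lineNumber: 0 };
}

function reportScriptError(scriptTag, response, pageOrigin, err) {
  const attr = 'crossorigin' in scriptTag ? scriptTag.crossorigin : null;
  return sanitizeScriptError(err, pageOrigin,
    passesAccessControlCheck(response, pageOrigin, attr));
}

// Constructed sample: a page on app.example loading a library from a CDN.
const PAGE_ORIGIN = 'https://app.example';
const CDN_ERROR = { message: 'TypeError: x is undefined',
  sourceURL: 'https://cdn.example/lib.js', lineNumber: 42 };
const CDN_WITH_ACAO = { headers: { 'access-control-allow-origin': '*' } };
const CDN_NO_ACAO = { headers: {} };
```

Running `reportScriptError({ crossorigin: 'anonymous' }, CDN_WITH_ACAO, PAGE_ORIGIN, CDN_ERROR)` yields the full message and line 42, while the same script without the attribute yields only "Script error.", which is why CDN-hosted scripts need both the attribute and the server-side header to get useful error reports.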