    WebCore: · 796309ca
    weinig@apple.com authored
    2008-05-01  Sam Weinig  <sam@webkit.org>
    
            Reviewed by Geoffrey Garen.
    
            Fixes:
              - https://bugs.webkit.org/show_bug.cgi?id=17249
                Incorrect lexical scope after navigation leads to UXSS
                <rdar://problem/5738497>
    
              - https://bugs.webkit.org/show_bug.cgi?id=16824
                Script authorization should follow lexical (not dynamic) scope
                <rdar://problem/5683032>
    
        This patch changes us to perform same-origin checks based on the lexical global object
        rather than the dynamic global object, which is now possible since we don't re-use the window on
        navigations, but rather switch in a new one and re-use the outer shell.  This is both
        more secure and conforms with the HTML5 specification.  Now that all the checks are
        done based on the lexical global object, we can remove the SecurityOrigin::Reason
        concept, as it was only around to work around an ebay.com bug that required the check to
        be done that way.
    
            An important thing to note is that we currently implement a stricter than necessary policy
            and perform the same-origin check based on the currently active global object to avoid leaking
            the document in cases when the target frame is navigated before access.  This will be fixed in
            an upcoming patch.
    
            * bindings/js/JSDOMWindowBase.cpp:
            (WebCore::JSDOMWindowBase::allowsAccessFrom):
            (WebCore::JSDOMWindowBase::allowsAccessFromNoErrorMessage):
            (WebCore::JSDOMWindowBase::allowsAccessFromPrivate):
            (WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage):
            (WebCore::JSDOMWindowBase::printErrorMessage):
            (WebCore::asJSDOMWindow):
            * bindings/js/JSDOMWindowBase.h:
            * html/CanvasRenderingContext2D.cpp:
            (WebCore::CanvasRenderingContext2D::checkOrigin):
            (WebCore::CanvasRenderingContext2D::createPattern):
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::begin):
            (WebCore::FrameLoader::write):
            (WebCore::FrameLoader::setOpener):
            (WebCore::FrameLoader::shouldAllowNavigation):
            * page/DOMWindow.h:
            (WebCore::DOMWindow::setSecurityOrigin):
            (WebCore::DOMWindow::securityOrigin):
            (WebCore::DOMWindow::setURL):
            (WebCore::DOMWindow::url):
            * platform/SecurityOrigin.cpp:
            (WebCore::SecurityOrigin::canAccess):
            (WebCore::SecurityOrigin::isSecureTransitionTo):
            * platform/SecurityOrigin.h:
    
    LayoutTests:
    
    2008-05-01  Sam Weinig  <sam@webkit.org>
    
            Reviewed by Geoffrey Garen.
    
            * http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt:
            * http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt:
            * http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt:
            * http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt:
            * http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt:
            * http/tests/security/listener/xss-window-onclick-shortcut-expected.txt:
            * http/tests/security/xss-eval-expected.txt:
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@32791 268f45cc-cd09-0410-ab3c-d52691b4dbfc
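The following is an added toy model, not WebKit code, of the reasoning in the commit message above: why the same-origin check has to be made against the lexical global object of the running function, and why that is only meaningful once each navigation installs a fresh inner window object rather than re-using the old one. The origins, document strings, the `Frame`/`Window` classes and the `allowsAccessFrom`/`runAttack`/`demo` helpers are all constructed here for illustration and are not WebKit's identifiers.

```javascript
// Added example (not WebKit code): toy model of lexical vs. dynamic
// same-origin checks across a frame navigation.

// Constructed origins for the attacker and victim documents.
const ATTACKER = { scheme: "http", host: "attacker.test", port: 80 };
const VICTIM   = { scheme: "http", host: "victim.test",   port: 80 };

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Inner window: the JS global object belonging to one document.
class Window {
  constructor(origin, document) {
    this.origin = origin;
    this.document = document;
  }
}

// Outer shell that survives navigation. `reuseWindow` selects the pre-patch
// model (mutate the existing window's origin in place) or the post-patch
// model (swap in a brand-new Window and keep only the shell).
class Frame {
  constructor(origin, document, reuseWindow) {
    this.reuseWindow = reuseWindow;
    this.window = new Window(origin, document);
  }
  navigate(origin, document) {
    if (this.reuseWindow) {
      this.window.origin = origin;      // old model: same object, new origin
      this.window.document = document;
    } else {
      this.window = new Window(origin, document); // new model: fresh global
    }
  }
}

// The access check, parameterised by which global object is "the caller":
// either the lexical global (the Window the function was created in) or the
// dynamic global (the Window whose script execution started the call stack).
function allowsAccessFrom(checkerWindow, targetWindow) {
  return sameOrigin(checkerWindow.origin, targetWindow.origin);
}

// Scenario: the attacker frames an attacker-origin document, plants a
// listener in it, then navigates the frame to the victim. The victim's own
// script later fires the event, so the dynamic global is the victim window.
function runAttack({ reuseWindow, policy }) {
  const frame = new Frame(ATTACKER, "attacker document", reuseWindow);

  // The listener is created while the frame is attacker-origin; its lexical
  // global is whatever Window object the frame holds at this moment.
  const lexicalWindow = frame.window;
  const listener = (dynamicWindow) => {
    const target = frame.window; // the frame's current (post-navigation) window
    const checker = policy === "lexical" ? lexicalWindow : dynamicWindow;
    return allowsAccessFrom(checker, target) ? target.document : null;
  };

  frame.navigate(VICTIM, "victim secret document");

  // Event dispatched by the victim document's script: dynamic global is the
  // victim's window. A non-null result means the attacker read the document.
  return listener(frame.window);
}

// Three configurations: dynamic check (pre-patch policy), lexical check with
// a re-used window (lexical policy is useless if the window mutates), and
// lexical check with a fresh window per navigation (the patched behaviour).
function demo() {
  return {
    dynamicCheck:             runAttack({ reuseWindow: true,  policy: "dynamic" }),
    lexicalCheckReusedWindow: runAttack({ reuseWindow: true,  policy: "lexical" }),
    lexicalCheckFreshWindow:  runAttack({ reuseWindow: false, policy: "lexical" }),
  };
}
```

Only the third configuration denies the read: the listener's lexical global is the old attacker-origin `Window`, which no longer matches the victim document now living in a separate object. The model leaves out the stricter interim policy the commit message mentions (checking against the currently active global object to avoid leaking a document when the target frame is navigated before access).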