    Framesniffing defense is too aggressive. · 8d3c2c18
    tsepez@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=83721
    
    Reviewed by James Robinson.
    
    Source/WebCore:
    
    The RenderLayer code currently propagates scroll position to parent frames
    without any cross-origin checks.  This gives it a quick origin boundary check
    that is set by FrameLoader only when performing a fragment navigation.  This
    allows us to safely relax the restriction on not scrolling at load time in
    FrameLoader since the safe thing will happen later on at scroll time.
    
    Test: http/tests/navigation/anchor-frames-same-origin.html
    
    * dom/Document.cpp:
    (WebCore::Document::findUnsafeParentScrollPropagationBoundary):
    * dom/Document.h:
    (Document):
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::finishedParsing):
    (WebCore::FrameLoader::loadInSameDocument):
    (WebCore::FrameLoader::scrollToFragmentWithParentBoundary):
    * loader/FrameLoader.h:
    (FrameLoader):
    * page/FrameView.cpp:
    (WebCore::FrameView::FrameView):
    (WebCore::FrameView::reset):
    * page/FrameView.h:
    (WebCore::FrameView::safeToPropagateScrollToParent):
    (WebCore::FrameView::setSafeToPropagateScrollToParent):
    (FrameView):
    * rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::scrollRectToVisible):
    
    LayoutTests:
    
    * http/tests/inspector/resource-parameters-expected.txt:
    * http/tests/navigation/anchor-frames-cross-origin-expected.txt:
    * http/tests/navigation/anchor-frames-cross-origin.html:
    * http/tests/navigation/anchor-frames-same-origin-expected.txt: Added.
    * http/tests/navigation/anchor-frames-same-origin.html: Added.
    * http/tests/navigation/resources/frame-with-anchor-cross-origin.html:
    * http/tests/navigation/resources/frame-with-anchor-same-origin.html: Added.
    * http/tests/navigation/resources/grandchild-with-anchor.html: Added.
    * http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt:
    * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-expected.txt:
    * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt:
    * http/tests/security/xssAuditor/anchor-url-dom-write-location-javascript-URL-expected.txt:
    * http/tests/security/xssAuditor/anchor-url-dom-write-location2-expected.txt:
    * http/tests/security/xssAuditor/dom-write-location-inline-event-expected.txt:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@114406 268f45cc-cd09-0410-ab3c-d52691b4dbfc
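The following is an added illustration, not WebKit's code: a toy frame tree that models the boundary check the commit message describes. The two functions mirror the names from the change list (findUnsafeParentScrollPropagationBoundary, scrollToFragmentWithParentBoundary) but are simplified assumptions about the mechanism; the origins and scroll offsets are constructed sample values.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy model (added example, not WebKit's code) of the cross-origin
// scroll-propagation boundary described in the commit message.
struct Frame {
    std::string origin;
    Frame* parent = nullptr;
    int scrollY = 0;
    std::vector<std::unique_ptr<Frame>> children;

    explicit Frame(std::string o, Frame* p = nullptr) : origin(std::move(o)), parent(p) {}

    Frame* addChild(const std::string& childOrigin) {
        children.push_back(std::make_unique<Frame>(childOrigin, this));
        return children.back().get();
    }
};

// Model of findUnsafeParentScrollPropagationBoundary: starting from the frame
// that performed the fragment navigation, walk up the frame tree and return the
// first ancestor with a different origin. nullptr means every ancestor is
// same-origin and the scroll may propagate all the way to the top frame.
Frame* findUnsafeParentScrollPropagationBoundary(Frame* navigated) {
    for (Frame* ancestor = navigated->parent; ancestor; ancestor = ancestor->parent) {
        if (ancestor->origin != navigated->origin)
            return ancestor;
    }
    return nullptr;
}

// Model of scrollRectToVisible with the boundary applied: reveal the fragment in
// the navigated frame, then keep scrolling enclosing frames until the boundary
// is reached. A cross-origin ancestor therefore never observes the scroll, which
// removes the signal a framesniffing page relies on. Returns how many frames moved.
int scrollToFragmentWithParentBoundary(Frame* navigated, int targetY) {
    Frame* boundary = findUnsafeParentScrollPropagationBoundary(navigated);
    int scrolled = 0;
    for (Frame* f = navigated; f && f != boundary; f = f->parent) {
        f->scrollY = targetY;
        ++scrolled;
    }
    return scrolled;
}

// Scenario 1 (constructed): a cross-origin top frame embeds a victim frame which
// embeds a same-origin grandchild; the grandchild navigates to a fragment. The
// grandchild and its parent scroll, the top frame stays at 0.
int crossOriginScenarioTopScroll(int* framesScrolled) {
    Frame top("https://attacker.example");
    Frame* child = top.addChild("https://victim.example");
    Frame* grandchild = child->addChild("https://victim.example");
    *framesScrolled = scrollToFragmentWithParentBoundary(grandchild, 400);
    return top.scrollY;
}

// Scenario 2 (constructed): the whole chain is same-origin, so there is no
// boundary and all three frames scroll, the case the commit's new
// anchor-frames-same-origin layout test is named for.
int sameOriginScenarioTopScroll(int* framesScrolled) {
    Frame top("https://victim.example");
    Frame* child = top.addChild("https://victim.example");
    Frame* grandchild = child->addChild("https://victim.example");
    *framesScrolled = scrollToFragmentWithParentBoundary(grandchild, 400);
    return top.scrollY;
}

int main() {
    int n = 0;
    int topY = crossOriginScenarioTopScroll(&n);
    std::printf("cross-origin: %d frames scrolled, top frame scrollY=%d\n", n, topY);
    topY = sameOriginScenarioTopScroll(&n);
    std::printf("same-origin: %d frames scrolled, top frame scrollY=%d\n", n, topY);
    return 0;
}
```

The point of the model is the ordering the commit describes: the origin check happens at scroll time rather than at load time, so a fragment navigation can always scroll its own document and any same-origin ancestors, while a cross-origin ancestor's scroll position is left untouched.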