-
abarth@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=81020 Reviewed by Eric Seidel. Source/WebCore: The vast majority of security checks in the browser should use a ScriptExecutionContext (aka a Document) to designate "who" is attempting to perform a given action. Unfortunately, shouldAllowNavigation was using a Frame to designate "who" is attempting the navigation. In cases when the executing script is "inactive" (i.e., belongs to a document that is not currently displayed in a Frame), using the Frame can cause us to grant the script the privileges of the document that's currently displayed in the Frame rather than the one that contains the script. This patch moves shouldAllowNavigation from FrameLoader to Document (and renames it to canNavigate), effectively change the context object from a Frame to a Document. Test: http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html * bindings/generic/BindingSecurity.h: (BindingSecurity): (WebCore): * bindings/v8/V8Utilities.cpp: (WebCore): * bindings/v8/V8Utilities.h: (WebCore): - Deletes unused code. * dom/Document.cpp: (WebCore::canAccessAncestor): (WebCore): (WebCore::Document::canNavigate): - canNavigate is copied from FrameLoader::shouldAllowNavigation. I've added a null-check bailout if the document is inactive. * dom/Document.h: (Document): * loader/FormState.cpp: (WebCore::FormState::FormState): (WebCore::FormState::create): * loader/FormState.h: (WebCore): (FormState): (WebCore::FormState::sourceDocument): * loader/FormSubmission.cpp: (WebCore::FormSubmission::create): - Changes the context object from Frame to Document. * loader/FrameLoader.cpp: (WebCore::FrameLoader::submitForm): (WebCore::FrameLoader::loadFrameRequest): (WebCore): (WebCore::FrameLoader::findFrameForNavigation): - FrameLoader::findFrameForNavigation still incorrectly uses Frame as the context object, but that's a bug for another patch. (WebCore::createWindow): * loader/FrameLoader.h: (FrameLoader): * loader/NavigationScheduler.cpp: (WebCore::ScheduledFormSubmission::fire): * page/DOMWindow.cpp: (WebCore::DOMWindow::close): (WebCore::DOMWindow::setLocation): (WebCore::DOMWindow::open): * page/History.cpp: (WebCore::History::go): Source/WebKit/mac: Update call site to new function name. * WebCoreSupport/WebFrameLoaderClient.mm: (WebFrameLoaderClient::dispatchWillSubmitForm): Source/WebKit/win: Update call site to new function name. * WebFrame.cpp: (WebFrame::dispatchWillSubmitForm): Source/WebKit2: Update call site to new function name. * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp: (WebKit::WebFrameLoaderClient::dispatchWillSubmitForm): LayoutTests: Test that a script from an inactive document doesn't inherit the navigation privileges of the document that currently occupies the frame. * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt: Added. * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Added. * http/tests/security/frameNavigation/resources/fail.html: Added. * http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html: * http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
a9da3b0b