    FrameLoader::shouldAllowNavigation uses Frame for context rather than Document · a9da3b0b
    abarth@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=81020
    
    Reviewed by Eric Seidel.
    
    Source/WebCore:
    
    The vast majority of security checks in the browser should use a
    ScriptExecutionContext (aka a Document) to designate "who" is
    attempting to perform a given action.  Unfortunately,
    shouldAllowNavigation was using a Frame to designate "who" is
    attempting the navigation.
    
    In cases when the executing script is "inactive" (i.e., belongs to a
    document that is not currently displayed in a Frame), using the Frame
    can cause us to grant the script the privileges of the document that's
    currently displayed in the Frame rather than the one that contains the
    script.
    
    This patch moves shouldAllowNavigation from FrameLoader to Document
    (and renames it to canNavigate), effectively changing the context object
    from a Frame to a Document.
    
    Test: http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html
    
    * bindings/generic/BindingSecurity.h:
    (BindingSecurity):
    (WebCore):
    * bindings/v8/V8Utilities.cpp:
    (WebCore):
    * bindings/v8/V8Utilities.h:
    (WebCore):
        - Deletes unused code.
    * dom/Document.cpp:
    (WebCore::canAccessAncestor):
    (WebCore):
    (WebCore::Document::canNavigate):
        - canNavigate is copied from FrameLoader::shouldAllowNavigation.
          I've added a null-check bailout if the document is inactive.
    * dom/Document.h:
    (Document):
    * loader/FormState.cpp:
    (WebCore::FormState::FormState):
    (WebCore::FormState::create):
    * loader/FormState.h:
    (WebCore):
    (FormState):
    (WebCore::FormState::sourceDocument):
    * loader/FormSubmission.cpp:
    (WebCore::FormSubmission::create):
        - Changes the context object from Frame to Document.
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::submitForm):
    (WebCore::FrameLoader::loadFrameRequest):
    (WebCore):
    (WebCore::FrameLoader::findFrameForNavigation):
        - FrameLoader::findFrameForNavigation still incorrectly uses Frame
          as the context object, but that's a bug for another patch.
    (WebCore::createWindow):
    * loader/FrameLoader.h:
    (FrameLoader):
    * loader/NavigationScheduler.cpp:
    (WebCore::ScheduledFormSubmission::fire):
    * page/DOMWindow.cpp:
    (WebCore::DOMWindow::close):
    (WebCore::DOMWindow::setLocation):
    (WebCore::DOMWindow::open):
    * page/History.cpp:
    (WebCore::History::go):
    
    Source/WebKit/mac:
    
    Update call site to new function name.
    
    * WebCoreSupport/WebFrameLoaderClient.mm:
    (WebFrameLoaderClient::dispatchWillSubmitForm):
    
    Source/WebKit/win:
    
    Update call site to new function name.
    
    * WebFrame.cpp:
    (WebFrame::dispatchWillSubmitForm):
    
    Source/WebKit2:
    
    Update call site to new function name.
    
    * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
    (WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):
    
    LayoutTests:
    
    Test that a script from an inactive document doesn't inherit the
    navigation privileges of the document that currently occupies the
    frame.
    
    * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt: Added.
    * http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Added.
    * http/tests/security/frameNavigation/resources/fail.html: Added.
    * http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html:
    * http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@112184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
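The Frame-versus-Document context distinction described in the commit message, as an added example that is not WebKit code and not part of the original commit: a toy C++ model of the frame tree in which the "who" of a navigation check is either the document currently displayed in a frame (the old, frame-based check) or the document that actually contains the script (the new Document::canNavigate). The origins, the struct layout and the `inactiveScriptScenario()` helper are assumptions made for illustration; sandboxing and the top-level-frame restrictions of the real function are omitted. The scenario models the situation in the commit message: a script defined by a document that has since been navigated away from (so it is inactive) tries to navigate a child frame of the popup it used to occupy.

```cpp
#include <cstdio>
#include <string>

// Added example (not WebKit's real classes): minimal Frame/Document model.
struct Frame;

struct Document {
    std::string origin;      // assumed origin string, e.g. "http://attacker.example"
    Frame* frame = nullptr;  // null once the document is no longer displayed (inactive)

    // New-style check: the Document itself is the context object.
    bool canNavigate(const Frame* target) const;
};

struct Frame {
    Document* document = nullptr;  // the document currently displayed in this frame
    Frame* parent = nullptr;

    const Frame* top() const {
        const Frame* f = this;
        while (f->parent)
            f = f->parent;
        return f;
    }
};

// A document may navigate a frame if it is same-origin with that frame or any
// of that frame's ancestors (simplified form of the ancestor rule).
static bool canAccessAncestor(const std::string& origin, const Frame* target) {
    for (const Frame* f = target; f; f = f->parent) {
        if (f->document && f->document->origin == origin)
            return true;
    }
    return false;
}

bool Document::canNavigate(const Frame* target) const {
    if (!frame)                 // inactive document: the null-check bailout
        return false;
    if (!target)
        return true;
    if (target == frame)        // a document may always navigate its own frame
        return true;
    if (target == frame->top()) // frame-busting (sandbox flags omitted here)
        return true;
    return canAccessAncestor(origin, target);
}

// Old-style check (the bug): "who" is whatever the Frame currently displays,
// not the document that owns the executing script.
static bool shouldAllowNavigationFrameBased(const Frame* activeFrame, const Frame* target) {
    return activeFrame->document->canNavigate(target);
}

struct Decision {
    bool frameBased;     // result of the old Frame-context check
    bool documentBased;  // result of the new Document-context check
};

// Constructed scenario: a popup frame with one child frame. The popup first
// showed `original` (which defined the script), then was navigated to
// `replacement`, which is same-origin with the child. The script from
// `original` now runs while its document is inactive.
Decision inactiveScriptScenario() {
    Frame popup, child;
    child.parent = &popup;

    Document original{"http://attacker.example", &popup};
    Document replacement{"http://victim.example", &popup};
    Document childDoc{"http://victim.example", &child};

    popup.document = &replacement;  // popup now displays the victim-origin document
    child.document = &childDoc;
    original.frame = nullptr;       // navigated away: `original` is inactive

    return { shouldAllowNavigationFrameBased(&popup, &child),
             original.canNavigate(&child) };
}

int main() {
    Decision d = inactiveScriptScenario();
    std::printf("frame-based check allows:    %s\n", d.frameBased ? "yes" : "no");
    std::printf("document-based check allows: %s\n", d.documentBased ? "yes" : "no");
    return 0;
}
```

With the Frame as context, the inactive script borrows the privileges of the victim-origin document now occupying the popup and is allowed to navigate the child; with the Document as context, the script's own document has no frame and the check is refused outright.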