• abarth@webkit.org's avatar
    2009-12-01 Patrik Persson <patrik.j.persson@ericsson.com> · b8a10552
    abarth@webkit.org authored
            Reviewed by Darin Adler.
    
            Implement HTML5 sandbox attribute for iframes.
            http://www.w3.org/TR/html5/text-level-semantics.html#attr-iframe-sandbox
            https://bugs.webkit.org/show_bug.cgi?id=21288
    
            * fast/frames/resources/non-sandboxed-iframe-navigation.html: Added.
            * fast/frames/resources/sandboxed-iframe-attribute-parsing-allowed.html: Added.
            * fast/frames/resources/sandboxed-iframe-attribute-parsing-disallowed.html: Added.
            * fast/frames/resources/sandboxed-iframe-form-allowed.html: Added.
            * fast/frames/resources/sandboxed-iframe-form-disallowed.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigated.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-child.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-navigated.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-parent.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-source.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-targetlink.html: Added.
            * fast/frames/resources/sandboxed-iframe-navigation-windowopen.html: Added.
            * fast/frames/resources/sandboxed-iframe-plugins-frame-applet.html: Added.
            * fast/frames/resources/sandboxed-iframe-plugins-frame-embed.html: Added.
            * fast/frames/resources/sandboxed-iframe-plugins-frame-object.html: Added.
            * fast/frames/resources/sandboxed-iframe-script-dynamic.html: Added.
            * fast/frames/resources/sandboxed-iframe-storage-allowed.html: Added.
            * fast/frames/resources/sandboxed-iframe-storage-disallowed.html: Added.
            * fast/frames/sandboxed-iframe-attribute-parsing-expected.txt: Added.
            * fast/frames/sandboxed-iframe-attribute-parsing.html: Added.
            * fast/frames/sandboxed-iframe-forms-expected.txt: Added.
            * fast/frames/sandboxed-iframe-forms.html: Added.
            * fast/frames/sandboxed-iframe-navigation-allowed-expected.txt: Added.
            * fast/frames/sandboxed-iframe-navigation-allowed.html: Added.
            * fast/frames/sandboxed-iframe-navigation-parent-expected.txt: Added.
            * fast/frames/sandboxed-iframe-navigation-parent.html: Added.
            * fast/frames/sandboxed-iframe-navigation-targetlink-expected.txt: Added.
            * fast/frames/sandboxed-iframe-navigation-targetlink.html: Added.
            * fast/frames/sandboxed-iframe-navigation-windowopen-expected.txt: Added.
            * fast/frames/sandboxed-iframe-navigation-windowopen.html: Added.
            * fast/frames/sandboxed-iframe-plugins-expected.txt: Added.
            * fast/frames/sandboxed-iframe-plugins.html: Added.
            * fast/frames/sandboxed-iframe-scripting-expected.txt: Added.
            * fast/frames/sandboxed-iframe-scripting.html: Added.
            * fast/frames/sandboxed-iframe-storage-expected.txt: Added.
            * fast/frames/sandboxed-iframe-storage.html: Added.
            * http/tests/security/resources/sandboxed-iframe-document-cookie-read-denied.html: Added.
            * http/tests/security/resources/sandboxed-iframe-modify-self.html: Added.
            * http/tests/security/resources/xss-DENIED-sandboxed-iframe-attacker.html: Added.
            * http/tests/security/sandboxed-iframe-document-cookie-expected.txt: Added.
            * http/tests/security/sandboxed-iframe-document-cookie.html: Added.
            * http/tests/security/sandboxed-iframe-modify-self-expected.txt: Added.
            * http/tests/security/sandboxed-iframe-modify-self.html: Added.
            * http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt: Added.
            * http/tests/security/xss-DENIED-sandboxed-iframe.html: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-expected.txt: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow.html: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard.html: Added.
            * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied.html: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-iframe.html: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow.cgi: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-iframe.html: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard-iframe.html: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi: Added.
            * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied.cgi: Added.
    2009-12-01  Patrik Persson  <patrik.j.persson@ericsson.com>
    
            Reviewed by Darin Adler.
    
            Implement HTML5 sandbox attribute for iframes.
            http://www.w3.org/TR/html5/text-level-semantics.html#attr-iframe-sandbox
            https://bugs.webkit.org/show_bug.cgi?id=21288
    
            Tests: fast/frames/sandboxed-iframe-attribute-parsing.html
                   fast/frames/sandboxed-iframe-forms.html
                   fast/frames/sandboxed-iframe-navigation-allowed.html
                   fast/frames/sandboxed-iframe-navigation-parent.html
                   fast/frames/sandboxed-iframe-navigation-targetlink.html
                   fast/frames/sandboxed-iframe-navigation-windowopen.html
                   fast/frames/sandboxed-iframe-plugins.html
                   fast/frames/sandboxed-iframe-scripting.html
                   fast/frames/sandboxed-iframe-storage.html
                   http/tests/security/sandboxed-iframe-document-cookie.html
                   http/tests/security/sandboxed-iframe-modify-self.html
                   http/tests/security/xss-DENIED-sandboxed-iframe.html
                   http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow.html
                   http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard.html
                   http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied.html
    
            * bindings/js/JSDOMWindowCustom.cpp: sandboxing navigation
            (WebCore::createWindow):
            * bindings/js/ScriptController.cpp: sandboxing scripts
            (WebCore::ScriptController::isEnabled):
            * dom/Document.cpp:
            (WebCore::Document::processHttpEquiv):
            (WebCore::Document::cookie): raise exception when accessed from sandbox
            (WebCore::Document::setCookie): raise exception when accessed from sandbox
            (WebCore::Document::initSecurityContext): updae sandbox status
            (WebCore::Document::updateSandboxFlags):
            * dom/Document.h:
            * dom/Document.idl:
            * html/HTMLAppletElement.cpp: sandboxing applets
            (WebCore::HTMLAppletElement::createRenderer):
            (WebCore::HTMLAppletElement::renderWidgetForJSBindings):
            (WebCore::HTMLAppletElement::canEmbedJava):
            * html/HTMLAppletElement.h:
            * html/HTMLAttributeNames.in:
            * html/HTMLFrameOwnerElement.cpp: management of sandbox flags as stated in attribute
            (WebCore::HTMLFrameOwnerElement::HTMLFrameOwnerElement):
            (WebCore::HTMLFrameOwnerElement::setSandboxFlags):
            * html/HTMLFrameOwnerElement.h:
            (WebCore::HTMLFrameOwnerElement::sandboxFlags):
            * html/HTMLIFrameElement.cpp: sandbox attribute parsing
            (WebCore::parseSandboxAttribute):
            (WebCore::HTMLIFrameElement::parseMappedAttribute):
            * html/HTMLIFrameElement.idl:
            * inspector/InspectorController.cpp:
            (WebCore::InspectorController::getCookies):
            * loader/CrossOriginAccessControl.cpp:
            (WebCore::passesAccessControlCheck):
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::FrameLoader):
            (WebCore::FrameLoader::init):
            (WebCore::FrameLoader::submitForm): sandboxing forms
            (WebCore::FrameLoader::requestObject): sandboxing plugins
            (WebCore::FrameLoader::shouldAllowNavigation): sandboxing navigation
            (WebCore::FrameLoader::updateSandboxFlags): propagation of sandbox flags
            * loader/FrameLoader.h:
            (WebCore::FrameLoader::ownerElementSandboxFlagsChanged):
            (WebCore::FrameLoader::isSandboxed):
            (WebCore::FrameLoader::sandboxFlags):
            * loader/FrameLoaderTypes.h:
            (WebCore::):
            * page/DOMWindow.cpp: disable storage and databases in sandboxed frames
            (WebCore::DOMWindow::sessionStorage):
            (WebCore::DOMWindow::localStorage):
            (WebCore::DOMWindow::openDatabase):
            * page/SecurityOrigin.cpp: added sandboxing status
            (WebCore::SecurityOrigin::SecurityOrigin):
            (WebCore::SecurityOrigin::canAccess):
            (WebCore::SecurityOrigin::canRequest):
            (WebCore::SecurityOrigin::toString):
            * page/SecurityOrigin.h:
            (WebCore::SecurityOrigin::setSandboxFlags):
            (WebCore::SecurityOrigin::isSandboxed):
            (WebCore::SecurityOrigin::canAccessDatabase):
            (WebCore::SecurityOrigin::canAccessStorage):
            * websockets/WebSocketChannel.cpp:
            (WebCore::WebSocketChannel::didReceiveData):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51577 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    b8a10552
ChangeLog 1.19 MB
The source could not be displayed because it is larger than 1 MB. You can load it anyway or download it instead.