Commit 14e08540 authored by abarth@webkit.org

2011-01-01 Adam Barth <abarth@webkit.org>

        Reviewed by Eric Seidel.

        sandbox iframes have access to top.history methods
        https://bugs.webkit.org/show_bug.cgi?id=38152

        To enforce the sandbox restrictions on History, we need to pass the
        ScriptExecutionContext to WebCore.  This patch leaves the original
        History methods in place because they are used directly by folks who
        don't care about security checks.

        Test: fast/frames/sandboxed-iframe-history-denied.html

        * page/History.cpp:
        (WebCore::History::back):
        (WebCore::History::forward):
        (WebCore::History::go):
        * page/History.h:
        * page/History.idl:
2011-01-01  Justin Schuh  <jschuh@chromium.org>

        Reviewed by Eric Seidel.

        sandbox iframes have access to top.history methods
        https://bugs.webkit.org/show_bug.cgi?id=38152

        Test that sandboxed iframes cannot use history to navigate the top
        frame.  This test is less than ideal, as described in the test itself.
        If I was really on top of things, I'd add a test for successful use of
        the history API when allow-top-navigation is set, but that test would
        be complicated and I'm lazy (enough to copy directly from abarth).

        * fast/frames/sandboxed-iframe-history-denied-expected.txt: Added.
        * fast/frames/sandboxed-iframe-history-denied.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74853 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c2a176a3
2011-01-01 Justin Schuh <jschuh@chromium.org>
Reviewed by Eric Seidel.
sandbox iframes have access to top.history methods
https://bugs.webkit.org/show_bug.cgi?id=38152
Test that sandboxed iframes cannot use history to navigate the top
frame. This test is less than ideal, as described in the test itself.
If I was really on top of things, I'd add a test for successful use of
the history API when allow-top-navigation is set, but that test would
be complicated and I'm lazy (enough to copy directly from abarth).
* fast/frames/sandboxed-iframe-history-denied-expected.txt: Added.
* fast/frames/sandboxed-iframe-history-denied.html: Added.
2011-01-01 Kent Tamura <tkent@chromium.org> 2011-01-01 Kent Tamura <tkent@chromium.org>
Unreviewed, test expectation update. Unreviewed, test expectation update.
......
ALERT: PASS
This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
window.unload = function() {
alert("FAIL");
}
window.onload = function() {
// There's no way to write a test that determinstically fails because the
// history API is asynchronous. There's no way to know whether the
// asynchronous haven't yet happened or never will. Consequently, we just
// wait for a bit.
setTimeout(function() {
alert("PASS");
if (window.layoutTestController)
layoutTestController.notifyDone();
}, 20);
}
</script>
</head>
<body>
<p>This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.</p>
<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.back()</script>">
<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.forward()</script>">
<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.go(-1)</script>">
</body>
</html>
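Review bot: `window.unload = function() { alert("FAIL"); }` sets a plain property rather than the `onunload` handler, so the FAIL branch can never fire and the test prints PASS even if one of the three iframes did navigate the top frame; it should be `window.onunload = ...` (or `addEventListener("unload", ...)`). The comment above the timeout also has typos ("determinstically", and "whether the asynchronous haven't yet happened" is missing "navigations"). As the ChangeLog itself notes, there is no positive case: a sibling test using `sandbox="allow-scripts allow-top-navigation"` that expects the navigation to go through would show that the new context check, not a broken `history` object, is what gates the sandboxed calls.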
2011-01-01 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
sandbox iframes have access to top.history methods
https://bugs.webkit.org/show_bug.cgi?id=38152
To enforce the sandbox restrictions on History, we need to pass the
ScriptExecutionContext to WebCore. This patch leaves the original
History methods in place because they are used directly by folks who
don't care about security checks.
Test: fast/frames/sandboxed-iframe-history-denied.html
* page/History.cpp:
(WebCore::History::back):
(WebCore::History::forward):
(WebCore::History::go):
* page/History.h:
* page/History.idl:
2011-01-01 Adam Barth <abarth@webkit.org> 2011-01-01 Adam Barth <abarth@webkit.org>
Remove empty file. Remove empty file.
......
...@@ -27,6 +27,7 @@ ...@@ -27,6 +27,7 @@
#include "History.h" #include "History.h"
#include "BackForwardController.h" #include "BackForwardController.h"
#include "Document.h"
#include "ExceptionCode.h" #include "ExceptionCode.h"
#include "Frame.h" #include "Frame.h"
#include "FrameLoader.h" #include "FrameLoader.h"
...@@ -62,22 +63,45 @@ unsigned History::length() const ...@@ -62,22 +63,45 @@ unsigned History::length() const
void History::back() void History::back()
{ {
if (!m_frame) go(-1);
return; }
m_frame->navigationScheduler()->scheduleHistoryNavigation(-1);
void History::back(ScriptExecutionContext* context)
{
go(context, -1);
} }
void History::forward() void History::forward()
{
go(1);
}
void History::forward(ScriptExecutionContext* context)
{
go(context, 1);
}
void History::go(int distance)
{ {
if (!m_frame) if (!m_frame)
return; return;
m_frame->navigationScheduler()->scheduleHistoryNavigation(1);
m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
} }
void History::go(int distance) void History::go(ScriptExecutionContext* context, int distance)
{ {
if (!m_frame) if (!m_frame)
return; return;
ASSERT(WTF::isMainThread());
Frame* activeFrame = static_cast<Document*>(context)->frame();
if (!activeFrame)
return;
if (!activeFrame->loader()->shouldAllowNavigation(m_frame))
return;
m_frame->navigationScheduler()->scheduleHistoryNavigation(distance); m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
} }
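Review bot: `static_cast<Document*>(context)` in the new `History::go(ScriptExecutionContext*, int)` relies on the context always being a Document; `ASSERT(WTF::isMainThread())` constrains the thread but not the type, so an explicit check that the context is a document (returning early otherwise) would state the precondition instead of leaving it implicit in the cast. When `activeFrame->loader()->shouldAllowNavigation(m_frame)` fails the method just returns, which is the intended sandbox behaviour, but a console message on that denied path would make the refusal observable to page authors and testers, given how hard a silent denial is to detect (the test has to rely on a 20 ms timeout).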
......
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
namespace WebCore { namespace WebCore {
class Frame; class Frame;
class ScriptExecutionContext;
class SerializedScriptValue; class SerializedScriptValue;
typedef int ExceptionCode; typedef int ExceptionCode;
...@@ -49,6 +50,10 @@ public: ...@@ -49,6 +50,10 @@ public:
void forward(); void forward();
void go(int distance); void go(int distance);
void back(ScriptExecutionContext*);
void forward(ScriptExecutionContext*);
void go(ScriptExecutionContext*, int distance);
enum StateObjectType { enum StateObjectType {
StateObjectPush, StateObjectPush,
StateObjectReplace StateObjectReplace
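Review bot: the header now declares two overload sets under the same names, `back()`/`forward()`/`go(int distance)` with no check and the `ScriptExecutionContext*` versions with the sandbox check; a comment on the unchecked trio saying they are for trusted internal callers only and must not be reached from script-controlled paths (the ChangeLog keeps them for callers that "don't care about security checks") would stop a future binding or embedder API from picking the unchecked overload by accident.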
......
...@@ -37,9 +37,9 @@ module window { ...@@ -37,9 +37,9 @@ module window {
] History { ] History {
readonly attribute unsigned long length; readonly attribute unsigned long length;
[DoNotCheckDomainSecurity] void back(); [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void back();
[DoNotCheckDomainSecurity] void forward(); [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void forward();
[DoNotCheckDomainSecurity] void go(in long distance); [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void go(in long distance);
[Custom, EnabledAtRuntime] void pushState(in any data, in DOMString title, in optional DOMString url) [Custom, EnabledAtRuntime] void pushState(in any data, in DOMString title, in optional DOMString url)
raises(DOMException); raises(DOMException);
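Review bot: `DoNotCheckDomainSecurity` stays on `back`, `forward` and `go`, so the bindings still expose these methods to any frame, and the sandbox restriction now rests entirely on `CallWith=ScriptExecutionContext` passing the caller's context down to the WebCore check; a short IDL comment tying the two attributes together would make clear that removing `CallWith` reopens bug 38152.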
......