Commit 3a2486e3 authored by abarth@webkit.org

2011-01-21 Yury Semikhatsky <yurys@chromium.org>

        Reviewed by Adam Barth.

        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
        https://bugs.webkit.org/show_bug.cgi?id=52903

        In case of an exception in a script from a different domain only a generic message
        will be passed to the window.onerror handler.

        Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
               http/tests/security/cross-origin-script-window-onerror.html

        * bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
        cross origin checks against the real script URL, not the original URL which may have resulted in a sequence
        of redirects to different domains.
        (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
        * bindings/v8/ScriptSourceCode.h: same for v8.
        (WebCore::ScriptSourceCode::url):
        * dom/ScriptExecutionContext.cpp:
        (WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
        access provide concise "Script error." message without any information about the error source. This is
        what Firefox does in this case.
2011-01-21  Yury Semikhatsky  <yurys@chromium.org>

        Reviewed by Adam Barth.

        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
        https://bugs.webkit.org/show_bug.cgi?id=52903

        A couple of tests to check that window.onerror won't reveal any content of the resource
        from a different domain if the latter is referenced via <script src=...>

        * http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
        * http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
        * http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
        * http/tests/security/cross-origin-script-window-onerror.html: Added.
        * http/tests/security/resources/cross-origin-script.txt: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76429 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1c5f9e4f
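The policy this commit describes, modelled as an added JavaScript example that is not WebKit's code: full error details only for scripts the page could load same-origin, with the check run against the final URL after redirects. The page host 127.0.0.1:8000 and the single-entry redirect table are assumptions standing in for the layout-test server and its redir.php.

```javascript
// Added illustration, not WebKit's code. It models the rule this commit
// introduces in ScriptExecutionContext::dispatchErrorEvent: window.onerror
// gets message/url/line only for scripts the page could request same-origin,
// and the origin check must use the response URL (after redirects), which the
// fixed CachedScriptSourceProvider / ScriptSourceCode now report.

// Constructed redirect table standing in for the network: the layout test's
// redir.php hop. 127.0.0.1:8000 is the assumed host of the test page.
const REDIRECTS = {
  "http://127.0.0.1:8000/security/resources/redir.php?url=http://localhost:8000/security/resources/cross-origin-script.txt":
    "http://localhost:8000/security/resources/cross-origin-script.txt",
};

// What the loader reports as response().url(): the last hop of the chain.
function responseUrl(requestUrl, maxHops = 10) {
  let url = requestUrl;
  for (let i = 0; i < maxHops && REDIRECTS[url] !== undefined; i++)
    url = REDIRECTS[url];
  return url;
}

// Scheme + host + port comparison; a stand-in for securityOrigin()->canRequest().
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Returns the (message, url, line) triple handed to window.onerror.
// useRequestUrl=true reproduces the regressed behaviour: checking the URL from
// the <script src> attribute instead of the response URL, so a same-origin
// redirector to a cross-origin script passes the check and leaks the message.
function sanitizeErrorEvent(pageUrl, scriptRequestUrl, message, line, useRequestUrl = false) {
  const finalUrl = responseUrl(scriptRequestUrl);
  const urlToCheck = useRequestUrl ? scriptRequestUrl : finalUrl;
  if (sameOrigin(pageUrl, urlToCheck))
    return { message, url: urlToCheck, line };
  // Firefox-compatible generic report: no source URL, line 0.
  return { message: "Script error.", url: "", line: 0 };
}
```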
2011-01-21 Yury Semikhatsky <yurys@chromium.org>
Reviewed by Adam Barth.
Regression: new window.onerror() implementation leaks cross-origin Javascript errors
https://bugs.webkit.org/show_bug.cgi?id=52903
A couple of tests to check that window.onerror won't reveal any content of the resource
from a different domain if the latter is referenced via <script src=...>
* http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
* http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
* http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
* http/tests/security/cross-origin-script-window-onerror.html: Added.
* http/tests/security/resources/cross-origin-script.txt: Added.
2011-01-21 Maciej Stachowiak <mjs@apple.com>
Reviewed by Geoffrey Garen.
......
Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. Bug 52903.
window.onerror message: Script error. at : 0
Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. Bug 52903.
window.onerror message: Script error. at : 0
<html>
<body>
<p>
Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
</p>
<div id="result"></div>
<script>
if (window.layoutTestController) {
layoutTestController.waitUntilDone();
layoutTestController.dumpAsText();
}
window.onerror = function(message, url, line) {
document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
if (window.layoutTestController)
layoutTestController.notifyDone();
return false;
}
</script>
<script src="resources/redir.php?url=http://localhost:8000/security/resources/cross-origin-script.txt">
</script>
</body>
</html>
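Review bot: cross-origin-script-window-onerror-redirected.html depends on resources/redir.php, which is not among the files this commit adds; confirm it already exists under http/tests/security/resources, otherwise the redirect case silently degrades into a plain 404 and the expected "Script error. at : 0" line would not be exercising the redirect path at all.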
<html>
<body>
<p>
Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
</p>
</p>
<div id="result"></div>
<script>
if (window.layoutTestController) {
layoutTestController.waitUntilDone();
layoutTestController.dumpAsText();
}
window.onerror = function(message, url, line) {
document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
if (window.layoutTestController)
layoutTestController.notifyDone();
return false;
}
</script>
<script src="http://localhost:8000/security/resources/cross-origin-script.txt">
</script>
</body>
</html>
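Review bot: cross-origin-script-window-onerror.html closes the paragraph twice (a second `</p>` immediately after the first); drop the stray one. The handler body is otherwise identical to the redirected variant, which is acceptable for two files, but the "at " + url + ": " + line format must stay in sync with both -expected.txt files.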
FAIL: some sensitive user data the test should not be able to see.
2011-01-21 Yury Semikhatsky <yurys@chromium.org>
Reviewed by Adam Barth.
Regression: new window.onerror() implementation leaks cross-origin Javascript errors
https://bugs.webkit.org/show_bug.cgi?id=52903
In case of an exception in a script from different domain only generic message
will be passed to window.onerror hander.
Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
http/tests/security/cross-origin-script-window-onerror.html
* bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
cross origin checks agains real script URL, not the original URL which may have resulted in a sequence
of redirects to different domains.
(WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
* bindings/v8/ScriptSourceCode.h: same for v8.
(WebCore::ScriptSourceCode::url):
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
access provide concise "Script error." message without any information about the error source. This is
what Firefox does in this case.
2011-01-21 Andreas Kling <kling@webkit.org>
Reviewed by Kenneth Rohde Christiansen.
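Review bot: two typos in the WebCore/ChangeLog entry: "hander" should be "handler" and "agains" should be "against". The entry could also state explicitly that the "Script error." message is accompanied by an empty source name and line 0, since that is what the tests check.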
......@@ -57,7 +57,7 @@ namespace WebCore {
private:
CachedScriptSourceProvider(CachedScript* cachedScript)
: ScriptSourceProvider(stringToUString(cachedScript->url()), cachedScript->sourceProviderCache())
: ScriptSourceProvider(stringToUString(cachedScript->response().url()), cachedScript->sourceProviderCache())
, m_cachedScript(cachedScript)
{
m_cachedScript->addClient(this);
......
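Review bot: the switch from cachedScript->url() to cachedScript->response().url() in the ScriptSourceProvider base initializer needs a one-line comment saying that the response URL is the post-redirect URL and that dispatchErrorEvent's cross-origin check depends on it; without that, a future cleanup could "simplify" it back to url() and reintroduce the leak.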
......@@ -63,7 +63,12 @@ public:
const String& source() const { return m_source; }
CachedScript* cachedScript() const { return m_cachedScript.get(); }
const KURL& url() const { return m_url; }
const KURL& url() const
{
if (m_cachedScript)
return m_cachedScript->response().url();
return m_url;
}
int startLine() const { return m_startPosition.m_line.oneBasedInt(); }
const TextPosition1& startPosition() const { return m_startPosition; }
......
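Review bot: after this change m_url is ignored whenever m_cachedScript is set, so url() should carry a comment that returning the response URL (after redirects) is intentional, otherwise `return m_url;` is an easy regression to reintroduce. Returning `const KURL&` from m_cachedScript->response().url() is fine only because the CachedScript is held by the smart pointer exposed via cachedScript() above, so the reference cannot outlive the owner.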
......@@ -294,9 +294,23 @@ bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int
if (!target)
return false;
String message;
int line;
String sourceName;
KURL targetUrl = completeURL(sourceURL);
if (securityOrigin()->canRequest(targetUrl)) {
message = errorMessage;
line = lineNumber;
sourceName = sourceURL;
} else {
message = "Script error.";
sourceName = String();
line = 0;
}
ASSERT(!m_inDispatchErrorEvent);
m_inDispatchErrorEvent = true;
RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(errorMessage, sourceURL, lineNumber);
RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(message, sourceName, line);
target->dispatchEvent(errorEvent);
m_inDispatchErrorEvent = false;
return errorEvent->defaultPrevented();
......
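Review bot: the new sanitisation block needs a short comment stating the rule (scripts the document could request get message/URL/line; anything else gets the Firefox-compatible "Script error." with an empty source name and line 0) and a blank line before `ASSERT(!m_inDispatchErrorEvent);` to separate it from the dispatch bookkeeping. Initialising `int line = 0;` at declaration is safer than relying on both branches to assign it, and the `completeURL(sourceURL)` step is worth a comment too, since it is what makes an empty sourceURL from an inline script resolve to the document's own URL and pass canRequest().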