Commit 59632a7c authored by jochen@chromium.org

Source/WebCore: Disallow access to DOM storage from detached frames.

https://bugs.webkit.org/show_bug.cgi?id=61326

Reviewed by Adam Barth.

* storage/StorageAreaImpl.cpp:
(WebCore::StorageAreaImpl::disabledByPrivateBrowsingInFrame):

Source/WebKit/chromium: Check whether a WebView exists before accessing it in StorageAreaProxy. This is not necessarily the case, e.g. for detached iframes.
https://bugs.webkit.org/show_bug.cgi?id=61326

Reviewed by Adam Barth.

* src/StorageAreaProxy.cpp:
(WebCore::StorageAreaProxy::canAccessStorage):

LayoutTests: Unskip fast/storage/storage-detached-iframe.html on chromium
https://bugs.webkit.org/show_bug.cgi?id=61326

Reviewed by Adam Barth.

* fast/storage/storage-detached-iframe-expected.txt:
* fast/storage/storage-detached-iframe.html:
* platform/chromium/test_expectations.txt:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104257 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent fa087160
2012-01-05 Jochen Eisinger <jochen@chromium.org>
Unskip fast/storage/storage-detached-iframe.html on chromium
https://bugs.webkit.org/show_bug.cgi?id=61326
Reviewed by Adam Barth.
* fast/storage/storage-detached-iframe-expected.txt:
* fast/storage/storage-detached-iframe.html:
* platform/chromium/test_expectations.txt:
2012-01-05 David Grogan <dgrogan@chromium.org> 2012-01-05 David Grogan <dgrogan@chromium.org>
IndexedDB: fix cursor prefetch crash IndexedDB: fix cursor prefetch crash
CONSOLE MESSAGE: line 25: Expected exception caught.
Bug: https://bugs.webkit.org/show_bug.cgi?id=57140 Bug: https://bugs.webkit.org/show_bug.cgi?id=57140
Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem() Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
......
...@@ -19,7 +19,11 @@ ...@@ -19,7 +19,11 @@
first_attr = t1.attributes.item(undefined, undefined, undefined, undefined); first_attr = t1.attributes.item(undefined, undefined, undefined, undefined);
first_attr_value_replaced = first_attr.firstChild.replaceWholeText(undefined, undefined, undefined, undefined); first_attr_value_replaced = first_attr.firstChild.replaceWholeText(undefined, undefined, undefined, undefined);
first_attr_value_replaced.DOCUMENT_FRAGMENT_NODE = a; first_attr_value_replaced.DOCUMENT_FRAGMENT_NODE = a;
first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test"; try {
first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test";
} catch (e) {
console.log("Expected exception caught.");
}
} }
function runTestOuterText() { function runTestOuterText() {
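Review bot: the new try/catch around the localStorage assignment swallows every exception and logs a fixed string, so the expectation file only records that something threw, not which exception it was; logging `e.name` (or `e.message`) in the console message would let the expected output distinguish the intended access-denied failure from an unrelated TypeError, for example one raised earlier in the `first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage` property chain.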
......
...@@ -3311,8 +3311,6 @@ BUGWK64003 DEBUG : media/video-delay-load-event.html = PASS TEXT ...@@ -3311,8 +3311,6 @@ BUGWK64003 DEBUG : media/video-delay-load-event.html = PASS TEXT
BUGCR88588 : fast/lists/inlineBoxWrapperNullCheck.html = PASS TEXT BUGCR88588 : fast/lists/inlineBoxWrapperNullCheck.html = PASS TEXT
BUGWK61326 : fast/storage/storage-detached-iframe.html = CRASH TIMEOUT
BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-1.html = PASS BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-1.html = PASS
BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-2.html = PASS BUGCR88894 SLOW WIN : http/tests/cache/subresource-expiration-2.html = PASS
......
2012-01-05 Jochen Eisinger <jochen@chromium.org>
Disallow access to DOM storage from detached frames.
https://bugs.webkit.org/show_bug.cgi?id=61326
Reviewed by Adam Barth.
* storage/StorageAreaImpl.cpp:
(WebCore::StorageAreaImpl::disabledByPrivateBrowsingInFrame):
2012-01-05 No'am Rosenthal <noam.rosenthal@nokia.com> 2012-01-05 No'am Rosenthal <noam.rosenthal@nokia.com>
[Qt][Texmap] Convert shaders in TextureMapperGL to use a macro [Qt][Texmap] Convert shaders in TextureMapperGL to use a macro
...@@ -109,7 +109,9 @@ bool StorageAreaImpl::disabledByPrivateBrowsingInFrame(const Frame* frame) const ...@@ -109,7 +109,9 @@ bool StorageAreaImpl::disabledByPrivateBrowsingInFrame(const Frame* frame) const
ASSERT(!frame); ASSERT(!frame);
return false; return false;
#else #else
if (!frame->page() || !frame->page()->settings()->privateBrowsingEnabled()) if (!frame->page())
return true;
if (!frame->page()->settings()->privateBrowsingEnabled())
return false; return false;
if (m_storageType != LocalStorage) if (m_storageType != LocalStorage)
return true; return true;
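Review bot: the new early return in disabledByPrivateBrowsingInFrame() folds a second condition, "the frame has no Page", into a predicate whose name only mentions private browsing; a one-line comment above `if (!frame->page())` stating that a detached frame is treated as disabled would stop a later reader from collapsing it back into the old combined condition. The behaviour change itself is the point of the patch: the previous `if (!frame->page() || !...privateBrowsingEnabled()) return false;` reported a detached frame as "not disabled", which let the access proceed to the crash described in the bug, whereas now a null Page yields `true` before `settings()` is ever touched.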
......
2012-01-05 Jochen Eisinger <jochen@chromium.org>
Check whether a WebView exists before accessing it in StorageAreaProxy. This is not necessarily the case, e.g. for detached iframes.
https://bugs.webkit.org/show_bug.cgi?id=61326
Reviewed by Adam Barth.
* src/StorageAreaProxy.cpp:
(WebCore::StorageAreaProxy::canAccessStorage):
2012-01-04 James Robinson <jamesr@chromium.org> 2012-01-04 James Robinson <jamesr@chromium.org>
[chromium] Route all animate calls through CCLayerTreeHost in composited mode to simplify rate limiting logic [chromium] Route all animate calls through CCLayerTreeHost in composited mode to simplify rate limiting logic
......
...@@ -167,6 +167,8 @@ void StorageAreaProxy::storageEvent(const String& key, const String& oldValue, c ...@@ -167,6 +167,8 @@ void StorageAreaProxy::storageEvent(const String& key, const String& oldValue, c
bool StorageAreaProxy::canAccessStorage(Frame* frame) const bool StorageAreaProxy::canAccessStorage(Frame* frame) const
{ {
if (!frame->page())
return false;
WebKit::WebFrameImpl* webFrame = WebKit::WebFrameImpl::fromFrame(frame); WebKit::WebFrameImpl* webFrame = WebKit::WebFrameImpl::fromFrame(frame);
WebKit::WebViewImpl* webView = webFrame->viewImpl(); WebKit::WebViewImpl* webView = webFrame->viewImpl();
return !webView->permissionClient() || webView->permissionClient()->allowStorage(webFrame, m_storageType == LocalStorage); return !webView->permissionClient() || webView->permissionClient()->allowStorage(webFrame, m_storageType == LocalStorage);
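Review bot: the added check at the top of canAccessStorage() guards `frame->page()`, but the lines that follow still dereference `webView` (from `webFrame->viewImpl()`) unconditionally, and it is the WebView, not the Page, that the ChangeLog entry says may be missing for a detached iframe. If a non-null Page is what guarantees a non-null WebViewImpl here, an `ASSERT(webView)` after the `viewImpl()` call would document that invariant; otherwise the null check belongs on `webView` itself (`if (!webView) return false;`). `frame` is also dereferenced without a check, which is fine only if callers never pass null.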
......