From 5fa0b77a56bcda4fcb4571ecc714a29834a43704 Mon Sep 17 00:00:00 2001 
From: "commit-queue@webkit.org" Date: Tue, 4 Sep 2012 18:58:19 +0000 Subject: [PATCH] Automatic features should work in sandboxed iframes if "allow-scripts" flag is set https://bugs.webkit.org/show_bug.cgi?id=93961 Patch by Christophe Dumez on 2012-09-04 Reviewed by Adam Barth. Source/WebCore: Allow automatic features (video autoplay and form control autofocus) in a sandboxed iframe that has "allow-scripts" flag set. This behavior is according to the latest specification at: http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin This sandboxed automatic features browsing context flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features. Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html media/auto-play-in-sandbox-with-allow-scripts.html * dom/SecurityContext.cpp: (WebCore::SecurityContext::parseSandboxPolicy): LayoutTests: Add layout tests to check that automatic features (video autoplay and form control autofocus) are allowed / working in sandboxed iframes if the "allow-scripts" flag is set. This behavior is according to the latest specification at: http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin The tests to check that automatic features are blocked in sandboxed iframes have been removed since they relied on the "allow-scripts" flag to work. * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added. * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html. * fast/forms/no-autofocus-in-sandbox-expected.txt: Removed. * media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added. * media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html. 
* media/no-auto-play-in-sandbox-expected.txt: Removed. * media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added. * media/resources/no-auto-play-in-sandbox-iframe.html: Removed. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127481 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 26 +++++++++++++++++++ ...in-sandbox-with-allow-scripts-expected.txt | 2 ++ ...ofocus-in-sandbox-with-allow-scripts.html} | 4 +-- .../no-autofocus-in-sandbox-expected.txt | 2 -- ...in-sandbox-with-allow-scripts-expected.txt | 12 +++++++++ ...o-play-in-sandbox-with-allow-scripts.html} | 2 +- .../no-auto-play-in-sandbox-expected.txt | 12 --------- ...-in-sandbox-with-allow-scripts-iframe.html | 15 +++++++++++ .../no-auto-play-in-sandbox-iframe.html | 22 ---------------- Source/WebCore/ChangeLog | 26 +++++++++++++++++++ Source/WebCore/dom/SecurityContext.cpp | 5 ++-- 11 files changed, 87 insertions(+), 41 deletions(-) create mode 100644 LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt rename LayoutTests/fast/forms/{no-autofocus-in-sandbox.html => autofocus-in-sandbox-with-allow-scripts.html} (55%) delete mode 100644 LayoutTests/fast/forms/no-autofocus-in-sandbox-expected.txt create mode 100644 LayoutTests/media/auto-play-in-sandbox-with-allow-scripts-expected.txt rename LayoutTests/media/{no-auto-play-in-sandbox.html => auto-play-in-sandbox-with-allow-scripts.html} (71%) delete mode 100644 LayoutTests/media/no-auto-play-in-sandbox-expected.txt create mode 100644 LayoutTests/media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html delete mode 100644 LayoutTests/media/resources/no-auto-play-in-sandbox-iframe.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 5076d329983..cbe77283a46 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog 
@@ -1,3 +1,29 @@ +2012-09-04 Christophe Dumez + + Automatic features should work in sandboxed iframes if "allow-scripts" flag is set + https://bugs.webkit.org/show_bug.cgi?id=93961 + + Reviewed by Adam Barth. + + Add layout tests to check that automatic features (video + autoplay and form control autofocus) are allowed / working + in sandboxed iframes if the "allow-scripts" flag is set. + This behavior is according to the latest specification at: + http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin + + The tests to check that automatic features are blocked in + sandboxed iframes have been removed since they relied on + the "allow-scripts" flag to work. + + * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: Added. + * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/fast/forms/no-autofocus-in-sandbox.html. + * fast/forms/no-autofocus-in-sandbox-expected.txt: Removed. + * media/auto-play-in-sandbox-with-allow-scripts-expected.txt: Added. + * media/auto-play-in-sandbox-with-allow-scripts.html: Renamed from LayoutTests/media/no-auto-play-in-sandbox.html. + * media/no-auto-play-in-sandbox-expected.txt: Removed. + * media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html: Added. + * media/resources/no-auto-play-in-sandbox-iframe.html: Removed. + 2012-09-04 Tim Horton ASSERTion failure when SVG element is removed from document and readded diff --git a/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt new file mode 100644 index 00000000000..bd7368b6e03 --- /dev/null +++ b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt @@ -0,0 +1,2 @@ +ALERT: INPUT +This test passes if the activeElement is the input element rather than the body (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set). 
diff --git a/LayoutTests/fast/forms/no-autofocus-in-sandbox.html b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html similarity index 55% rename from LayoutTests/fast/forms/no-autofocus-in-sandbox.html rename to LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html index 68af8e54bde..8ad1c7eefdb 100644 --- a/LayoutTests/fast/forms/no-autofocus-in-sandbox.html +++ b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html @@ -2,7 +2,7 @@ if (window.testRunner) testRunner.dumpAsText(); -This test passes if the activeElement is the body rather than the input element -(which it would be if the sandbox didn't succeed in blocking autofocus). +This test passes if the activeElement is the input element rather than the body +(which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set). diff --git a/LayoutTests/fast/forms/no-autofocus-in-sandbox-expected.txt b/LayoutTests/fast/forms/no-autofocus-in-sandbox-expected.txt deleted file mode 100644 index ffcc1778741..00000000000 --- a/LayoutTests/fast/forms/no-autofocus-in-sandbox-expected.txt +++ /dev/null @@ -1,2 +0,0 @@ -ALERT: BODY -This test passes if the activeElement is the body rather than the input element (which it would be if the sandbox didn't succeed in blocking autofocus). diff --git a/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts-expected.txt b/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts-expected.txt new file mode 100644 index 00000000000..c8bd32e5d0d --- /dev/null +++ b/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts-expected.txt @@ -0,0 +1,12 @@ + + +-------- +Frame: '-->' +-------- +Test that play event fires when "src" set with an autoplay attribute in a sandbox with allows-scripts. + +EXPECTED (video.paused == 'true') OK +EVENT(play) +PLAY fired OK +END OF TEST + 
diff --git a/LayoutTests/media/no-auto-play-in-sandbox.html b/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts.html similarity index 71% rename from LayoutTests/media/no-auto-play-in-sandbox.html rename to LayoutTests/media/auto-play-in-sandbox-with-allow-scripts.html index b3c7f6e8014..292795453e4 100644 --- a/LayoutTests/media/no-auto-play-in-sandbox.html +++ b/LayoutTests/media/auto-play-in-sandbox-with-allow-scripts.html @@ -7,4 +7,4 @@ if (window.testRunner) { + src="resources/auto-play-in-sandbox-with-allow-scripts-iframe.html"> diff --git a/LayoutTests/media/no-auto-play-in-sandbox-expected.txt b/LayoutTests/media/no-auto-play-in-sandbox-expected.txt deleted file mode 100644 index f6acad2e27a..00000000000 --- a/LayoutTests/media/no-auto-play-in-sandbox-expected.txt +++ /dev/null @@ -1,12 +0,0 @@ - - --------- -Frame: '-->' --------- -Test that play event does not fire when "src" set with an autoplay attribute in a sandbox. - -EXPECTED (video.paused == 'true') OK -EVENT(canplaythrough) -EXPECTED (video.paused == 'true') OK -END OF TEST - diff --git a/LayoutTests/media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html b/LayoutTests/media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html new file mode 100644 index 00000000000..05b8e27edad --- /dev/null +++ b/LayoutTests/media/resources/auto-play-in-sandbox-with-allow-scripts-iframe.html @@ -0,0 +1,15 @@ + + +

Test that play event fires when "src" set with an autoplay attribute in a sandbox with allows-scripts.

+ + + diff --git a/LayoutTests/media/resources/no-auto-play-in-sandbox-iframe.html b/LayoutTests/media/resources/no-auto-play-in-sandbox-iframe.html deleted file mode 100644 index 3709bb29908..00000000000 --- a/LayoutTests/media/resources/no-auto-play-in-sandbox-iframe.html +++ /dev/null @@ -1,22 +0,0 @@ - - -

Test that play event does not fire when "src" set with an autoplay attribute in a sandbox.

- - - diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 6d06ff5082e..4785e2dd2c1 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,29 @@ +2012-09-04 Christophe Dumez + + Automatic features should work in sandboxed iframes if "allow-scripts" flag is set + https://bugs.webkit.org/show_bug.cgi?id=93961 + + Reviewed by Adam Barth. + + Allow automatic features (video autoplay and form control + autofocus) in a sandboxed iframe that has "allow-scripts" + flag set. This behavior is according to the latest + specification at: + http://dev.w3.org/html5/spec/browsers.html#attr-iframe-sandbox-allow-same-origin + + This sandboxed automatic features browsing context flag is + relaxed by the same keyword as scripts, because when + scripts are enabled these features are trivially possible + anyway, and it would be unfortunate to force authors to + use script to do them when sandboxed rather than allowing + them to use the declarative features. + + Tests: fast/forms/autofocus-in-sandbox-with-allow-scripts.html + media/auto-play-in-sandbox-with-allow-scripts.html + + * dom/SecurityContext.cpp: + (WebCore::SecurityContext::parseSandboxPolicy): + 2012-09-04 Sami Kyostila Register scrolling layers with ScrollingCoordinator diff --git a/Source/WebCore/dom/SecurityContext.cpp b/Source/WebCore/dom/SecurityContext.cpp index d32ab798f7c..7e9f83920bc 100644 --- a/Source/WebCore/dom/SecurityContext.cpp +++ b/Source/WebCore/dom/SecurityContext.cpp 
@@ -106,9 +106,10 @@ SandboxFlags SecurityContext::parseSandboxPolicy(const String& policy)
 flags &= ~SandboxOrigin;
 else if (equalIgnoringCase(sandboxToken, "allow-forms"))
 flags &= ~SandboxForms;
- else if (equalIgnoringCase(sandboxToken, "allow-scripts"))
+ else if (equalIgnoringCase(sandboxToken, "allow-scripts")) {
 flags &= ~SandboxScripts;
- else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
+ flags &= ~SandboxAutomaticFeatures;
+ } else if (equalIgnoringCase(sandboxToken, "allow-top-navigation"))
 flags &= ~SandboxTopNavigation;
 else if (equalIgnoringCase(sandboxToken, "allow-popups"))
 flags &= ~SandboxPopups;
-- GitLab
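Review bot: The new `flags &= ~SandboxAutomaticFeatures;` in the "allow-scripts" branch widens what that one token grants, and nothing at the site says this is deliberate, so a reader auditing the sandbox parser could take it for a copy-paste slip. I would add a comment above it such as `// Per the HTML spec, "allow-scripts" also relaxes the automatic-features flag (autoplay, autofocus), since script could trigger them anyway.` The commit description says the tests asserting that these features stay blocked were removed, so the default-deny path for this flag appears to be left without coverage. A negative test that does not depend on script running in the frame would be worth restoring. parseSandboxPolicy starts and ends outside the hunk, so how `flags` is initialised is not visible here.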