Commit 78200f54 authored by cwzwarich@webkit.org

2009-03-19 Cameron Zwarich <cwzwarich@uwaterloo.ca>

        Reviewed by Oliver Hunt.

        Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
        <https://bugs.webkit.org/show_bug.cgi?id=24596>
        <rdar://problem/6686493>

        JSDOMWindow::customGetOwnPropertySlot() does an access check after calling
        JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be
        set twice, once to the value that is illegal to access, and then to undefined.
        This causes an assertion failure in property access caching code.

        The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot().

        WebCore:

        * bindings/js/JSDOMWindowCustom.h:
        (WebCore::JSDOMWindow::customGetOwnPropertySlot):

        LayoutTests:

        * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added.
        * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added.
        * http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added.
        * http/tests/security/resources/cross-frame-access.js:
        (shouldBeUndefined):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ba1b1f92
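As an added illustration (not code from this commit or from WebKit), a small C++ model of the two orderings the message describes, using hypothetical stand-ins for PropertySlot and JSDOMWindow; the denial path that writes undefined is folded into the lookup function for brevity.

```cpp
#include <map>
#include <string>

// Hypothetical stand-ins for JSC::PropertySlot and JSDOMWindow (not WebKit's
// classes): just enough to show the slot write ordering behind bug 24596.
struct PropertySlot {
    const void* base = nullptr; // what slotBase() would report
    int value = 0;
    int setCount = 0;           // writes to the slot during one lookup
    void setValue(const void* b, int v) { base = b; value = v; ++setCount; }
    void setUndefined() { base = nullptr; value = 0; ++setCount; }
};

struct Window {
    std::map<std::string, int> own; // own properties, e.g. customProperty = 1
    bool getOwnPropertySlot(const std::string& name, PropertySlot& slot) const {
        auto it = own.find(name);
        if (it == own.end())
            return false;
        slot.setValue(this, it->second);
        return true;
    }
};

// Before the fix: lookup first, access check second, so a cross-domain lookup
// writes the forbidden value into the slot and then overwrites it with undefined.
bool lookupBeforeFix(const Window& w, bool allowsAccess, const std::string& name, PropertySlot& slot) {
    if (w.getOwnPropertySlot(name, slot) && allowsAccess)
        return true;
    slot.setUndefined(); // denial path (simplified): report the property as undefined
    return true;
}

// After the fix: the access check short-circuits the lookup, so the slot is
// written at most once and the caching code's single-write assumption holds.
bool lookupAfterFix(const Window& w, bool allowsAccess, const std::string& name, PropertySlot& slot) {
    if (allowsAccess && w.getOwnPropertySlot(name, slot))
        return true;
    slot.setUndefined();
    return true;
}

// Runs one lookup of customProperty and returns how many times the slot was written.
int slotWrites(bool fixed, bool allowsAccess) {
    Window target;
    target.own["customProperty"] = 1; // what the iframe in the new test sets
    PropertySlot slot;
    (fixed ? lookupAfterFix : lookupBeforeFix)(target, allowsAccess, "customProperty", slot);
    return slot.setCount; // 2 for the old ordering cross-domain, otherwise 1
}
```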
2009-03-19 Cameron Zwarich <cwzwarich@uwaterloo.ca>
Reviewed by Oliver Hunt.
Add test for bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
<https://bugs.webkit.org/show_bug.cgi?id=24596>
<rdar://problem/6686493>
* http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added.
* http/tests/security/cross-frame-access-get-custom-property-cached.html: Added.
* http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added.
* http/tests/security/resources/cross-frame-access.js:
(shouldBeUndefined):
2009-03-18 Alexey Proskuryakov <ap@webkit.org>
 
Reviewed by Sam Weinig.
......
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-access-get-custom-property-cached-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get-custom-property-cached.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-access-get-custom-property-cached-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get-custom-property-cached.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-access-get-custom-property-cached-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get-custom-property-cached.html. Domains, protocols and ports must match.
This test checks that caching of property accesses doesn't allow for illegal cross-frame access of a custom property. It also checks for an assertion failure that once occurred in this situation.
PASS: getCustomProperty(targetWindow) should be 'undefined' and is.
PASS: getCustomProperty(targetWindow) should be 'undefined' and is.
PASS: getCustomProperty(targetWindow) should be 'undefined' and is.
<html>
<head>
<script src="resources/cross-frame-access.js"></script>
<script>
window.onload = function()
{
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
if (window.layoutTestController) {
setTimeout(pollForTest, 1);
} else {
log("To run the test, click the button below when the opened window finishes loading.");
var button = document.createElement("button");
button.appendChild(document.createTextNode("Run Test"));
button.onclick = runTest;
document.body.appendChild(button);
}
}
pollForTest = function()
{
if (!layoutTestController.globalFlag) {
setTimeout(pollForTest, 1);
return;
}
runTest();
layoutTestController.notifyDone();
}
function getCustomProperty(o)
{
return o.customProperty;
}
runTest = function()
{
window.targetWindow = frames[0];
shouldBeUndefined("getCustomProperty(targetWindow)");
shouldBeUndefined("getCustomProperty(targetWindow)");
shouldBeUndefined("getCustomProperty(targetWindow)");
}
</script>
</head>
<body>
<p>This test checks that caching of property accesses doesn't allow for illegal cross-frame access of a custom property. It also checks for an assertion failure that once occurred in this situation.</p>
<iframe src="http://localhost:8000/security/resources/cross-frame-access-get-custom-property-cached-iframe.html" style=""></iframe>
<pre id="console"></pre>
</body>
</html>
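Review bot: the manual-run message `log("To run the test, click the button below when the opened window finishes loading.")` refers to an opened window, but this test loads its target in an `<iframe>`, so the instruction should say "when the iframe finishes loading". The two consecutive `if (window.layoutTestController)` blocks in `window.onload` could also be merged into one, and the empty `style=""` on the iframe can be dropped.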
<html>
<head>
<script>
window.customProperty = 1;
window.onload = function()
{
if (window.layoutTestController)
layoutTestController.globalFlag = true;
}
</script>
</head>
<body>
</body>
</html>
......@@ -44,6 +44,11 @@ function shouldBeFalse(b)
shouldBe(b, "false");
}
function shouldBeUndefined(b)
{
shouldBe(b, "undefined");
}
function canGet(keyPath)
{
try {
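Review bot: `shouldBeUndefined(b)` compares the stringified result against `"undefined"`, so it cannot tell a denied cross-frame access from a property the target frame genuinely left undefined; the new test only proves denial because its iframe sets `window.customProperty = 1`. A one-line comment above the helper saying so, or a same-origin positive control in the test that expects `1`, would keep a future regression from passing silently.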
......
2009-03-19 Cameron Zwarich <cwzwarich@uwaterloo.ca>
Reviewed by Oliver Hunt.
Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
<https://bugs.webkit.org/show_bug.cgi?id=24596>
<rdar://problem/6686493>
JSDOMWindow::customGetOwnPropertySlot() does an access check after calling
JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be
set twice, once to the value that is illegal to access, and then to undefined
This causes an assertion failure in property access caching code.
The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot().
* bindings/js/JSDOMWindowCustom.h:
(WebCore::JSDOMWindow::customGetOwnPropertySlot):
2009-03-18 Alexey Proskuryakov <ap@webkit.org>
 
Reviewed by Sam Weinig.
......@@ -74,12 +74,10 @@ ALWAYS_INLINE bool JSDOMWindow::customGetOwnPropertySlot(JSC::ExecState* exec, c
// is allowed.
bool allowsAccess = allowsAccessFromNoErrorMessage(exec);
// Look for overrides before looking at any of our own properties.
if (JSGlobalObject::getOwnPropertySlot(exec, propertyName, slot)) {
// But ignore overrides completely if this is cross-domain access.
if (allowsAccess)
return true;
}
// Look for overrides before looking at any of our own properties, but ignore overrides completely
// if this is cross-domain access.
if (allowsAccess && JSGlobalObject::getOwnPropertySlot(exec, propertyName, slot))
return true;
// We need this code here because otherwise JSC::Window will stop the search before we even get to the
// prototype due to the blanket same origin (allowsAccessFrom) check at the end of getOwnPropertySlot.
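Review bot: with `if (allowsAccess && JSGlobalObject::getOwnPropertySlot(exec, propertyName, slot))` the override lookup is skipped entirely for cross-domain callers, so the slot can no longer be filled with the forbidden value before the denial, which the removed form did before falling through. One thing to confirm: the comment that follows says the search continues to the prototype and is only stopped by the `allowsAccessFrom` check at the end of `getOwnPropertySlot`, so nothing on that path should write the slot before that check either, or the same double write returns for prototype properties; a variant of the new test that reads a property defined on the prototype chain rather than an own property would cover it.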
......