Commit df0c4676 authored by jnd@chromium.org's avatar jnd@chromium.org

2011-01-28 Johnny Ding <jnd@chromium.org>

        Reviewed by Adam Barth.

        Gesture API, disallow popup bypass with using iframe src.
        https://bugs.webkit.org/show_bug.cgi?id=53244

        * fast/events/popup-blocked-from-iframe-src-expected.txt: Added.
        * fast/events/popup-blocked-from-iframe-src.html: Added.
2011-01-28  Johnny Ding  <jnd@chromium.org>

        Reviewed by Adam Barth.

        Gesture API: Don't use current gesture status to set "forceUserGesture" parameter when calling ScriptController::executeScript.
        The "forceUserGesture" parameter should be only set when you are definitely sure that the running script is from a hyper-link.
        https://bugs.webkit.org/show_bug.cgi?id=53244

        Test: fast/events/popup-blocked-from-iframe-src.html

        * bindings/ScriptControllerBase.cpp:
        (WebCore::ScriptController::executeIfJavaScriptURL):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77049 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 39917629
2011-01-28 Johnny Ding <jnd@chromium.org>
Reviewed by Adam Barth.
Gesture API, disallow popup bypass with using iframe src.
https://bugs.webkit.org/show_bug.cgi?id=53244
* fast/events/popup-blocked-from-iframe-src-expected.txt: Added.
* fast/events/popup-blocked-from-iframe-src.html: Added.
2011-01-28 Ryosuke Niwa <rniwa@webkit.org>
Unreviewed; removed Chromium test expectations for tests that have been steadily passing.
When running script to open a window without user gesture from SRC of the enclosing iframe, webkit should test out that the opening is not initiated by user. This is a test case for bug https://bugs.webkit.org/show_bug.cgi?id=53244.
PASSED
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setCanOpenWindows();
layoutTestController.setPopupBlockingEnabled(true);
layoutTestController.setCloseRemainingWindowsWhenComplete(true);
layoutTestController.waitUntilDone();
// Record current window count.
window.windowCount = window.layoutTestController.windowCount();
}
function test() {
if (!window.layoutTestController)
return;
if (layoutTestController.windowCount() == window.windowCount)
document.getElementById("console").innerText = "PASSED";
layoutTestController.notifyDone();
}
</script>
</head>
<body onload="test();">
<iframe src="javascript:window.open('about:blank','_blank', 'height=600,width=720')">popup</iframe><br>
When running script to open a window without user gesture from SRC of the enclosing iframe, webkit should test out that the opening is not initiated by user. This is a test case for bug https://bugs.webkit.org/show_bug.cgi?id=53244.
<div id="console">FAILED</div>
</body>
</html>
2011-01-28 Johnny Ding <jnd@chromium.org>
Reviewed by Adam Barth.
Gesture API: Don't use current gesture status to set "forceUserGesture" parameter when calling ScriptController::executeScript.
The "forceUserGesture" parameter should be only set when you are definitely sure that the running script is from a hyper-link.
https://bugs.webkit.org/show_bug.cgi?id=53244
Test: fast/events/popup-blocked-from-iframe-src.html
* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
2011-01-28 Simon Fraser <simon.fraser@apple.com>
Reviewed by Gavin Barraclough.
......@@ -90,7 +90,7 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
String decodedURL = decodeURLEscapeSequences(url.string());
ScriptValue result;
if (xssAuditor()->canEvaluateJavaScriptURL(decodedURL))
result = executeScript(decodedURL.substring(javascriptSchemeLength), processingUserGesture(), AllowXSS);
result = executeScript(decodedURL.substring(javascriptSchemeLength), false, AllowXSS);
// If executing script caused this frame to be removed from the page, we
// don't want to try to replace its document!
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment