webkitFullscreenElement, webkitCurrentFullScreenElement,...

webkitFullscreenElement, webkitCurrentFullScreenElement, webkitPointerLockElement block cross origin access.
https://bugs.webkit.org/show_bug.cgi?id=91892

Reviewed by Adam Barth.

Source/WebCore:

PointerLockElement only returned when requested from the document that owns it.

Tests: http/tests/fullscreen/fullscreenelement-different-origin.html
       http/tests/fullscreen/fullscreenelement-same-origin.html
       http/tests/pointer-lock/pointerlockelement-different-origin.html
       http/tests/pointer-lock/pointerlockelement-same-origin.html

* dom/Document.cpp:
(WebCore::Document::webkitPointerLockElement):

LayoutTests:

Tests verifying the behavior of accessing
webkitFullscreenElement, webkitCurrentFullScreenElement, webkitPointerLockElement
from different origins.

* http/tests/fullscreen/fullscreenelement-different-origin-expected.txt: Added.
* http/tests/fullscreen/fullscreenelement-different-origin.html: Added.
* http/tests/fullscreen/fullscreenelement-same-origin-expected.txt: Added.
* http/tests/fullscreen/fullscreenelement-same-origin.html: Added.
* http/tests/pointer-lock/pointerlockelement-different-origin-expected.txt: Added.
* http/tests/pointer-lock/pointerlockelement-different-origin.html: Added.
* http/tests/pointer-lock/pointerlockelement-same-origin-expected.txt: Added.
* http/tests/pointer-lock/pointerlockelement-same-origin.html: Added.
* http/tests/resources/pointer-lock/iframe-common.js: Added.
(thisFileName):
(window.onmessage):
* http/tests/resources/pointer-lock/inner-iframe.html: Added.
* http/tests/resources/pointer-lock/pointer-lock-test-harness.js:
(runOnKeyPress.keypressHandler):
* pointer-lock/locked-element-iframe-removed-from-dom-expected.txt:
* pointer-lock/locked-element-iframe-removed-from-dom.html:
* pointer-lock/locked-element-removed-from-dom-expected.txt:
* pointer-lock/locked-element-removed-from-dom.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@123343 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

+2012-07-21  Vincent Scheib  <scheib@chromium.org>
+
+        webkitFullscreenElement, webkitCurrentFullScreenElement, webkitPointerLockElement block cross origin access.
+        https://bugs.webkit.org/show_bug.cgi?id=91892
+
+        Reviewed by Adam Barth.
+
+        Tests verifying the behavior of accessing
+        webkitFullscreenElement, webkitCurrentFullScreenElement, webkitPointerLockElement
+        from different origins.
+
+        * http/tests/fullscreen/fullscreenelement-different-origin-expected.txt: Added.
+        * http/tests/fullscreen/fullscreenelement-different-origin.html: Added.
+        * http/tests/fullscreen/fullscreenelement-same-origin-expected.txt: Added.
+        * http/tests/fullscreen/fullscreenelement-same-origin.html: Added.
+        * http/tests/pointer-lock/pointerlockelement-different-origin-expected.txt: Added.
+        * http/tests/pointer-lock/pointerlockelement-different-origin.html: Added.
+        * http/tests/pointer-lock/pointerlockelement-same-origin-expected.txt: Added.
+        * http/tests/pointer-lock/pointerlockelement-same-origin.html: Added.
+        * http/tests/resources/pointer-lock/iframe-common.js: Added.
+        (thisFileName):
+        (window.onmessage):
+        * http/tests/resources/pointer-lock/inner-iframe.html: Added.
+        * http/tests/resources/pointer-lock/pointer-lock-test-harness.js:
+        (runOnKeyPress.keypressHandler):
+        * pointer-lock/locked-element-iframe-removed-from-dom-expected.txt:
+        * pointer-lock/locked-element-iframe-removed-from-dom.html:
+        * pointer-lock/locked-element-removed-from-dom-expected.txt:
+        * pointer-lock/locked-element-removed-from-dom.html:
+
 2012-07-23  Zan Dobersek  <zandobersek@gmail.com>
 
         Unreviewed GTK gardening, adding the WONTFIX modifier to a few more tests,

LayoutTests/http/tests/fullscreen/fullscreenelement-different-origin-expected.txt

+Test iframe from different origin can not access webkitFullscreenElement.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.webkitFullscreenElement is targetDiv1
+PASS document.webkitCurrentFullScreenElement is targetDiv1
+PASS message is "inner-iframe.html document.webkitFullscreenElement = null"
+PASS message is "inner-iframe.html document.webkitCurrentFullScreenElement = null"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/fullscreen/fullscreenelement-different-origin.html

+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+<script src="../resources/pointer-lock/pointer-lock-test-harness.js"></script>
+</head>
+<body>
+<div>
+  <div id="target1"></div>
+  <iframe src="http://localhost:8080/resources/pointer-lock/inner-iframe.html" onload="doNextStepWithUserGesture()"></iframe>
+</div>
+<script>
+    description("Test iframe from different origin can not access webkitFullscreenElement.")
+    window.jsTestIsAsync = true;
+
+    targetDiv1 = document.getElementById("target1");
+    iframe = document.getElementsByTagName("iframe")[0];
+
+    todo = [
+      function () {
+          document.onwebkitfullscreenchange = function () { doNextStep(); document.onwebkitfullscreenchange = null; }
+          targetDiv1.webkitRequestFullscreen();
+      },
+      function () {
+          shouldBe("document.webkitFullscreenElement", "targetDiv1");
+          shouldBe("document.webkitCurrentFullScreenElement", "targetDiv1");
+          doNextStep();
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitFullscreenElement = " + document.webkitFullscreenElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitFullscreenElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitCurrentFullScreenElement = " + document.webkitCurrentFullScreenElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitCurrentFullScreenElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+    ];
+    // doNextStep() called by iframe onload handler.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/http/tests/fullscreen/fullscreenelement-same-origin-expected.txt

+Test iframe from same origin can not access webkitFullscreenElement.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.webkitFullscreenElement is targetDiv1
+PASS document.webkitCurrentFullScreenElement is targetDiv1
+PASS message is "inner-iframe.html document.webkitFullscreenElement = null"
+PASS message is "inner-iframe.html document.webkitCurrentFullScreenElement = null"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/fullscreen/fullscreenelement-same-origin.html

+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+<script src="../resources/pointer-lock/pointer-lock-test-harness.js"></script>
+</head>
+<body>
+<div>
+  <div id="target1"></div>
+  <iframe src="../resources/pointer-lock/inner-iframe.html" onload="doNextStepWithUserGesture()"></iframe>
+</div>
+<script>
+    description("Test iframe from same origin can not access webkitFullscreenElement.")
+    window.jsTestIsAsync = true;
+
+    targetDiv1 = document.getElementById("target1");
+    iframe = document.getElementsByTagName("iframe")[0];
+
+    todo = [
+      function () {
+          document.onwebkitfullscreenchange = function () { doNextStep(); document.onwebkitfullscreenchange = null; }
+          targetDiv1.webkitRequestFullscreen();
+      },
+      function () {
+          shouldBe("document.webkitFullscreenElement", "targetDiv1");
+          shouldBe("document.webkitCurrentFullScreenElement", "targetDiv1");
+          doNextStep();
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitFullscreenElement = " + document.webkitFullscreenElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitFullscreenElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitCurrentFullScreenElement = " + document.webkitCurrentFullScreenElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitCurrentFullScreenElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+    ];
+    // doNextStep() called by iframe onload handler.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/http/tests/pointer-lock/pointerlockelement-different-origin-expected.txt

+Test iframe from different origin can not access webkitPointerLockElement.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+     Lock targetDiv1.
+PASS onwebkitpointerlockchange received after: Lock targetDiv1.
+PASS document.webkitPointerLockElement is targetDiv1
+PASS message is "inner-iframe.html document.webkitPointerLockElement = null"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/pointer-lock/pointerlockelement-different-origin.html

+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+<script src="../resources/pointer-lock/pointer-lock-test-harness.js"></script>
+</head>
+<body>
+<div>
+  <div id="target1"></div>
+  <iframe src="http://localhost:8080/resources/pointer-lock/inner-iframe.html" onload="doNextStepWithUserGesture()"></iframe>
+</div>
+<script>
+    description("Test iframe from different origin can not access webkitPointerLockElement.")
+    window.jsTestIsAsync = true;
+
+    targetDiv1 = document.getElementById("target1");
+    iframe = document.getElementsByTagName("iframe")[0];
+
+    todo = [
+      function () {
+          expectOnlyChangeEvent("Lock targetDiv1.");
+          targetDiv1.webkitRequestPointerLock();
+          // doNextStep called by event handler.
+      },
+      function () {
+          shouldBe("document.webkitPointerLockElement", "targetDiv1");
+          doNextStep();
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitPointerLockElement = " + document.webkitPointerLockElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitPointerLockElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+    ];
+    // doNextStep() called by iframe onload handler.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/http/tests/pointer-lock/pointerlockelement-same-origin-expected.txt

+Test iframe from same origin can not access webkitPointerLockElement.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+     Lock targetDiv1.
+PASS onwebkitpointerlockchange received after: Lock targetDiv1.
+PASS document.webkitPointerLockElement is targetDiv1
+PASS message is "inner-iframe.html document.webkitPointerLockElement = null"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/http/tests/pointer-lock/pointerlockelement-same-origin.html

+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+<script src="../resources/pointer-lock/pointer-lock-test-harness.js"></script>
+</head>
+<body>
+<div>
+  <div id="target1"></div>
+  <iframe src="../resources/pointer-lock/inner-iframe.html" onload="doNextStepWithUserGesture()"></iframe>
+</div>
+<script>
+    description("Test iframe from same origin can not access webkitPointerLockElement.")
+    window.jsTestIsAsync = true;
+
+    targetDiv1 = document.getElementById("target1");
+    iframe = document.getElementsByTagName("iframe")[0];
+
+    todo = [
+      function () {
+          expectOnlyChangeEvent("Lock targetDiv1.");
+          targetDiv1.webkitRequestPointerLock();
+          // doNextStep called by event handler.
+      },
+      function () {
+          shouldBe("document.webkitPointerLockElement", "targetDiv1");
+          doNextStep();
+      },
+      function () {
+          iframe.contentWindow.postMessage(["eval", 'parent.postMessage(thisFileName() + " document.webkitPointerLockElement = " + document.webkitPointerLockElement, "*")'], "*");
+          window.onmessage = function (messageEvent) {
+              message = messageEvent.data;
+              shouldBeEqualToString("message", "inner-iframe.html document.webkitPointerLockElement = null");
+              window.onmessage = null;
+              doNextStep();
+          }
+      },
+    ];
+    // doNextStep() called by iframe onload handler.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/http/tests/resources/pointer-lock/iframe-common.js

+function thisFileName()
+{
+    return window.location.href.split("/").pop();
+}
+
+window.onmessage = function (messageEvent) {
+    switch (messageEvent.data[0]) {
+    case "eval":
+        eval(messageEvent.data[1]);
+        break;
+    }
+}
+

LayoutTests/http/tests/resources/pointer-lock/inner-iframe.html

+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="iframe-common.js"></script>
+</head>
+<body>
+    inner-iframe.html
+</body>
+</html>

LayoutTests/http/tests/resources/pointer-lock/pointer-lock-test-harness.js

 // Automatically add doNextStepButton to document for manual tests.
 if (!window.testRunner) {
     setTimeout(function () {
+        if (window.doNextStepButtonDisabled)
+            return;
         doNextStepButton = document.body.insertBefore(document.createElement("button"), document.body.firstChild);
         doNextStepButton.onclick = doNextStep;
         doNextStepButton.innerText = "doNextStep button for manual testing. Use keyboard to select button and press (TAB, then SPACE).";
     }, 0);
 }
 
-function doNextStep()
+function runOnKeyPress(fn)
 {
+    function keypressHandler() {
+        document.removeEventListener('keypress', keypressHandler, false);
+        fn();
+    }
+    document.addEventListener('keypress', keypressHandler, false);
+
+    if (window.testRunner)
+        eventSender.keyDown(" ", []);
+}
+
+function doNextStep(args)
+{
+    args = args || {};
+    if (!window.testRunner && args.withUserGesture)
+      return; // Wait for human to press doNextStep button.
+
     if (typeof(currentStep) == "undefined")
         currentStep = 0;
 
     setTimeout(function () {
         var thisStep = currentStep++;
         if (thisStep < todo.length)
-            todo[thisStep]();
+            if (args.withUserGesture)
+                runOnKeyPress(todo[thisStep]);
+            else
+                todo[thisStep]();
         else if (thisStep == todo.length)
             setTimeout(function () { finishJSTest(); }, 0); // Deferred so that excessive doNextStep calls will be observed.
         else
@@ -25,9 +46,7 @@ function doNextStep()
 
 function doNextStepWithUserGesture()
 {
-    if (!window.testRunner)
-        return; // Wait for human to press doNextStep button.
-    doNextStep();
+    doNextStep({withUserGesture: true});
 }
 
 function eventExpected(eventHandlerName, message, expectedCalls, targetHanderNode)

LayoutTests/pointer-lock/locked-element-iframe-removed-from-dom-expected.txt

@@ -6,7 +6,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
      Lock target in iframe. (main document handler)
      Lock target in iframe. (iframe handler)
 PASS onwebkitpointerlockchange received after: Lock target in iframe. (iframe handler)
-PASS document.webkitPointerLockElement is targetDiv1
+PASS targetIframe1.contentDocument.webkitPointerLockElement is targetDiv1
 PASS targetDiv1.parentElement.parentElement is targetIframe1.contentDocument.body
      Remove iframe & immediately lock target2. (main document handler)
      Remove iframe & immediately lock target2. (iframe handler)

LayoutTests/pointer-lock/locked-element-iframe-removed-from-dom.html

@@ -32,7 +32,7 @@
             // doNextStep called by event handler.
         },
         function () {
-            shouldBe("document.webkitPointerLockElement", "targetDiv1");
+            shouldBe("targetIframe1.contentDocument.webkitPointerLockElement", "targetDiv1");
             shouldBe("targetDiv1.parentElement.parentElement", "targetIframe1.contentDocument.body");
             expectOnlyChangeEvent("Remove iframe & immediately lock target2. (main document handler)");
             expectNoEvents("Remove iframe & immediately lock target2. (iframe handler)", targetIframe1.contentDocument);

LayoutTests/pointer-lock/locked-element-removed-from-dom-expected.txt

@@ -6,7 +6,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
      Lock target in iframe. (main document handler).
      Lock target in iframe. (iframe handler)
 PASS onwebkitpointerlockchange received after: Lock target in iframe. (iframe handler)
-PASS document.webkitPointerLockElement is targetDiv1
+PASS targetIframe1.contentDocument.webkitPointerLockElement is targetDiv1
 PASS targetDiv1.parentElement.parentElement is targetIframe1.contentDocument.body
      Remove targetDiv1's parent from iframe & immediately lock target2. (main document handler)
      Remove targetDiv1's parent from iframe & immediately lock target2. (iframe handler)

LayoutTests/pointer-lock/locked-element-removed-from-dom.html

@@ -32,7 +32,7 @@
             // doNextStep called by event handler.
         },
         function () {
-            shouldBe("document.webkitPointerLockElement", "targetDiv1");
+            shouldBe("targetIframe1.contentDocument.webkitPointerLockElement", "targetDiv1");
             shouldBe("targetDiv1.parentElement.parentElement", "targetIframe1.contentDocument.body");
             expectOnlyErrorEvent("Remove targetDiv1's parent from iframe & immediately lock target2. (main document handler)");
             expectOnlyChangeEvent("Remove targetDiv1's parent from iframe & immediately lock target2. (iframe handler)", targetIframe1.contentDocument);

Source/WebCore/ChangeLog

+2012-07-21  Vincent Scheib  <scheib@chromium.org>
+
+        webkitFullscreenElement, webkitCurrentFullScreenElement, webkitPointerLockElement block cross origin access.
+        https://bugs.webkit.org/show_bug.cgi?id=91892
+
+        Reviewed by Adam Barth.
+
+        PointerLockElement only returned when requested from the document that owns it.
+
+        Tests: http/tests/fullscreen/fullscreenelement-different-origin.html
+               http/tests/fullscreen/fullscreenelement-same-origin.html
+               http/tests/pointer-lock/pointerlockelement-different-origin.html
+               http/tests/pointer-lock/pointerlockelement-same-origin.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::webkitPointerLockElement):
+
 2012-07-23  Philippe Normand  <pnormand@igalia.com>
 
         [GTK][jhbuild] Switch to GStreamer 0.11 build

Source/WebCore/dom/Document.cpp

@@ -5821,7 +5821,13 @@ void Document::webkitExitPointerLock()
 
 Element* Document::webkitPointerLockElement() const
 {
-    return page() ? page()->pointerLockController()->element() : 0;
+    if (!page())
+        return 0;
+    if (Element* element = page()->pointerLockController()->element()) {
+        if (element->document() == this)
+            return element;
+    }
+    return 0;
 }
 #endif