Modified: trunk/LayoutTests/ChangeLog (96259 => 96260)
--- trunk/LayoutTests/ChangeLog 2011-09-28 20:59:24 UTC (rev 96259)
+++ trunk/LayoutTests/ChangeLog 2011-09-28 21:01:37 UTC (rev 96260)
@@ -1,3 +1,14 @@
+2011-09-28 Sergey Glazunov <[email protected]>
+
+ _javascript_ generated documents don't inherit the cookie URL
+ https://bugs.webkit.org/show_bug.cgi?id=69003
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/cookies/cookie-theft-with-_javascript_-doc-expected.txt: Added.
+ * http/tests/security/cookies/cookie-theft-with-_javascript_-doc.html: Added.
+ * http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added.
+
2011-09-28 Dimitri Glazkov <[email protected]>
REGRESSION(r95573): Crash when loading SVG documents in a flattened frame or any SVG document in Chromium/Mac.
Added: trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc-expected.txt (0 => 96260)
--- trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc-expected.txt 2011-09-28 21:01:37 UTC (rev 96260)
@@ -0,0 +1 @@
+SUCCESS
Added: trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc.html (0 => 96260)
--- trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/cookie-theft-with-_javascript_-doc.html 2011-09-28 21:01:37 UTC (rev 96260)
@@ -0,0 +1,38 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setCanOpenWindows();
+ layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window._onload_ = function()
+{
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.src = ""
+ frame._onload_ = function() {
+ frame._onload_ = null;
+
+ wnd = frame.contentWindow.open();
+ frame.src = ""
+ window._onmessage_ = function(e) {
+ key = e.data;
+ wnd.location = "_javascript_:('bar')";
+ setTimeout(finishTest, 0);
+ }
+ }
+}
+
+function finishTest()
+{
+ document.body.textContent = wnd.document.cookie.indexOf(key) != -1 ? "FAILURE" : "SUCCESS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+</body>
+</html>
\ No newline at end of file
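Review bot: `frame`, `wnd` and `key` are assigned without `var` in the onload/onmessage callbacks and then read in `finishTest`, so the test relies on implicit globals to pass state between callbacks; a top-level `var frame, wnd, key;` would make that sharing explicit. The same applies to `k` in resources/innocent-victim-with-cookies.html in the next hunk. Both `frame.src = ""` lines carry an empty string in this rendering, presumably the victim page path and a follow-up navigation lost on extraction, so it is worth confirming the committed file has the intended URLs; as shown, the iframe would never load the victim page and the onmessage handler would never fire.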
Added: trunk/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html (0 => 96260)
--- trunk/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html 2011-09-28 21:01:37 UTC (rev 96260)
@@ -0,0 +1,9 @@
+<html>
+<body>
+<script>
+k = Math.floor(Math.random() * 1000000);
+document.cookie = "secretcookie=" + k + ";path=/";
+parent.postMessage(k, "*");
+</script>
+</body>
+</html>
\ No newline at end of file
Modified: trunk/Source/WebCore/ChangeLog (96259 => 96260)
--- trunk/Source/WebCore/ChangeLog 2011-09-28 20:59:24 UTC (rev 96259)
+++ trunk/Source/WebCore/ChangeLog 2011-09-28 21:01:37 UTC (rev 96260)
@@ -1,3 +1,19 @@
+2011-09-28 Sergey Glazunov <[email protected]>
+
+ _javascript_ generated documents don't inherit the cookie URL
+ https://bugs.webkit.org/show_bug.cgi?id=69003
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/cookies/cookie-theft-with-_javascript_-doc.html
+
+ * dom/Document.h:
+ (WebCore::Document::setCookieURL):
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::replaceDocument):
+ (WebCore::DocumentWriter::begin):
+ * loader/DocumentWriter.h:
+
2011-09-27 Dimitri Glazkov <[email protected]>
REGRESSION(r95573): Crash when loading SVG documents in a flattened frame or any SVG document in Chromium/Mac.
Modified: trunk/Source/WebCore/dom/Document.h (96259 => 96260)
--- trunk/Source/WebCore/dom/Document.h 2011-09-28 20:59:24 UTC (rev 96259)
+++ trunk/Source/WebCore/dom/Document.h 2011-09-28 21:01:37 UTC (rev 96260)
@@ -823,6 +823,7 @@
// inherits its cookieURL but not its URL.
//
const KURL& cookieURL() const { return m_cookieURL; }
+ void setCookieURL(const KURL& url) { m_cookieURL = url; }
// The firstPartyForCookies is used to compute whether this document
// appears in a "third-party" context for the purpose of third-party
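Review bot: `setCookieURL` is added with no comment, although the surrounding block documents exactly when `m_cookieURL` diverges from the document URL, and this setter lets a caller decouple the two after construction. A one-line note on the intended use would keep that invariant visible, e.g. `// Lets a replacement document inherit the cookie URL of the document it replaces (javascript: URL results); see DocumentWriter::begin.` The enclosing Document class begins and ends outside this hunk.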
Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (96259 => 96260)
--- trunk/Source/WebCore/loader/DocumentWriter.cpp 2011-09-28 20:59:24 UTC (rev 96259)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp 2011-09-28 21:01:37 UTC (rev 96260)
@@ -67,7 +67,7 @@
void DocumentWriter::replaceDocument(const String& source)
{
m_frame->loader()->stopAllLoaders();
- begin(m_frame->document()->url(), true, m_frame->document()->securityOrigin());
+ begin(m_frame->document()->url(), true, InheritSecurityOrigin);
if (!source.isNull()) {
if (!m_hasReceivedSomeData) {
@@ -106,11 +106,9 @@
return DOMImplementation::createDocument(m_mimeType, m_frame, url, m_frame->inViewSourceMode());
}
-void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin)
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOriginSource originSource)
{
- // We need to take a reference to the security origin because |clear|
- // might destroy the document that owns it.
- RefPtr<SecurityOrigin> forcedSecurityOrigin = origin;
+ RefPtr<Document> oldDocument = m_frame->document();
// We grab a local copy of the URL because it's easy for callers to supply
// a URL that will be deallocated during the execution of this function.
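Review bot: The removed comment explained why a reference was held across `|clear|`; its replacement `RefPtr<Document> oldDocument = m_frame->document();` keeps a whole document alive with no stated reason, which reads like an accidental retention. Suggest `// Keep the old document alive: |clear| below may destroy it, and when inheriting we still need its cookie URL and security origin afterwards.` (assuming `clear` is still called later in this function, as the old comment states). The body of begin continues past this hunk.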
@@ -139,8 +137,10 @@
if (m_decoder)
document->setDecoder(m_decoder.get());
- if (forcedSecurityOrigin)
- document->setSecurityOrigin(forcedSecurityOrigin.get());
+ if (originSource == InheritSecurityOrigin) {
+ document->setCookieURL(oldDocument->cookieURL());
+ document->setSecurityOrigin(oldDocument->securityOrigin());
+ }
m_frame->domWindow()->setURL(document->url());
m_frame->domWindow()->setSecurityOrigin(document->securityOrigin());
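Review bot: The `InheritSecurityOrigin` branch dereferences `oldDocument` unconditionally. It is non-null for the only caller visible in this diff (`replaceDocument` already dereferences `m_frame->document()`), but `begin` is public and takes the mode as a parameter, so a later caller on a frame with no current document would crash here; an `ASSERT(oldDocument);` at the top of the branch documents the precondition. A short comment that the two assignments belong together would also help, since inheriting the origin without the cookie URL was the defect this commit fixes: `// Inherit both: a document with the old origin but a fresh cookie URL can read the wrong cookie jar.` The enclosing function continues on both sides of the hunk.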
Modified: trunk/Source/WebCore/loader/DocumentWriter.h (96259 => 96260)
--- trunk/Source/WebCore/loader/DocumentWriter.h 2011-09-28 20:59:24 UTC (rev 96259)
+++ trunk/Source/WebCore/loader/DocumentWriter.h 2011-09-28 21:01:37 UTC (rev 96260)
@@ -49,8 +49,10 @@
// and always contains the result of evaluating a _javascript_: url.
void replaceDocument(const String&);
+ enum SecurityOriginSource { CreateNewSecurityOrigin, InheritSecurityOrigin };
+
void begin();
- void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOrigin* forcedSecurityOrigin = 0);
+ void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOriginSource = CreateNewSecurityOrigin);
void addData(const char* bytes, size_t length);
void end();
void endIfNotLoadingMainResource();
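Review bot: The new `SecurityOriginSource` enum is undocumented, and the name `InheritSecurityOrigin` does not convey that the cookie URL is inherited too (DocumentWriter.cpp in this commit copies both from the frame's current document). Suggest a comment above the enum: `// InheritSecurityOrigin: the new document takes both the security origin and the cookie URL of the frame's current document (used for javascript: URL results); CreateNewSecurityOrigin derives them from the URL.` The enclosing class declaration continues outside this hunk.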