Diff
Modified: trunk/LayoutTests/ChangeLog (111097 => 111098)
--- trunk/LayoutTests/ChangeLog 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/ChangeLog 2012-03-17 00:31:22 UTC (rev 111098)
@@ -1,3 +1,18 @@
+2012-03-16 Tom Sepez <[email protected]>
+
+ Make V8 window.open.call(), window.open.showModalDialog() results more closely match JSC.
+ https://bugs.webkit.org/show_bug.cgi?id=81260
+ https://bugs.webkit.org/show_bug.cgi?id=39897
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/cross-frame-access-call-expected.txt:
+ * http/tests/security/cross-frame-access-call.html:
+ * http/tests/security/cross-frame-access-get-expected.txt:
+ * http/tests/security/cross-frame-access-get.html:
+ * platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
+ * platform/chromium/http/tests/security/cross-frame-access-call-expected.txt:
+
2012-03-16 Tony Chang <[email protected]>
flex-item-align: stretch should only grow, never shrink
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (111097 => 111098)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-03-17 00:31:22 UTC (rev 111098)
@@ -52,8 +52,10 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
----- tests for calling methods of another frame using Function.call -----
PASS: window.setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
@@ -82,5 +84,7 @@
PASS: window.moveTo.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeBy.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
+PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
+PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call.html (111097 => 111098)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-03-17 00:31:22 UTC (rev 111098)
@@ -54,10 +54,10 @@
shouldBe("window.moveTo.call(targetWindow, 0, 0);", "undefined");
shouldBe("window.resizeBy.call(targetWindow, 0, 0);", "undefined");
shouldBe("window.resizeTo.call(targetWindow, 0, 0);", "undefined");
+ shouldBe("window.showModalDialog.call(targetWindow);", "undefined");
- // FIXME: showModalDialog now works on DRT and thus breaks this test. Will uncomment after adding a separate test for Mac for showModalDialog - Bug #39897
- // Throws a TypeError and logs to the error console
- // shouldBe("window.showModalDialog.call(targetWindow);", '"TypeError: Result of _expression_ \'window.showModalDialog\' [undefined] is not an object."');
+ // Throws an EvalError and logs to the error console
+ shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');
// - Tests for the Location object -
// undefined value indicates failure
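Review bot: The new comment above the `window.eval.call(targetWindow, '1+2')` check says it throws an EvalError, but the Chromium baseline updated in this same change records that call returning 3, so the comment describes JSC only. I would reword it to `// JSC throws an EvalError here; V8 currently evaluates the string (see the platform/chromium baseline).` Because `'1+2'` yields the same value in either frame, the failing V8 result also does not show which global the code ran against. An expression whose value differs between the two frames would make that baseline more informative. The surrounding script starts and ends outside this hunk.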
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt (111097 => 111098)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-get-expected.txt 2012-03-17 00:31:22 UTC (rev 111098)
@@ -376,6 +376,8 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-get.html. Domains, protocols and ports must match.
+
This test checks cross-frame access security (rdar://problem/5251309).
@@ -536,6 +538,7 @@
PASS: canGet('targetWindow.scrollTo') should be 'false' and is.
PASS: canGet('targetWindow.setInterval') should be 'false' and is.
PASS: canGet('targetWindow.setTimeout') should be 'false' and is.
+PASS: canGet('targetWindow.showModalDialog') should be 'false' and is.
PASS: canGet('targetWindow.stop') should be 'false' and is.
----- tests for getting of not allowed Attributes -----
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-get.html (111097 => 111098)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-get.html 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-get.html 2012-03-17 00:31:22 UTC (rev 111098)
@@ -133,9 +133,7 @@
"scrollTo",
"setInterval",
"setTimeout",
- // FIXME: This function is now implemented on mac and hence the expected output changes. Uncomment after adding a
- // mac specific test for showModalDialog. Bug# 39897
- // "showModalDialog",
+ "showModalDialog",
"stop"
];
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt (111097 => 111098)
--- trunk/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt 2012-03-17 00:31:22 UTC (rev 111098)
@@ -1,5 +1,7 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/aboutBlank/xss-DENIED-set-opener.html. Domains, protocols and ports must match.
+
CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'body' of undefined
This page opens a window to "", injects malicious code, and then uses window.open.call to set its opener to the victim. The opened window then tries to scripts its opener.
Code injected into window:
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt (111097 => 111098)
--- trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/cross-frame-access-call-expected.txt 2012-03-17 00:31:22 UTC (rev 111098)
@@ -20,7 +20,7 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
@@ -52,8 +52,10 @@
CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe _javascript_ attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-call.html. Domains, protocols and ports must match.
+
----- tests for calling methods of another frame using Function.call -----
PASS: window.setTimeout.call(targetWindow, 'void(0);', 0) should be 'undefined' and is.
@@ -67,7 +69,7 @@
PASS: window.openDatabase.call(targetWindow, 'name', '1.0', 'description', 0) should be 'undefined' and is.
PASS: window.atob.call(targetWindow, 'string') should be 'undefined' and is.
PASS: window.btoa.call(targetWindow, 'string') should be 'undefined' and is.
-*** FAIL: window.open.call(targetWindow, '') should be 'undefined' but instead is [object Window]. ***
+PASS: window.open.call(targetWindow, '') should be 'undefined' and is.
PASS: window.addEventListener.call(targetWindow, 'load', null, false); should be 'undefined' and is.
PASS: window.removeEventListener.call(targetWindow, 'load', null, false); should be 'undefined' and is.
PASS: window.clearTimeout.call(targetWindow, 0); should be 'undefined' and is.
@@ -82,5 +84,7 @@
PASS: window.moveTo.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeBy.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
+PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
+*** FAIL: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' but instead is 3. ***
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
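Review bot: This baseline now records `*** FAIL: window.eval.call(targetWindow, '1+2'); ... but instead is 3. ***` as expected output, so the V8 behaviour will pass silently in a security test from here on. Neither this hunk nor the ChangeLog entry visible in the change links that line to a tracking bug. I would add a line to the LayoutTests ChangeLog entry such as `Chromium baseline still records a FAIL for window.eval.call(targetWindow, ...); tracked in <bug URL>`, so the expectation is revisited rather than treated as settled. The same hunk also adds the `showModalDialog.call` PASS line, which looks correct against the binding change.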
Modified: trunk/Source/WebCore/ChangeLog (111097 => 111098)
--- trunk/Source/WebCore/ChangeLog 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/Source/WebCore/ChangeLog 2012-03-17 00:31:22 UTC (rev 111098)
@@ -1,3 +1,17 @@
+2012-03-16 Tom Sepez <[email protected]>
+
+ Make V8 window.open.call(), window.open.showModalDialog() results more closely match JSC.
+ https://bugs.webkit.org/show_bug.cgi?id=81260
+ https://bugs.webkit.org/show_bug.cgi?id=39897
+
+ Reviewed by Adam Barth.
+
+ Tested via http/tests/security/cross-frame-access-call.htm
+
+ * bindings/v8/custom/V8DOMWindowCustom.cpp:
+ (WebCore::V8DOMWindow::showModalDialogCallback):
+ (WebCore::V8DOMWindow::openCallback):
+
2012-03-16 Matt Lilek <[email protected]>
Use modern NSNumberFormatter API in LocalizedNumberMac.mm
Modified: trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (111097 => 111098)
--- trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-03-17 00:29:38 UTC (rev 111097)
+++ trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-03-17 00:31:22 UTC (rev 111098)
@@ -426,18 +426,17 @@
{
INC_STATS("DOM.DOMWindow.showModalDialog()");
DOMWindow* impl = V8DOMWindow::toNative(args.Holder());
-
V8BindingState* state = V8BindingState::Only();
+ if (!V8BindingSecurity::canAccessFrame(state, impl->frame(), true))
+ return v8::Undefined();
- DOMWindow* activeWindow = state->activeWindow();
- DOMWindow* firstWindow = state->firstWindow();
-
// FIXME: Handle exceptions properly.
String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
+ DialogHandler handler(args[1]);
String dialogFeaturesString = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
- DialogHandler handler(args[1]);
-
+ DOMWindow* activeWindow = state->activeWindow();
+ DOMWindow* firstWindow = state->firstWindow();
impl->showModalDialog(urlString, dialogFeaturesString, activeWindow, firstWindow, setUpDialog, &handler);
return handler.returnValue();
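Review bot: The `canAccessFrame(state, impl->frame(), true)` guard added at the top of showModalDialogCallback, and again in openCallback in the next hunk, passes a bare `true` and has no comment saying why it must come before the argument conversions. The extra CONSOLE MESSAGE lines in the updated baselines suggest the flag turns on the console report, but that is inferred from the test output, not from this file. I would add `// Reject cross-origin receivers (e.g. window.open.call(otherWindow)) before converting any argument, since conversion may invoke script.` above both checks. If the flag is the report switch, I would also name it at the call site, for example `const bool reportError = true;`. The two callbacks now share an identical guard-and-return preamble, so a small static helper would keep them from drifting apart. Both function signatures lie outside the hunks shown.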
@@ -447,20 +446,21 @@
{
INC_STATS("DOM.DOMWindow.open()");
DOMWindow* impl = V8DOMWindow::toNative(args.Holder());
-
V8BindingState* state = V8BindingState::Only();
+ if (!V8BindingSecurity::canAccessFrame(state, impl->frame(), true))
+ return v8::Undefined();
- DOMWindow* activeWindow = state->activeWindow();
- DOMWindow* firstWindow = state->firstWindow();
-
// FIXME: Handle exceptions properly.
String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
AtomicString frameName = (args[1]->IsUndefined() || args[1]->IsNull()) ? "_blank" : AtomicString(toWebCoreString(args[1]));
String windowFeaturesString = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
+ DOMWindow* activeWindow = state->activeWindow();
+ DOMWindow* firstWindow = state->firstWindow();
RefPtr<DOMWindow> openedWindow = impl->open(urlString, frameName, windowFeaturesString, activeWindow, firstWindow);
if (!openedWindow)
return v8::Undefined();
+
return toV8(openedWindow.release());
}