Update cross-origin SecurityError messages to not include the target origin
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Apr 2018 23:24:48 +0000 (23:24 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Apr 2018 23:24:48 +0000 (23:24 +0000)
commit 07fc2dba1902f31bfceb66d72bfcaafdd14f5011
tree ae49455188e8fe8f09aa105408ad4d47e5983b60
parent 2d2fd6d7f03dde61f292b9fb11cabdfdb6239c52
Update cross-origin SecurityError messages to not include the target origin
https://bugs.webkit.org/show_bug.cgi?id=184803
<rdar://problem/39547724>

Reviewed by Sam Weinig.

Source/WebCore:

No new tests, rebaselined existing tests.

* bindings/js/JSDOMBindingSecurity.cpp:
(WebCore::canAccessDocument):
(WebCore::BindingSecurity::shouldAllowAccessToFrame):
(WebCore::BindingSecurity::shouldAllowAccessToDOMWindow):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):
(WebCore::DOMWindow::isInsecureScriptAccess):
* page/DOMWindow.h:
* page/Location.cpp:
(WebCore::Location::reload):

LayoutTests:

* http/tests/history/cross-origin-replace-history-object-child-expected.txt:
* http/tests/history/cross-origin-replace-history-object-expected.txt:
* http/tests/plugins/cross-frame-object-access-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt:
* http/tests/security/cross-frame-access-call-expected.txt:
* http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt:
* http/tests/security/cross-frame-access-child-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-custom-expected.txt:
* http/tests/security/cross-frame-access-delete-expected.txt:
* http/tests/security/cross-frame-access-first-time-expected.txt:
* http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt:
* http/tests/security/cross-frame-access-get-expected.txt:
* http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt:
* http/tests/security/cross-frame-access-history-get-expected.txt:
* http/tests/security/cross-frame-access-history-get-override-expected.txt:
* http/tests/security/cross-frame-access-history-prototype-expected.txt:
* http/tests/security/cross-frame-access-location-get-expected.txt:
* http/tests/security/cross-frame-access-location-get-override-expected.txt:
* http/tests/security/cross-frame-access-location-put-expected.txt:
* http/tests/security/cross-frame-access-name-getter-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-prototype-expected.txt:
* http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-port-expected.txt:
* http/tests/security/cross-frame-access-protocol-expected.txt:
* http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-put-expected.txt:
* http/tests/security/cross-frame-access-selection-expected.txt:
* http/tests/security/cross-origin-reified-window-property-access-expected.txt:
* http/tests/security/cross-origin-window-property-access-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-to-data-url-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-from-data-url-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* http/tests/security/document-all-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt:
* http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt:
* http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt:
* http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt:
* http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt:
* http/tests/security/listener/xss-window-onclick-shortcut-expected.txt:
* http/tests/security/location-cross-origin-expected.txt:
* http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt:
* http/tests/security/sandboxed-iframe-modify-self-expected.txt:
* http/tests/security/sandboxed-iframe-origin-add-expected.txt:
* http/tests/security/sandboxed-iframe-origin-remove-expected.txt:
* http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
* http/tests/security/symbols-cross-origin-expected.txt:
* http/tests/security/window-defineProperty-crossOrigin-expected.txt:
* http/tests/security/xss-DENIED-assign-location-hash-expected.txt:
* http/tests/security/xss-DENIED-assign-location-host-expected.txt:
* http/tests/security/xss-DENIED-assign-location-hostname-expected.txt:
* http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt:
* http/tests/security/xss-DENIED-assign-location-pathname-expected.txt:
* http/tests/security/xss-DENIED-assign-location-protocol-expected.txt:
* http/tests/security/xss-DENIED-assign-location-reload-expected.txt:
* http/tests/security/xss-DENIED-assign-location-search-expected.txt:
* http/tests/security/xss-DENIED-defineProperty-expected.txt:
* http/tests/security/xss-DENIED-frame-name-expected.txt:
* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt:
* http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt:
* http/tests/security/xss-DENIED-synchronous-form-expected.txt:
* http/tests/security/xss-DENIED-window-name-navigator-expected.txt:
* http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt:
* http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
* platform/wk2/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* platform/wk2/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt:
* platform/wk2/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt:
* platform/wk2/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230864 268f45cc-cd09-0410-ab3c-d52691b4dbfc
100 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/history/cross-origin-replace-history-object-child-expected.txt
LayoutTests/http/tests/history/cross-origin-replace-history-object-expected.txt
LayoutTests/http/tests/plugins/cross-frame-object-access-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt
LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt
LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt
LayoutTests/http/tests/security/cross-frame-access-custom-expected.txt
LayoutTests/http/tests/security/cross-frame-access-delete-expected.txt
LayoutTests/http/tests/security/cross-frame-access-first-time-expected.txt
LayoutTests/http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt
LayoutTests/http/tests/security/cross-frame-access-get-expected.txt
LayoutTests/http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt
LayoutTests/http/tests/security/cross-frame-access-history-get-expected.txt
LayoutTests/http/tests/security/cross-frame-access-history-get-override-expected.txt
LayoutTests/http/tests/security/cross-frame-access-history-prototype-expected.txt
LayoutTests/http/tests/security/cross-frame-access-location-get-expected.txt
LayoutTests/http/tests/security/cross-frame-access-location-get-override-expected.txt
LayoutTests/http/tests/security/cross-frame-access-location-put-expected.txt
LayoutTests/http/tests/security/cross-frame-access-name-getter-expected.txt
LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt
LayoutTests/http/tests/security/cross-frame-access-object-prototype-expected.txt
LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt
LayoutTests/http/tests/security/cross-frame-access-port-expected.txt
LayoutTests/http/tests/security/cross-frame-access-protocol-expected.txt
LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt
LayoutTests/http/tests/security/cross-frame-access-put-expected.txt
LayoutTests/http/tests/security/cross-frame-access-selection-expected.txt
LayoutTests/http/tests/security/cross-origin-reified-window-property-access-expected.txt
LayoutTests/http/tests/security/cross-origin-window-property-access-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-to-data-url-sub-frame-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-to-data-url-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-from-data-url-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt
LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt
LayoutTests/http/tests/security/document-all-expected.txt
LayoutTests/http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe-expected.txt
LayoutTests/http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-window-open-expected.txt
LayoutTests/http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe-expected.txt
LayoutTests/http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-window-open-expected.txt
LayoutTests/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt
LayoutTests/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt
LayoutTests/http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt
LayoutTests/http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt
LayoutTests/http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt
LayoutTests/http/tests/security/listener/xss-window-onclick-shortcut-expected.txt
LayoutTests/http/tests/security/location-cross-origin-expected.txt
LayoutTests/http/tests/security/sandboxed-iframe-blocks-access-from-parent-expected.txt
LayoutTests/http/tests/security/sandboxed-iframe-modify-self-expected.txt
LayoutTests/http/tests/security/sandboxed-iframe-origin-add-expected.txt
LayoutTests/http/tests/security/sandboxed-iframe-origin-remove-expected.txt
LayoutTests/http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt
LayoutTests/http/tests/security/symbols-cross-origin-expected.txt
LayoutTests/http/tests/security/window-defineProperty-crossOrigin-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt
LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt
LayoutTests/http/tests/security/xss-DENIED-defineProperty-expected.txt
LayoutTests/http/tests/security/xss-DENIED-frame-name-expected.txt
LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt
LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt
LayoutTests/http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt
LayoutTests/http/tests/security/xss-DENIED-synchronous-form-expected.txt
LayoutTests/http/tests/security/xss-DENIED-window-name-navigator-expected.txt
LayoutTests/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt
LayoutTests/http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt
LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt
LayoutTests/platform/wk2/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/platform/wk2/http/tests/security/XFrameOptions/x-frame-options-ignore-deny-meta-tag-parent-same-origin-deny-expected.txt
LayoutTests/platform/wk2/http/tests/security/XFrameOptions/x-frame-options-multiple-headers-sameorigin-deny-expected.txt
LayoutTests/platform/wk2/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp
Source/WebCore/page/DOMWindow.cpp
Source/WebCore/page/DOMWindow.h
Source/WebCore/page/Location.cpp