WebCore:

author    weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 11 Jan 2008 00:23:13 +0000 (00:23 +0000)
committer weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 11 Jan 2008 00:23:13 +0000 (00:23 +0000)
commit    16e2631cce2a0234b4c8fca86103593314aaedd5
tree      8574e7bb20acf8a6c5b3892b4617ab7d1e72d973
parent    69da46c742dc52bd8000fb53b81f60f64733f55a
WebCore:

        Reviewed by Sam Weinig and Anders Carlsson.

        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16522
        <rdar://problem/5657355>

        This patch makes two changes:

        1) Java calls FrameLoader::load in a slightly different way than
           JavaScript, which previously let a malicious web site bypass the
           shouldAllowNavigation check.  This patch adds that check to that
           code path.

        2) FrameLoader now wraps calls to m_frame->tree()->find(name) with
           findFrameForNavigation, which calls shouldAllowNavigation.  This
           treats disallowed frame navigations as if the named frame did not
           exist, resulting in a popup window when appropriate.

        Tests: http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html
               http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html

        * WebCore.base.exp:
        * bindings/js/kjs_window.cpp:
        (KJS::WindowProtoFuncOpen::callAsFunction):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::createWindow):
        (WebCore::FrameLoader::load):
        (WebCore::FrameLoader::post):
        (WebCore::FrameLoader::findFrameForNavigation):
        * loader/FrameLoader.h:

WebKit/mac:

        Reviewed by Anders Carlsson.

        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16522
        <rdar://problem/5657355>

        * Plugins/WebBaseNetscapePluginView.mm:
        (-[WebBaseNetscapePluginView loadPluginRequest:]): call findFrameForNavigation
        to ensure the shouldAllowNavigation check is made.

WebKitTools:

        Reviewed by Anders Carlsson.

        Make DRT track open windows instead of allocated windows so that
        we can avoid ASSERTION due to late deallocs out of our control.

        * DumpRenderTree/mac/DumpRenderTree.mm:
        (dumpBackForwardListForAllWindows):
        (runTest):
        * DumpRenderTree/mac/DumpRenderTreeMac.h:
        * DumpRenderTree/mac/DumpRenderTreeWindow.h:
        * DumpRenderTree/mac/DumpRenderTreeWindow.mm:
        (+[DumpRenderTreeWindow openWindows]):
        (-[DumpRenderTreeWindow initWithContentRect:styleMask:backing:defer:]):
        (-[DumpRenderTreeWindow close]):
        * DumpRenderTree/mac/LayoutTestControllerMac.mm:
        (LayoutTestController::windowCount):

LayoutTests:

        Reviewed by Anders Carlsson.

        Tests for http://bugs.webkit.org/show_bug.cgi?id=16522
        <rdar://problem/5657355>

        * http/tests/security/frameNavigation/resources/frame-with-link-to-navigate.html: Added.
        * http/tests/security/frameNavigation/resources/frame-with-plugin-to-navigate.html: Added.
        * http/tests/security/frameNavigation/resources/navigation-happened.html: Added.
        * http/tests/security/frameNavigation/xss-DENIED-plugin-navigation-expected.txt: Added.
        * http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html: Added.
        * http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation-expected.txt: Added.
        * http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html: Added.
        * platform/win/Skipped:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29380 268f45cc-cd09-0410-ab3c-d52691b4dbfc
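The navigation-gating pattern described in item (2) of the WebCore ChangeLog above, as an added C++ example that is not WebKit's code: a toy frame tree, a stand-in for shouldAllowNavigation built on an assumed, simplified policy (the active frame may target itself, any of its descendants, or any frame of the same origin), and a findFrameForNavigation wrapper that reports a target the caller may not navigate exactly as if no frame of that name existed, so the caller falls back to a new window. The Frame struct, the policy, the sample frame names and origins, and the helper functions are all constructed here and are not WebCore's.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical, minimal frame tree; not WebCore's Frame/FrameTree classes.
struct Frame {
    std::string name;
    std::string origin;   // "scheme://host", constructed for the example
    Frame* parent = nullptr;
    std::vector<std::unique_ptr<Frame>> children;

    Frame* addChild(const std::string& childName, const std::string& childOrigin) {
        auto child = std::make_unique<Frame>();
        child->name = childName;
        child->origin = childOrigin;
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }

    // Unchecked lookup by name over this frame and its descendants: the kind
    // of raw tree()->find(name) call the ChangeLog says was wrapped.
    Frame* find(const std::string& target) {
        if (name == target)
            return this;
        for (auto& child : children)
            if (Frame* found = child->find(target))
                return found;
        return nullptr;
    }

    Frame* root() {
        Frame* f = this;
        while (f->parent)
            f = f->parent;
        return f;
    }
};

// Assumed policy standing in for shouldAllowNavigation: the active frame may
// navigate itself, any of its descendants, or any frame of the same origin.
bool shouldAllowNavigation(Frame* active, Frame* target) {
    if (!active || !target)
        return false;
    for (Frame* f = target; f; f = f->parent)
        if (f == active)
            return true;   // target is the active frame or one of its descendants
    return active->origin == target->origin;
}

// The pattern from item (2): a named frame the active frame may not navigate
// is reported exactly like a frame that does not exist.
Frame* findFrameForNavigation(Frame* active, const std::string& name) {
    Frame* target = active->root()->find(name);
    if (!target || !shouldAllowNavigation(active, target))
        return nullptr;
    return target;
}

// Caller in the style of a targeted link or window.open: reuse the named frame
// when the checked lookup succeeds, otherwise fall back to a new window.
std::string navigateTarget(Frame* active, const std::string& name) {
    if (Frame* frame = findFrameForNavigation(active, name))
        return frame->name;
    return "<new window>";
}

// Constructed sample: a top-level page with a same-origin child frame and a
// cross-origin third-party child frame, each addressable by name.
std::unique_ptr<Frame> buildSampleTree() {
    auto top = std::make_unique<Frame>();
    top->name = "top";
    top->origin = "https://a.example";
    top->addChild("content", "https://a.example");
    top->addChild("thirdparty", "https://b.example");
    return top;
}

// Where does a navigation from frame `activeName` to target `targetName` land?
std::string targetFor(const std::string& activeName, const std::string& targetName) {
    auto top = buildSampleTree();
    Frame* active = top->find(activeName);
    return active ? navigateTarget(active, targetName) : "<no such active frame>";
}

int main() {
    std::cout << "thirdparty -> content: " << targetFor("thirdparty", "content") << "\n";
    std::cout << "top -> content:        " << targetFor("top", "content") << "\n";
    std::cout << "content -> top:        " << targetFor("content", "top") << "\n";
    return 0;
}
```

The cross-origin third-party frame asking for the same-origin sibling by name gets "<new window>", which is the behaviour the ChangeLog describes for a disallowed targeted navigation; the top-level frame, and the same-origin child targeting its parent, reach the named frame. Because the wrapper collapses "denied" and "absent" into one result, every caller that goes through it gets the check without having to remember to call it.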
22 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/frameNavigation/resources/frame-with-link-to-navigate.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/resources/frame-with-plugin-to-navigate.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/resources/navigation-happened.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/xss-DENIED-plugin-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/xss-DENIED-plugin-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/xss-DENIED-targeted-link-navigation.html [new file with mode: 0644]
LayoutTests/platform/win/Skipped
WebCore/ChangeLog
WebCore/WebCore.base.exp
WebCore/bindings/js/kjs_window.cpp
WebCore/loader/FrameLoader.cpp
WebCore/loader/FrameLoader.h
WebKit/mac/ChangeLog
WebKit/mac/Plugins/WebBaseNetscapePluginView.mm
WebKitTools/ChangeLog
WebKitTools/DumpRenderTree/mac/DumpRenderTree.mm
WebKitTools/DumpRenderTree/mac/DumpRenderTreeMac.h
WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.h
WebKitTools/DumpRenderTree/mac/DumpRenderTreeWindow.mm
WebKitTools/DumpRenderTree/mac/LayoutTestControllerMac.mm