window.name leaks information across domains
author    aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 29 Nov 2016 18:40:55 +0000 (18:40 +0000)
committer aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 29 Nov 2016 18:40:55 +0000 (18:40 +0000)
commit    23f38b65fdb62aa29106b99a556f7dcd8d98fbf6
tree      bbe1c33749f4813b2ef0e78c9c2b24a22c625239
parent    bb19e86afc06480797af746587a06a54a8d77ba5
window.name leaks information across domains
https://bugs.webkit.org/show_bug.cgi?id=158216
<rdar://problem/14548481>

Reviewed by Brent Fulgham.

Source/WebCore:

When updating the history after a cross-origin navigation, the HTML Standard says:

"If the browsing context is a top-level browsing context, but not an auxiliary browsing
context, then set the browsing context's name to the empty string."

https://html.spec.whatwg.org/multipage/browsers.html#resetBCName

Tests: http/tests/security/window-name-after-cross-origin-aux-frame-navigation.html
       http/tests/security/window-name-after-cross-origin-main-frame-navigation.html
       http/tests/security/window-name-after-cross-origin-sub-frame-navigation.html
       http/tests/security/window-name-after-same-origin-aux-frame-navigation.html
       http/tests/security/window-name-after-same-origin-main-frame-navigation.html
       http/tests/security/window-name-after-same-origin-sub-frame-navigation.html

* loader/FrameLoader.cpp:
(WebCore::shouldClearWindowName): Returns true if frame is a main frame with no opener and
newDocument does not have the same origin as the frame's current document.
(WebCore::FrameLoader::clear): Changed to set m_frame's name to nullAtom if
clearWindowProperties and shouldClearWindowName() are true.
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::canAccessStorage): Changed to call isSameOriginAs() and check
m_universalAccess.
(WebCore::SecurityOrigin::isSameOriginAs): Renamed from isThirdParty(); removed the check
for m_universalAccess.
(WebCore::SecurityOrigin::isThirdParty): Renamed to isSameOriginAs().
* page/SecurityOrigin.h: Renamed isThirdParty() to isSameOriginAs() and made it public.

LayoutTests:

* fast/events/pageshow-pagehide-on-back-uncached-expected.txt: Updated to account for the
main frame no longer having a name.
* fast/events/pageshow-pagehide-on-back-uncached.html: Updated to use the History API
instead of relying on window.name being retained after a cross-origin navigation.
* fast/events/script-tests/onunload-back-to-page-cache.js:
(onpageshow): Ditto.
* http/tests/security/resources/log-window-name.html: Added.
* http/tests/security/resources/window-name-test.html: Added.
* http/tests/security/window-name-after-cross-origin-aux-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-cross-origin-aux-frame-navigation.html: Added.
* http/tests/security/window-name-after-cross-origin-main-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-cross-origin-main-frame-navigation.html: Added.
* http/tests/security/window-name-after-cross-origin-sub-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-cross-origin-sub-frame-navigation.html: Added.
* http/tests/security/window-name-after-same-origin-aux-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-same-origin-aux-frame-navigation.html: Added.
* http/tests/security/window-name-after-same-origin-main-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-same-origin-main-frame-navigation.html: Added.
* http/tests/security/window-name-after-same-origin-sub-frame-navigation-expected.txt: Added.
* http/tests/security/window-name-after-same-origin-sub-frame-navigation.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@209076 268f45cc-cd09-0410-ab3c-d52691b4dbfc
22 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/events/pageshow-pagehide-on-back-uncached-expected.txt
LayoutTests/fast/events/pageshow-pagehide-on-back-uncached.html
LayoutTests/fast/events/script-tests/onunload-back-to-page-cache.js
LayoutTests/http/tests/security/resources/log-window-name.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/window-name-test.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-aux-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-aux-frame-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-main-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-main-frame-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-sub-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-cross-origin-sub-frame-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-aux-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-aux-frame-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-main-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-main-frame-navigation.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-sub-frame-navigation-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-name-after-same-origin-sub-frame-navigation.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/page/SecurityOrigin.cpp
Source/WebCore/page/SecurityOrigin.h
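The commit message above describes the rule in prose: a top-level browsing context with no opener loses its name on a cross-origin navigation, while sub-frames and auxiliary (opened) windows keep it. The following JavaScript is an added model of that decision, written for this page; it is not WebKit's code. It reimplements the (scheme, host, port) same-origin comparison that the renamed `SecurityOrigin::isSameOriginAs()` performs (without WebKit's universal-access escape hatch), applies the `shouldClearWindowName()` logic the ChangeLog describes, and runs it over six constructed scenarios that mirror the six layout tests the commit adds. The frame objects, URLs and the sample `window.name` value are all constructed for illustration; `127.0.0.1` and `localhost` are used as two distinct origins the way the WebKit HTTP tests do.

```javascript
// Added example (not WebKit's code): a JavaScript model of the HTML Standard rule the
// commit implements (https://html.spec.whatwg.org/multipage/browsers.html#resetBCName)
// and of the decision the ChangeLog describes for WebCore::shouldClearWindowName().
// Frame objects, URLs and the sample name below are constructed for illustration.

// Default ports per scheme, so "https://a.example" and "https://a.example:443" match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port).
function originOf(urlString) {
  const url = new URL(urlString);
  return {
    scheme: url.protocol,
    host: url.hostname,
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
  };
}

// Same-origin comparison on the (scheme, host, port) tuple; the analogue of the
// renamed SecurityOrigin::isSameOriginAs(), minus WebKit's universal-access check.
function isSameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The spec rule: only a top-level browsing context that is not auxiliary (no opener)
// loses its name, and only when the new document is cross-origin.
function shouldClearWindowName(frame, newDocumentUrl) {
  if (!frame.isMainFrame) return false;   // sub-frames keep window.name
  if (frame.hasOpener) return false;      // auxiliary (opened) windows keep window.name
  return !isSameOrigin(originOf(frame.currentUrl), originOf(newDocumentUrl));
}

// What the newly loaded document will read from window.name.
function nameAfterNavigation(frame, newDocumentUrl) {
  return shouldClearWindowName(frame, newDocumentUrl) ? "" : frame.name;
}

// Constructed scenarios mirroring the six layout tests the commit adds. The two
// hosts are different origins even though they resolve to the same machine.
const NAME = "constructed-sensitive-value";
const SAME_ORIGIN = "http://127.0.0.1:8000/resources/log-window-name.html";
const CROSS_ORIGIN = "http://localhost:8000/resources/log-window-name.html";

// kind is "main" (top-level, no opener), "sub" (iframe) or "aux" (window.open target).
function makeFrame(kind) {
  return {
    isMainFrame: kind !== "sub",
    hasOpener: kind === "aux",
    name: NAME,
    currentUrl: "http://127.0.0.1:8000/window-name-test.html",
  };
}

// Run all six cases and return the name each new document observes, keyed by test.
function runScenarios() {
  const results = {};
  for (const kind of ["main", "sub", "aux"]) {
    results[`cross-origin-${kind}-frame`] = nameAfterNavigation(makeFrame(kind), CROSS_ORIGIN);
    results[`same-origin-${kind}-frame`] = nameAfterNavigation(makeFrame(kind), SAME_ORIGIN);
  }
  return results;
}

console.log(runScenarios());
```

Only `cross-origin-main-frame` comes back empty; the other five cases still see the original value, which is exactly the split the six test expectations encode. The practical consequence for web authors is the one the LayoutTests change illustrates: state that must survive a cross-origin round trip on the main frame belongs in the History API (`history.state`) or in storage, not in `window.name`.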