Device motion and orientation should only be visible from the main frame's security...
authordino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Oct 2015 21:46:10 +0000 (21:46 +0000)
committerdino@apple.com <dino@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Oct 2015 21:46:10 +0000 (21:46 +0000)
commitf1e93175ebc4dcdaec28bbca269b7aaa46600294
treeca9216d2239302899d9b2f57b74238faa1638c47
parent15f0f9a4e0169f7b1850cb5c7ee7d2100e6f994d
Device motion and orientation should only be visible from the main frame's security origin
https://bugs.webkit.org/show_bug.cgi?id=150072
<rdar://problem/23082036>

Reviewed by Brent Fulgham.

.:

Add a manual test for cross-origin device orientation events, while
we're waiting on the mock client to be supported everywhere.

* ManualTests/deviceorientation-child-frame.html: Added.
* ManualTests/deviceorientation-main-frame-only.html: Added.

Source/WebCore:

There are reports that gyroscope and accelerometer information can
be used to detect keyboard entry. One initial step to reduce the
risk is to forbid device motion and orientation events from
being fired in frames that are a different security origin from the main page.

Manual test: deviceorientation-main-frame-only.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::isSameSecurityOriginAsMainFrame): New helper function.
(WebCore::DOMWindow::addEventListener): Check if we are the main frame, or the
same security origin as the main frame. If not, don't add the event
listeners.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191008 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog
ManualTests/deviceorientation-child-frame.html [new file with mode: 0644]
ManualTests/deviceorientation-main-frame-only.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMWindow.cpp
Source/WebCore/page/DOMWindow.h