FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2012 01:09:43 +0000 (01:09 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2012 01:09:43 +0000 (01:09 +0000)
commitfb635904904c81daccfd89c670900d389447eda5
tree00fe7775eac457c15a77863e33c1ae47bd46248b
parenta3b08903cb6204ff29a25b5a43cb49d89cb0d53a
FrameLoader::shouldAllowNavigation uses Frame for context rather than Document
https://bugs.webkit.org/show_bug.cgi?id=81020

Reviewed by Eric Seidel.

Source/WebCore:

The vast majority of security checks in the browser should use a
ScriptExecutionContext (aka a Document) to designate "who" is
attempting to perform a given action.  Unfortunately,
shouldAllowNavigation was using a Frame to designate "who" is
attempting the navigation.

In cases when the executing script is "inactive" (i.e., belongs to a
document that is not currently displayed in a Frame), using the Frame
can cause us to grant the script the privileges of the document that's
currently displayed in the Frame rather than the one that contains the
script.

This patch moves shouldAllowNavigation from FrameLoader to Document
(and renames it to canNavigate), effectively change the context object
from a Frame to a Document.

Test: http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html

* bindings/generic/BindingSecurity.h:
(BindingSecurity):
(WebCore):
* bindings/v8/V8Utilities.cpp:
(WebCore):
* bindings/v8/V8Utilities.h:
(WebCore):
    - Deletes unused code.
* dom/Document.cpp:
(WebCore::canAccessAncestor):
(WebCore):
(WebCore::Document::canNavigate):
    - canNavigate is copied from FrameLoader::shouldAllowNavigation.
      I've added a null-check bailout if the document is inactive.
* dom/Document.h:
(Document):
* loader/FormState.cpp:
(WebCore::FormState::FormState):
(WebCore::FormState::create):
* loader/FormState.h:
(WebCore):
(FormState):
(WebCore::FormState::sourceDocument):
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):
    - Changes the context object from Frame to Document.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm):
(WebCore::FrameLoader::loadFrameRequest):
(WebCore):
(WebCore::FrameLoader::findFrameForNavigation):
    - FrameLoader::findFrameForNavigation still incorrectly uses Frame
      as the context object, but that's a bug for another patch.
(WebCore::createWindow):
* loader/FrameLoader.h:
(FrameLoader):
* loader/NavigationScheduler.cpp:
(WebCore::ScheduledFormSubmission::fire):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::close):
(WebCore::DOMWindow::setLocation):
(WebCore::DOMWindow::open):
* page/History.cpp:
(WebCore::History::go):

Source/WebKit/mac:

Update call site to new function name.

* WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::dispatchWillSubmitForm):

Source/WebKit/win:

Update call site to new function name.

* WebFrame.cpp:
(WebFrame::dispatchWillSubmitForm):

Source/WebKit2:

Update call site to new function name.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):

LayoutTests:

Test that a script from an inactive document doesn't inherit the
navigation privileges of the document that currently occupies the
frame.

* http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt: Added.
* http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html: Added.
* http/tests/security/frameNavigation/resources/fail.html: Added.
* http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html:
* http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
26 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/inactive-function-in-popup-navigate-child.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/resources/fail.html [new file with mode: 0644]
LayoutTests/http/tests/security/frameNavigation/resources/iframe-with-inner-frame-on-foreign-domain.html
LayoutTests/http/tests/security/frameNavigation/resources/popup-ready-to-navigate-child.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/generic/BindingSecurity.h
Source/WebCore/bindings/v8/V8Utilities.cpp
Source/WebCore/bindings/v8/V8Utilities.h
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/Document.h
Source/WebCore/loader/FormState.cpp
Source/WebCore/loader/FormState.h
Source/WebCore/loader/FormSubmission.cpp
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/loader/FrameLoader.h
Source/WebCore/loader/NavigationScheduler.cpp
Source/WebCore/page/DOMWindow.cpp
Source/WebCore/page/History.cpp
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm
Source/WebKit/win/ChangeLog
Source/WebKit/win/WebFrame.cpp
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp