DOMWindow::open performs a security check on a wrong window
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Jul 2011 20:12:51 +0000 (20:12 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 16 Jul 2011 20:12:51 +0000 (20:12 +0000)
https://bugs.webkit.org/show_bug.cgi?id=64651

Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2011-07-16
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xss-DENIED-window-open-parent.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::open):

LayoutTests:

* http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html: Added.
* http/tests/security/xss-DENIED-window-open-parent-expected.txt: Added.
* http/tests/security/xss-DENIED-window-open-parent.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@91152 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMWindow.cpp

index 5b02161..c9a2de3 100644 (file)
@@ -1,3 +1,14 @@
+2011-07-16  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        DOMWindow::open performs a security check on a wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=64651
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html: Added.
+        * http/tests/security/xss-DENIED-window-open-parent-expected.txt: Added.
+        * http/tests/security/xss-DENIED-window-open-parent.html: Added.
+
 2011-07-16  Sam Weinig  <sam@webkit.org>
 
         Attribute selectors don't handle glob namespaces (e.g. *|E)
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-window-open-parent-attacker.html
new file mode 100644 (file)
index 0000000..d85453b
--- /dev/null
@@ -0,0 +1,4 @@
+<script>
+open("javascript:alert('failed')", "_top");
+parent.postMessage("", "*");
+</script>
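Review bot: the attacker page gives no hint of what it exercises; a one-line HTML comment saying that `_top` is the cross-origin parent and that the `javascript:` URL must be refused by the target window's access check would help whoever reads this test later. Note also that the test completes only because the denied `open()` returns rather than throws (the patched `DOMWindow::open` returns `targetFrame->domWindow()`), so `parent.postMessage("", "*")` on the next line is always reached.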
diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-window-open-parent-expected.txt
new file mode 100644 (file)
index 0000000..55abbb3
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-window-open-parent.html from frame with URL http://localhost:8080/security/resources/xss-DENIED-window-open-parent-attacker.html. Domains, protocols and ports must match.
+
+This test passes if there is no alert dialog.
+
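Review bot: the expected output pins the full console message text, including `line 1:` and both origin URLs, so any rewording of the "Unsafe JavaScript attempt to access frame" message will require updating this file. That is acceptable for a security regression test, but the dependency on exact message wording is worth keeping in mind.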
diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html b/LayoutTests/http/tests/security/xss-DENIED-window-open-parent.html
new file mode 100644 (file)
index 0000000..f241a83
--- /dev/null
@@ -0,0 +1,21 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+
+window.onmessage = function()
+{
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+This test passes if there is no alert dialog.<br>
+<iframe src="http://localhost:8080/security/resources/xss-DENIED-window-open-parent-attacker.html"></iframe> 
+</body>
+</html>
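Review bot: style: there is a doubled blank line between the `layoutTestController` block and the `window.onmessage` handler, and a trailing space after `</iframe>`; trim both. More substantively, the pass condition depends on the attacker frame always posting a message: if a blocked `open()` ever threw instead of returning, the handler would never run and the test would time out rather than fail with a clear message. A short comment stating that the test expects the `javascript:` navigation to be silently refused would make that assumption explicit.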
index ad9b02b..0329377 100644 (file)
@@ -1,3 +1,15 @@
+2011-07-16  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        DOMWindow::open performs a security check on a wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=64651
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xss-DENIED-window-open-parent.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::open):
+
 2011-07-16  Sam Weinig  <sam@webkit.org>
 
         Attribute selectors don't handle glob namespaces (e.g. *|E)
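Review bot: the ChangeLog entry names the touched function but does not say what was wrong or what changed. A one-sentence description (the `javascript:` URL access check in `DOMWindow::open` now runs against the target frame's window instead of the calling window) would make the entry useful without reading the diff.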
index da78596..ddd3649 100644 (file)
@@ -1807,7 +1807,7 @@ PassRefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicStrin
         if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
             return 0;
 
-        if (isInsecureScriptAccess(activeWindow, urlString))
+        if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
             return targetFrame->domWindow();
 
         if (urlString.isEmpty())
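Review bot: the `-` line called `isInsecureScriptAccess` on the opener's own window, so for a named target such as `_top` it tested whether `activeWindow` could script itself rather than the window about to be navigated to the `javascript:` URL, which is why the check never fired. The `+` line correctly calls it on `targetFrame->domWindow()`; `targetFrame` is non-null here since `shouldAllowNavigation(targetFrame)` was just evaluated on it. A brief comment above the check saying that the access check must be made against the target window, not the caller, would help prevent the same mistake from being reintroduced. The hunk shows only the existing-target branch; worth confirming that any path in this function that loads the URL into a newly created window applies the same check against that window.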