iframe sandbox treats vertical tab as a valid delimiter
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Nov 2011 21:05:06 +0000 (21:05 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Nov 2011 21:05:06 +0000 (21:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=71704

Reviewed by Eric Seidel.

Source/WebCore:

This patch adjusts our parser slightly to match the HTML5 spec.  The
only difference is in how we handle vertical tabs.  Previously, we
treated them as a delimiter, but we're not supposed to do that.

Test: fast/frames/sandboxed-iframe-parsing-space-characters.html

* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::parseSandboxPolicy):

LayoutTests:

Test which space-like characters are treated as delimiters.

* fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt: Added.
* fast/frames/sandboxed-iframe-parsing-space-characters.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@99466 268f45cc-cd09-0410-ab3c-d52691b4dbfc
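
The effect of the delimiter change described in the commit message, as an added stand-alone example (not WebKit code): the same tokenizer loop is run with two hypothetical predicates, `isHtmlSpace` and `isSpaceWithVerticalTab`, over a policy string of the kind the layout test builds. The token table and function names are assumptions made for the illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <set>
#include <string>

// HTML space characters: space, tab, LF, FF, CR. U+000B is not in the set.
static bool isHtmlSpace(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\f' || c == '\r';
}

// Old behaviour as the commit describes it: vertical tab also splits tokens.
static bool isSpaceWithVerticalTab(char c) {
    return isHtmlSpace(c) || c == '\v';
}

// Returns the recognised "allow-*" tokens in a sandbox policy. Unrecognised
// tokens are ignored, so the restriction they might have lifted stays on.
static std::set<std::string> allowedTokens(const std::string& policy,
                                           bool (*isDelimiter)(char)) {
    static const std::set<std::string> known = {
        "allow-scripts", "allow-forms", "allow-same-origin", "allow-top-navigation"};
    std::set<std::string> allowed;
    size_t length = policy.size();
    size_t start = 0;
    while (true) {
        while (start < length && isDelimiter(policy[start]))
            ++start;
        if (start >= length)
            break;
        size_t end = start + 1;
        while (end < length && !isDelimiter(policy[end]))
            ++end;
        std::string token = policy.substr(start, end - start);
        for (char& ch : token)  // sandbox tokens match ASCII case-insensitively
            ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        if (known.count(token))
            allowed.insert(token);
        start = end + 1;
    }
    return allowed;
}

int main() {
    const std::string policy = "allow-scripts\vallow-forms";  // constructed sample
    std::printf("vertical tab as delimiter: %zu flags lifted\n",
                allowedTokens(policy, isSpaceWithVerticalTab).size());
    std::printf("HTML space characters only: %zu flags lifted\n",
                allowedTokens(policy, isHtmlSpace).size());
    return 0;
}
```

With the HTML-space predicate the vertical tab stays inside a single unrecognised token, so neither permission is granted and the frame remains fully sandboxed.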

LayoutTests/ChangeLog
LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/SecurityOrigin.cpp

index 7be0cf6..b9594b2 100755 (executable)
@@ -1,3 +1,15 @@
+2011-11-07  Adam Barth  <abarth@webkit.org>
+
+        iframe sandbox treats vertical tab as a valid delimiter
+        https://bugs.webkit.org/show_bug.cgi?id=71704
+
+        Reviewed by Eric Seidel.
+
+        Test which space-like charaters are treating as delimiters.
+
+        * fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-parsing-space-characters.html: Added.
+
 2011-11-07  Ken Buchanan <kenrb@chromium.org>
 
         Crash due to mixed direction text runs
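Review bot: The description line in the new entry has two slips, "charaters" and "are treating"; it should read "Test which space-like characters are treated as delimiters." ChangeLog text is what people search later, so it is worth fixing before landing.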
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt
new file mode 100644 (file)
index 0000000..28177e7
--- /dev/null
@@ -0,0 +1,7 @@
+ALERT: PASS: Form feed is a delimiter.
+ALERT: PASS: Newline is a delimiter.
+ALERT: PASS: Return is a delimiter.
+ALERT: PASS: Tab is a delimiter.
+ALERT: PASS: Space is a delimiter character.
+This tests whether we correct parse various space characters in the sandbox attribute.
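Review bot: The expected output contains only the five PASS alerts, so the 'x' and vertical-tab cases are checked purely by the absence of a line; nothing positive records that those two frames loaded and stayed script-disabled. Consider having the parent page log a line per test case from the onload handler so that a frame that never loads is distinguishable from a frame whose script was correctly blocked. Also, "whether we correct parse" should be "correctly parse", here and in the .html file.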
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html
new file mode 100644 (file)
index 0000000..c5372e8
--- /dev/null
@@ -0,0 +1,40 @@
+This tests whether we correct parse various space characters in the sandbox attribute.<br>
+<script>
+var testCases = [
+    [' ', 'PASS: Space is a delimiter character.'],
+    ['\t', 'PASS: Tab is a delimiter.'],
+    ['x', 'FAIL: x is not a delimiter.'],
+    ['\r', 'PASS: Return is a delimiter.'],
+    ['\n', 'PASS: Newline is a delimiter.'],
+    ['\v', 'FAIL: Vertical tab is not a delimiter.'],
+    ['\f', 'PASS: Form feed is a delimiter.'],
+]
+
+function next() {
+    if (testCases.length) {
+        var testCase = testCases.pop();
+        testCharacter.apply(null, testCase);
+        return;
+    }
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function testCharacter(possibleDelimiter, message) {
+    var policy = "allow-scripts" + possibleDelimiter + "allow-forms";
+    var iframe = document.createElement('iframe');
+    iframe.sandbox = policy;
+    iframe.src = "data:text/html,<script>alert('" + message + "');<\/script>";
+    iframe.onload = next;
+    document.body.appendChild(iframe);
+}
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+next();
+
+</script>
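Review bot: The messages for the negative cases, 'FAIL: x is not a delimiter.' and 'FAIL: Vertical tab is not a delimiter.', state the correct behaviour, yet they are only ever shown when the character was wrongly treated as a delimiter, so a failing run prints a sentence that contradicts what happened. Wording such as 'FAIL: Vertical tab was treated as a delimiter.' would read correctly in a failure log. Two smaller points: the testCases array literal is missing its terminating semicolon, and because next() uses pop() the cases run in reverse order, which is why the expected file starts with form feed; a short comment saying so would save the next reader a moment.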
index df992de..bd17824 100755 (executable)
@@ -1,5 +1,21 @@
 2011-11-07  Adam Barth  <abarth@webkit.org>
 
+        iframe sandbox treats vertical tab as a valid delimiter
+        https://bugs.webkit.org/show_bug.cgi?id=71704
+
+        Reviewed by Eric Seidel.
+
+        This patch adjusts our parser slightly to match the HTML5 spec.  The
+        only difference is in how we handle vertical tabs.  Previously, we
+        treated them as a delimiter, but we're not supposed to do that.
+
+        Test: fast/frames/sandboxed-iframe-parsing-space-characters.html
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::parseSandboxPolicy):
+
+2011-11-07  Adam Barth  <abarth@webkit.org>
+
         Factor SecurityContext out of ScriptExecutionContext
         https://bugs.webkit.org/show_bug.cgi?id=71721
 
index 906b9e5..53ca54d 100644 (file)
@@ -32,6 +32,7 @@
 #include "BlobURL.h"
 #include "Document.h"
 #include "FileSystem.h"
+#include "HTMLParserIdioms.h"
 #include "KURL.h"
 #include "OriginAccessEntry.h"
 #include "SchemeRegistry.h"
@@ -551,12 +552,12 @@ SandboxFlags SecurityOrigin::parseSandboxPolicy(const String& policy)
     unsigned length = policy.length();
     unsigned start = 0;
     while (true) {
-        while (start < length && isASCIISpace(characters[start]))
+        while (start < length && isHTMLSpace(characters[start]))
             ++start;
         if (start >= length)
             break;
         unsigned end = start + 1;
-        while (end < length && !isASCIISpace(characters[end]))
+        while (end < length && !isHTMLSpace(characters[end]))
             ++end;
 
         // Turn off the corresponding sandbox flag if it's set as "allowed".
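Review bot: Both loops in parseSandboxPolicy now depend on isHTMLSpace, but nothing at the call site says why isASCIISpace is wrong here, which makes it easy for a later cleanup to swap it back. A one-line comment above the first loop, for example "Sandbox tokens are split on HTML space characters; U+000B is not one of them", would document the intent. It is also worth stating in the ChangeLog that the change fails closed: a policy containing a vertical tab now yields one unrecognised token, so per the "Turn off the corresponding sandbox flag" step no flag is cleared for it.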