Popups opened from a sandboxed iframe should themselves be sandboxed
author: wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Aug 2016 16:51:05 +0000 (16:51 +0000)
committer: wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Aug 2016 16:51:05 +0000 (16:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=134850
<rdar://problem/27375388>

Reviewed by Brent Fulgham.

Source/WebCore:

This replicates the behavior in Chrome, Firefox, and according to the reporter
also in Internet Explorer. See the Mozilla bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1

Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html

* page/Chrome.cpp:
(WebCore::Chrome::createWindow):
    Now copies the opener's frame loader effective sandbox flags to the new
    frame loader.

LayoutTests:

* http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
* http/tests/security/resources/page-executing-javascript.html: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204174 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/page-executing-javascript.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/Chrome.cpp

index 1382fb7..c6d2735 100644 (file)
@@ -1,3 +1,16 @@
+2016-08-05  John Wilander  <wilander@apple.com>
+
+        Popups opened from a sandboxed iframe should themselves be sandboxed
+        https://bugs.webkit.org/show_bug.cgi?id=134850
+        <rdar://problem/27375388>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+        * http/tests/security/resources/page-executing-javascript.html: Added.
+        * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+        * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
 2016-08-05  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r203935.
diff --git a/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html b/LayoutTests/http/tests/security/resources/anchor-tag-with-blank-target.html
new file mode 100644 (file)
index 0000000..4933e5e
--- /dev/null
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+    <a id="theLink" target="_blank" href="./page-executing-javascript.html">_blank page that executes JavaScript</a>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/resources/page-executing-javascript.html b/LayoutTests/http/tests/security/resources/page-executing-javascript.html
new file mode 100644 (file)
index 0000000..d74d004
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: JavaScript was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+    document.getElementById("output").innerHTML = "Fail: JavaScript was allowed to execute.";
+</script>
+</body>
+</html>
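Review bot: the Fail marker on the `document.getElementById("output").innerHTML = ...` line is written with innerHTML; the right-hand side is a constant string so there is no injection here, but textContent is the idiomatic choice for plain text and saves the next reviewer from having to check what the assignment contains. It is also worth a one-line comment that the automated run never sees this page's body: the test's expected output is the blocked-script console message reported in the opener document, so the `<noscript>` Pass text and the Fail text only help when the page is opened by hand.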
diff --git a/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt b/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt
new file mode 100644 (file)
index 0000000..828cf43
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-javascript.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
diff --git a/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html b/LayoutTests/http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
new file mode 100644 (file)
index 0000000..a678263
--- /dev/null
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+    <script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script>
+    if (window.testRunner) {
+        testRunner.setCanOpenWindows();
+        testRunner.waitUntilDone();
+        testRunner.setPopupBlockingEnabled(false);
+        testRunner.dumpAsText();
+    }
+
+    function wrapUp () {
+        finishJSTest();
+        if (window.testRunner) {
+            testRunner.notifyDone();
+        }
+    }
+
+    function run() {
+        var iframeContentDocument = document.getElementById("theIframe").contentDocument;
+        if (!iframeContentDocument) {
+            testFailed("Can't get iframeElement.contentDocument");
+            finishJSTest();
+            testRunner.notifyDone();
+        } else {
+            var theLink = iframeContentDocument.getElementById("theLink");
+            if (!theLink) {
+                testFailed("Can't get iframeElement.contentDocument.getElementById('theLink')");
+                finishJSTest();
+                testRunner.notifyDone();
+            } else {
+                var clickEvent = document.createEvent("HTMLEvents");
+                clickEvent.initEvent("click", true, true);
+                theLink.dispatchEvent(clickEvent);
+
+                setTimeout(wrapUp, 500);
+            }
+        }
+    }
+</script>
+<iframe onload="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src="resources/anchor-tag-with-blank-target.html"></iframe>
+</body>
+</html>
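Review bot: both failure branches in run() (after `testFailed("Can't get iframeElement.contentDocument")` and after the `theLink` lookup) call `testRunner.notifyDone()` without the `window.testRunner` guard that wrapUp() has, so opening the test in a plain browser throws a ReferenceError on the failure path instead of reporting the failure; have both branches call wrapUp() and drop the duplicated finishJSTest()/notifyDone() pair. Two smaller points: `setTimeout(wrapUp, 500)` is a fixed wait for the popup to load and emit its console message, which is a known source of flakiness on slow bots, so if the harness offers no completion hook for the popup a comment saying so would stop the 500 ms from looking arbitrary; and since js-test-post.js is not included, finishJSTest() prints nothing here (the expected output has no TEST COMPLETE line), so either include it or remove the call.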
index 6f58a85..6e2d138 100644 (file)
@@ -1,3 +1,22 @@
+2016-08-05  John Wilander  <wilander@apple.com>
+
+        Popups opened from a sandboxed iframe should themselves be sandboxed
+        https://bugs.webkit.org/show_bug.cgi?id=134850
+        <rdar://problem/27375388>
+
+        Reviewed by Brent Fulgham.
+
+        This replicates the behavior in Chrome, Firefox, and according to the reporter
+        also in Internet Explorer. See the Mozilla bug report:
+        https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1
+
+        Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+        * page/Chrome.cpp:
+        (WebCore::Chrome::createWindow):
+            Now copies the opener's frame loader effective sandbox flags to the new
+            frame loader.
+
 2016-08-05  Darin Adler  <darin@apple.com>
 
         * DerivedSources.make: Fix all places that were using tabs instead of spaces outside
index 58f6c58..7be46bb 100644 (file)
@@ -195,10 +195,13 @@ void Chrome::focusedFrameChanged(Frame* frame) const
 
 Page* Chrome::createWindow(Frame* frame, const FrameLoadRequest& request, const WindowFeatures& features, const NavigationAction& action) const
 {
+    ASSERT(frame);
     Page* newPage = m_client.createWindow(frame, request, features, action);
     if (!newPage)
         return 0;
 
+    newPage->mainFrame().loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
     if (StorageNamespace* oldSessionStorage = m_page.sessionStorage(false))
         newPage->setSessionStorage(oldSessionStorage->copy(newPage));
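Review bot: `ASSERT(frame)` only fires in debug builds, and the new `frame->loader().effectiveSandboxFlags()` call is the first unconditional dereference of `frame` in this function (before this change it was only forwarded to m_client.createWindow), so in release a null frame now crashes rather than failing window creation. If every caller guarantees a non-null frame the assert is enough; otherwise prefer `if (!frame) return nullptr;` ahead of the client call (and `nullptr` over the existing `return 0`). Also note the copy is unconditional: every effective sandbox flag of the opener is forced onto the new page's main frame, which is the intended fix, but it means the HTML spec's allow-popups-to-escape-sandbox keyword cannot be honoured here without a follow-up that consults the opener's flags before forcing them; a short comment stating that would help whoever picks that up.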