showModalDialog code runs with “first window” set to wrong window
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Mar 2016 04:16:44 +0000 (04:16 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Mar 2016 04:16:44 +0000 (04:16 +0000)
https://bugs.webkit.org/show_bug.cgi?id=155710

Source/WebCore:

Reviewed by Brent Fulgham.

Test: http/tests/security/cross-origin-modal-dialog-base.html

* page/Chrome.cpp:
(WebCore::Chrome::runModal): Null out entryScope so that the "first window"
checks inside the modal dialog won't run in the context of the original window
that presented the dialog.

LayoutTests:

Test by John Wilander.

Reviewed by Brent Fulgham.

* http/tests/security/cross-origin-modal-dialog-base-expected.txt: Added.
* http/tests/security/cross-origin-modal-dialog-base.html: Added.
* http/tests/security/resources/cross-origin-modal-dialog-base-1.html: Added.
* http/tests/security/resources/cross-origin-modal-dialog-base-2.html: Added.
* platform/wk2/TestExpectations: Skip test until we get better showModalDialog support.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198575 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html [new file with mode: 0644]
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/Chrome.cpp

index d6631c0..92e30ef 100644 (file)
@@ -1,3 +1,18 @@
+2016-03-22  Darin Adler  <darin@apple.com>
+
+        showModalDialog code runs with “first window” set to wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=155710
+
+        Test by John Wilander.
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/cross-origin-modal-dialog-base-expected.txt: Added.
+        * http/tests/security/cross-origin-modal-dialog-base.html: Added.
+        * http/tests/security/resources/cross-origin-modal-dialog-base-1.html: Added.
+        * http/tests/security/resources/cross-origin-modal-dialog-base-2.html: Added.
+        * platform/wk2/TestExpectations: Skip test until we get better showModalDialog support.
+
 2016-03-22  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         userSpaceOnUse patterns are not stroked for empty object bounding box elements
diff --git a/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt b/LayoutTests/http/tests/security/cross-origin-modal-dialog-base-expected.txt
new file mode 100644 (file)
index 0000000..ede4cc6
--- /dev/null
@@ -0,0 +1,14 @@
+CONSOLE MESSAGE: line 9: document.location.origin before setting location to a relative path: http://localhost:8000
+CONSOLE MESSAGE: line 18: document.location.origin after setting location to a relative path: http://localhost:8000
+Tests that a modal dialog doesn't fall back to its openers origin when document.location is set to a relative path.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Showing modal dialog.
+Returned from modal dialog.
+If test passed, console messages above should both show the same document.location.origin, .
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
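Review bot: the final debug line in this expected output ("If test passed, console messages above should both show the same document.location.origin, .") has lost the origin it is supposed to name; the test page passes that value as `<http://localhost:8000>` in angle brackets, and the brackets are evidently being swallowed as markup on the way into the results, so the expectation never states which origin the two CONSOLE MESSAGE lines must agree on. Suggest writing the origin without angle brackets in the test page (for example ", namely http://localhost:8000.") or escaping it, then regenerating this file so the expected origin is visible to anyone reading the results.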
diff --git a/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html b/LayoutTests/http/tests/security/cross-origin-modal-dialog-base.html
new file mode 100644 (file)
index 0000000..6ba4e35
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<script src="../../../resources/js-test-pre.js"></script>
+<body>
+<script>
+    if (window.testRunner)
+        testRunner.setCanOpenWindows();
+
+    description("Tests that a modal dialog doesn't fall back to its openers origin when document.location is set to a relative path.");
+
+    var triggeredCaptureListener = false;
+    var triggeredBubbleListener = false;
+
+    onload = function () {
+        debug('Showing modal dialog.');
+        showModalDialog('http://localhost:8000/security/resources/cross-origin-modal-dialog-base-1.html');
+        debug('Returned from modal dialog.');
+        debug('If test passed, console messages above should both show the same document.location.origin, <http://localhost:8000>.');
+        finishJSTest();
+    };
+
+    var jsTestIsAsync = true;
+</script>
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>
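Review bot: `triggeredCaptureListener` and `triggeredBubbleListener` are declared at the top of the script but never read or written anywhere else in this file; they look like leftovers from another test and should be dropped. The pass condition is also only stated in prose for a human to compare the two console lines by eye; a self-checking version would have the dialog pages hand their `document.location.origin` back to the opener (the dialog's return value, or a value stored on the opener) and assert equality with `shouldBe`, so a regression shows up as a FAIL line rather than as a silent change in the console messages.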
diff --git a/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html b/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-1.html
new file mode 100644 (file)
index 0000000..2f323ac
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Dialog Content, Step 1</title>
+</head>
+<body>
+<script>
+    console.log("document.location.origin before setting location to a relative path: " + document.location.origin);
+    document.location = "/security/resources/cross-origin-modal-dialog-base-2.html";
+</script>
+This is a modal dialog.
+</body>
+</html>
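Review bot: the assignment `document.location = "/security/resources/cross-origin-modal-dialog-base-2.html"` is the whole point of the test (a root-relative path that must resolve against the dialog's own origin, not the opener's), but nothing in the file says so; add a one-line comment stating that the path is deliberately relative, so a later cleanup does not "fix" it to an absolute URL and quietly turn the test into a no-op.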
diff --git a/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html b/LayoutTests/http/tests/security/resources/cross-origin-modal-dialog-base-2.html
new file mode 100644 (file)
index 0000000..33bea0c
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Dialog Content, Step 2</title>
+    <script>
+        function closeWindow()
+        {
+            if (window.testRunner) {
+                testRunner.abortModal();
+            }
+            close();
+        }
+    </script>
+</head>
+<body onload="closeWindow()">
+<script>
+    console.log("document.location.origin after setting location to a relative path: " + document.location.origin);
+</script>
+This is a modal dialog.
+</body>
+</html>
index f66456a..2133c89 100644 (file)
@@ -323,6 +323,7 @@ http/tests/loading/cross-origin-XHR-willLoadRequest.html
 # WebKit2 needs showModalDialog
 fast/events/scroll-event-during-modal-dialog.html
 fast/harness/show-modal-dialog.html
+http/tests/security/cross-origin-modal-dialog-base.html [ Skip ]
 
 # WebKit2 needs to support synchronous creation of about:blank/data:url frames
 fast/dom/HTMLDocument/hasFocus.html
index bf68259..b361a5b 100644 (file)
@@ -1,3 +1,17 @@
+2016-03-22  Darin Adler  <darin@apple.com>
+
+        showModalDialog code runs with “first window” set to wrong window
+        https://bugs.webkit.org/show_bug.cgi?id=155710
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/cross-origin-modal-dialog-base.html
+
+        * page/Chrome.cpp:
+        (WebCore::Chrome::runModal): Null out entryScope so that the "first window"
+        checks inside the modal dialog won't run in the context of the original window
+        that presented the dialog.
+
 2016-03-22  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         userSpaceOnUse patterns are not stroked for empty object bounding box elements
index 8182b91..58f6c58 100644 (file)
 #include "Settings.h"
 #include "StorageNamespace.h"
 #include "WindowFeatures.h"
+#include <runtime/VM.h>
 #include <wtf/PassRefPtr.h>
 #include <wtf/RefPtr.h>
+#include <wtf/TemporaryChange.h>
 #include <wtf/Vector.h>
 #include <wtf/text/StringBuilder.h>
 
@@ -219,6 +221,10 @@ void Chrome::runModal() const
     // in a way that could interact with this view.
     PageGroupLoadDeferrer deferrer(m_page, false);
 
+    // JavaScript that runs within the nested event loop must not be run in the context of the
+    // script that called showModalDialog. Null out entryScope to break the connection.
+    TemporaryChange<JSC::VMEntryScope*> entryScopeNullifier { m_page.mainFrame().document()->vm().entryScope, nullptr };
+
     TimerBase::fireTimersInNestedEventLoop();
     m_client.runModal();
 }
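Review bot: `m_page.mainFrame().document()` is dereferenced with no null check before `->vm()`; `Frame::document()` can return null, so unless `runModal()` is only ever reached while script is executing in the main frame (which implies a live document), an ASSERT or an explicit null check is warranted here, or the VM should be obtained from a source that does not go through the main frame's document. The `TemporaryChange` is the right tool for the rest: it saves the current `entryScope` and restores it when `runModal()` returns, and the caller of showModalDialog is still on the stack at that point, so the comment should also say that the restore is what keeps the caller's own first-window checks correct after the dialog closes.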