Local file restrictions should not block sessionStorage access
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 19:46:38 +0000 (19:46 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 19:46:38 +0000 (19:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=155609
<rdar://problem/25229461>

Reviewed by Andy Estes.

Source/WebCore:

Use of 'sessionStorage' is governed by SecurityOrigin with third party access
set to 'ShouldAllowFromThirdParty::AlwaysAllowFromThirdParty'. We should not
reject local files for this combination of arguments.

Test: storage/domstorage/sessionstorage/blocked-file-access.html

* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::canAccessStorage): For the case of sessionStorage,
allow local file access.

LayoutTests:

* storage/domstorage/sessionstorage/blocked-file-access-expected.txt: Added.
* storage/domstorage/sessionstorage/blocked-file-access.html: Added.
* storage/domstorage/sessionstorage/resources/blocked-example.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198439 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/storage/domstorage/sessionstorage/blocked-file-access-expected.txt [new file with mode: 0644]
LayoutTests/storage/domstorage/sessionstorage/blocked-file-access.html [new file with mode: 0644]
LayoutTests/storage/domstorage/sessionstorage/resources/blocked-example.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/SecurityOrigin.cpp

index 2db0127..03d4e3f 100644 (file)
@@ -1,3 +1,15 @@
+2016-03-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Local file restrictions should not block sessionStorage access
+        https://bugs.webkit.org/show_bug.cgi?id=155609
+        <rdar://problem/25229461>
+
+        Reviewed by Andy Estes.
+
+        * storage/domstorage/sessionstorage/blocked-file-access-expected.txt: Added.
+        * storage/domstorage/sessionstorage/blocked-file-access.html: Added.
+        * storage/domstorage/sessionstorage/resources/blocked-example.html: Added.
+
 2016-03-18  Ryan Haddad  <ryanhaddad@apple.com>
 
         Rebaseline inspector/model/remote-object.html for mac after r198435
diff --git a/LayoutTests/storage/domstorage/sessionstorage/blocked-file-access-expected.txt b/LayoutTests/storage/domstorage/sessionstorage/blocked-file-access-expected.txt
new file mode 100644 (file)
index 0000000..2a5a203
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 10: PASS: window.sessionStorage was accessible
+
+Test that we are permitted access to sessionStorage from a file URL if universal access is turned off.
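Review bot: The expected console line hard-codes "line 10", which is the position of the console.log call in resources/blocked-example.html, so any edit above that call in the resource changes this expectation. Keep the resource's script minimal or note the dependency in the test, so a later cleanup of the resource does not produce a spurious failure.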
diff --git a/LayoutTests/storage/domstorage/sessionstorage/blocked-file-access.html b/LayoutTests/storage/domstorage/sessionstorage/blocked-file-access.html
new file mode 100644 (file)
index 0000000..7f3645d
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.setAllowUniversalAccessFromFileURLs(false);
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<iframe src="resources/blocked-example.html"></iframe>
+<div id="results"></div>
+Test that we are permitted access to sessionStorage from a file URL if universal access is turned off.
+</body>
+</html>
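Review bot: This test covers only the newly permitted case; with setAllowUniversalAccessFromFileURLs(false) set in the head script, there is no companion check that a storage request which does not pass AlwaysAllowFromThirdParty is still refused for a file URL, so a regression that opens the local-file check more widely would not be caught here. Consider adding that negative case alongside this one. The div with id "results" in the body is never written to (the iframe reports through console.log only) and can be dropped, and the file name blocked-file-access reads oddly for a test whose expected result is that access is permitted.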
diff --git a/LayoutTests/storage/domstorage/sessionstorage/resources/blocked-example.html b/LayoutTests/storage/domstorage/sessionstorage/resources/blocked-example.html
new file mode 100644 (file)
index 0000000..8fbcc66
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/clearSessionStorage.js"></script>
+<script>
+function runTest()
+{
+    try {
+        if (window.sessionStorage)
+            console.log("PASS: window.sessionStorage was accessible");
+    } catch (e) {
+        console.log("FAIL: window.sessionStorage was not accessible");
+        console.log("Exception: " + e.message);
+    }
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body onload="runTest();">
+</body>
+</html>
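Review bot: The script include src="resources/clearSessionStorage.js" is resolved relative to this file, which already lives in resources/, so it points at resources/resources/clearSessionStorage.js, and this commit adds no file at that path. Nothing in runTest() calls into it, so either drop the include or correct the path. In runTest() itself, if window.sessionStorage evaluates falsy without throwing, neither PASS nor FAIL is logged; add an else branch that logs a FAIL so the failure is explicit rather than only showing up as a missing console line.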
index 7cc3093..b95a696 100644 (file)
@@ -1,3 +1,21 @@
+2016-03-18  Brent Fulgham  <bfulgham@apple.com>
+
+        Local file restrictions should not block sessionStorage access
+        https://bugs.webkit.org/show_bug.cgi?id=155609
+        <rdar://problem/25229461>
+
+        Reviewed by Andy Estes.
+
+        Use of 'sesssionStorage' is governed by SecurityOrigin with third party access
+        set to 'ShouldAllowFromThirdParty::AlwaysAllowFromThirdParty'. We should not
+        reject local files for this combination of arguments.
+
+        Test: storage/domstorage/sessionstorage/blocked-file-access.html
+
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::canAccessStorage): For the case of sessionStorage,
+        allow local file access.
+
 2016-03-18  Jer Noble  <jer.noble@apple.com>
 
         CachedResource::MediaResource types shouldn't be blocked due to mixed-content.
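Review bot: 'sesssionStorage' in the description paragraph of the new entry has an extra 's'; it should read 'sessionStorage' so the entry can be found by searching for the API name.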
index 20f75b7..1ae7b9f 100644 (file)
@@ -375,7 +375,7 @@ bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAll
     if (m_storageBlockingPolicy == BlockAllStorage)
         return false;
 
-    if (isLocal() && !m_universalAccess)
+    if (isLocal() && !m_universalAccess && shouldAllowFromThirdParty != AlwaysAllowFromThirdParty)
         return false;
 
     // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null.
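Review bot: The clause added to the isLocal() check uses shouldAllowFromThirdParty == AlwaysAllowFromThirdParty as a stand-in for "this is a sessionStorage request", but nothing in the function says so, and any other caller that passes AlwaysAllowFromThirdParty would also skip the local-file restriction. Add a comment above the check carrying the sessionStorage rationale from the ChangeLog, or pass the storage type explicitly so the local-file exemption does not ride on the third-party flag. The BlockAllStorage check above it still runs first, which is the right ordering and worth keeping if this is refactored.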