Sandbox flags do not support document.domain control
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 23:27:08 +0000 (23:27 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 23:27:08 +0000 (23:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175281
<rdar://problem/33778936>

Reviewed by Chris Dumez.

Source/WebCore:

Update the 'setDomain' logic to honor the sandbox properties as defined in the current
HTML5 specification. This brings us in line with how Chrome and other browsers have
worked for some time.

Test: fast/frames/sandboxed-iframe-domain.html

* dom/Document.cpp:
(WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
* dom/SecurityContext.h:

LayoutTests:

* fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
* fast/frames/sandboxed-iframe-domain.html: Added.
* fast/frames/sandboxed-iframe-domain-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220427 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html [new file with mode: 0644]
LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/sandboxed-iframe-domain.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/SecurityContext.h
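The behaviour this patch implements, as an added JavaScript model that is not WebKit code and not part of the commit: the sandboxing flag set starts with every bit set and only the listed allow-* keywords clear bits, so the document.domain flag (and the navigation flag) can never be relaxed, which is why the test's `allow-scripts allow-same-origin` frame is still refused. The `setDomain` function follows the check order visible in the Document.cpp hunk. Bit positions 8 through 11 are the ones shown in the SecurityContext.h hunk; the lower bit assignments, the keyword table (taken from the HTML spec's "parse a sandboxing directive"), the forbidden-scheme list and the simplified suffix rule are assumptions made for this example.

```javascript
// Added example, not WebKit code: a model of the HTML sandboxing flag set and
// of the document.domain setter, in the check order Document::setDomain uses
// after this patch. Bit positions 8-11 match the SandboxFlag enum in the diff;
// the lower bits and the keyword table are assumptions taken from the HTML
// spec's "parse a sandboxing directive", and the suffix rule is simplified.
const SandboxFlag = Object.freeze({
  Navigation:                    1 << 0,
  Plugins:                       1 << 1,
  Origin:                        1 << 2,
  Forms:                         1 << 3,
  Scripts:                       1 << 4,
  TopNavigation:                 1 << 5,
  Popups:                        1 << 6,
  AutomaticFeatures:             1 << 7,
  PointerLock:                   1 << 8,
  PropagatesToAuxiliaryBrowsingContexts: 1 << 9,
  TopNavigationByUserActivation: 1 << 10,
  DocumentDomain:                1 << 11,
});
const SandboxAll = -1; // every bit set, as in the WebKit enum

// Which flags each allow-* keyword clears. Parsing starts from SandboxAll, so a
// flag with no keyword here (Navigation, DocumentDomain) can never be relaxed.
const ALLOW_KEYWORDS = Object.freeze({
  'allow-same-origin': SandboxFlag.Origin,
  'allow-forms': SandboxFlag.Forms,
  'allow-scripts': SandboxFlag.Scripts | SandboxFlag.AutomaticFeatures,
  'allow-pointer-lock': SandboxFlag.PointerLock,
  'allow-popups': SandboxFlag.Popups,
  'allow-popups-to-escape-sandbox': SandboxFlag.PropagatesToAuxiliaryBrowsingContexts,
  'allow-top-navigation': SandboxFlag.TopNavigation | SandboxFlag.TopNavigationByUserActivation,
  'allow-top-navigation-by-user-activation': SandboxFlag.TopNavigationByUserActivation,
});

function parseSandboxPolicy(attributeValue) {
  let flags = SandboxAll;
  for (const token of attributeValue.toLowerCase().split(/\s+/)) {
    const cleared = ALLOW_KEYWORDS[token];
    if (cleared !== undefined) flags &= ~cleared; // unknown tokens relax nothing
  }
  return flags;
}

function isSandboxed(flags, flag) {
  return (flags & flag) !== 0;
}

class SecurityError extends Error {
  constructor(message) { super(message); this.name = 'SecurityError'; }
}

// Schemes for which domain relaxation is refused outright (assumed list).
const DOMAIN_RELAXATION_FORBIDDEN = new Set(['file', 'data', 'blob']);

// Mirrors the check order in Document::setDomain: browsing context, sandbox
// flag, scheme, then the suffix rule. Returns the new effective domain.
function setDomain(doc, newDomain) {
  if (!doc.hasBrowsingContext)
    throw new SecurityError('A browsing context is required to set a domain.');
  if (isSandboxed(doc.sandboxFlags, SandboxFlag.DocumentDomain))
    throw new SecurityError('Assignment is forbidden for sandboxed iframes.');
  if (DOMAIN_RELAXATION_FORBIDDEN.has(doc.scheme))
    throw new SecurityError(`document.domain cannot be set for ${doc.scheme}: documents.`);
  // Simplified suffix rule (assumption): newDomain must equal the host, or be a
  // dot-separated suffix of it that still contains a dot, so 'com' is refused.
  const host = doc.host;
  const isSuffix = newDomain === host ||
    (newDomain.includes('.') && host.endsWith('.' + newDomain));
  if (!isSuffix)
    throw new SecurityError(`'${newDomain}' is not a suffix of '${host}'.`);
  doc.domain = newDomain;
  return doc.domain;
}

// Constructed documents (not real test data); null means no sandbox attribute.
function makeDocument(sandboxAttribute, scheme = 'https', host = 'app.example.com') {
  return {
    hasBrowsingContext: true,
    scheme,
    host,
    domain: host,
    sandboxFlags: sandboxAttribute === null ? 0 : parseSandboxPolicy(sandboxAttribute),
  };
}

// Tries the same assignment under several sandbox policies and reports the
// outcome per policy, so the effect of allow-same-origin is visible side by side.
function compareSandboxPolicies(newDomain = 'example.com') {
  const policies = {
    unsandboxed: null,
    sameOriginOnly: 'allow-same-origin',
    scriptsAndSameOrigin: 'allow-scripts allow-same-origin',
    everyKeyword: Object.keys(ALLOW_KEYWORDS).join(' '),
  };
  const outcome = {};
  for (const [name, attribute] of Object.entries(policies)) {
    try {
      outcome[name] = 'allowed: ' + setDomain(makeDocument(attribute), newDomain);
    } catch (e) {
      outcome[name] = `${e.name}: ${e.message}`;
    }
  }
  return outcome;
}

console.log(compareSandboxPolicies());
```

Run it with Node: only the unsandboxed document gets `allowed: example.com`; every sandboxed variant, including the one with every allow-* keyword, is refused with the sandbox message before the scheme and suffix checks are reached, which is the ordering the patch adds.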

index d2b0150..612d008 100644 (file)
@@ -1,3 +1,15 @@
+2017-08-08  Brent Fulgham  <bfulgham@apple.com>
+
+        Sandbox flags do not support document.domain control
+        https://bugs.webkit.org/show_bug.cgi?id=175281
+        <rdar://problem/33778936>
+
+        Reviewed by Chris Dumez.
+
+        * fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
+        * fast/frames/sandboxed-iframe-domain.html: Added.
+        * fast/frames/sandboxed-iframe-domain-expected.txt: Added.
+
 2017-08-08  Matt Lewis  <jlewis3@apple.com>
 
         Skipping imported/w3c/IndexedDB-private-browsing/idbfactory_open12.html
diff --git a/LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html b/LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html
new file mode 100644 (file)
index 0000000..00ee059
--- /dev/null
@@ -0,0 +1,14 @@
+<script>
+function runTest()
+{
+    try {
+        document.domain = 'localhost';
+        window.top.performedDomainChange("Allowed to set document.domain", true);
+    } catch (e) {
+        window.top.performedDomainChange("Denied: " + e.message, false);
+    }
+}
+</script>
+<body onload="runTest();">
+    TEST CONTENT
+</body>
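Review bot: the catch block in runTest() reports every exception as a denial and passes `false` to performedDomainChange, so the parent's PASS verdict cannot tell the new sandbox SecurityError apart from an unrelated refusal (the scheme and suffix checks further down setDomain would also reject 'localhost' for a document that is not served from it); only the debug() text in the expected file distinguishes them. Check the exception before reporting, e.g. `var isSandboxDenial = (e.name === 'SecurityError' && e.message.indexOf('sandboxed') !== -1);` and pass `!isSandboxDenial` as the second argument, so any other failure shows up as FAIL rather than as a spurious pass.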
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt
new file mode 100644 (file)
index 0000000..d19aaa4
--- /dev/null
@@ -0,0 +1,11 @@
+This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Denied: Assignment is forbidden for sandboxed iframes.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+PASS
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-domain.html b/LayoutTests/fast/frames/sandboxed-iframe-domain.html
new file mode 100644 (file)
index 0000000..ec33e78
--- /dev/null
@@ -0,0 +1,19 @@
+<html>
+<head>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.");
+
+function performedDomainChange(message, allowed)
+{
+    debug(message);
+    document.getElementById("test_status").innerHTML = (allowed ? "FAIL" : "PASS");
+    finishJSTest();
+}
+</script>
+</head>
+<body>
+    <iframe sandbox="allow-scripts allow-same-origin" src="resources/sandboxed-iframe-set-domain.html"></iframe>
+    <p id='test_status'>FAIL: Script didn't run</p>
+</body>
+</html>
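Review bot: the test only exercises the negative case, so it would also pass if document.domain assignment were broken for every frame; add an unsandboxed control iframe that loads the same resource and is expected to report "Allowed to set document.domain", which in turn means serving the test from an origin for which 'localhost' is a valid target (under http/tests rather than fast/frames). Completion is driven by the child's callback into finishJSTest(), so set `jsTestIsAsync = true;` next to the description() call so the harness waits for that callback instead of relying on the iframe's onload handler running before the parent's load event.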
index 0475c4c..d483fe9 100644 (file)
@@ -1,3 +1,21 @@
+2017-08-08  Brent Fulgham  <bfulgham@apple.com>
+
+        Sandbox flags do not support document.domain control
+        https://bugs.webkit.org/show_bug.cgi?id=175281
+        <rdar://problem/33778936>
+
+        Reviewed by Chris Dumez.
+
+        Update the 'setDomain' logic to honor the sandbox properties as defined in the current
+        HTML5 specification. This brings us in line with how Chrome and other browsers have
+        worked for some time.
+
+        Test: fast/frames/sandboxed-iframe-domain.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
+        * dom/SecurityContext.h:
+
 2017-08-08  Jeremy Jones  <jeremyj@apple.com>
 
         Change fast seek logic to prevent ping-ponging.
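Review bot: the `* dom/SecurityContext.h:` entry carries no description; ChangeLog convention is to say what changed in the file, e.g. `* dom/SecurityContext.h: Add SandboxDocumentDomain flag.`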
index c893bcd..96d3383 100644 (file)
@@ -4487,11 +4487,12 @@ ExceptionOr<void> Document::setDomain(const String& newDomain)
     if (!frame())
         return Exception { SecurityError, "A browsing context is required to set a domain." };
 
+    if (isSandboxed(SandboxDocumentDomain))
+        return Exception { SecurityError, "Assignment is forbidden for sandboxed iframes." };
+
     if (SchemeRegistry::isDomainRelaxationForbiddenForURLScheme(securityOrigin().protocol()))
         return Exception { SecurityError };
 
-    // FIXME(175281): Check for 'document.domain' sandbox flag and return an exception if present.
-
     // FIXME: We should add logging indicating why a domain was not allowed.
 
     const String& effectiveDomain = domain();
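Review bot: the message "Assignment is forbidden for sandboxed iframes." is narrower than the condition it reports; isSandboxed(SandboxDocumentDomain) is true for any document whose sandboxing flag set carries that bit, however the flags were applied, so "sandboxed documents" (or "sandboxed frames") would be the accurate wording. Placement is right: the check follows the browsing-context check and precedes the scheme check, matching the order of the HTML setter steps. Note that the remaining "FIXME: We should add logging" now applies chiefly to the SchemeRegistry branch, which still returns a bare `Exception { SecurityError }` with no message while the new branch explains itself.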
index a46f985..06ebd42 100644 (file)
@@ -51,6 +51,7 @@ enum SandboxFlag {
     SandboxPointerLock          = 1 << 8,
     SandboxPropagatesToAuxiliaryBrowsingContexts = 1 << 9,
     SandboxTopNavigationByUserActivation = 1 << 10,
+    SandboxDocumentDomain       = 1 << 11,
     SandboxAll                  = -1 // Mask with all bits set to 1.
 };
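Review bot: nothing in the patch sets SandboxDocumentDomain explicitly; it is only ever included through `SandboxAll = -1` and then survives because no allow-* keyword clears it, which is exactly what the test relies on (allow-same-origin does not relax it). Add a comment on the enumerator saying so, e.g. `SandboxDocumentDomain = 1 << 11, // Never cleared by an allow-* keyword; set whenever a sandbox is applied.`, so that any code path that builds a flag mask by OR-ing individual bits instead of starting from SandboxAll is not written without it.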