Clean up access checks in JSHistoryCustom.cpp
authorap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Apr 2015 19:50:13 +0000 (19:50 +0000)
committerap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Apr 2015 19:50:13 +0000 (19:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=143227

Reviewed by Sam Weinig.

Source/WebCore:

* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::putDelegate):
(WebCore::JSHistory::deleteProperty):
(WebCore::JSHistory::deletePropertyByIndex):
(WebCore::JSHistory::getOwnPropertyNames):
(WebCore::JSHistory::pushState):
(WebCore::JSHistory::replaceState):

LayoutTests:

* http/tests/security/cross-frame-access-call-expected.txt:
* http/tests/security/cross-frame-access-call.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@182284 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
LayoutTests/http/tests/security/cross-frame-access-call.html
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSHistoryCustom.cpp

index a307508..4bd3f9c 100644 (file)
@@ -1,5 +1,15 @@
 2015-04-02  Alexey Proskuryakov  <ap@apple.com>
 
+        Clean up access checks in JSHistoryCustom.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=143227
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/security/cross-frame-access-call-expected.txt:
+        * http/tests/security/cross-frame-access-call.html:
+
+2015-04-02  Alexey Proskuryakov  <ap@apple.com>
+
         media/track/track-forced-subtitles-in-band.html times out
 
         * platform/mac/TestExpectations: Update the expectations - the test doens't only fail
index 780f1ca..7387be3 100644 (file)
@@ -59,4 +59,6 @@ PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
 PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
+PASS: history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
+PASS: history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar') should be 'undefined' and is.
 
index bbff3fd..67d56ef 100644 (file)
@@ -63,6 +63,10 @@ window.onload = function()
     // undefined value indicates failure
     shouldBe("window.location.toString.call(targetWindow.location)", "undefined");
 
+    // - Tests for the History object -
+    shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"), 
+    shouldBe("history.replaceState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined"), 
+
     // Work around DRT bug that causes subsequent tests to fail.
     window.stop();
 }
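Review bot: The two added shouldBe calls end with `, ` instead of `;`, so together with the following `window.stop();` they form one comma expression; it evaluates in the same order, but a reviewer should fix the terminators: `shouldBe("history.pushState.call(targetWindow.history, {}, '', 'http://localhost:8000/foobar')", "undefined");` and the same for replaceState. The assertion itself is also weak for these two entry points: unlike `window.location.toString.call(...)` above, pushState and replaceState return undefined on success as well as when access is denied, so the "undefined" expectation cannot by itself detect a regression of the new check; presumably the blocked-access console message recorded in the expectations file is what actually distinguishes the two outcomes, and a comment saying so next to these calls would make that explicit.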
index 7da0840..f97a11e 100644 (file)
@@ -1,3 +1,18 @@
+2015-04-02  Alexey Proskuryakov  <ap@apple.com>
+
+        Clean up access checks in JSHistoryCustom.cpp
+        https://bugs.webkit.org/show_bug.cgi?id=143227
+
+        Reviewed by Sam Weinig.
+
+        * bindings/js/JSHistoryCustom.cpp:
+        (WebCore::JSHistory::putDelegate):
+        (WebCore::JSHistory::deleteProperty):
+        (WebCore::JSHistory::deletePropertyByIndex):
+        (WebCore::JSHistory::getOwnPropertyNames):
+        (WebCore::JSHistory::pushState):
+        (WebCore::JSHistory::replaceState):
+
 2015-04-02  Alex Christensen  <achristensen@webkit.org>
 
         [Content Extensions] Only add unique universal action locations.
index 8258270..d407351 100644 (file)
@@ -76,7 +76,6 @@ bool JSHistory::getOwnPropertySlotDelegate(ExecState* exec, PropertyName propert
 
 bool JSHistory::putDelegate(ExecState* exec, PropertyName, JSValue, PutPropertySlot&)
 {
-    // Only allow putting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, impl().frame()))
         return true;
     return false;
@@ -85,7 +84,6 @@ bool JSHistory::putDelegate(ExecState* exec, PropertyName, JSValue, PutPropertyS
 bool JSHistory::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(cell);
-    // Only allow deleting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
@@ -94,7 +92,6 @@ bool JSHistory::deleteProperty(JSCell* cell, ExecState* exec, PropertyName prope
 bool JSHistory::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(cell);
-    // Only allow deleting by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return false;
     return Base::deletePropertyByIndex(thisObject, exec, propertyName);
@@ -103,7 +100,6 @@ bool JSHistory::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned pr
 void JSHistory::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
     JSHistory* thisObject = jsCast<JSHistory*>(object);
-    // Only allow the history object to enumerated by frames in the same origin.
     if (!shouldAllowAccessToFrame(exec, thisObject->impl().frame()))
         return;
     Base::getOwnPropertyNames(thisObject, exec, propertyNames, mode);
@@ -125,6 +121,9 @@ JSValue JSHistory::state(ExecState *exec) const
 
 JSValue JSHistory::pushState(ExecState* exec)
 {
+    if (!shouldAllowAccessToFrame(exec, impl().frame()))
+        return jsUndefined();
+
     RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
     if (exec->hadException())
         return jsUndefined();
@@ -151,6 +150,9 @@ JSValue JSHistory::pushState(ExecState* exec)
 
 JSValue JSHistory::replaceState(ExecState* exec)
 {
+    if (!shouldAllowAccessToFrame(exec, impl().frame()))
+        return jsUndefined();
+
     RefPtr<SerializedScriptValue> historyState = SerializedScriptValue::create(exec, exec->argument(0), 0, 0);
     if (exec->hadException())
         return jsUndefined();
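Review bot: The two new guards at the top of pushState's and replaceState's bodies carry no comment, and the same commit strips the `// Only allow ... by frames in the same origin.` comments from putDelegate, deleteProperty, deletePropertyByIndex and getOwnPropertyNames without replacement, so the file no longer says anywhere why these checks exist or why they sit where they do. The placement is the security-relevant part: the check runs before `SerializedScriptValue::create(exec, exec->argument(0), 0, 0)`, so a caller that fails the origin check never gets its argument structured-cloned against the target's history, and serialization may run caller-side script (getters, for instance), which is worth stating; suggested comment above each guard: `// Origin check first: a cross-origin caller must be rejected before its state argument is serialized.` On denial both functions return jsUndefined(), the same value a successful call returns, so the caller cannot distinguish the two from the return value alone; whether shouldAllowAccessToFrame reports the denial (e.g. a console message) is not visible in this hunk. Both pushState and replaceState continue past the end of their hunks.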