X-Frame-Options: Blocked resources should fire load events.
author mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2013 21:56:07 +0000 (21:56 +0000)
committer mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2013 21:56:07 +0000 (21:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=113192

Reviewed by Nate Chapin.

Source/WebCore:

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived):
    Fire a load event on the frame's owner element when denying access
    due to X-Frame-Options header content. This brings us in-line with
    Gecko and IE, which both trigger load events currently.

LayoutTests:

* http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
* http/tests/security/XFrameOptions/x-frame-options-deny.html:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
    Add some expectations around the 'load' event to ensure it's fired.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147164 268f45cc-cd09-0410-ab3c-d52691b4dbfc

15 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp

index 13df10a..560f5bb 100644 (file)
@@ -1,3 +1,24 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Blocked resources should fire load events.
+        https://bugs.webkit.org/show_bug.cgi?id=113192
+
+        Reviewed by Nate Chapin.
+
+        * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny.html:
+        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+            Add some expectations around the 'load' event to ensure it's fired.
+
 2013-03-28  Levi Weintraub  <leviw@chromium.org>
 
         Disable font measurement optimization for Chromium-mac when there are font-feature-settings.
index 0228326..4626684 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
 There should be no content in the iframe below
 
index 1d25226..b893324 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+ALERT: PASS: onload fired.
 There should be content in the iframe below
 
 
index bbce42b..faad148 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html" onload="alert('PASS: onload fired.');"></iframe>
index c3529ca..573f720 100644 (file)
@@ -1,2 +1,3 @@
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.  
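Review bot: This baseline gains only one "ALERT: PASS: onload fired." line, although the test page sets onload on two iframes and the platform/chromium baseline for the same test records two ALERT lines. The existing single CONSOLE MESSAGE line suggests the second frame's output was already absent here, but with this change it means the generic expectation does not show a load event for every blocked frame. Please confirm whether the second event is really dispatched on this port and, if it is, regenerate the baseline so both alerts are recorded.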
index 87afcaa..05be6d7 100644 (file)
@@ -8,7 +8,7 @@ if (window.testRunner)
 <body>
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.
 
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
 </body>
 </html>
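Review bot: Both iframes get the identical handler, onload="alert('PASS: onload fired.');", so the expected output cannot distinguish one frame firing twice from each frame firing once. Give each iframe its own message (for example a frame number in the string) so the baseline proves that each blocked frame received exactly one load event.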
index 3b486a2..2c41f46 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
index ad6e39f..3b7c242 100644 (file)
@@ -1,6 +1,7 @@
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
 There should be no content in the iframe below
 
index 0c3e2af..ee369df 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi" onload="alert('PASS: onload fired.');"></iframe>
index 123ffd2..90f453c 100644 (file)
@@ -1,5 +1,6 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
 There should be no content in the iframe below
 
index b0e3e55..ac55dfe 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didFinishLoading
+ALERT: PASS: onload fired.
 There should be content in the iframe below
 
 
index 8b26eb9..c57fdd6 100644 (file)
@@ -1,3 +1,5 @@
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.  
index 85baf06..868fce8 100644 (file)
@@ -1,5 +1,6 @@
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
 There should be no content in the iframe below
 
index 2d1c104..40e474d 100644 (file)
@@ -1,3 +1,16 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Blocked resources should fire load events.
+        https://bugs.webkit.org/show_bug.cgi?id=113192
+
+        Reviewed by Nate Chapin.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+            Fire a load event on the frame's owner element when denying access
+            due to X-Frame-Options header content. This brings us in-line with
+            Gecko and IE, which both trigger load events currently.
+
 2013-03-28  Tien-Ren Chen  <trchen@chromium.org>
 
         Support bottom-right anchored fixed-position elements during a pinch gesture
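Review bot: The WebCore entry names the function and the reason (parity with Gecko and IE) but does not say how the change is tested. Add a line pointing at the updated http/tests/security/XFrameOptions tests, and state that the event is dispatched as non-bubbling and non-cancelable, since those are the two false arguments passed to Event::create in the code.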
index 2d514ad..010b066 100644 (file)
@@ -45,6 +45,7 @@
 #include "FrameLoaderClient.h"
 #include "FrameTree.h"
 #include "HTMLFormElement.h"
+#include "HTMLFrameOwnerElement.h"
 #include "HistoryItem.h"
 #include "InspectorInstrumentation.h"
 #include "Logging.h"
@@ -588,6 +589,8 @@ void DocumentLoader::responseReceived(CachedResource* resource, const ResourceRe
             InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, identifier, response);
             String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
             frame()->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, identifier);
+            if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
+                ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
             cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
             return;
         }
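Review bot: The load event is dispatched synchronously on the owner element before cancelMainResourceLoad(frameLoader()->cancelledError(m_request)) runs, so the page's onload handler executes script while this loader is still inside responseReceived. A handler that removes or navigates the iframe could detach the frame before the next line uses frameLoader() and m_request. Unless a protector for the loader and frame is already held earlier in the function (not visible in this hunk), capture ownerElement in a RefPtr, cancel the load first and dispatch afterwards, or hold a protector across the dispatch. The updated baselines place "ALERT: PASS: onload fired." ahead of didFailLoadingWithError, so this ordering is observable and would need rebaselining if changed.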