LayoutTests:
authormjs <mjs@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Aug 2007 03:25:11 +0000 (03:25 +0000)
committermjs <mjs@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 13 Aug 2007 03:25:11 +0000 (03:25 +0000)
        Reviewed by Darin and Sam.

        - test cases for <rdar://problem/5395213> cross-domain access to individual components of location object should be denied.

        * http/tests/security/cross-frame-access-location-expected.txt: This test's results changed, there are more debug messages due to access being legitimately denied.

        The remainder are new tests and support:

        * http/tests/security/resources/xss-DENIED-assign-location-hash-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-host-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-host-failure.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-hostname-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-hostname-failure.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-pathname-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-pathname-failure.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-protocol-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-protocol-failure.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-reload-attacker.html: Added.
        * http/tests/security/resources/xss-DENIED-assign-location-search-attacker.html: Added.
        * http/tests/security/xss-DENIED-assign-location-hash-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-hash.html: Added.
        * http/tests/security/xss-DENIED-assign-location-host-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-host.html: Added.
        * http/tests/security/xss-DENIED-assign-location-hostname-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-hostname.html: Added.
        * http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-nonstandardProperty.html: Added.
        * http/tests/security/xss-DENIED-assign-location-pathname-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-pathname.html: Added.
        * http/tests/security/xss-DENIED-assign-location-protocol-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-protocol.html: Added.
        * http/tests/security/xss-DENIED-assign-location-reload-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-reload.html: Added.
        * http/tests/security/xss-DENIED-assign-location-search-expected.txt: Added.
        * http/tests/security/xss-DENIED-assign-location-search.html: Added.

WebCore:

        Reviewed by Darin and Sam.

        <rdar://problem/5395213> cross-domain access to individual components of location object should be denied.

        * bindings/js/kjs_window.cpp:
        (KJS::Location::put): Add the appropriate cross-domain access checks.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@25028 268f45cc-cd09-0410-ab3c-d52691b4dbfc

32 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-frame-access-location-expected.txt
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hash-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-failure.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-failure.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-failure.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-failure.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-reload-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-search-attacker.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-hash.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-host.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-reload.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-assign-location-search.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/bindings/js/kjs_window.cpp

index c78aa98..f14f09e 100644 (file)
@@ -1,3 +1,42 @@
+2007-08-12  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Darin and Sam.
+        
+        - test cases for <rdar://problem/5395213> cross-domain access to individual components of location object should be denied.
+
+        * http/tests/security/cross-frame-access-location-expected.txt: This test's results changed, there are more debug messages due to access being legitimately denied.
+        
+        The remainder are new tests and support:
+
+        * http/tests/security/resources/xss-DENIED-assign-location-hash-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-host-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-host-failure.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-hostname-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-hostname-failure.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-pathname-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-pathname-failure.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-protocol-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-protocol-failure.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-reload-attacker.html: Added.
+        * http/tests/security/resources/xss-DENIED-assign-location-search-attacker.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-hash-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-hash.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-host-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-host.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-hostname-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-hostname.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-nonstandardProperty.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-pathname-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-pathname.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-protocol-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-protocol.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-reload-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-reload.html: Added.
+        * http/tests/security/xss-DENIED-assign-location-search-expected.txt: Added.
+        * http/tests/security/xss-DENIED-assign-location-search.html: Added.
+
 2007-08-12  Darin Adler  <darin@apple.com>
 
         Reviewed by Maciej.
index 1920c3c..ad213ec 100644 (file)
@@ -42,6 +42,24 @@ CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http
 
 CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
 
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-get-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-location.html. Domains, protocols and ports must match.
+
 
 
 ----- tests for getting/setting window.location and its properties -----
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hash-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hash-attacker.html
new file mode 100644 (file)
index 0000000..b3e8e4a
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.hash = "hax0red";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-attacker.html
new file mode 100644 (file)
index 0000000..0cb5e6f
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.host = "localhost:8000/security/resources/xss-DENIED-assign-location-host-failure.html?";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-failure.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-host-failure.html
new file mode 100644 (file)
index 0000000..92d0604
--- /dev/null
@@ -0,0 +1,6 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+</script>
+
+FAIL: cross-site assignment of location.host was allowed.
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-attacker.html
new file mode 100644 (file)
index 0000000..6b58fcb
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.hostname = "localhost:8000/security/resources/xss-DENIED-assign-location-hostname-failure.html?";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-failure.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-hostname-failure.html
new file mode 100644 (file)
index 0000000..7b4df34
--- /dev/null
@@ -0,0 +1,6 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+</script>
+
+FAIL: cross-site assignment of location.hostname was allowed.
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html
new file mode 100644 (file)
index 0000000..44472aa
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.nonstandardProperty = "hax0red";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-attacker.html
new file mode 100644 (file)
index 0000000..537f630
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.pathname = "/security/resources/xss-DENIED-assign-location-pathname-failure.html";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-failure.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-pathname-failure.html
new file mode 100644 (file)
index 0000000..77edbf3
--- /dev/null
@@ -0,0 +1,6 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+</script>
+
+FAIL: cross-site assignment of location.pathname was allowed.
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-attacker.html
new file mode 100644 (file)
index 0000000..a80c340
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.protocol = "http://localhost:8000/security/resources/xss-DENIED-assign-location-protocol-failure.html?";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-failure.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-protocol-failure.html
new file mode 100644 (file)
index 0000000..d8ef311
--- /dev/null
@@ -0,0 +1,6 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+</script>
+
+FAIL: cross-site assignment of location.protocol was allowed.
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-reload-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-reload-attacker.html
new file mode 100644 (file)
index 0000000..6789d9d
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.replace = "hax0red";
+</script>
diff --git a/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-search-attacker.html b/LayoutTests/http/tests/security/resources/xss-DENIED-assign-location-search-attacker.html
new file mode 100644 (file)
index 0000000..e366e83
--- /dev/null
@@ -0,0 +1,5 @@
+<script>
+var victim = parent;
+
+victim.location.search = "?hax0red";
+</script>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash-expected.txt
new file mode 100644 (file)
index 0000000..d45cc3d
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-hash.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-hash-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.hash not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-hash.html
new file mode 100644 (file)
index 0000000..88cfdec
--- /dev/null
@@ -0,0 +1,25 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function finish()
+{
+    if (location.hash.length == 0)
+        document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.hash not allowed";
+    else
+        document.getElementById("console").innerHTML = "FAIL: cross-site assignment of location.hash was allowed!";
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="finish()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-hash-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-host-expected.txt
new file mode 100644 (file)
index 0000000..eb42fdf
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-host.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-host-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.host not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-host.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-host.html
new file mode 100644 (file)
index 0000000..6aa1cd1
--- /dev/null
@@ -0,0 +1,21 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function success()
+{
+    document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.host not allowed";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="success()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-host-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
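Review bot: `success()` prints PASS as soon as the parent's load event fires and never looks at where the page ended up, so the verdict depends on a wrongly allowed navigation to the `-failure.html` page happening before `onload`. `Location::put` hands the change to `scheduleLocationChange`, so that ordering is presumably timer-dependent and a regressed build could still report PASS. Deferring the verdict would remove the dependency, for example by calling `layoutTestController.notifyDone()` from a `setTimeout` callback instead of directly in `success()`, with a comment explaining that the delay gives a scheduled navigation time to load the failure page. The same pattern is in xss-DENIED-assign-location-hostname.html, xss-DENIED-assign-location-pathname.html and xss-DENIED-assign-location-protocol.html.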
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname-expected.txt
new file mode 100644 (file)
index 0000000..889ce8c
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-hostname.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-hostname-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.hostname not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-hostname.html
new file mode 100644 (file)
index 0000000..9d1175a
--- /dev/null
@@ -0,0 +1,21 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function success()
+{
+    document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.hostname not allowed";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="success()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-hostname-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty-expected.txt
new file mode 100644 (file)
index 0000000..51abc21
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-nonstandardProperty.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.nonstandardProperty not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-nonstandardProperty.html
new file mode 100644 (file)
index 0000000..a55124f
--- /dev/null
@@ -0,0 +1,25 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function finish()
+{
+    if (location.nonstandardProperty != "hax0red")
+        document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.nonstandardProperty not allowed";
+    else
+        document.getElementById("console").innerHTML = "FAIL: cross-site assignment of location.nonstandardProperty was allowed!";
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="finish()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-nonstandardProperty-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname-expected.txt
new file mode 100644 (file)
index 0000000..218325d
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-pathname.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-pathname-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.pathname not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-pathname.html
new file mode 100644 (file)
index 0000000..80c2f15
--- /dev/null
@@ -0,0 +1,21 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function success()
+{
+    document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.pathname not allowed";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="success()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-pathname-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol-expected.txt
new file mode 100644 (file)
index 0000000..97bf138
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-protocol.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-protocol-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.protocol not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-protocol.html
new file mode 100644 (file)
index 0000000..0f200c2
--- /dev/null
@@ -0,0 +1,21 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function success()
+{
+    document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.protocol not allowed";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="success()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-protocol-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload-expected.txt
new file mode 100644 (file)
index 0000000..1a96a2f
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-reload.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-reload-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.replace not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-reload.html
new file mode 100644 (file)
index 0000000..3883482
--- /dev/null
@@ -0,0 +1,25 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function finish()
+{
+    if (location.reload != "hax0red")
+        document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.replace not allowed";
+    else
+        document.getElementById("console").innerHTML = "FAIL: cross-site assignment of location.replace was allowed!";
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="finish()">
+
+    <iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-reload-attacker.html"></iframe>
+
+<div id="console"></div>
+</body>
+</html>
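Review bot: The check in `finish()` reads `location.reload`, but the attacker frame (resources/xss-DENIED-assign-location-reload-attacker.html) assigns `victim.location.replace`, and the PASS/FAIL strings say `location.replace` in a file named `-reload`. The condition therefore tests a property the attacker never wrote, and a built-in method compared with the string "hax0red" is unequal whether or not the write was blocked, so the FAIL branch is unreachable. The only real signal is the console message in the expected output. Align the attacker, the check and the messages on one property, e.g. `if (location.replace != "hax0red")`, or change the attacker to `victim.location.reload = "hax0red";` and fix the strings, and consider covering both methods with separate tests.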
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-assign-location-search-expected.txt
new file mode 100644 (file)
index 0000000..80bb92e
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/xss-DENIED-assign-location-search.html from frame with URL http://localhost:8000/security/resources/xss-DENIED-assign-location-search-attacker.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site assignment of location.search not allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-assign-location-search.html b/LayoutTests/http/tests/security/xss-DENIED-assign-location-search.html
new file mode 100644 (file)
index 0000000..56285dd
--- /dev/null
@@ -0,0 +1,29 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function finish()
+{
+    if (location.search.length == 0)
+        document.getElementById("console").innerHTML = "PASS: cross-site assignment of location.search not allowed";
+    else
+        document.getElementById("console").innerHTML = "FAIL: cross-site assignment of location.search was allowed!";
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+
+<body onload="finish()">
+
+<script>
+if (location.search == 0) {
+    document.write('<iframe src="http://localhost:8000/security/resources/xss-DENIED-assign-location-search-attacker.html"></iframe>');
+}
+</script>
+
+<div id="console"></div>
+</body>
+</html>
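Review bot: The guard `if (location.search == 0)` in the inline script compares a string with a number and only works because the empty string coerces to 0. `finish()` in the same file uses `location.search.length == 0`, and the guard should match it: `if (location.search.length == 0) {`. This guard is what stops the attacker iframe being re-inserted if the page were wrongly navigated to `?hax0red`, so it deserves a one-line comment such as `// only load the attacker frame on the first, query-less load`.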
index ec3d171..d3b5547 100644 (file)
@@ -1,3 +1,12 @@
+2007-08-12  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Darin and Sam.
+        
+        <rdar://problem/5395213> cross-domain access to individual components of location object should be denied.
+
+        * bindings/js/kjs_window.cpp:
+        (KJS::Location::put): Add the appropriate cross-domain access checks.
+
 2007-08-12  Darin Adler  <darin@apple.com>
 
         Reviewed by John Sullivan.
index fd2da64..eacb403 100644 (file)
@@ -1722,59 +1722,69 @@ void Location::put(ExecState *exec, const Identifier &p, JSValue *v, int attr)
 
   DeprecatedString str = v->toString(exec);
   KURL url = m_frame->loader()->url();
+  const Window* window = Window::retrieveWindow(m_frame);
+  bool sameDomainAccess = window && window->isSafeScript(exec);
+
   const HashEntry *entry = Lookup::findEntry(&LocationTable, p);
-  if (entry)
-    switch (entry->value) {
-    case Href: {
-      Frame* p = Window::retrieveActive(exec)->impl()->frame();
-      if ( p )
-        url = p->loader()->completeURL(str).url();
-      else
-        url = str;
-      break;
-    }
-    case Hash: {
-      if (str.startsWith("#"))
-        str = str.mid(1);
 
-      if (url.ref() == str)
+  if (entry) {
+      // cross-domain access to the location is allowed when assigning the whole location,
+      // but not when assigning the individual pieces, since that might inadvertently
+      // disclose other parts of the original location.
+      if (entry->value != Href && !sameDomainAccess)
           return;
 
-      url.setRef(str);
-      break;
-    }
-    case Host: {
-      url.setHostAndPort(str);
-      break;
-    }
-    case Hostname:
-      url.setHost(str);
-      break;
-    case Pathname:
-      url.setPath(str);
-      break;
-    case Port:
-      url.setPort(str.toUInt());
-      break;
-    case Protocol:
-      url.setProtocol(str);
-      break;
-    case Search:
-      url.setQuery(str);
-      break;
-    default:
-      // Disallow changing other properties in LocationTable. e.g., "window.location.toString = ...".
-      // <http://bugs.webkit.org/show_bug.cgi?id=12720>
+      switch (entry->value) {
+      case Href: {
+          Frame* frame = Window::retrieveActive(exec)->impl()->frame();
+          if (frame)
+              url = frame->loader()->completeURL(str).url();
+          else
+              url = str;
+          break;
+      } 
+      case Hash: {
+          if (str.startsWith("#"))
+              str = str.mid(1);
+          
+          if (url.ref() == str)
+              return;
+
+          url.setRef(str);
+          break;
+      }
+      case Host: {
+          url.setHostAndPort(str);
+          break;
+      }
+      case Hostname:
+          url.setHost(str);
+          break;
+      case Pathname:
+          url.setPath(str);
+          break;
+      case Port:
+          url.setPort(str.toUInt());
+          break;
+      case Protocol:
+          url.setProtocol(str);
+          break;
+      case Search:
+          url.setQuery(str);
+          break;
+      default:
+          // Disallow changing other properties in LocationTable. e.g., "window.location.toString = ...".
+          // <http://bugs.webkit.org/show_bug.cgi?id=12720>
+          return;
+      }
+  } else {
+      if (sameDomainAccess)
+          JSObject::put(exec, p, v, attr);
       return;
-    }
-  else {
-    JSObject::put(exec, p, v, attr);
-    return;
   }
 
-  const Window* window = Window::retrieveWindow(m_frame);
   Frame* activeFrame = Window::retrieveActive(exec)->impl()->frame();
-  if (!url.url().startsWith("javascript:", false) || (window && window->isSafeScript(exec))) {
+  if (!url.url().startsWith("javascript:", false) || sameDomainAccess) {
     bool userGesture = static_cast<ScriptInterpreter *>(exec->dynamicInterpreter())->wasRunByUserGesture();
     m_frame->loader()->scheduleLocationChange(url.url(), activeFrame->loader()->outgoingReferrer(), false, userGesture);
   }
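Review bot: `activeFrame` is dereferenced unguarded in the `scheduleLocationChange` call at the end of the hunk, although the rewritten `Href` case treats the same expression, `Window::retrieveActive(exec)->impl()->frame()`, as possibly null (`if (frame)`). If a null frame is reachable there it is reachable here too, so the final condition should cover it, e.g. `if (activeFrame && (!url.url().startsWith("javascript:", false) || sameDomainAccess)) {`. Separately, `sameDomainAccess` is now computed before the table lookup for every assignment, where the old code only called `isSafeScript` for `javascript:` URLs. If `isSafeScript` is what emits the "Unsafe JavaScript attempt" console message (not visible here), permitted cross-domain `href` assignments would now log a denial as well, which is worth a comment or a lazily evaluated check. `Location::put` begins above the hunk and its closing brace lies outside it.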