Handle Storage Access API calls in the absence of an attached frame
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jun 2018 16:46:47 +0000 (16:46 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 7 Jun 2018 16:46:47 +0000 (16:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186373
<rdar://problem/40028265>

Reviewed by Daniel Bates.

Source/WebCore:

Tests: http/tests/storageAccess/has-storage-access-crash.html
       http/tests/storageAccess/request-storage-access-crash.html

The new frame-specific storage access checks were done without confirming a
frame was present, although the frame state was validated in other parts of
the same method.

This patch checks for a non-null frame before making frame-specific calls.

* dom/Document.cpp:
(WebCore::Document::hasStorageAccess):
(WebCore::Document::requestStorageAccess):

LayoutTests:

* http/tests/storageAccess/has-storage-access-crash-expected.txt: Added.
* http/tests/storageAccess/has-storage-access-crash.html: Added.
* http/tests/storageAccess/request-storage-access-crash-expected.txt: Added.
* http/tests/storageAccess/request-storage-access-crash.html: Added.
* platform/mac-wk2/TestExpectations: Add the two new tests for HighSierra+

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232584 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/storageAccess/has-storage-access-crash.html [new file with mode: 0644]
LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/storageAccess/request-storage-access-crash.html [new file with mode: 0644]
LayoutTests/platform/mac-wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index 832cf6b..9e57066 100644 (file)
@@ -1,3 +1,17 @@
+2018-06-07  Brent Fulgham  <bfulgham@apple.com>
+
+        Handle Storage Access API calls in the absence of an attached frame
+        https://bugs.webkit.org/show_bug.cgi?id=186373
+        <rdar://problem/40028265>
+
+        Reviewed by Daniel Bates.
+
+        * http/tests/storageAccess/has-storage-access-crash-expected.txt: Added.
+        * http/tests/storageAccess/has-storage-access-crash.html: Added.
+        * http/tests/storageAccess/request-storage-access-crash-expected.txt: Added.
+        * http/tests/storageAccess/request-storage-access-crash.html: Added.
+        * platform/mac-wk2/TestExpectations: Add the two new tests for HighSierra+
+
 2018-06-06  Youenn Fablet  <youenn@apple.com>
 
         HTTP Header values validation is too strict
diff --git a/LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt b/LayoutTests/http/tests/storageAccess/has-storage-access-crash-expected.txt
new file mode 100644 (file)
index 0000000..4595baa
--- /dev/null
@@ -0,0 +1,5 @@
+Test that querying storage access API on a detached frame doesn't crash.
+
+[object HTMLDocument]
+SUCCESS: Did not crash.
+
diff --git a/LayoutTests/http/tests/storageAccess/has-storage-access-crash.html b/LayoutTests/http/tests/storageAccess/has-storage-access-crash.html
new file mode 100644 (file)
index 0000000..bd93158
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+    function debug(str) {
+        var c = document.getElementById("console")
+        c.innerHTML += (str + "<br>")
+    }
+
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function runTest() {
+        var testDiv = document.getElementById("test");
+        var testFrame = document.createElement("iframe");
+        testDiv.appendChild(testFrame);
+        var testFrameDocument = testFrame.contentDocument;
+        testFrame.outerHTML = testFrameDocument;
+
+        testFrameDocument.hasStorageAccess();
+
+        debug("SUCCESS: Did not crash.")
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+</head>
+<body onload="runTest()">
+    <div id="test">
+        <p>Test that querying storage access API on a detached frame doesn't crash.</p>
+    </div>
+    <pre id="console"></pre>
+</body>
+</html>
\ No newline at end of file
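Review bot: The detach step at `testFrame.outerHTML = testFrameDocument;` is non-obvious and deserves a comment: assigning a document object to outerHTML stringifies it to "[object HTMLDocument]" (which is why that line appears in the expected output), replacing the iframe element in the markup and leaving testFrameDocument without a frame. A comment such as `// Replace the iframe element with text so its document is detached from any frame.` above that line would make the intent clear to the next reader. The promise returned by hasStorageAccess() is also ignored; since the test only asserts that the call does not crash this is presumably intended, but a one-line comment saying so would avoid a reader wondering about the missing resolve/reject handling. The same applies to the request-storage-access-crash.html section below.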
diff --git a/LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt b/LayoutTests/http/tests/storageAccess/request-storage-access-crash-expected.txt
new file mode 100644 (file)
index 0000000..b7d9903
--- /dev/null
@@ -0,0 +1,5 @@
+Test that requesting storage access API on a detached frame doesn't crash.
+
+[object HTMLDocument]
+SUCCESS: Did not crash.
+
diff --git a/LayoutTests/http/tests/storageAccess/request-storage-access-crash.html b/LayoutTests/http/tests/storageAccess/request-storage-access-crash.html
new file mode 100644 (file)
index 0000000..87862a4
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script>
+    function debug(str) {
+        var c = document.getElementById("console")
+        c.innerHTML += (str + "<br>")
+    }
+
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function runTest() {
+        var testDiv = document.getElementById("test");
+        var testFrame = document.createElement("iframe");
+        testDiv.appendChild(testFrame);
+        var testFrameDocument = testFrame.contentDocument;
+        testFrame.outerHTML = testFrameDocument;
+
+        testFrameDocument.requestStorageAccess();
+
+        debug("SUCCESS: Did not crash.")
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+</head>
+<body onload="runTest()">
+    <div id="test">
+        <p>Test that requesting storage access API on a detached frame doesn't crash.</p>
+    </div>
+    <pre id="console"></pre>
+</body>
+</html>
\ No newline at end of file
index 5b063bc..eaf091c 100644 (file)
@@ -721,8 +721,11 @@ webkit.org/b/172397 legacy-animation-engine/animations/needs-layout.html [ Pass
 # Touch events are not available on open source bots, thus only tested on Mac.
 http/tests/resourceLoadStatistics/user-interaction-in-cross-origin-sub-frame.html [ Pass ]
 http/tests/resourceLoadStatistics/user-interaction-reported-after-website-data-removal.html [ Pass ]
+
+[ HighSierra+ ] http/tests/storageAccess/has-storage-access-crash.html [ Pass ]
 [ HighSierra+ ] http/tests/storageAccess/request-and-grant-storage-access-cross-origin-non-sandboxed-iframe.html [ Pass ]
 [ HighSierra+ ] http/tests/storageAccess/request-and-grant-storage-access-cross-origin-sandboxed-iframe.html [ Pass ]
+[ HighSierra+ ] http/tests/storageAccess/request-storage-access-crash.html [ Pass ]
 [ HighSierra+ ] http/tests/storageAccess/request-storage-access-cross-origin-sandboxed-iframe-with-unique-origin.html [ Pass ]
 [ HighSierra+ ] http/tests/storageAccess/request-storage-access-cross-origin-sandboxed-iframe-without-allow-token.html [ Pass ]
 [ HighSierra+ ] http/tests/storageAccess/request-storage-access-same-origin-iframe.html [ Pass ]
index 824dd7c..2bd0949 100644 (file)
@@ -1,3 +1,24 @@
+2018-06-07  Brent Fulgham  <bfulgham@apple.com>
+
+        Handle Storage Access API calls in the absence of an attached frame
+        https://bugs.webkit.org/show_bug.cgi?id=186373
+        <rdar://problem/40028265>
+
+        Reviewed by Daniel Bates.
+
+        Tests: http/tests/storageAccess/has-storage-access-crash.html
+               http/tests/storageAccess/request-storage-access-crash.html
+
+        The new frame-specific storage access checks were done without confirming a
+        frame was present, although the frame state was validated in other parts of
+        the same method.
+        
+        This patch checks for a non-null frame before making frame-specific calls.
+
+        * dom/Document.cpp:
+        (WebCore::Document::hasStorageAccess):
+        (WebCore::Document::requestStorageAccess):
+
 2018-06-07  Zalan Bujtas  <zalan@apple.com>
 
         [LFC] Merge height and vertical margin computation
index 50ddc9a..3b8d419 100644 (file)
@@ -7527,7 +7527,7 @@ void Document::hasStorageAccess(Ref<DeferredPromise>&& promise)
     ASSERT(settings().storageAccessAPIEnabled());
 
 #if HAVE(CFNETWORK_STORAGE_PARTITIONING)
-    if (hasFrameSpecificStorageAccess()) {
+    if (m_frame && hasFrameSpecificStorageAccess()) {
         promise->resolve<IDLBoolean>(true);
         return;
     }
@@ -7578,7 +7578,7 @@ void Document::requestStorageAccess(Ref<DeferredPromise>&& promise)
     ASSERT(settings().storageAccessAPIEnabled());
     
 #if HAVE(CFNETWORK_STORAGE_PARTITIONING)
-    if (hasFrameSpecificStorageAccess()) {
+    if (m_frame && hasFrameSpecificStorageAccess()) {
         promise->resolve();
         return;
     }
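Review bot: The null guard is added at the call site (`m_frame && hasFrameSpecificStorageAccess()`) rather than inside hasFrameSpecificStorageAccess() itself, so any other caller of that helper stays exposed if it dereferences m_frame unconditionally; the helper's body is not in this hunk, so that is an inference to confirm. Either make hasFrameSpecificStorageAccess() return false when m_frame is null and keep these call sites unchanged, or add a comment here such as `// A document with no frame cannot hold frame-specific storage access.` so the reason for the extra check survives. The same change is made in the requestStorageAccess hunk directly below. Both enclosing functions continue past the end of their hunks, so how a detached document proceeds after this early return is not reviewed here.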