2011-01-21 Yury Semikhatsky <yurys@chromium.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Jan 2011 06:41:45 +0000 (06:41 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Jan 2011 06:41:45 +0000 (06:41 +0000)
        Reviewed by Adam Barth.

        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
        https://bugs.webkit.org/show_bug.cgi?id=52903

        In case of an exception in a script from different domain only generic message
        will be passed to window.onerror hander.

        Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
               http/tests/security/cross-origin-script-window-onerror.html

        * bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
        cross origin checks agains real script URL, not the original URL which may have resulted in a sequence
        of redirects to different domains.
        (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
        * bindings/v8/ScriptSourceCode.h: same for v8.
        (WebCore::ScriptSourceCode::url):
        * dom/ScriptExecutionContext.cpp:
        (WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
        access provide concise "Script error." message without any information about the error source. This is
        what Firefox does in this case.
2011-01-21  Yury Semikhatsky  <yurys@chromium.org>

        Reviewed by Adam Barth.

        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
        https://bugs.webkit.org/show_bug.cgi?id=52903

        A couple of tests to check that window.onerror won't reveal any content of the resource
        from a different domain if the latter is referenced via <script src=...>

        * http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
        * http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
        * http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
        * http/tests/security/cross-origin-script-window-onerror.html: Added.
        * http/tests/security/resources/cross-origin-script.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@76429 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html [new file with mode: 0755]
LayoutTests/http/tests/security/cross-origin-script-window-onerror.html [new file with mode: 0755]
LayoutTests/http/tests/security/resources/cross-origin-script.txt [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/CachedScriptSourceProvider.h
Source/WebCore/bindings/v8/ScriptSourceCode.h
Source/WebCore/dom/ScriptExecutionContext.cpp

index f77efbc..38c6e86 100644 (file)
@@ -1,3 +1,19 @@
+2011-01-21  Yury Semikhatsky  <yurys@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
+        https://bugs.webkit.org/show_bug.cgi?id=52903
+
+        A couple of tests to check that window.onerror won't reveal any content of the resource
+        from a different domain if the latter is referenced via <script src=...>
+
+        * http/tests/security/cross-origin-script-window-onerror-expected.txt: Added.
+        * http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt: Added.
+        * http/tests/security/cross-origin-script-window-onerror-redirected.html: Added.
+        * http/tests/security/cross-origin-script-window-onerror.html: Added.
+        * http/tests/security/resources/cross-origin-script.txt: Added.
+
 2011-01-21  Maciej Stachowiak  <mjs@apple.com>
 
         Reviewed by Geoffrey Garen.
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-expected.txt
new file mode 100644 (file)
index 0000000..e09f02d
--- /dev/null
@@ -0,0 +1,3 @@
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. Bug 52903.
+
+window.onerror message: Script error. at : 0
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected-expected.txt
new file mode 100644 (file)
index 0000000..260d8d3
--- /dev/null
@@ -0,0 +1,3 @@
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. Bug 52903.
+
+window.onerror message: Script error. at : 0
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html b/LayoutTests/http/tests/security/cross-origin-script-window-onerror-redirected.html
new file mode 100755 (executable)
index 0000000..b6a09c5
--- /dev/null
@@ -0,0 +1,23 @@
+<html>
+<body>
+<p>
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain after a redirect. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
+</p>
+<div id="result"></div>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.waitUntilDone();
+  layoutTestController.dumpAsText();
+}
+
+window.onerror = function(message, url, line) {
+  document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+  return false;
+}
+</script>
+<script src="resources/redir.php?url=http://localhost:8000/security/resources/cross-origin-script.txt">
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/cross-origin-script-window-onerror.html b/LayoutTests/http/tests/security/cross-origin-script-window-onerror.html
new file mode 100755 (executable)
index 0000000..9d35114
--- /dev/null
@@ -0,0 +1,25 @@
+<html>
+<body>
+<p>
+Test that window.onerror won't reveal any potentially sensitive script content if the latter is loaded from a different domain. The test passes if you don't see any data from the linked resource. <a href="https://bugs.webkit.org/show_bug.cgi?id=52903">Bug 52903.</a>
+</p>
+
+</p>
+<div id="result"></div>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.waitUntilDone();
+  layoutTestController.dumpAsText();
+}
+
+window.onerror = function(message, url, line) {
+  document.getElementById("result").textContent = "window.onerror message: " + message + " at " + url + ": " + line;
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+  return false;
+}
+</script>
+<script src="http://localhost:8000/security/resources/cross-origin-script.txt">
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/resources/cross-origin-script.txt b/LayoutTests/http/tests/security/resources/cross-origin-script.txt
new file mode 100755 (executable)
index 0000000..dad0cf6
--- /dev/null
@@ -0,0 +1 @@
+FAIL: some sensitive user data the test should not be able to see.
index 3cded15..c9a6896 100644 (file)
@@ -1,3 +1,27 @@
+2011-01-21  Yury Semikhatsky  <yurys@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Regression: new window.onerror() implementation leaks cross-origin Javascript errors
+        https://bugs.webkit.org/show_bug.cgi?id=52903
+
+        In case of an exception in a script from different domain only generic message
+        will be passed to window.onerror hander.
+
+        Tests: http/tests/security/cross-origin-script-window-onerror-redirected.html
+               http/tests/security/cross-origin-script-window-onerror.html
+
+        * bindings/js/CachedScriptSourceProvider.h: use URL from the resource response to make sure we do all
+        cross origin checks agains real script URL, not the original URL which may have resulted in a sequence
+        of redirects to different domains.
+        (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
+        * bindings/v8/ScriptSourceCode.h: same for v8.
+        (WebCore::ScriptSourceCode::url):
+        * dom/ScriptExecutionContext.cpp:
+        (WebCore::ScriptExecutionContext::dispatchErrorEvent): in case the error occurred in a script we cannot
+        access provide concise "Script error." message without any information about the error source. This is
+        what Firefox does in this case.
+
 2011-01-21  Andreas Kling  <kling@webkit.org>
 
         Reviewed by Kenneth Rohde Christiansen.
index 9bae8ca..8f63a69 100644 (file)
@@ -57,7 +57,7 @@ namespace WebCore {
 
     private:
         CachedScriptSourceProvider(CachedScript* cachedScript)
-            : ScriptSourceProvider(stringToUString(cachedScript->url()), cachedScript->sourceProviderCache())
+            : ScriptSourceProvider(stringToUString(cachedScript->response().url()), cachedScript->sourceProviderCache())
             , m_cachedScript(cachedScript)
         {
             m_cachedScript->addClient(this);
index 2478151..d7d1510 100644 (file)
@@ -63,7 +63,12 @@ public:
 
     const String& source() const { return m_source; }
     CachedScript* cachedScript() const { return m_cachedScript.get(); }
-    const KURL& url() const { return m_url; }
+    const KURL& url() const
+    {
+        if (m_cachedScript)
+            return m_cachedScript->response().url();
+        return m_url;
+    }
     int startLine() const { return m_startPosition.m_line.oneBasedInt(); }
     const TextPosition1& startPosition() const { return m_startPosition; }
 
index 9fdf85e..8f4ca07 100644 (file)
@@ -294,9 +294,23 @@ bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int
     if (!target)
         return false;
 
+    String message;
+    int line;
+    String sourceName;
+    KURL targetUrl = completeURL(sourceURL);
+    if (securityOrigin()->canRequest(targetUrl)) {
+        message = errorMessage;
+        line = lineNumber;
+        sourceName = sourceURL;
+    } else {
+        message = "Script error.";
+        sourceName = String();
+        line = 0;
+    }
+
     ASSERT(!m_inDispatchErrorEvent);
     m_inDispatchErrorEvent = true;
-    RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(errorMessage, sourceURL, lineNumber);
+    RefPtr<ErrorEvent> errorEvent = ErrorEvent::create(message, sourceName, line);
     target->dispatchEvent(errorEvent);
     m_inDispatchErrorEvent = false;
     return errorEvent->defaultPrevented();