We should throw a SecurityError when denying access to cross-origin Window properties
https://bugs.webkit.org/show_bug.cgi?id=161316

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline existing tests to reflect behavior change.

* web-platform-tests/domparsing/innerhtml-05-expected.txt:
* web-platform-tests/html/semantics/forms/form-submission-0/getactionurl-expected.txt:

Source/WebCore:

We should throw a SecurityError when denying access to cross-origin Window properties:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)

Firefox and Chrome already throw.

No new tests, updated existing tests.

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):

LayoutTests:

Updated / rebaselined existing tests to reflect behavior change.

* fast/frames/sandboxed-iframe-history-denied-expected.txt:
* fast/xmlhttprequest/xmlhttprequest-no-file-access-expected.txt:
* fast/xmlhttprequest/xmlhttprequest-no-file-access.html:
* http/tests/dom/window-open-about-webkit-org-and-access-document-expected.txt:
* http/tests/dom/window-open-about-webkit-org-and-access-document.html:
* http/tests/history/cross-origin-replace-history-object-child-expected.txt:
* http/tests/history/cross-origin-replace-history-object-child.html:
* http/tests/plugins/cross-frame-object-access-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header.html:
* http/tests/security/cross-frame-access-call-expected.txt:
* http/tests/security/cross-frame-access-call.html:
* http/tests/security/cross-frame-access-child-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-custom-expected.txt:
* http/tests/security/cross-frame-access-first-time-expected.txt:
* http/tests/security/cross-frame-access-first-time.html:
* http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt:
* http/tests/security/cross-frame-access-get-custom-property-cached.html:
* http/tests/security/cross-frame-access-get-expected.txt:
* http/tests/security/cross-frame-access-getOwnPropertyDescriptor-expected.txt:
* http/tests/security/cross-frame-access-getOwnPropertyDescriptor.html:
* http/tests/security/cross-frame-access-history-get-expected.txt:
* http/tests/security/cross-frame-access-history-get-override-expected.txt:
* http/tests/security/cross-frame-access-history-prototype-expected.txt:
* http/tests/security/cross-frame-access-name-getter-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf.html:
* http/tests/security/cross-frame-access-object-prototype-expected.txt:
* http/tests/security/cross-frame-access-object-prototype.html:
* http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-port-expected.txt:
* http/tests/security/cross-frame-access-protocol-expected.txt:
* http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-selection-expected.txt:
* http/tests/security/cross-frame-access-selection.html:
* http/tests/security/cross-origin-reified-window-property-access-expected.txt:
* http/tests/security/cross-origin-window-property-access-expected.txt:
* http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html:
* http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-to-data-url-sub-frame.html:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame.html:
* http/tests/security/dataURL/xss-DENIED-from-data-url-to-data-url-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-to-data-url.html:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-from-data-url-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-from-data-url.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open.html:
* http/tests/security/document-all-expected.txt:
* http/tests/security/document-all.html:
* http/tests/security/javascriptURL/resources/foreign-domain-javascript-url-accessor-iframe.html:
* http/tests/security/javascriptURL/resources/foreign-domain-javascript-url-accessor-opened-frame.html:
* http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-from-javascript-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-subframe.html:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/javascriptURL/xss-DENIED-to-javascript-url-in-foreign-domain-window-open.html:
* http/tests/security/listener/resources/targetChild-JSTargetNode-onclick-addEventListener.html:
* http/tests/security/listener/resources/targetChild-JSTargetNode-onclick-shortcut.html:
* http/tests/security/listener/resources/targetChild-XMLHttpRequest-addEventListener.html:
* http/tests/security/listener/resources/targetChild-XMLHttpRequest-shortcut.html:
* http/tests/security/listener/resources/targetChild-window-onclick-addEventListener.html:
* http/tests/security/listener/resources/targetChild-window-onclick-shortcut.html:
* http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener-expected.txt:
* http/tests/security/listener/xss-JSTargetNode-onclick-shortcut-expected.txt:
* http/tests/security/listener/xss-XMLHttpRequest-addEventListener-expected.txt:
* http/tests/security/listener/xss-XMLHttpRequest-shortcut-expected.txt:
* http/tests/security/listener/xss-window-onclick-addEventListener-expected.txt:
* http/tests/security/listener/xss-window-onclick-shortcut-expected.txt:
* http/tests/security/resources/cross-frame-access.js:
(test):
(cannotAccessFrame):
* http/tests/security/resources/cross-frame-history-prototype-iframe.html:
* http/tests/security/resources/iframe-for-synchronous-form.html:
* http/tests/security/resources/sandboxed-iframe-origin-add-step1.html:
* http/tests/security/resources/sandboxed-iframe-origin-remove-step2.html:
* http/tests/security/sandboxed-iframe-modify-self-expected.txt:
* http/tests/security/sandboxed-iframe-origin-add-expected.txt:
* http/tests/security/sandboxed-iframe-origin-remove-expected.txt:
* http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
* http/tests/security/xss-DENIED-defineProperty-expected.txt:
* http/tests/security/xss-DENIED-frame-name-expected.txt:
* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
* http/tests/security/xss-DENIED-invalid-domain-change-expected.txt:
* http/tests/security/xss-DENIED-invalid-domain-change.html:
* http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
* http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt:
* http/tests/security/xss-DENIED-synchronous-form-expected.txt:
* http/tests/security/xss-DENIED-window-name-navigator-expected.txt:
* http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt:
* http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml:
* http/tests/security/xss-eval-expected.txt:
* http/tests/security/xss-eval.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@205136 268f45cc-cd09-0410-ab3c-d52691b4dbfc
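
The behaviour this change adopts, modelled outside a browser as an added example (it is not WebKit's code and not part of the original commit): a Proxy stands in for a cross-origin Window reference, with an allowlist following the spec's CrossOriginProperties(O) for Window, and a caller-side check shows why denial must be detected by catching `SecurityError`. The names `makeCrossOriginWindow`, `canRead` and the constructed `foreignFrame` object are hypothetical.

```javascript
// Added illustration: a Node.js model of cross-origin Window property access.
// The allowlist follows the HTML spec's CrossOriginProperties(O) for Window;
// makeCrossOriginWindow and canRead are hypothetical names, not WebKit code.
const CROSS_ORIGIN_WINDOW_PROPERTIES = new Set([
  'window', 'self', 'location', 'close', 'closed', 'focus', 'blur',
  'frames', 'length', 'top', 'opener', 'parent', 'postMessage',
]);

function securityError(property) {
  const err = new Error(`Blocked cross-origin access to "${String(property)}"`);
  err.name = 'SecurityError'; // a browser raises a DOMException with this name
  return err;
}

// Wrap a target object the way a cross-origin Window reference behaves:
// allowlisted properties are readable, everything else throws.
function makeCrossOriginWindow(target) {
  const lookup = (property) => {
    if (typeof property === 'string' && CROSS_ORIGIN_WINDOW_PROPERTIES.has(property)) {
      return { value: target[property], writable: false, enumerable: false, configurable: true };
    }
    throw securityError(property);
  };
  return new Proxy(target, {
    get: (_t, property) => lookup(property).value,
    getOwnPropertyDescriptor: (_t, property) => lookup(property),
  });
}

// Caller-side check: once denial throws, a test for `undefined` cannot see it,
// so the denial has to be caught and classified by error name.
function canRead(win, property) {
  try {
    void win[property];
    return true;
  } catch (err) {
    if (err.name === 'SecurityError') return false;
    throw err; // unrelated failures must not be mistaken for a policy denial
  }
}

// Constructed sample: a foreign frame whose document must stay unreachable.
const foreignFrame = makeCrossOriginWindow({
  closed: false, length: 0, document: { cookie: 'session=constructed' },
});
```

Rethrowing anything that is not a `SecurityError` keeps a real bug in the probed code path from being reported as a same-origin policy denial.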