+2007-11-26 Feng Qian <ian.eng.webkit@gmail.com>
+
+ Reviewed by Sam Weinig.
+
+ Tests for http://bugs.webkit.org/show_bug.cgi?id=16073
+
+ * http/tests/security/resources/iframe-invalid-domain-change.html: Added.
+ * http/tests/security/xss-DENIED-invalid-domain-change-expected.txt: Added.
+ * http/tests/security/xss-DENIED-invalid-domain-change.html: Added.
+
2007-11-26 Darin Adler <darin@apple.com>
Reviewed by Mitz.
--- /dev/null
+<html>
+<body>
+<iframe name='aFrame' src='http://localhost:8000/security/resources/iframe-invalid-domain-change.html'></iframe>
+
+<div id="console"></div>
+</body>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+try {
+ // change own domain to an invalid one
+ document.domain = 'apple.com';
+} catch (e) {
+}
+
+window.onload = cross_frame_access;
+
+function cross_frame_access() {
+ var aframe = window.frames[0];
+ try {
+ if (typeof aframe.document == 'undefined') throw 1;
+ document.getElementById("console").innerHTML = "FAIL: cross-site access allowed";
+ } catch (e) {
+ document.getElementById("console").innerHTML = "PASS: cross-site not access allowed";
+ }
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</html>
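Review bot: The PASS branch in cross_frame_access fires on any exception, so the test also reports PASS when `window.frames[0]` is undefined (child frame blocked or never loaded), which would mask a regression in the exact check this test exists to cover. I would resolve the frame before the `try` and fail explicitly when it is missing, e.g. `if (!aframe) { document.getElementById("console").innerHTML = "FAIL: child frame not found"; }` with the existing try/catch in the else branch, so only a cross-origin access failure counts as PASS. The PASS text "cross-site not access allowed" reads garbled; presumably "cross-site access not allowed" was meant, and the -expected.txt would need the same edit. The child document iframe-invalid-domain-change.html is not in this chunk, so whether it also assigns document.domain cannot be confirmed here.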
+2007-11-26 Feng Qian <ian.eng.webkit@gmail.com>
+
+ Reviewed and touched up by Sam Weinig.
+
+ Fix for http://bugs.webkit.org/show_bug.cgi?id=16073
+
+ Test: http/tests/security/xss-DENIED-invalid-domain-change.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::setDomain): Don't set the securityOrigin policy unless
+ the set succeeds. Adds some early returns as well.
+
2007-11-26 Steve Falkenburg <sfalken@apple.com>
Build fix.
// Both NS and IE specify that changing the domain is only allowed when
// the new domain is a suffix of the old domain.
- // FIXME: We should add logging indicating why a domain was not allowed.
+ // FIXME: We should add logging indicating why a domain was not allowed.
+
+ // If the new domain is the same as the old domain, still call
+ // m_securityOrigin.setDomainForDOM. This will change the
+ // security check behavior. For example, if a page loaded on port 8000
+ // assigns its current domain using document.domain, the page will
+ // allow other pages loaded on different ports in the same domain that
+ // have also assigned to access this page.
+ if (equalIgnoringCase(m_domain, newDomain)) {
+ m_securityOrigin.setDomainFromDOM(newDomain);
+ return;
+ }
int oldLength = m_domain.length();
int newLength = newDomain.length();
- // e.g. newDomain=kde.org (7) and m_domain=www.kde.org (11)
- if (newLength < oldLength) {
- String test = m_domain.copy();
- // Check that it's a subdomain, not e.g. "de.org"
- if (test[oldLength - newLength - 1] == '.') {
- // Now test is "kde.org" from m_domain
- // and we check that it's the same thing as newDomain
- test.remove(0, oldLength - newLength);
- if (test == newDomain)
- m_domain = newDomain;
- }
- }
+ // e.g. newDomain = webkit.org (10) and m_domain = www.webkit.org (14)
+ if (newLength >= oldLength)
+ return;
+ String test = m_domain.copy();
+ // Check that it's a subdomain, not e.g. "ebkit.org"
+ if (test[oldLength - newLength - 1] != '.')
+ return;
+
+ // Now test is "webkit.org" from m_domain
+ // and we check that it's the same thing as newDomain
+ test.remove(0, oldLength - newLength);
+ if (test != newDomain)
+ return;
+
+ m_domain = newDomain;
m_securityOrigin.setDomainFromDOM(newDomain);
}
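Review bot: Nothing in the new suffix walk stops a document at `www.webkit.org` from shortening its domain to the bare public suffix `org`; the check only confirms the dropped prefix ends in a dot, not that what remains is a registrable domain, so any other `.org` page that performs the same relaxation could then script this one. The same walk accepts an empty `newDomain` when `m_domain` carries a trailing dot, since `test[oldLength - 1]` is then `'.'` and the remaining string is empty. A minimal guard after the same-domain early-out, something like `if (newDomain.find('.') == -1) return;`, would reject both top-level labels and the empty string, though a real fix presumably needs a public-suffix list. Separately, the final `if (test != newDomain)` is case-sensitive while the early-out uses `equalIgnoringCase`, so `document.domain = 'WEBKIT.ORG'` is refused — fail-safe, but inconsistent; `!equalIgnoringCase(test, newDomain)` looks like the intended comparison. setDomain's signature and the start of its body are outside the hunk.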