WebCore:
authorweinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2007 01:52:43 +0000 (01:52 +0000)
committerweinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2007 01:52:43 +0000 (01:52 +0000)
        Reviewed and touched up by Sam Weinig.

        Fix for http://bugs.webkit.org/show_bug.cgi?id=16073

        Test: http/tests/security/xss-DENIED-invalid-domain-change.html

        * dom/Document.cpp:
        (WebCore::Document::setDomain): Don't set the securityOrigin policy unless
        the set succeeds.  Adds some early returns as well.

LayoutTests:

        Reviewed by Sam Weinig.

        Tests for http://bugs.webkit.org/show_bug.cgi?id=16073

        * http/tests/security/resources/iframe-invalid-domain-change.html: Added.
        * http/tests/security/xss-DENIED-invalid-domain-change-expected.txt: Added.
        * http/tests/security/xss-DENIED-invalid-domain-change.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28062 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/iframe-invalid-domain-change.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/Document.cpp

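--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2007-11-26  Feng Qian <ian.eng.webkit@gmail.com>
+
+        Reviewed by Sam Weinig.
+
+        Tests for http://bugs.webkit.org/show_bug.cgi?id=16073
+
+        * http/tests/security/resources/iframe-invalid-domain-change.html: Added.
+        * http/tests/security/xss-DENIED-invalid-domain-change-expected.txt: Added.
+        * http/tests/security/xss-DENIED-invalid-domain-change.html: Added.
+
 2007-11-26  Darin Adler  <darin@apple.com>
 
         Reviewed by Mitz.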
diff --git a/LayoutTests/http/tests/security/resources/iframe-invalid-domain-change.html b/LayoutTests/http/tests/security/resources/iframe-invalid-domain-change.html
new file mode 100644 (file)
index 0000000..55b6316
--- /dev/null
@@ -0,0 +1,11 @@
+<body>
+Some text here.
+<script>
+// Should not change the domain.
+try {
+  document.domain = 'apple.com';
+} catch (e) {
+}
+
+</script>
+</body>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change-expected.txt
new file mode 100644 (file)
index 0000000..0f721c2
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/iframe-invalid-domain-change.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-invalid-domain-change.html. Domains, protocols and ports must match.
+
+
+PASS: cross-site not access allowed
diff --git a/LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change.html b/LayoutTests/http/tests/security/xss-DENIED-invalid-domain-change.html
new file mode 100644 (file)
index 0000000..2ed5bbc
--- /dev/null
@@ -0,0 +1,34 @@
+<html>
+<body>
+<iframe name='aFrame' src='http://localhost:8000/security/resources/iframe-invalid-domain-change.html'></iframe>
+
+<div id="console"></div>
+</body>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+try {
+  // change own domain to an invalid one
+  document.domain = 'apple.com';
+} catch (e) {
+}
+
+window.onload = cross_frame_access;
+
+function cross_frame_access() {
+  var aframe = window.frames[0];
+  try {
+    if (typeof aframe.document == 'undefined') throw 1;
+    document.getElementById("console").innerHTML = "FAIL: cross-site access allowed";
+  } catch (e) {
+    document.getElementById("console").innerHTML = "PASS: cross-site not access allowed";
+  }
+
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+}
+</script>
+</html>
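--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2007-11-26  Feng Qian <ian.eng.webkit@gmail.com>
+
+        Reviewed and touched up by Sam Weinig.
+
+        Fix for http://bugs.webkit.org/show_bug.cgi?id=16073
+
+        Test: http/tests/security/xss-DENIED-invalid-domain-change.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setDomain): Don't set the securityOrigin policy unless
+        the set succeeds.  Adds some early returns as well.
+
 2007-11-26  Steve Falkenburg  <sfalken@apple.com>
 
         Build fix.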
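--- a/WebCore/dom/Document.cpp
+++ b/WebCore/dom/Document.cpp
@@ -2617,23 +2617,37 @@ void Document::setDomain(const String& newDomain)
     // Both NS and IE specify that changing the domain is only allowed when
     // the new domain is a suffix of the old domain.
 
-    // FIXME: We should add logging indicating why a domain was not allowed. 
+    // FIXME: We should add logging indicating why a domain was not allowed.
+
+    // If the new domain is the same as the old domain, still call
+    // m_securityOrigin.setDomainForDOM. This will change the
+    // security check behavior. For example, if a page loaded on port 8000
+    // assigns its current domain using document.domain, the page will
+    // allow other pages loaded on different ports in the same domain that
+    // have also assigned to access this page.
+    if (equalIgnoringCase(m_domain, newDomain)) {
+        m_securityOrigin.setDomainFromDOM(newDomain);
+        return;
+    }
 
     int oldLength = m_domain.length();
     int newLength = newDomain.length();
-    // e.g. newDomain=kde.org (7) and m_domain=www.kde.org (11)
-    if (newLength < oldLength) {
-        String test = m_domain.copy();
-        // Check that it's a subdomain, not e.g. "de.org"
-        if (test[oldLength - newLength - 1] == '.') {
-            // Now test is "kde.org" from m_domain
-            // and we check that it's the same thing as newDomain
-            test.remove(0, oldLength - newLength);
-            if (test == newDomain)
-                m_domain = newDomain;
-        }
-    }
+    // e.g. newDomain = webkit.org (10) and m_domain = www.webkit.org (14)
+    if (newLength >= oldLength)
+        return;
 
+    String test = m_domain.copy();
+    // Check that it's a subdomain, not e.g. "ebkit.org"
+    if (test[oldLength - newLength - 1] != '.')
+        return;
+
+    // Now test is "webkit.org" from m_domain
+    // and we check that it's the same thing as newDomain
+    test.remove(0, oldLength - newLength);
+    if (test != newDomain)
+        return;
+
+    m_domain = newDomain;
     m_securityOrigin.setDomainFromDOM(newDomain);
 }
 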
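Review bot: The suffix check ending at `if (test != newDomain)` accepts any dot-delimited suffix, including a bare top-level domain: from www.webkit.org the value `org` satisfies the `'.'` test at index 10, survives `test.remove(0, oldLength - newLength)`, and is then handed to `m_securityOrigin.setDomainFromDOM`, so every other `.org` document that assigns the same value becomes same-origin with this one; the commit restructures the check but keeps that acceptance from the old code. A defensive addition before `m_domain = newDomain;` would be to reject a newDomain that is a public suffix, and to refuse an empty newDomain explicitly, since an m_domain ending in `.` (presumably reachable from a host with a trailing dot) would otherwise let `""` through the same path. Separately, the new early return compares with `equalIgnoringCase` while the suffix comparison uses `!=`; `if (!equalIgnoringCase(test, newDomain))` would keep the two consistent, assuming domain matching here is intended to be case-insensitive as the first check implies. The new comment also names `m_securityOrigin.setDomainForDOM` where the code calls `setDomainFromDOM`; it should read `// m_securityOrigin.setDomainFromDOM. This will change the`. setDomain's signature and opening lines lie before this hunk.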