WebCore:

        Reviewed by Oliver Hunt.

        Fix for http://bugs.webkit.org/show_bug.cgi?id=16387
        Variable names can be enumerated across domains
        <rdar://problem/5640454>

        Test: http/tests/security/cross-frame-access-enumeration.html

        * bindings/js/kjs_window.cpp:
        (KJS::Window::getPropertyNames): Override method to test same-origin policy.
        * bindings/js/kjs_window.h:

LayoutTests:

        Reviewed by Oliver Hunt.

        Test for http://bugs.webkit.org/show_bug.cgi?id=16387

        * http/tests/security/cross-frame-access-enumeration-expected.txt: Added.
        * http/tests/security/cross-frame-access-enumeration.html: Added.
        * http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 95df5a6515d288915d23ca1e542289340ae9d886..7fb4f673219a57f96d763202236f15b69b89a20c 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2007-12-30  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Oliver Hunt.
+
+        Test for http://bugs.webkit.org/show_bug.cgi?id=16387
+
+        * http/tests/security/cross-frame-access-enumeration-expected.txt: Added.
+        * http/tests/security/cross-frame-access-enumeration.html: Added.
+        * http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html: Added.
+
 2007-12-30  Darin Adler  <darin@apple.com>
 
         - added missing results file

diff --git a/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt b/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt
new file mode 100644 (file)
index 0000000..c59096d
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test from frame with URL http://127.0.0.1:8000/security/cross-frame-access-enumeration.html. Domains, protocols and ports must match.
+
+This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)
+
+
+PASS: Cross frame access by enumerating the window object was denied.
+

diff --git a/LayoutTests/http/tests/security/cross-frame-access-enumeration.html b/LayoutTests/http/tests/security/cross-frame-access-enumeration.html
new file mode 100644 (file)
index 0000000..f433395
--- /dev/null
+++ b/LayoutTests/http/tests/security/cross-frame-access-enumeration.html
@@ -0,0 +1,54 @@
+<html>
+<head>
+    <script src="resources/cross-frame-access.js"></script>
+    <script>
+        window.onload = function()
+        {
+            if (window.layoutTestController) {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+
+            if (window.layoutTestController) {
+                setTimeout(pollForTest, 1);
+            } else {
+                log("To run the test, click the button below when the frame finishes loading.");
+                var button = document.createElement("button");
+                button.appendChild(document.createTextNode("Run Test"));
+                button.onclick = runTest;
+                document.body.appendChild(button);
+            }
+        }
+    
+        pollForTest = function()
+        {
+            if (!layoutTestController.globalFlag) {
+                setTimeout(pollForTest, 1);
+                return;
+            }
+            runTest();
+            layoutTestController.notifyDone();
+        }
+
+        runTest = function()
+        {
+            var b_win = document.getElementsByTagName("iframe")[0].contentWindow;
+            try {
+                for (var k in b_win) {
+                    if (k == "customProperty") {
+                        log("FAIL: Cross frame access by enumerating the window object was allowed.");
+                        return;
+                    }
+                }
+            } catch (e) {
+            }
+            log("PASS: Cross frame access by enumerating the window object was denied.");
+        }
+    </script>
+</head>
+<body>
+    <p>This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)</p>
+    <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test"></iframe>
+    <pre id="console"></pre>
+</body>
+</html>

diff --git a/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html b/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html
new file mode 100644 (file)
index 0000000..3a6d770
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html
@@ -0,0 +1,9 @@
+<script>
+    window.customProperty = 1;
+
+    window.onload = function()
+    {
+        if (window.layoutTestController)
+            layoutTestController.globalFlag = true;
+    }
+</script>

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a11bbfca7a38302269e77773e254bb5217f440f5..206fc4bf884113a1cdce270c732b56399a3ea16c 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2007-12-30  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Oliver Hunt.
+
+        Fix for http://bugs.webkit.org/show_bug.cgi?id=16387
+        Variable names can be enumerated across domains
+        <rdar://problem/5640454>
+
+        Test: http/tests/security/cross-frame-access-enumeration.html
+
+        * bindings/js/kjs_window.cpp:
+        (KJS::Window::getPropertyNames): Override method to test same-origin policy.
+        * bindings/js/kjs_window.h:
+
 2007-12-30  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Oliver Hunt.

diff --git a/WebCore/bindings/js/kjs_window.cpp b/WebCore/bindings/js/kjs_window.cpp
index d1a573265fd6a6575d495556247ca9d83984eede..d29d0ef68aeda80417506a9b6d6cb4db9864e092 100644 (file)
--- a/WebCore/bindings/js/kjs_window.cpp
+++ b/WebCore/bindings/js/kjs_window.cpp
@@ -865,6 +865,13 @@ bool Window::shouldInterruptScript() const
     return page->chrome()->shouldInterruptJavaScript();
 }
 
+void Window::getPropertyNames(ExecState* exec, PropertyNameArray& propertyNames)
+{
+    if (!allowsAccessFrom(exec))
+        return;
+    Base::getPropertyNames(exec, propertyNames);
+}
+
 void Window::setListener(ExecState* exec, const AtomicString& eventType, JSValue* func)
 {
     ASSERT(impl()->frame());

diff --git a/WebCore/bindings/js/kjs_window.h b/WebCore/bindings/js/kjs_window.h
index 5b38d3af3b519a19b9325d55b8bbdd3faa89f51d..499ba81ccd1e26b4fc6da16c02bd50baefe6ae7b 100644 (file)
--- a/WebCore/bindings/js/kjs_window.h
+++ b/WebCore/bindings/js/kjs_window.h
@@ -128,6 +128,8 @@ namespace KJS {
     virtual bool allowsAccessFrom(const JSGlobalObject*) const;
     bool allowsAccessFrom(ExecState* exec) const { return allowsAccessFrom(exec->dynamicGlobalObject()); }
 
+    virtual void getPropertyNames(ExecState*, PropertyNameArray&);
+
     enum {
         // Attributes
         Crypto, Event_, Location_, Navigator_,