Reviewed by Oliver Hunt.
Fix for http://bugs.webkit.org/show_bug.cgi?id=16387
Variable names can be enumerated across domains
<rdar://problem/5640454>
Test: http/tests/security/cross-frame-access-enumeration.html
* bindings/js/kjs_window.cpp:
(KJS::Window::getPropertyNames): Override method to test same-origin policy.
* bindings/js/kjs_window.h:
LayoutTests:
Reviewed by Oliver Hunt.
Test for http://bugs.webkit.org/show_bug.cgi?id=16387
* http/tests/security/cross-frame-access-enumeration-expected.txt: Added.
* http/tests/security/cross-frame-access-enumeration.html: Added.
* http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29044
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-12-30 Sam Weinig <sam@webkit.org>
+
+ Reviewed by Oliver Hunt.
+
+ Test for http://bugs.webkit.org/show_bug.cgi?id=16387
+
+ * http/tests/security/cross-frame-access-enumeration-expected.txt: Added.
+ * http/tests/security/cross-frame-access-enumeration.html: Added.
+ * http/tests/security/resources/cross-frame-iframe-for-enumeration-test.html: Added.
+
2007-12-30 Darin Adler <darin@apple.com>
- added missing results file
--- /dev/null
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test from frame with URL http://127.0.0.1:8000/security/cross-frame-access-enumeration.html. Domains, protocols and ports must match.
+
+This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)
+
+
+PASS: Cross frame access by enumerating the window object was denied.
+
--- /dev/null
+<html>
+<head>
+ <script src="resources/cross-frame-access.js"></script>
+ <script>
+ window.onload = function()
+ {
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ if (window.layoutTestController) {
+ setTimeout(pollForTest, 1);
+ } else {
+ log("To run the test, click the button below when the frame finishes loading.");
+ var button = document.createElement("button");
+ button.appendChild(document.createTextNode("Run Test"));
+ button.onclick = runTest;
+ document.body.appendChild(button);
+ }
+ }
+
+ pollForTest = function()
+ {
+ if (!layoutTestController.globalFlag) {
+ setTimeout(pollForTest, 1);
+ return;
+ }
+ runTest();
+ layoutTestController.notifyDone();
+ }
+
+ runTest = function()
+ {
+ var b_win = document.getElementsByTagName("iframe")[0].contentWindow;
+ try {
+ for (var k in b_win) {
+ if (k == "customProperty") {
+ log("FAIL: Cross frame access by enumerating the window object was allowed.");
+ return;
+ }
+ }
+ } catch (e) {
+ }
+ log("PASS: Cross frame access by enumerating the window object was denied.");
+ }
+ </script>
+</head>
+<body>
+ <p>This tests that variable names can't be enumerated cross domain (see http://bugs.webkit.org/show_bug.cgi?id=16387)</p>
+ <iframe src="http://localhost:8000/security/resources/cross-frame-iframe-for-enumeration-test"></iframe>
+ <pre id="console"></pre>
+</body>
+</html>
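Review bot: runTest() logs PASS for every outcome except finding `customProperty`, so the test also passes when the iframe never defined that property, for example because it failed to load. The iframe src has no `.html` suffix although the ChangeLog lists the resource as `cross-frame-iframe-for-enumeration-test.html`, so the load depends on the test server resolving the extensionless URL, which cannot be confirmed from this page. Since the new Window::getPropertyNames returns before adding any name for a disallowed caller, the loop could treat any enumerated key as a failure: `for (var k in b_win) { log("FAIL: enumerated '" + k + "' across domains."); return; }`. The empty `catch (e) {}` also deserves a short comment saying that a thrown security error counts as a denial.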
--- /dev/null
+<script>
+ window.customProperty = 1;
+
+ window.onload = function()
+ {
+ if (window.layoutTestController)
+ layoutTestController.globalFlag = true;
+ }
+</script>
+2007-12-30 Sam Weinig <sam@webkit.org>
+
+ Reviewed by Oliver Hunt.
+
+ Fix for http://bugs.webkit.org/show_bug.cgi?id=16387
+ Variable names can be enumerated across domains
+ <rdar://problem/5640454>
+
+ Test: http/tests/security/cross-frame-access-enumeration.html
+
+ * bindings/js/kjs_window.cpp:
+ (KJS::Window::getPropertyNames): Override method to test same-origin policy.
+ * bindings/js/kjs_window.h:
+
2007-12-30 Sam Weinig <sam@webkit.org>
Reviewed by Oliver Hunt.
return page->chrome()->shouldInterruptJavaScript();
}
+void Window::getPropertyNames(ExecState* exec, PropertyNameArray& propertyNames)
+{
+ if (!allowsAccessFrom(exec))
+ return;
+ Base::getPropertyNames(exec, propertyNames);
+}
+
void Window::setListener(ExecState* exec, const AtomicString& eventType, JSValue* func)
{
ASSERT(impl()->frame());
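Review bot: Window::getPropertyNames should carry a comment stating that a caller failing allowsAccessFrom() gets an empty name list rather than an exception. The bare `return;` reads like an oversight, and the same-origin intent is recorded only in the ChangeLog. A line such as `// Same-origin check: a disallowed caller enumerates no names at all, built-in or script-defined.` above the `if` would do. The added layout test checks only the `for...in` path for one script-defined property, so the fail-closed result for built-in names is not pinned by a test. The functions on either side (the one ending at `shouldInterruptJavaScript()` and setListener) extend outside the hunk and are not reviewed here.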
virtual bool allowsAccessFrom(const JSGlobalObject*) const;
bool allowsAccessFrom(ExecState* exec) const { return allowsAccessFrom(exec->dynamicGlobalObject()); }
+ virtual void getPropertyNames(ExecState*, PropertyNameArray&);
+
enum {
// Attributes
Crypto, Event_, Location_, Navigator_,