ScriptController::executeIfJavaScriptURL gets confused by synchronous frame loads

https://bugs.webkit.org/show_bug.cgi?id=69777

Patch by Sergey Glazunov <serg.glazunov@gmail.com> on 2011-11-16
Reviewed by Adam Barth.

* http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url-expected.txt: Added.
* http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@100471 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3a29e1f1d925e7162ea17d23565f0f8ce85aa925..d98a74ca828670489b0e6da7f7bebbe9cacd610f 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-11-16  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        ScriptController::executeIfJavaScriptURL gets confused by synchronous frame loads
+        https://bugs.webkit.org/show_bug.cgi?id=69777
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url-expected.txt: Added.
+        * http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html: Added.
+
 2011-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         String new RegExp('\n').toString() returns is invalid RegularExpressionLiteral

diff --git a/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url-expected.txt
new file mode 100644 (file)
index 0000000..7b9a281
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url-expected.txt
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match.
+
+This test passes if there's no alert dialog.  

diff --git a/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html b/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html
new file mode 100644 (file)
index 0000000..668fdd3
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-synchronous-frame-load-in-javascript-url.html
@@ -0,0 +1,42 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+       layoutTestController.dumpAsText();
+       layoutTestController.waitUntilDone();
+       layoutTestController.setCanOpenWindows();
+       layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.onload = function()
+{
+       victim = document.body.appendChild(document.createElement("iframe"));
+       wnd = victim.contentWindow.open();
+       victim.src = "http://localhost:8080/security/resources/innocent-victim.html";
+       victim.onload = function() {
+               victim.onload = null;
+
+               wnd.eval("(" + function() {
+                       location = "javascript:(" + function() {
+                               a = document.createElement("a");
+                               a.href = "about:blank";
+                               e = document.createEvent("MouseEvent");
+                               e.initMouseEvent("click");
+                               a.dispatchEvent(e);
+
+                               return "<script>(" + function() {
+                                       opener.location = "javascript:alert(document.body.innerHTML)";
+
+                                       if (window.layoutTestController)
+                                               setTimeout("layoutTestController.notifyDone()", 0);
+                               } + ")()<\/script>";
+                       } + ")()";
+               } + ")()");
+       }
+}
+</script>
+</head>
+<body>
+This test passes if there's no alert dialog.
+</body>
+</html>