https://bugs.webkit.org/show_bug.cgi?id=134850
<rdar://problem/27375388>
Reviewed by Brent Fulgham.
Source/WebCore:
This replicates the behavior in Chrome, Firefox, and according to the reporter
also in Internet Explorer. See the Mozilla bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1
Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
* page/Chrome.cpp:
(WebCore::Chrome::createWindow):
Now copies the opener's frame loader effective sandbox flags to the new
frame loader.
LayoutTests:
* http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
* http/tests/security/resources/page-executing-javascript.html: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
* http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2016-08-05 John Wilander <wilander@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/resources/anchor-tag-with-blank-target.html: Added.
+ * http/tests/security/resources/page-executing-javascript.html: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox-expected.txt: Added.
+ * http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html: Added.
+
2016-08-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r203935.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+ <a id="theLink" target="_blank" href="./page-executing-javascript.html">_blank page that executes JavaScript</a>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<noscript>Pass: JavaScript was not allowed to execute.</noscript>
+<p id="output"></p>
+<script>
+ document.getElementById("output").innerHTML = "Fail: JavaScript was allowed to execute.";
+</script>
+</body>
+</html>
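Review bot: the "Pass:"/"Fail:" text this page renders is not what the test asserts on; the -expected.txt added in this change carries only the "Blocked script execution ..." console message, so the actual pass signal is that console line from the sandboxed popup, not this page's output. A short HTML comment here saying that the visible text is for manual runs only (or having the opener read this page's result and call testPassed/testFailed) would stop a later reader from treating this file as the real assertion.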
--- /dev/null
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/resources/page-executing-javascript.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="UTF-8">
+ <title>Tests that windows created from a sandboxed context inherit the same sandbox</title>
+ <script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script>
+ if (window.testRunner) {
+ testRunner.setCanOpenWindows();
+ testRunner.waitUntilDone();
+ testRunner.setPopupBlockingEnabled(false);
+ testRunner.dumpAsText();
+ }
+
+ function wrapUp () {
+ finishJSTest();
+ if (window.testRunner) {
+ testRunner.notifyDone();
+ }
+ }
+
+ function run() {
+ var iframeContentDocument = document.getElementById("theIframe").contentDocument;
+ if (!iframeContentDocument) {
+ testFailed("Can't get iframeElement.contentDocument");
+ finishJSTest();
+ testRunner.notifyDone();
+ } else {
+ var theLink = iframeContentDocument.getElementById("theLink");
+ if (!theLink) {
+ testFailed("Can't get iframeElement.contentDocument.getElementById('theLink')");
+ finishJSTest();
+ testRunner.notifyDone();
+ } else {
+ var clickEvent = document.createEvent("HTMLEvents");
+ clickEvent.initEvent("click", true, true);
+ theLink.dispatchEvent(clickEvent);
+
+ setTimeout(wrapUp, 500);
+ }
+ }
+ }
+</script>
+<iframe onload="run()" id="theIframe" sandbox="allow-same-origin allow-popups" src="resources/anchor-tag-with-blank-target.html"></iframe>
+</body>
+</html>
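Review bot: the two failure branches in run() call testRunner.notifyDone() unguarded, while wrapUp() correctly checks window.testRunner first; outside the harness those paths throw instead of reporting the failure. Suggest wrapping both calls the same way, e.g. `if (window.testRunner) testRunner.notifyDone();`. Separately, `setTimeout(wrapUp, 500);` makes completion depend on the popup finishing its load and emitting the console message within 500 ms; on a slow bot the console line would land after notifyDone and the test would flake, so if the popup can signal the opener (the iframe is allow-same-origin) it would be more robust to finish on that signal rather than on a fixed delay.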
+2016-08-05 John Wilander <wilander@apple.com>
+
+ Popups opened from a sandboxed iframe should themselves be sandboxed
+ https://bugs.webkit.org/show_bug.cgi?id=134850
+ <rdar://problem/27375388>
+
+ Reviewed by Brent Fulgham.
+
+ This replicates the behavior in Chrome, Firefox, and according to the reporter
+ also in Internet Explorer. See the Mozilla bug report:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1037381#c1
+
+ Test: http/tests/security/window-opened-from-sandboxed-iframe-should-inherit-sandbox.html
+
+ * page/Chrome.cpp:
+ (WebCore::Chrome::createWindow):
+ Now copies the opener's frame loader effective sandbox flags to the new
+ frame loader.
+
2016-08-05 Darin Adler <darin@apple.com>
* DerivedSources.make: Fix all places that were using tabs instead of spaces outside
Page* Chrome::createWindow(Frame* frame, const FrameLoadRequest& request, const WindowFeatures& features, const NavigationAction& action) const
{
+ ASSERT(frame);
Page* newPage = m_client.createWindow(frame, request, features, action);
if (!newPage)
return 0;
+ newPage->mainFrame().loader().forceSandboxFlags(frame->loader().effectiveSandboxFlags());
+
if (StorageNamespace* oldSessionStorage = m_page.sessionStorage(false))
newPage->setSessionStorage(oldSessionStorage->copy(newPage));