Reviewed by Adam Barth.
Updates the test to make sure it is disabling universal access for
file:/// URLs (if the API is supported). This is required to do
effective intra-file:/// access tests.
Note that Safari only passes by virtue of supporting no directory
listings at all.
* fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html: Added.
* fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt:
* fast/xmlhttprequest/xmlhttprequest-nonexistent-file.html:
Disable universal access for file:/// URLs (if API available).
Run the real test in an iframe without universal access.
2009-11-22 Chris Evans <cevans@chromium.org>
Reviewed by Adam Barth.
Deny access to directory listings. This needs doing in WebKit for
WebKit clients that do permit top-level navigation to file:///dir.
This matches Firefox, plus the existing Safari implementation (which
does not support any directory access at all). It will fix the
LayoutTest named below for Chromium.
Test: fast/xmlhttprequest/xmlhttprequest-nonexistent-file.html
* page/SecurityOrigin.cpp: Deny access to directory listings.
(WebCore::SecurityOrigin::SecurityOrigin):
(WebCore::SecurityOrigin::canRequest):
2009-11-22 Chris Evans <cevans@chromium.org>
Reviewed by Adam Barth.
Implemented setAllowUniversalAccessFromFileURLs to support testing of
file URL security.
* DumpRenderTree/LayoutTestController.cpp:
(setAllowUniversalAccessFromFileURLsCallback):
(LayoutTestController::staticFunctions):
* DumpRenderTree/LayoutTestController.h:
* DumpRenderTree/gtk/LayoutTestControllerGtk.cpp:
(LayoutTestController::setAllowUniversalAccessFromFileURLs):
* DumpRenderTree/mac/LayoutTestControllerMac.mm:
(LayoutTestController::setAllowUniversalAccessFromFileURLs):
* DumpRenderTree/win/LayoutTestControllerWin.cpp:
(LayoutTestController::setAllowUniversalAccessFromFileURLs):
* DumpRenderTree/wx/LayoutTestControllerWx.cpp:
(LayoutTestController::setAllowUniversalAccessFromFileURLs):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51294
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2009-11-22 Chris Evans <cevans@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Updates the test to make sure it is disabling universal access for
+ file:/// URLs (if the API is supported). This is required to do
+ effective intra-file:/// access tests.
+ Note that Safari only passes by virtual of supporting no directory
+ listings at all.
+
+ * fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html: Added.
+ * fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt:
+ * fast/xmlhttprequest/xmlhttprequest-nonexistent-file.html:
+ Disable universal access for file:/// URLs (if API available).
+ Run the real test in an iframe without universal access.
+
2009-11-21 Simon Fraser <simon.fraser@apple.com>
Reviewed by Dan Bernstein.
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+ <script>
+ function log(message)
+ {
+ var console = document.getElementById('console');
+ console.appendChild(document.createTextNode(message));
+ console.appendChild(document.createElement('br'));
+ }
+
+ function errorHandler()
+ {
+ log("Error handler: readyState = " + xhr.readyState);
+ var results = window.top.document.getElementById('results');
+ results.innerHTML = document.body.innerHTML;
+ }
+
+ function readyStateHandlerDirectory()
+ {
+ log("ReadyState handler: readyState = " + xhr.readyState);
+ if (xhr.readyState == 4 && window.layoutTestController) {
+ setTimeout("layoutTestController.notifyDone()", 0);
+ }
+ }
+
+ function testXHRDirectory()
+ {
+ log("");
+ log("Doing an XHR to a directory.");
+ xhr = new XMLHttpRequest();
+ xhr.onerror = errorHandler;
+ xhr.onreadystatechange = readyStateHandlerDirectory;
+
+ try {
+ xhr.open("GET", "../resources/", false);
+ xhr.send("");
+ } catch(e) {
+ log("Exception: " + e.message);
+ }
+ }
+
+ function readyStateHandlerNonExistent()
+ {
+ log("ReadyState handler: readyState = " + xhr.readyState);
+ if (xhr.readyState == 4)
+ setTimeout("testXHRDirectory()", 0);
+ }
+
+ function testXHRNonExistentFile()
+ {
+ log("Doing an XHR to a nonexistent file.");
+ xhr = new XMLHttpRequest();
+ xhr.onerror = errorHandler;
+ xhr.onreadystatechange = readyStateHandlerNonExistent;
+
+ try {
+ xhr.open("GET", "nonexistent.html", true);
+ xhr.send("");
+ } catch(e) {
+ log("Exception: " + e.message);
+ testXHRDirectory();
+ }
+ }
+ </script>
+ </head>
+ <body onload="testXHRNonExistentFile()">
+ <p> Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=22475">22475</a>: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore </p>
+ <p> In both cases, readyState 4 should be reached, and error handler should be invoked. </p>
+ <div id="console"/>
+ </body>
+</html>
+
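Review bot: The log is copied into the top frame's `results` only inside `errorHandler`, and `layoutTestController.notifyDone()` is reached only from `readyStateHandlerDirectory` at `readyState == 4`, while `testXHRDirectory` now opens the request synchronously (`false`). If the denied synchronous `send()` throws without both handlers having run (the event ordering is not visible on this page), the `catch` block logs only into the iframe, so the `Exception:` line never reaches `results` and the run may end in a timeout instead of a readable diff. I would mirror the log from the `catch` as well, with `window.top.document.getElementById('results').innerHTML = document.body.innerHTML;` after the `log(...)` call. A short comment above `errorHandler` explaining that the output is copied to the parent because the parent is the document being dumped (presumably, given `dumpAsText()` is called there) would help the next reader.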
Bug 22475: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore
In both cases, readyState 4 should be reached, and error handler should be invoked.
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
- <script>
- function log(message)
- {
- var console = document.getElementById('console');
- console.appendChild(document.createTextNode(message));
- console.appendChild(document.createElement('br'));
- }
-
- function errorHandler()
- {
- log("Error handler: readyState = " + xhr.readyState);
- }
-
- function readyStateHandlerDirectory()
- {
- log("ReadyState handler: readyState = " + xhr.readyState);
- if (xhr.readyState == 4 && window.layoutTestController) {
- setTimeout("layoutTestController.notifyDone()", 0);
- }
- }
-
- function testXHRDirectory()
- {
- log("");
- log("Doing an XHR to a directory.");
- xhr = new XMLHttpRequest();
- xhr.onerror = errorHandler;
- xhr.onreadystatechange = readyStateHandlerDirectory;
-
- try {
- xhr.open("GET", "resources", true);
- xhr.send("");
- } catch(e) {
- log("Exception: " + e.message);
- }
- }
-
- function readyStateHandlerNonExistent()
- {
- log("ReadyState handler: readyState = " + xhr.readyState);
- if (xhr.readyState == 4)
- setTimeout("testXHRDirectory()", 0);
- }
-
- function testXHRNonExistentFile()
- {
- if (window.layoutTestController) {
- layoutTestController.dumpAsText();
- layoutTestController.waitUntilDone();
- }
-
- log("Doing an XHR to a nonexistent file.");
- xhr = new XMLHttpRequest();
- xhr.onerror = errorHandler;
- xhr.onreadystatechange = readyStateHandlerNonExistent;
-
- try {
- xhr.open("GET", "nonexistent.html", true);
- xhr.send("");
- } catch(e) {
- log("Exception: " + e.message);
- testXHRDirectory();
- }
- }
- </script>
- </head>
- <body onload="testXHRNonExistentFile()">
- <p> Bug <a href="https://bugs.webkit.org/show_bug.cgi?id=22475">22475</a>: REGRESSION: Async XMLHttpRequest never finishes on nonexistent files anymore </p>
- <p> In both cases, readyState 4 should be reached, and error handler should be invoked. </p>
- <div id="console"/>
- </body>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setAllowUniversalAccessFromFileURLs(false);
+}
+</script>
+</head>
+<body>
+<iframe src="resources/xmlhttprequest-nonexistent-file-real.html"></iframe>
+<div id="results"></div>
+</body>
</html>
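Review bot: `layoutTestController.setAllowUniversalAccessFromFileURLs(false)` is called without checking that the method exists, although the ChangeLog entry describes it as done "if API available". A harness that exposes `layoutTestController` without this method would throw here, and on ports where the method is only a stub the iframe test runs with whatever universal-access default the port has, so a pass or failure there says nothing about the directory check. Guarding the call, `if (layoutTestController.setAllowUniversalAccessFromFileURLs) layoutTestController.setAllowUniversalAccessFromFileURLs(false);`, and adding a comment that the framed test is only meaningful with universal access off, would make that dependency explicit.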
+2009-11-22 Chris Evans <cevans@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Deny access to directory listings. This needs doing in WebKit for
+ WebKit clients that do permit top-level navigation to file:///dir.
+ This matches Firefox, plus the existing Safari implementation (which
+ does not support any directory access at all). It will fix the
+ LayoutTest named below for Chromium.
+
+ Test: fast/xmlhttprequest/xmlhttprequest-nonexistent-file.html
+
+ * page/SecurityOrigin.cpp: Deny access to directory listings.
+ (WebCore::SecurityOrigin::SecurityOrigin):
+ (WebCore::SecurityOrigin::canRequest):
+
2009-11-20 Joseph Pecoraro <joepeck@webkit.org>
Reviewed by Timothy Hatcher.
// By default, only local SecurityOrigins can load local resources.
m_canLoadLocalResources = isLocal();
+ if (m_canLoadLocalResources) {
+ // Directories should never be readable.
+ if (!url.hasPath() || url.path().endsWith("/"))
+ m_noAccess = true;
+ }
if (isDefaultPortForProtocol(m_port, m_protocol))
m_port = 0;
return false;
RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
+ if (targetOrigin->m_noAccess)
+ return false;
// We call isSameSchemeHostPort here instead of canAccess because we want
// to ignore document.domain effects.
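Review bot: The directory test added to the constructor is purely lexical, `if (!url.hasPath() || url.path().endsWith("/"))`, so only URLs spelled with a trailing slash are marked `m_noAccess`. A local URL that names a directory without the slash is not caught here, and the layout test in this commit moved from requesting `"resources"` to `"../resources/"`. Unless the loader normalises or refuses the slashless form somewhere not shown on this page, the denial should be backed by a check at the point where the file is actually opened. The comment should at least state the assumption, for example `// Directories should never be readable. Detected by trailing slash only; slashless directory paths must be rejected by the loader.` Both function bodies continue outside the hunks; in `canRequest` the new `targetOrigin->m_noAccess` test follows an early return that is cut off above, so whether origins granted universal access skip it cannot be confirmed from here.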
+2009-11-22 Chris Evans <cevans@chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Implemented setAllowUniversalAccessFromFileURLs to support testing of
+ file URL security.
+
+ * DumpRenderTree/LayoutTestController.cpp:
+ (setAllowUniversalAccessFromFileURLsCallback):
+ (LayoutTestController::staticFunctions):
+ * DumpRenderTree/LayoutTestController.h:
+ * DumpRenderTree/gtk/LayoutTestControllerGtk.cpp:
+ (LayoutTestController::setAllowUniversalAccessFromFileURLs):
+ * DumpRenderTree/mac/LayoutTestControllerMac.mm:
+ (LayoutTestController::setAllowUniversalAccessFromFileURLs):
+ * DumpRenderTree/win/LayoutTestControllerWin.cpp:
+ (LayoutTestController::setAllowUniversalAccessFromFileURLs):
+ * DumpRenderTree/wx/LayoutTestControllerWx.cpp:
+ (LayoutTestController::setAllowUniversalAccessFromFileURLs):
+
2009-11-22 Jakub Wieczorek <faw217@gmail.com>
Reviewed by Kenneth Rohde Christiansen.
return JSValueMakeUndefined(context);
}
+static JSValueRef setAllowUniversalAccessFromFileURLsCallback(JSContextRef context, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+ // Has mac & windows implementation
+ if (argumentCount < 1)
+ return JSValueMakeUndefined(context);
+
+ LayoutTestController* controller = static_cast<LayoutTestController*>(JSObjectGetPrivate(thisObject));
+ controller->setAllowUniversalAccessFromFileURLs(JSValueToBoolean(context, arguments[0]));
+
+ return JSValueMakeUndefined(context);
+}
+
static JSValueRef setTabKeyCyclesThroughElementsCallback(JSContextRef context, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
{
// Has mac & windows implementation
{ "removeAllVisitedLinks", removeAllVisitedLinksCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
{ "repaintSweepHorizontally", repaintSweepHorizontallyCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
{ "setAcceptsEditing", setAcceptsEditingCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
+ { "setAllowUniversalAccessFromFileURLs", setAllowUniversalAccessFromFileURLsCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
{ "setAlwaysAcceptCookies", setAlwaysAcceptCookiesCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
{ "setAppCacheMaximumSize", setAppCacheMaximumSizeCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
{ "setAuthenticationPassword", setAuthenticationPasswordCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
void removeAllVisitedLinks();
void setAcceptsEditing(bool acceptsEditing);
void setAppCacheMaximumSize(unsigned long long quota);
+ void setAllowUniversalAccessFromFileURLs(bool);
void setAuthorAndUserStylesEnabled(bool);
void setCacheModel(int);
void setCustomPolicyDelegate(bool setDelegate, bool permissive);
g_object_set(G_OBJECT(settings), "enable-xss-auditor", flag, NULL);
}
+void LayoutTestController::setAllowUniversalAccessFromFileURLs(bool flag)
+{
+ // FIXME: implement
+}
+
void LayoutTestController::setAuthorAndUserStylesEnabled(bool flag)
{
// FIXME: implement
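Review bot: The GTK `setAllowUniversalAccessFromFileURLs` is an empty stub, and the wx one later in this commit is the same, yet the shared `staticFunctions` table registers the JavaScript function on every port. A test therefore cannot tell from script that the setting was not applied, and file:/// security tests on these ports will run with the port's default universal-access behaviour. I would make the stub say so, e.g. `// FIXME: implement. Until then file:/// access tests run with the port default and their results are not meaningful here.`, and consider skipping the affected tests on these ports.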
[[[mainFrame webView] preferences] setXSSAuditorEnabled:enabled];
}
+void LayoutTestController::setAllowUniversalAccessFromFileURLs(bool enabled)
+{
+ [[[mainFrame webView] preferences] setAllowUniversalAccessFromFileURLs:enabled];
+}
+
void LayoutTestController::setPopupBlockingEnabled(bool popupBlockingEnabled)
{
[[[mainFrame webView] preferences] setJavaScriptCanOpenWindowsAutomatically:!popupBlockingEnabled];
prefsPrivate->setXSSAuditorEnabled(enabled);
}
+void LayoutTestController::setAllowUniversalAccessFromFileURLs(bool enabled)
+{
+ COMPtr<IWebView> webView;
+ if (FAILED(frame->webView(&webView)))
+ return;
+
+ COMPtr<IWebPreferences> preferences;
+ if (FAILED(webView->preferences(&preferences)))
+ return;
+
+ COMPtr<IWebPreferencesPrivate> prefsPrivate(Query, preferences);
+ if (!prefsPrivate)
+ return;
+
+ prefsPrivate->setAllowUniversalAccessFromFileURLs(enabled);
+}
+
void LayoutTestController::setPopupBlockingEnabled(bool enabled)
{
COMPtr<IWebView> webView;
// FIXME: implement
}
+void LayoutTestController::setAllowUniversalAccessFromFileURLs(bool enabled)
+{
+ // FIXME: implement
+}
+
void LayoutTestController::setAuthorAndUserStylesEnabled(bool flag)
{
// FIXME: implement