- Test that cross frame access to a window on a different port is denied.
- Adds a test for our behavior in the above case if document.domain is explicitly
set to the same domain for both frames. We currently fail this test and
a radar has been filed.
- Clean up cross-frame-access-protocol.html to work in Firefox as well.
* http/conf/apache2-httpd.conf: Listen on port 8080 now as well
* http/conf/cygwin-httpd.conf: Listen on port 8080 now as well
* http/conf/httpd.conf: Listen on port 8080 now as well
* http/tests/security/cross-frame-access-port-domain-expected.txt: Added.
* http/tests/security/cross-frame-access-port-domain.html: Added.
* http/tests/security/cross-frame-access-port-expected.txt: Added.
* http/tests/security/cross-frame-access-port.html: Added.
* http/tests/security/cross-frame-access-protocol.html:
* http/tests/security/resources/cross-frame-iframe-for-port-domain-test.html: Added.
* http/tests/security/resources/cross-frame-iframe-for-port-test.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@24746
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-07-27 Sam Weinig <sam@webkit.org>
+
+ Reviewed by Geoff Garen.
+
+ - Test that cross frame access to a window on a different port is denied.
+ - Adds test for out behavior of the above if document.domain is explicitly
+ set to the same domain for both frames. We currently fail this test and
+ a radar has been filed.
+ - Clean up cross-frame-access-protocol.html to work in FireFox as well.
+
+ * http/conf/apache2-httpd.conf: Listen on port 8080 now as well
+ * http/conf/cygwin-httpd.conf: Listen on port 8080 now as well
+ * http/conf/httpd.conf: Listen on port 8080 now as well
+ * http/tests/security/cross-frame-access-port-domain-expected.txt: Added.
+ * http/tests/security/cross-frame-access-port-domain.html: Added.
+ * http/tests/security/cross-frame-access-port-expected.txt: Added.
+ * http/tests/security/cross-frame-access-port.html: Added.
+ * http/tests/security/cross-frame-access-protocol.html:
+ * http/tests/security/resources/cross-frame-iframe-for-port-domain-test.html: Added.
+ * http/tests/security/resources/cross-frame-iframe-for-port-test.html: Added.
+
2007-07-27 Sam Weinig <sam@webkit.org>
Reviewed by Adam Roben.
# Port 8443 is hard-coded as it is needed for the HTTPS configuration later on.
#
#Listen 3000
-#Listen 127.0.0.1:8000
+Listen 127.0.0.1:8080
Listen 127.0.0.1:8443
#
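Review bot: The comment at the top of this hunk still says that only port 8443 is hard-coded, but the new `Listen 127.0.0.1:8080` line is hard-coded too, and the added security tests address `http://127.0.0.1:8080/...` directly. I would extend the comment, for example `# Ports 8080 and 8443 are hard-coded: 8080 is the second origin used by the cross-port security tests, 8443 is needed for the HTTPS configuration later on.` The last of the three config hunks carries the same comment and needs the same update. Keeping the listener bound to 127.0.0.1 rather than all interfaces is the right choice for a test server.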
# Configured from the httpd command line for WebKit layout tests.
#
#Listen 3000
-#Listen 127.0.0.1:8000
+Listen 127.0.0.1:8080
#
# Dynamic Shared Object (DSO) Support
# Port 8443 is hard-coded as it is needed for the HTTPS configuration later on.
#
#Listen 3000
-#Listen 127.0.0.1:8000
+Listen 127.0.0.1:8080
Listen 127.0.0.1:8443
#
--- /dev/null
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8080/security/resources/cross-frame-iframe-for-port-domain-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-port-domain.html. Domains, protocols and ports must match.
+
+This test currently fails because we check the port and protocol even if document.domain is explicitly set (rdar://problem/5366437).
+
+
+Fail: Cross frame access to different port after after explicitly setting document.domain was denied!
+
--- /dev/null
+<html>
+<p>This test currently fails because we check the port and protocol even if document.domain is explicitly set (rdar://problem/5366437).</p>
+<iframe id="aFrame"></iframe>
+<pre id="console"></pre>
+<script>
+ function log(s)
+ {
+ document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
+ }
+
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ document.domain = "127.0.0.1";
+
+ var targetWindow = frames[0];
+ if (!targetWindow.document.body)
+ log("FAIL: targetWindow started with no document, we won't know if the test passed or failed.");
+
+ var iframe = document.getElementById('aFrame');
+ iframe.src = "http://127.0.0.1:8080/security/resources/cross-frame-iframe-for-port-domain-test.html";
+
+ var testDone = false;
+
+ setTimeout(test, 1);
+
+ setTimeout(function() {
+ targetWindow.document.getElementById('accessMe').innerHTML = "PASS: Access allowed from frame with different port after explicitly setting document.domain.";
+ if (!testDone) {
+ log("Pass: Cross frame access to a different port was allowed.");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }, 5000);
+
+ function test() {
+ try {
+ if (targetWindow.document.body) {
+ setTimeout(test, 1);
+ return;
+ }
+ } catch (e) {
+ }
+
+ log("Fail: Cross frame access to different port after after explicitly setting document.domain was denied!");
+ testDone = true;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+</script>
+</html>
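Review bot: The 5000 ms timeout callback writes to `targetWindow.document.getElementById('accessMe').innerHTML` before it checks `testDone` and outside any `try`, yet the iframe resource added by this commit (cross-frame-iframe-for-port-domain-test.html) has no element with id `accessMe`. Once the engine honours `document.domain`, the lookup would return null and the assignment would throw, so neither the "Pass" line nor `notifyDone()` would run. While access is still denied, the same line presumably throws after the result has already been logged. I would move the write under the `testDone` check, guard it as below, and add `<p id="accessMe"></p>` to the resource so the test can pass once rdar://problem/5366437 is fixed.

```html
// … unchanged: log(), layoutTestController setup, document.domain, iframe.src, testDone, setTimeout(test, 1) …
setTimeout(function() {
    if (testDone)
        return;
    try {
        var marker = targetWindow.document.getElementById('accessMe');
        if (marker)
            marker.innerHTML = "PASS: Access allowed from frame with different port after explicitly setting document.domain.";
        log("Pass: Cross frame access to a different port was allowed.");
    } catch (e) {
        log("Fail: Cross frame access to different port after after explicitly setting document.domain was denied!");
    }
    if (window.layoutTestController)
        layoutTestController.notifyDone();
}, 5000);
// … unchanged: test() …
```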
--- /dev/null
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8080/security/resources/cross-frame-iframe-for-port-test.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-port.html. Domains, protocols and ports must match.
+
+
+PASS: Cross frame access to different port was denied!
+
--- /dev/null
+<html>
+<iframe id="aFrame"></iframe>
+<pre id="console"></pre>
+<script>
+ function log(s)
+ {
+ document.getElementById("console").appendChild(document.createTextNode(s + "\n"));
+ }
+
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ var targetWindow = frames[0];
+ if (!targetWindow.document.body)
+ log("FAIL: targetWindow started with no document, we won't know if the test passed or failed.");
+
+ var iframe = document.getElementById('aFrame');
+ iframe.src = "http://127.0.0.1:8080/security/resources/cross-frame-iframe-for-port-test.html";
+
+ var testDone = false;
+
+ setTimeout(test, 1);
+
+ setTimeout(function() {
+ if (!testDone) {
+ log("FAIL: Cross frame access to a different port was allowed.");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ }, 5000);
+
+ function test() {
+ try {
+ if (targetWindow.document.body) {
+ setTimeout(test, 1);
+ return;
+ }
+ } catch (e) {
+ }
+
+ log("PASS: Cross frame access to different port was denied!");
+ testDone = true;
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+</script>
+</html>
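Review bot: The `test()` poll at the end of the script logs PASS both when `targetWindow.document.body` throws and when it is merely falsy, and the empty `catch (e) {}` discards the exception. A document on the other port that is readable but observed before its body exists would presumably be recorded as a denial, which hides exactly the same-origin regression this test is meant to catch. Only a thrown access error should count: set a flag in the handler, `} catch (e) { denied = true; }`, and after the `try` keep polling with `if (!denied) { setTimeout(test, 1); return; }`. The same loop appears in cross-frame-access-port-domain.html and in the cross-frame-access-protocol.html hunk.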
}
var targetWindow = frames[0];
- if (!targetWindow.document)
+ if (!targetWindow.document.body)
log("FAIL: targetWindow started with no document, we won't know if the test passed or failed.");
var iframe = document.getElementById('aFrame');
iframe.src = "https://127.0.0.1:8443/ssl/resources/cross-frame-access-protocol-iframe.html";
+ var testDone = false;
+
setTimeout(test, 1);
setTimeout(function() {
- log("FAIL: Cross frame access to https from http was allowed.");
- if (window.layoutTestController)
- layoutTestController.notifyDone();
+ if (!testDone) {
+ log("FAIL: Cross frame access to https from http was allowed.");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
}, 5000);
function test() {
- if (targetWindow.document) {
- setTimeout(test, 1);
- return;
+ try {
+ if (targetWindow.document.body) {
+ setTimeout(test, 1);
+ return;
+ }
+ } catch (e) {
}
log("PASS: Cross frame access to https from http was denied!");
+ testDone = true;
if (window.layoutTestController)
layoutTestController.notifyDone();
}
--- /dev/null
+<html>
+<head>
+ <script>
+ document.domain = "127.0.0.1";
+ </script>
+</head>
+<body>
+ <p>This document (cross-frame-iframe-for-port-domain-test.html) was load over on port 8080.</p>
+</body>
+</html>
--- /dev/null
+<html>
+<body>
+ <p>This document (cross-frame-iframe-for-port-test.html) was load over on port 8080.</p>
+</body>
+</html>