https://bugs.webkit.org/show_bug.cgi?id=175281
<rdar://problem/33778936>
Reviewed by Chris Dumez.
Source/WebCore:
Update the 'setDomain' logic to honor the sandbox properties as defined in the current
HTML5 specification. This brings us in line with how Chrome and other browsers have
worked for some time.
Test: fast/frames/sandboxed-iframe-domain.html
* dom/Document.cpp:
(WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
* dom/SecurityContext.h:
LayoutTests:
* fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
* fast/frames/sandboxed-iframe-domain.html: Added.
* fast/frames/sandboxed-iframe-domain-expected.txt: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220427 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-08-08 Brent Fulgham <bfulgham@apple.com>
+
+ Sandbox flags do not support document.domain control
+ https://bugs.webkit.org/show_bug.cgi?id=175281
+ <rdar://problem/33778936>
+
+ Reviewed by Chris Dumez.
+
+ * fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
+ * fast/frames/sandboxed-iframe-domain.html: Added.
+ * fast/frames/sandboxed-iframe-domain-expected.txt: Added.
+
2017-08-08 Matt Lewis <jlewis3@apple.com>
Skipping imported/w3c/IndexedDB-private-browsing/idbfactory_open12.html
--- /dev/null
+<script>
+function runTest()
+{
+ try {
+ document.domain = 'localhost';
+ window.top.performedDomainChange("Allowed to set document.domain", true);
+ } catch (e) {
+ window.top.performedDomainChange("Denied: " + e.message, false);
+ }
+}
+</script>
+<body onload="runTest();">
+ TEST CONTENT
+</body>
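Review bot: In runTest(), the success callback window.top.performedDomainChange("Allowed to set document.domain", true) sits inside the try block, so an exception thrown by the callback itself would fall into the catch and be reported as "Denied". The catch also treats every exception as the sandbox denial. Suggest keeping only the document.domain assignment inside the try, reporting the result after it, and checking that e.name is "SecurityError" before reporting a denial.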
--- /dev/null
+This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Denied: Assignment is forbidden for sandboxed iframes.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+PASS
--- /dev/null
+<html>
+<head>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.");
+
+function performedDomainChange(message, allowed)
+{
+ debug(message);
+ document.getElementById("test_status").innerHTML = (allowed ? "FAIL" : "PASS");
+ finishJSTest();
+}
+</script>
+</head>
+<body>
+ <iframe sandbox="allow-scripts allow-same-origin" src="resources/sandboxed-iframe-set-domain.html"></iframe>
+ <p id='test_status'>FAIL: Script didn't run</p>
+</body>
+</html>
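Review bot: performedDomainChange() writes PASS whenever allowed is false, and the only frame under test is the one with sandbox="allow-scripts allow-same-origin", so the status line cannot tell the new sandbox denial apart from a denial for any other reason; only the message line in the expected output pins it down. Suggest adding a control iframe without the sandbox attribute that loads the same resource, to show the assignment succeeds when unsandboxed, or comparing the message against the expected string before writing PASS.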
+2017-08-08 Brent Fulgham <bfulgham@apple.com>
+
+ Sandbox flags do not support document.domain control
+ https://bugs.webkit.org/show_bug.cgi?id=175281
+ <rdar://problem/33778936>
+
+ Reviewed by Chris Dumez.
+
+ Update the 'setDomain' logic to honor the sandbox properties as defined in the current
+ HTML5 specification. This brings us in line with how Chrome and other browsers have
+ worked for some time.
+
+ Test: fast/frames/sandboxed-iframe-domain.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
+ * dom/SecurityContext.h:
+
2017-08-08 Jeremy Jones <jeremyj@apple.com>
Change fast seek logic to prevent ping-ponging.
if (!frame())
return Exception { SecurityError, "A browsing context is required to set a domain." };
+ if (isSandboxed(SandboxDocumentDomain))
+ return Exception { SecurityError, "Assignment is forbidden for sandboxed iframes." };
+
if (SchemeRegistry::isDomainRelaxationForbiddenForURLScheme(securityOrigin().protocol()))
return Exception { SecurityError };
- // FIXME(175281): Check for 'document.domain' sandbox flag and return an exception if present.
-
// FIXME: We should add logging indicating why a domain was not allowed.
const String& effectiveDomain = domain();
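Review bot: The message on the new isSandboxed(SandboxDocumentDomain) branch, "Assignment is forbidden for sandboxed iframes.", names iframes, but the check reads the document's sandbox flags and not how the document is embedded. Wording such as "sandboxed documents" would stay accurate wherever the flag is set; the expected output in sandboxed-iframe-domain-expected.txt would need the same change.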
SandboxPointerLock = 1 << 8,
SandboxPropagatesToAuxiliaryBrowsingContexts = 1 << 9,
SandboxTopNavigationByUserActivation = 1 << 10,
+ SandboxDocumentDomain = 1 << 11,
SandboxAll = -1 // Mask with all bits set to 1.
};
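Review bot: SandboxDocumentDomain = 1 << 11 is added without a comment, and the ChangeLog lists no change beyond Document.cpp and this header, so the flag appears to be set only through masks such as SandboxAll. If the intent is that no allow- token clears it, which is what the new test relies on with allow-scripts allow-same-origin, a one-line comment on the enumerator saying so would keep a later change to the sandbox parsing from silently dropping the restriction.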