Sandbox flags do not support document.domain control
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 23:27:08 +0000 (23:27 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 23:27:08 +0000 (23:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175281
<rdar://problem/33778936>

Reviewed by Chris Dumez.

Source/WebCore:

Update the 'setDomain' logic to honor the sandbox properties as defined in the current
HTML5 specification. This brings us in line with how Chrome and other browsers have
worked for some time.

Test: fast/frames/sandboxed-iframe-domain.html

* dom/Document.cpp:
(WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
* dom/SecurityContext.h:

LayoutTests:

* fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
* fast/frames/sandboxed-iframe-domain.html: Added.
* fast/frames/sandboxed-iframe-domain-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220427 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html [new file with mode: 0644]
LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/sandboxed-iframe-domain.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/SecurityContext.h

index d2b01505cfd1c1f8227406a27b2b525e0ee4ced0..612d008d186c959a4c84fbf0f929ea9858610902 100644 (file)
@@ -1,3 +1,15 @@
+2017-08-08  Brent Fulgham  <bfulgham@apple.com>
+
+        Sandbox flags do not support document.domain control
+        https://bugs.webkit.org/show_bug.cgi?id=175281
+        <rdar://problem/33778936>
+
+        Reviewed by Chris Dumez.
+
+        * fast/frames/resources/sandboxed-iframe-set-domain.html: Added.
+        * fast/frames/sandboxed-iframe-domain.html: Added.
+        * fast/frames/sandboxed-iframe-domain-expected.txt: Added.
+
 2017-08-08  Matt Lewis  <jlewis3@apple.com>
 
         Skipping imported/w3c/IndexedDB-private-browsing/idbfactory_open12.html
diff --git a/LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html b/LayoutTests/fast/frames/resources/sandboxed-iframe-set-domain.html
new file mode 100644 (file)
index 0000000..00ee059
--- /dev/null
@@ -0,0 +1,14 @@
+<script>
+function runTest()
+{
+    try {
+        document.domain = 'localhost';
+        window.top.performedDomainChange("Allowed to set document.domain", true);
+    } catch (e) {
+        window.top.performedDomainChange("Denied: " + e.message, false);
+    }
+}
+</script>
+<body onload="runTest();">
+    TEST CONTENT
+</body>
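Review bot: the frame reports only the exception text in the catch branch, so the expectation pins the fact that an exception was thrown but not the effect; consider also reporting the value of document.domain after the try/catch so the output confirms the denied assignment left it unchanged. Note that the callback to window.top.performedDomainChange is only reachable because the parent grants allow-same-origin in the sandbox attribute; without that token the frame would have an opaque origin and the report back to the parent would itself be blocked.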
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-domain-expected.txt
new file mode 100644 (file)
index 0000000..d19aaa4
--- /dev/null
@@ -0,0 +1,11 @@
+This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Denied: Assignment is forbidden for sandboxed iframes.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+PASS
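Review bot: the expected output embeds the exact exception message produced in Document::setDomain ("Assignment is forbidden for sandboxed iframes."), so any rewording of that string in WebCore requires rebaselining this file; if the wording is not part of what the test is meant to guard, have the frame report a fixed token for the denied case instead of e.message and keep the message out of the expectation.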
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-domain.html b/LayoutTests/fast/frames/sandboxed-iframe-domain.html
new file mode 100644 (file)
index 0000000..ec33e78
--- /dev/null
@@ -0,0 +1,19 @@
+<html>
+<head>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("This test verifies that a sandboxed iframe does not have permission to modify the document.domain property.");
+
+function performedDomainChange(message, allowed)
+{
+    debug(message);
+    document.getElementById("test_status").innerHTML = (allowed ? "FAIL" : "PASS");
+    finishJSTest();
+}
+</script>
+</head>
+<body>
+    <iframe sandbox="allow-scripts allow-same-origin" src="resources/sandboxed-iframe-set-domain.html"></iframe>
+    <p id='test_status'>FAIL: Script didn't run</p>
+</body>
+</html>
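Review bot: completion depends on the iframe's onload callback running before the top document's load event ends the test, but the page never sets window.jsTestIsAsync = true; declaring the test async and letting finishJSTest() signal completion would make that ordering explicit rather than implicit. Minor: test_status only ever holds plain text, so textContent is preferable to innerHTML, and the single-quoted id on that <p> differs from the double quotes used elsewhere in the file.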
index 0475c4c686711be8141c6f0f0ed7ea6f35961ecf..d483fe902df5810ee94bc49acc1dd0777b6d0a2a 100644 (file)
@@ -1,3 +1,21 @@
+2017-08-08  Brent Fulgham  <bfulgham@apple.com>
+
+        Sandbox flags do not support document.domain control
+        https://bugs.webkit.org/show_bug.cgi?id=175281
+        <rdar://problem/33778936>
+
+        Reviewed by Chris Dumez.
+
+        Update the 'setDomain' logic to honor the sandbox properties as defined in the current
+        HTML5 specification. This brings us in line with how Chrome and other browsers have
+        worked for some time.
+
+        Test: fast/frames/sandboxed-iframe-domain.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setDomain): Add check for sandbox flag (with appropriate error message)
+        * dom/SecurityContext.h:
+
 2017-08-08  Jeremy Jones  <jeremyj@apple.com>
 
         Change fast seek logic to prevent ping-ponging.
index c893bcd1bfeceee162c253983d99192c71f18e04..96d338378384e98e65ae47dec9d432b05b531c1b 100644 (file)
@@ -4487,11 +4487,12 @@ ExceptionOr<void> Document::setDomain(const String& newDomain)
     if (!frame())
         return Exception { SecurityError, "A browsing context is required to set a domain." };
 
+    if (isSandboxed(SandboxDocumentDomain))
+        return Exception { SecurityError, "Assignment is forbidden for sandboxed iframes." };
+
     if (SchemeRegistry::isDomainRelaxationForbiddenForURLScheme(securityOrigin().protocol()))
         return Exception { SecurityError };
 
-    // FIXME(175281): Check for 'document.domain' sandbox flag and return an exception if present.
-
     // FIXME: We should add logging indicating why a domain was not allowed.
 
     const String& effectiveDomain = domain();
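Review bot: the error message "Assignment is forbidden for sandboxed iframes." over-specifies the cause: sandbox flags are also applied by a Content-Security-Policy sandbox directive, so a top-level document with no iframe involved would hit this same branch; "for sandboxed documents" (the spec's own term) would be accurate in both cases. The placement itself is right: the spec checks the sandboxed document.domain flag immediately after the browsing-context check and before the scheme and effective-domain comparisons, so even assigning the document's current domain throws, which is the intended behaviour.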
index a46f985cde73537df9c06581b44aaa3ee6a03194..06ebd424b35cb30330c609d9154ce7167139149b 100644 (file)
@@ -51,6 +51,7 @@ enum SandboxFlag {
     SandboxPointerLock          = 1 << 8,
     SandboxPropagatesToAuxiliaryBrowsingContexts = 1 << 9,
     SandboxTopNavigationByUserActivation = 1 << 10,
+    SandboxDocumentDomain       = 1 << 11,
     SandboxAll                  = -1 // Mask with all bits set to 1.
 };
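Review bot: because SandboxAll is the -1 mask, the new SandboxDocumentDomain bit is set for every sandboxed document by default and stays set unless some allow-* token clears it; this hunk does not touch the sandbox attribute parser, so it is worth confirming that no existing token clears bit 11 (the spec defines no allow-* token for document.domain), otherwise the flag would be dropped silently and the new check in Document::setDomain would never fire.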