X-Frame-Options: Blocked resources should fire load events.
author mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2013 21:56:07 +0000 (21:56 +0000)
committer mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2013 21:56:07 +0000 (21:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=113192

Reviewed by Nate Chapin.

Source/WebCore:

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived):
    Fire a load event on the frame's owner element when denying access
    due to X-Frame-Options header content. This brings us in-line with
    Gecko and IE, which both trigger load events currently.

LayoutTests:

* http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
* http/tests/security/XFrameOptions/x-frame-options-deny.html:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
    Add some expectations around the 'load' event to ensure it's fired.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147164 268f45cc-cd09-0410-ab3c-d52691b4dbfc

15 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny.html
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt
LayoutTests/platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp

index 13df10a6cddf2eab06dbe54337b3547571e441a6..560f5bba9a93e12b74cacc7ae7ce81cdc499fa60 100644 (file)
@@ -1,3 +1,24 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Blocked resources should fire load events.
+        https://bugs.webkit.org/show_bug.cgi?id=113192
+
+        Reviewed by Nate Chapin.
+
+        * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
+        * http/tests/security/XFrameOptions/x-frame-options-deny.html:
+        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+        * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+            Add some expectations around the 'load' event to ensure it's fired.
+
 2013-03-28  Levi Weintraub  <leviw@chromium.org>
 
         Disable font measurement optimization for Chromium-mac when there are font-feature-settings.
index 0228326fdf4790ad002c4747cadb3b504461ff7c..4626684420c3da3cd768df3e2ae41811ebd39a69 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
 There should be no content in the iframe below
 
index 1d25226b244babb5e6384b381f7bb4116ac13f3d..b89332464db943342f3f8e80e3657c7e5f5a0baf 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+ALERT: PASS: onload fired.
 There should be content in the iframe below
 
 
index bbce42b7178cd87734ef674b432a9805071642d4..faad1485eb569a7531e8642471af344ee41b862f 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html" onload="alert('PASS: onload fired.');"></iframe>
index c3529cad94e97f909558fe9d68cabb568f9cc924..573f72079ec6c00840dc0f52066d7c9bed152878 100644 (file)
@@ -1,2 +1,3 @@
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.  
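Review bot: this expectation gains only one `ALERT: PASS: onload fired.` line (next to a single CONSOLE MESSAGE), yet x-frame-options-deny-multiple-clients.html puts the onload handler on both iframes, and the platform/chromium expectation for the same test records two console messages and two alerts. Please confirm whether the second blocked frame really fires no load event on this port or whether this baseline needs regenerating. If one alert is the intended result, a sentence in the ChangeLog explaining the difference would help.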
index 87afcaa69ac5f5011c994324a8b5572a224b9ea0..05be6d79c3bcdb421526449105c9eb40db882764 100644 (file)
@@ -8,7 +8,7 @@ if (window.testRunner)
 <body>
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.
 
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
 </body>
 </html>
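Review bot: both iframes alert the identical string 'PASS: onload fired.', so the expected output cannot distinguish each frame firing once from one frame firing twice. Give the two handlers distinct messages (for example a frame number in the text) so the expectation pins exactly one load event per blocked frame.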
index 3b486a2c22ffae1351b5da720295993cfc5c87c7..2c41f460ff3acd6e9be6aa18bd8a1583b87d07c0 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
index ad6e39f5eb27972617ec7e66f1927ab913139c54..3b7c242942a57df4a8a9223ff9105cec14e734f0 100644 (file)
@@ -1,6 +1,7 @@
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
 <unknown> - didFinishLoading
 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
 There should be no content in the iframe below
 
index 0c3e2af98766bf1fe1c08138a98f1bd59d1edb08..ee369df6a6c18495a4ee15e696001450626e673c 100644 (file)
@@ -7,4 +7,4 @@
 </script>
 
 <p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi" onload="alert('PASS: onload fired.');"></iframe>
index 123ffd2b590de4e150bbd27e2e6d036fa3d84c8b..90f453c392b684bd3bab64db2748f4ff54871b00 100644 (file)
@@ -1,5 +1,6 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
 There should be no content in the iframe below
 
index b0e3e551eb37f9095b137626b8a1492cd06b1fea..ac55dfe93e58e58300b8b2afc9d9e8b77bacf4cc 100644 (file)
@@ -1,6 +1,7 @@
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
 http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didFinishLoading
+ALERT: PASS: onload fired.
 There should be content in the iframe below
 
 
index 8b26eb927098a28d66a64e9d36c332cae5860ab1..c57fdd644f8cb15bdc8828152d726aadd126dd01 100644 (file)
@@ -1,3 +1,5 @@
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
 Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.  
index 85baf06b82f65df16b5816c423489c0ff88dfb3d..868fce80a276bc659f3385e296109d8b48f52924 100644 (file)
@@ -1,5 +1,6 @@
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
 CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
 http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
 There should be no content in the iframe below
 
index 2d1c1045d55f937afe5d0c507bdbdf3ac83dbcf5..40e474d8c04177314ad4e7ae71204f803dd00397 100644 (file)
@@ -1,3 +1,16 @@
+2013-03-28  Mike West  <mkwst@chromium.org>
+
+        X-Frame-Options: Blocked resources should fire load events.
+        https://bugs.webkit.org/show_bug.cgi?id=113192
+
+        Reviewed by Nate Chapin.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+            Fire a load event on the frame's owner element when denying access
+            due to X-Frame-Options header content. This brings us in-line with
+            Gecko and IE, which both trigger load events currently.
+
 2013-03-28  Tien-Ren Chen  <trchen@chromium.org>
 
         Support bottom-right anchored fixed-position elements during a pinch gesture
index 2d514ada267237bdbf6536e9423620085d87ea2e..010b06658ce0104d7fa5d54916dcf79a8a062ca5 100644 (file)
@@ -45,6 +45,7 @@
 #include "FrameLoaderClient.h"
 #include "FrameTree.h"
 #include "HTMLFormElement.h"
+#include "HTMLFrameOwnerElement.h"
 #include "HistoryItem.h"
 #include "InspectorInstrumentation.h"
 #include "Logging.h"
@@ -588,6 +589,8 @@ void DocumentLoader::responseReceived(CachedResource* resource, const ResourceRe
             InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, identifier, response);
             String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
             frame()->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, identifier);
+            if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
+                ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
             cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
             return;
         }
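Review bot: `ownerElement->dispatchEvent(...)` runs the embedding page's onload handler synchronously, before `cancelMainResourceLoad(frameLoader()->cancelledError(m_request))`. A handler that removes the iframe or changes its src would execute while this loader is still inside responseReceived, and the following line then goes through frameLoader() and m_request. Consider cancelling the load first and dispatching afterwards, or holding a protector on the frame and loader across the dispatch, and add a layout test whose onload handler removes the blocked iframe. The updated expectations record the alert ahead of didFailLoadingWithError, so any reordering will need the baselines regenerated.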