https://bugs.webkit.org/show_bug.cgi?id=113192
Reviewed by Nate Chapin.
Source/WebCore:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived):
Fire a load event on the frame's owner element when denying access
due to X-Frame-Options header content. This brings us in-line with
Gecko and IE, which both trigger load events currently.
LayoutTests:
* http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
* http/tests/security/XFrameOptions/x-frame-options-deny.html:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
* http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
* platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
Add some expectations around the 'load' event to ensure it's fired.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147164 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2013-03-28 Mike West <mkwst@chromium.org>
+
+ X-Frame-Options: Blocked resources should fire load events.
+ https://bugs.webkit.org/show_bug.cgi?id=113192
+
+ Reviewed by Nate Chapin.
+
+ * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients.html:
+ * http/tests/security/XFrameOptions/x-frame-options-deny.html:
+ * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+ * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-deny-multiple-clients-expected.txt:
+ * platform/chromium/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt:
+ Add some expectations around the 'load' event to ensure it's fired.
+
2013-03-28 Levi Weintraub <leviw@chromium.org>
Disable font measurement optimization for Chromium-mac when there are font-feature-settings.
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
There should be no content in the iframe below
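Review bot: the new ALERT line sits between the "Refused to display" console message and didFailLoadingWithError, so this expectation pins the onload handler running before the blocked load has been cancelled. If that ordering is intentional, say so in the ChangeLog entry. If it is not, the expectation will need to change when the dispatch moves after the cancellation.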
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
+ALERT: PASS: onload fired.
There should be content in the iframe below
</script>
<p>There should be content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html" onload="alert('PASS: onload fired.');"></iframe>
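Review bot: the onload handler added to this iframe does not exercise the new dispatch path. The page states that there should be content in the iframe, and the expected output for this test shows an HTTP 200 response with no "Refused to display" message, so the load event here comes from an ordinary successful load. Keeping it as a control is reasonable, but a distinct alert string for the allowed case would make clear in the results which tests cover the blocked path.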
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.
<body>
Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
-<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
+<iframe src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
</body>
</html>
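Review bot: both iframes use the identical string alert('PASS: onload fired.'), so the expected output cannot distinguish each frame firing once from one frame firing twice. Suggest a distinct message per frame. Since this test exists to catch crashes when loads are cancelled inside didReceiveResponse(), it is also the natural place for a variant whose onload handler removes its own iframe, which would cover re-entrancy through the newly added event dispatch.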
</script>
<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi" onload="alert('PASS: onload fired.');"></iframe>
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
<unknown> - didFinishLoading
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
There should be no content in the iframe below
</script>
<p>There should be no content in the iframe below</p>
-<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi"></iframe>
+<iframe style="width:500px; height:500px" src="http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi" onload="alert('PASS: onload fired.');"></iframe>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny.html, http method GET> redirectResponse (null)
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi">
There should be no content in the iframe below
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - willSendRequest <NSURLRequest URL http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html, http method GET> redirectResponse (null)
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didReceiveResponse <NSURLResponse http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html, http status code 200>
http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html - didFinishLoading
+ALERT: PASS: onload fired.
There should be content in the iframe below
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+ALERT: PASS: onload fired.
Test that two main resources pointing to the same url that are canceled within didReceiveResponse() don't cause us to crash.
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - willSendRequest <NSURLRequest URL http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi, main document URL http://127.0.0.1:8000/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html, http method GET> redirectResponse (null)
CONSOLE MESSAGE: Refused to display 'http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
+ALERT: PASS: onload fired.
http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi - didFailLoadingWithError: <NSError domain NSURLErrorDomain, code -999, failing URL "http://localhost:8000/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi">
There should be no content in the iframe below
+2013-03-28 Mike West <mkwst@chromium.org>
+
+ X-Frame-Options: Blocked resources should fire load events.
+ https://bugs.webkit.org/show_bug.cgi?id=113192
+
+ Reviewed by Nate Chapin.
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::responseReceived):
+ Fire a load event on the frame's owner element when denying access
+ due to X-Frame-Options header content. This brings us in-line with
+ Gecko and IE, which both trigger load events currently.
+
2013-03-28 Tien-Ren Chen <trchen@chromium.org>
Support bottom-right anchored fixed-position elements during a pinch gesture
#include "FrameLoaderClient.h"
#include "FrameTree.h"
#include "HTMLFormElement.h"
+#include "HTMLFrameOwnerElement.h"
#include "HistoryItem.h"
#include "InspectorInstrumentation.h"
#include "Logging.h"
InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, identifier, response);
String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
frame()->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, identifier);
+ if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
+ ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
return;
}
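Review bot: the load event is dispatched synchronously before cancelMainResourceLoad(frameLoader()->cancelledError(m_request)), and a load handler can run arbitrary script, including removing the owner iframe. That leaves two lifetime questions in this hunk. First, ownerElement is a raw HTMLFrameOwnerElement* during dispatchEvent; holding it in a RefPtr for the duration of the dispatch would keep it alive if the handler detaches it. Second, after the handler returns, the following line still dereferences frameLoader() and uses m_request; if the frame was detached in the handler, that call needs either a guard on frame() or a reordering so the cancellation error is computed (or the load cancelled) before the event is dispatched, with this DocumentLoader protected across the call. A layout test whose onload handler removes the iframe would confirm whichever ordering is chosen.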