Evaluating window named element may return wrong result
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 18 May 2017 19:40:48 +0000 (19:40 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 18 May 2017 19:40:48 +0000 (19:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=166792
<rdar://problem/29801059>

Reviewed by Chris Dumez.

Add tests to ensure we do not regress evaluation of window named elements.

* http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt: Added.
* http/tests/security/named-window-property-from-same-origin-inactive-document.html: Added.
* http/tests/security/resources/innocent-victim-with-named-elements.html: Added.
* http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt: Added.
* http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@217061 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html [new file with mode: 0644]

index f70961b..bde6c7f 100644 (file)
@@ -1,3 +1,19 @@
+2017-05-18  Daniel Bates  <dabates@apple.com>
+
+        Evaluating window named element may return wrong result
+        https://bugs.webkit.org/show_bug.cgi?id=166792
+        <rdar://problem/29801059>
+
+        Reviewed by Chris Dumez.
+
+        Add tests to ensure we do not regress evaluation of window named elements.
+
+        * http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt: Added.
+        * http/tests/security/named-window-property-from-same-origin-inactive-document.html: Added.
+        * http/tests/security/resources/innocent-victim-with-named-elements.html: Added.
+        * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt: Added.
+        * http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html: Added.
+
 2017-05-18  Andy Estes  <aestes@apple.com>
 
         Add "countryCode" to ApplePayErrorContactField
diff --git a/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt b/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document-expected.txt
new file mode 100644 (file)
index 0000000..0718ad5
--- /dev/null
@@ -0,0 +1,15 @@
+This tests that an inactive document can access a named element in a same-origin active document.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Lookup named element whose name corresponds to an element in the initial about:blank document:
+PASS frame.contentDocument.getElementById('A') is not elementAInInactiveDocument
+PASS elementAInActiveDocumentFunction() is frame.contentDocument.getElementById('A')
+
+Lookup named element whose name does not correspond to an element in the initial about:blank document:
+PASS elementBInActiveDocumentFunction() is frame.contentDocument.getElementById('B')
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html b/LayoutTests/http/tests/security/named-window-property-from-same-origin-inactive-document.html
new file mode 100644 (file)
index 0000000..e7e4b61
--- /dev/null
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+</script>
+</head>
+<body>
+<script>
+description("This tests that an inactive document can access a named element in a same-origin active document.");
+
+var frame = document.body.appendChild(document.createElement("iframe")); // Loads about:blank
+
+var frameDocument = frame.contentDocument;
+var elementAInInactiveDocument = frameDocument.createElement("div");
+elementAInInactiveDocument.id = "A";
+frameDocument.body.appendChild(elementAInInactiveDocument);
+
+var elementAInActiveDocumentFunction = frame.contentWindow.Function("return A;");
+var elementBInActiveDocumentFunction = frame.contentWindow.Function("return B;");
+
+frame.onload = function ()
+{
+    debug("Lookup named element whose name corresponds to an element in the initial about:blank document:");
+    shouldNotBe("frame.contentDocument.getElementById('A')", "elementAInInactiveDocument");
+    shouldBe("elementAInActiveDocumentFunction()", "frame.contentDocument.getElementById('A')");
+
+    debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:");
+    shouldBe("elementBInActiveDocumentFunction()", "frame.contentDocument.getElementById('B')");
+
+    finishJSTest();
+}
+
+frame.src = "http://127.0.0.1:8000/security/resources/innocent-victim-with-named-elements.html"; // about:blank becomes the inactive document
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
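Review bot: The assertions inside `frame.onload` only cover names that exist in the active document (`A` and `B`), so a lookup that still consulted the inactive about:blank document for a name that is absent from the active document would go undetected; that is the case most likely to leak a stale element. Assuming named lookup is meant to consult only the active document, as the `A`/`B` assertions already imply, adding a third div to `frameDocument` with id `C` (and not to innocent-victim-with-named-elements.html) would exercise it: `var elementCInActiveDocumentFunction = frame.contentWindow.Function("return typeof C;");` before the navigation and `shouldBe("elementCInActiveDocumentFunction()", "'undefined'");` inside the load handler. The function expression assigned to `frame.onload` also ends at `}` without a terminating semicolon, unlike the other statements in this script.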
diff --git a/LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html b/LayoutTests/http/tests/security/resources/innocent-victim-with-named-elements.html
new file mode 100644 (file)
index 0000000..a1e3085
--- /dev/null
@@ -0,0 +1,7 @@
+<html>
+<body>
+This page doesn't do anything special except have some named elements.<br>
+<div id="A"></div>
+<div id="B"></div>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document-expected.txt
new file mode 100644 (file)
index 0000000..e109116
--- /dev/null
@@ -0,0 +1,14 @@
+This tests that an inactive document cannot access a named element in a cross-origin active document.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Lookup named element whose name corresponds to an element in the initial about:blank document:
+PASS elementAInActiveDocumentFunction() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+
+Lookup named element whose name does not correspond to an element in the initial about:blank document:
+PASS elementBInActiveDocumentFunction() threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html b/LayoutTests/http/tests/security/xss-DENIED-named-window-property-from-cross-origin-inactive-document.html
new file mode 100644 (file)
index 0000000..df372a0
--- /dev/null
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+</script>
+</head>
+<body>
+<script>
+description("This tests that an inactive document cannot access a named element in a cross-origin active document.");
+
+var frame = document.body.appendChild(document.createElement("iframe")); // Loads about:blank
+
+var frameDocument = frame.contentDocument;
+var elementAInInactiveDocument = frameDocument.createElement("div");
+elementAInInactiveDocument.id = "A";
+frameDocument.body.appendChild(elementAInInactiveDocument);
+
+var elementAInActiveDocumentFunction = frame.contentWindow.Function("return A;");
+var elementBInActiveDocumentFunction = frame.contentWindow.Function("return B;");
+
+frame.onload = function ()
+{
+    debug("Lookup named element whose name corresponds to an element in the initial about:blank document:")
+    shouldThrow("elementAInActiveDocumentFunction()", '"SecurityError (DOM Exception 18): Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a frame with origin \\"http://localhost:8000\\". Protocols, domains, and ports must match."');
+
+    debug("<br>Lookup named element whose name does not correspond to an element in the initial about:blank document:");
+    shouldThrow("elementBInActiveDocumentFunction()", '"SecurityError (DOM Exception 18): Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a frame with origin \\"http://localhost:8000\\". Protocols, domains, and ports must match."');
+
+    finishJSTest();
+}
+
+frame.src = "http://localhost:8000/security/resources/innocent-victim-with-named-elements.html"; // about:blank becomes the inactive document
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
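Review bot: The first `debug(...)` call inside the `frame.onload` handler has no terminating semicolon, unlike its sibling later in the same handler and the corresponding line in named-window-property-from-same-origin-inactive-document.html; add the `;`. The long expected-exception literal is also duplicated verbatim in both `shouldThrow` calls; hoisting it once, e.g. `var expectedSecurityError = '"SecurityError (DOM Exception 18): Blocked a frame with origin \\"http://127.0.0.1:8000\\" from accessing a frame with origin \\"http://localhost:8000\\". Protocols, domains, and ports must match."';` and passing `expectedSecurityError` to both calls, keeps the two assertions in sync if the message wording ever changes. The function expression assigned to `frame.onload` likewise ends at `}` without a semicolon.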