2011-01-01 Adam Barth <abarth@webkit.org>

abarth@webkit.org · abarth@webkit.org · commit 14e0854013ad · 2011-01-02T02:28:41.000Z
Reviewed by Eric Seidel. sandbox iframes have access to top.history methods https://bugs.webkit.org/show_bug.cgi?id=38152 To enforce the sandbox restrictions on History, we need to pass the ScriptExecutionContext to WebCore. This patch leaves the original History methods in place because they are used directly by folks who don't care about security checks. Test: fast/frames/sandboxed-iframe-history-denied.html * page/History.cpp: (WebCore::History::back): (WebCore::History::forward): (WebCore::History::go): * page/History.h: * page/History.idl: 2011-01-01 Justin Schuh <jschuh@chromium.org> Reviewed by Eric Seidel. sandbox iframes have access to top.history methods https://bugs.webkit.org/show_bug.cgi?id=38152 Test that sandboxed iframes cannot use history to navigate the top frame. This test is less than ideal, as described in the test itself. If I was really on top of things, I'd add a test for successful use of the history API when allow-top-navigation is set, but that test would be complicated and I'm lazy (enough to copy directly from abarth). * fast/frames/sandboxed-iframe-history-denied-expected.txt: Added. * fast/frames/sandboxed-iframe-history-denied.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74853 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2011-01-01  Justin Schuh  <jschuh@chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        sandbox iframes have access to top.history methods
+        https://bugs.webkit.org/show_bug.cgi?id=38152
+
+        Test that sandboxed iframes cannot use history to navigate the top
+        frame.  This test is less than ideal, as described in the test itself.
+        If I was really on top of things, I'd add a test for successful use of
+        the history API when allow-top-navigation is set, but that test would
+        be complicated and I'm lazy (enough to copy directly from abarth).
+
+        * fast/frames/sandboxed-iframe-history-denied-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-history-denied.html: Added.
+
 2011-01-01  Kent Tamura  <tkent@chromium.org>
 
         Unreviewed, test expectation update.
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-history-denied-expected.txt
@@ -0,0 +1,4 @@
+ALERT: PASS
+This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.
+
+
diff --git a/LayoutTests/fast/frames/sandboxed-iframe-history-denied.html b/LayoutTests/fast/frames/sandboxed-iframe-history-denied.html
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+window.unload = function() {
+    alert("FAIL");
+}
+
+window.onload = function() {
+    // There's no way to write a test that determinstically fails because the
+    // history API is asynchronous.  There's no way to know whether the
+    // asynchronous haven't yet happened or never will.  Consequently, we just
+    // wait for a bit.
+    setTimeout(function() {
+        alert("PASS");
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 20);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.</p>
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.back()</script>">
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.forward()</script>">
+<iframe sandbox="allow-scripts" src="data:text/html,<script>top.history.go(-1)</script>">
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2011-01-01  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        sandbox iframes have access to top.history methods
+        https://bugs.webkit.org/show_bug.cgi?id=38152
+
+        To enforce the sandbox restrictions on History, we need to pass the
+        ScriptExecutionContext to WebCore.  This patch leaves the original
+        History methods in place because they are used directly by folks who
+        don't care about security checks.
+
+        Test: fast/frames/sandboxed-iframe-history-denied.html
+
+        * page/History.cpp:
+        (WebCore::History::back):
+        (WebCore::History::forward):
+        (WebCore::History::go):
+        * page/History.h:
+        * page/History.idl:
+
 2011-01-01  Adam Barth  <abarth@webkit.org>
 
         Remove empty file.
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
@@ -27,6 +27,7 @@
 #include "History.h"
 
 #include "BackForwardController.h"
+#include "Document.h"
 #include "ExceptionCode.h"
 #include "Frame.h"
 #include "FrameLoader.h"
@@ -62,22 +63,45 @@ unsigned History::length() const
 
 void History::back()
 {
-    if (!m_frame)
-        return;
-    m_frame->navigationScheduler()->scheduleHistoryNavigation(-1);
+    go(-1);
+}
+
+void History::back(ScriptExecutionContext* context)
+{
+    go(context, -1);
 }
 
 void History::forward()
+{
+    go(1);
+}
+
+void History::forward(ScriptExecutionContext* context)
+{
+    go(context, 1);
+}
+
+void History::go(int distance)
 {
     if (!m_frame)
         return;
-    m_frame->navigationScheduler()->scheduleHistoryNavigation(1);
+
+    m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
 }
 
-void History::go(int distance)
+void History::go(ScriptExecutionContext* context, int distance)
 {
     if (!m_frame)
         return;
+
+    ASSERT(WTF::isMainThread());
+    Frame* activeFrame = static_cast<Document*>(context)->frame();
+    if (!activeFrame)
+        return;
+
+    if (!activeFrame->loader()->shouldAllowNavigation(m_frame))
+        return;
+
     m_frame->navigationScheduler()->scheduleHistoryNavigation(distance);
 }
 
diff --git a/WebCore/page/History.h b/WebCore/page/History.h
@@ -34,6 +34,7 @@
 namespace WebCore {
 
 class Frame;
+class ScriptExecutionContext;
 class SerializedScriptValue;
 typedef int ExceptionCode;
 
@@ -49,6 +50,10 @@ class History : public RefCounted<History> {
     void forward();
     void go(int distance);
 
+    void back(ScriptExecutionContext*);
+    void forward(ScriptExecutionContext*);
+    void go(ScriptExecutionContext*, int distance);
+
     enum StateObjectType {
         StateObjectPush,
         StateObjectReplace
diff --git a/WebCore/page/History.idl b/WebCore/page/History.idl
@@ -37,9 +37,9 @@ module window {
     ] History {
         readonly attribute unsigned long length;
 
-        [DoNotCheckDomainSecurity] void back();
-        [DoNotCheckDomainSecurity] void forward();
-        [DoNotCheckDomainSecurity] void go(in long distance);
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void back();
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void forward();
+        [DoNotCheckDomainSecurity, CallWith=ScriptExecutionContext] void go(in long distance);
         
         [Custom, EnabledAtRuntime] void pushState(in any data, in DOMString title, in optional DOMString url)
             raises(DOMException);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +ALERT: PASS
 +This test verifies that a sandboxed IFrame cannot navigate the top-level frame using the history API.
++
++