2011-01-01 Adam Barth <[email protected]>

        Reviewed by Eric Seidel.

        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
        https://bugs.webkit.org/show_bug.cgi?id=38340

        We now pass the ScriptExecutionContext to window.close so it can find
        the Frame and check whether navigation is allowed.  This check will
        almost always pass because you can only close top-level frames, but the
        check will fail when the calling script is sandboxed.

        Tests: fast/frames/sandboxed-iframe-close-top-noclose.html
               fast/frames/sandboxed-iframe-close-top.html

        * page/DOMWindow.cpp:
        (WebCore::DOMWindow::close):
        * page/DOMWindow.h:
        * page/DOMWindow.idl:
2011-01-01  Adam Barth  <[email protected]>

        Reviewed by Eric Seidel.

        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
        https://bugs.webkit.org/show_bug.cgi?id=38340

        Test the interaction between the HTML5 sandbox and window.close.

        * fast/frames/resources/close-top.html: Added.
        * fast/frames/resources/sandboxed-iframe-close-top-does-close.html: Added.
        * fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html: Added.
        * fast/frames/sandboxed-iframe-close-top-expected.txt: Added.
        * fast/frames/sandboxed-iframe-close-top-noclose-expected.txt: Added.
        * fast/frames/sandboxed-iframe-close-top-noclose.html: Added.
        * fast/frames/sandboxed-iframe-close-top.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74854 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

LayoutTests/ChangeLog

@@ -1,3 +1,20 @@
+2011-01-01  Adam Barth  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
+        https://bugs.webkit.org/show_bug.cgi?id=38340
+
+        Test the interaction between the HTML5 sandbox and window.close.
+
+        * fast/frames/resources/close-top.html: Added.
+        * fast/frames/resources/sandboxed-iframe-close-top-does-close.html: Added.
+        * fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html: Added.
+        * fast/frames/sandboxed-iframe-close-top-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-close-top-noclose-expected.txt: Added.
+        * fast/frames/sandboxed-iframe-close-top-noclose.html: Added.
+        * fast/frames/sandboxed-iframe-close-top.html: Added.
+
 2011-01-01  Justin Schuh  <[email protected]>
 
         Reviewed by Eric Seidel.

LayoutTests/fast/frames/resources/close-top.html

@@ -0,0 +1,3 @@
+<script>
+top.close()
+</script>

LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-close.html

@@ -0,0 +1,12 @@
+<script>
+var haveCalledDone = false;
+window.addEventListener('beforeunload', function() { 
+    if (!haveCalledDone) {
+        haveCalledDone = true;
+        opener.done();
+    }
+}, false);
+</script>
+<iframe sandbox="allow-scripts allow-top-navigation"
+        src="close-top.html">
+</iframe>

LayoutTests/fast/frames/resources/sandboxed-iframe-close-top-does-not-close.html

@@ -0,0 +1,19 @@
+<script>
+var waitingForClose = true;
+window.addEventListener('beforeunload', function() {
+    if (waitingForClose)
+        alert("FAIL");
+}, false);
+
+window.onload = function() {
+    // There's no real way to know whether the iframe's attempt to close us
+    // actually failed because it would succeed asynchronously and there is no
+    // failure event.  The best we can do is wait around for a while.  The one
+    // saving grace is that this test is deterministic when it passes.
+    window.setTimeout(function() {
+        waitingForClose = false;
+        opener.done();
+    }, 100);
+}
+</script>
+<iframe sandbox="allow-scripts" src="close-top.html"></iframe>

LayoutTests/fast/frames/sandboxed-iframe-close-top-expected.txt

@@ -0,0 +1,4 @@
+ALERT: PASS
+This test verifies that a sandboxed IFrame can close a top-level frame with allow-top-navigation.
+
+Start Test

LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose-expected.txt

@@ -0,0 +1,3 @@
+This test verifies that a sandboxed IFrame can close a top-level frame with allow-top-navigation.
+
+Start Test

LayoutTests/fast/frames/sandboxed-iframe-close-top-noclose.html

@@ -0,0 +1,30 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame can close a top-level frame
+with allow-top-navigation.</p>
+<button onclick="start()">Start Test</button>
+<script>
+function start() {
+    window.wnd = window.open("resources/sandboxed-iframe-close-top-does-not-close.html");
+}
+
+function done() {
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+// In LayoutTests mode we can start automagically.
+start();
+</script>
+</body>
+</html>

LayoutTests/fast/frames/sandboxed-iframe-close-top.html

@@ -0,0 +1,35 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+</head>
+<body>
+<p>This test verifies that a sandboxed IFrame can close a top-level frame
+with allow-top-navigation.</p>
+<button onclick="start()">Start Test</button>
+<script>
+function start() {
+    window.wnd = window.open("resources/sandboxed-iframe-close-top-does-close.html");
+}
+
+function done() {
+    alert("PASS");
+    // We end the test asynchronously becaues this function is being called
+    // from a strange callstack.
+    window.setTimeout(function () {
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 0);
+}
+
+// In LayoutTests mode we can start automagically.
+start();
+</script>
+</body>
+</html>

WebCore/ChangeLog

@@ -1,3 +1,23 @@
+2011-01-01  Adam Barth  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        forbid sandboxed frames to call top.close() when allow-same-origin is not setted
+        https://bugs.webkit.org/show_bug.cgi?id=38340
+
+        We now pass the ScriptExecutionContext to window.close so it can find
+        the Frame and check whether navigation is allowed.  This check will
+        almost always pass because you can only close top-level frames, but the
+        check will fail when the calling script is sandboxed.
+
+        Tests: fast/frames/sandboxed-iframe-close-top-noclose.html
+               fast/frames/sandboxed-iframe-close-top.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::close):
+        * page/DOMWindow.h:
+        * page/DOMWindow.idl:
+
 2011-01-01  Adam Barth  <[email protected]>
 
         Reviewed by Eric Seidel.

WebCore/page/DOMWindow.cpp

@@ -860,7 +860,7 @@ void DOMWindow::blur()
     page->chrome()->unfocus();
 }
 
-void DOMWindow::close()
+void DOMWindow::close(ScriptExecutionContext* context)
 {
     if (!m_frame)
         return;
@@ -872,6 +872,16 @@ void DOMWindow::close()
     if (m_frame != page->mainFrame())
         return;
 
+    if (context) {
+        ASSERT(WTF::isMainThread());
+        Frame* activeFrame = static_cast<Document*>(context)->frame();
+        if (!activeFrame)
+            return;
+
+        if (!activeFrame->loader()->shouldAllowNavigation(m_frame))
+            return;
+    }
+
     Settings* settings = m_frame->settings();
     bool allowScriptsToCloseWindows = settings && settings->allowScriptsToCloseWindows();