WebKit Bugzilla
Attachment 340526 Details for Bug 185681: Cross-Origin-Options: deny/allow-postmessage should prevent getting navigated by cross-origin scripts
Patch: bug-185681-20180516145148.patch (text/plain), 30.75 KB, created by Chris Dumez on 2018-05-16 14:51:49 PDT
Flags: patch, obsolete
>Subversion Revision: 231849 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 1adef6425cb6f8bf058ae5f9b2d00a707cd1ca8a..43254266ca124438c9accfe831cc5c1c9ef38c07 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,27 @@ >+2018-05-16 Chris Dumez <cdumez@apple.com> >+ >+ Cross-Origin-Options: deny/allow-postmessage should prevent getting navigated by cross-origin scripts >+ https://bugs.webkit.org/show_bug.cgi?id=185681 >+ <rdar://problem/40296313> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Update our canNavigation() implementation [1] to take into account the Cross-Origin-Options header. >+ If the window being navigated or the window trigerring the navigation have a Cross-Origin-Options >+ header value different than 'allow', then the attempt to navigate will be blocked. >+ >+ Note that it was already not possible to navigate via setting window.location since trying to set >+ it would throw a SecurityError with 'Cross-Origin-Options: deny/allow-postmessage'. However, it was >+ possible to trigger a "targetted" navigation via <a target="foo"> or open(url, "foo"). >+ >+ [1] https://html.spec.whatwg.org/#allowed-to-navigate >+ >+ Tests: http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html >+ http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html >+ >+ * dom/Document.cpp: >+ (WebCore::Document::canNavigate): >+ > 2018-05-16 Chris Nardi <cnardi@chromium.org> > > Remove Document#selectedStylesheetSet/preferredStylesheetSet >diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp >index ce96ae1d3eeb0827f052549f29d29e3d0d7536f9..56d49239e5671ea257dccc8fa3be9dbeb69ba16c 100644 >--- a/Source/WebCore/dom/Document.cpp >+++ b/Source/WebCore/dom/Document.cpp 
>@@ -3172,6 +3172,17 @@ bool Document::canNavigate(Frame* targetFrame) > if (!targetFrame) > return true; > >+ if (m_frame != targetFrame) { >+ auto sourceCrossOriginOptions = m_frame->window() ? m_frame->window()->crossOriginOptions() : CrossOriginOptions::Allow; >+ auto destinationCrossOriginOptions = targetFrame->window() ? targetFrame->window()->crossOriginOptions() : CrossOriginOptions::Allow; >+ if (sourceCrossOriginOptions != CrossOriginOptions::Allow || destinationCrossOriginOptions != CrossOriginOptions::Allow) { >+ if (m_frame->document() && targetFrame->document() && !m_frame->document()->securityOrigin().canAccess(targetFrame->document()->securityOrigin())) { >+ printNavigationErrorMessage(targetFrame, url(), ASCIILiteral("Navigation was not allowed due to Cross-Origin-Options header.")); >+ return false; >+ } >+ } >+ } >+ > // Cases (i), (ii) and (iii) pass the tests from the specifications but might not pass the "security origin" tests. > > // i. A frame can navigate its top ancestor when its 'allow-top-navigation' flag is set (sometimes known as 'frame-busting'). >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index a6c15b8b7a27d001780540b48b336fbca6010b0c..dd59b483af8d8218a638488600cf96e6eea6cab8 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,23 @@ >+2018-05-16 Chris Dumez <cdumez@apple.com> >+ >+ Cross-Origin-Options: deny/allow-postmessage should prevent getting navigated by cross-origin scripts >+ https://bugs.webkit.org/show_bug.cgi?id=185681 >+ <rdar://problem/40296313> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Add layout test coverage. >+ >+ * http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt: Added. >+ * http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html: Added. >+ * http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt: Added. >+ * http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html: Added. >+ * http/wpt/cross-origin-options/resources/destination.html: Added. >+ * http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html: Added. >+ * http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py: Added. >+ (main): >+ * http/wpt/cross-origin-options/resources/utils.js: >+ > 2018-05-16 Chris Nardi <cnardi@chromium.org> > > Remove Document#selectedStylesheetSet/preferredStylesheetSet >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b38f90007ae400e6f4e739aa7ef30fb1b2213909 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target-expected.txt 
>@@ -0,0 +1,9 @@ >+CONSOLE MESSAGE: line 23: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/serve-cross-origin-options-header.py?value=deny' from frame with URL 'http://localhost:8800/WebKit/cross-origin-options/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 44: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/serve-cross-origin-options-header.py?value=allow-postmessage' from frame with URL 'http://localhost:8800/WebKit/cross-origin-options/navigation-from-opener-via-open-target.html'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+ >+PASS 'Cross-Origin-Options: deny' prevents navigation from opener via open() target >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from opener via open() target >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from opener via open() target >+ >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html >new file mode 100644 >index 0000000000000000000000000000000000000000..4e83bd74f75a024e9b013a5855ed9fc9293c21c0 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/navigation-from-opener-via-open-target.html 
>@@ -0,0 +1,73 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests that 'Cross-Origin-Options: deny / allow-postmessage' prevents a cross-origin opener from navigating us</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-options-header.py?value=deny", true /* isCrossOrigin */, "foo1").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >+ w = open(destinationURL, "foo1"); >+ // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >+ // not find the given window. >+ assert_not_equals(w, result.window, "open() should a new window"); >+ >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: deny' prevents navigation from opener via open() target"); >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-options-header.py?value=allow-postmessage", true /* isCrossOrigin */, "foo2").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = (msg) => { >+ assert_not_equals(msg.source, result.window, "Existing window should not navigate"); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >+ w = open(destinationURL, "foo2"); >+ // If a window with the given name is found but cannot be navigated, a new one is created, as if we could >+ // not find the given window. 
>+ assert_not_equals(w, result.window, "open() should a new window"); >+ >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from opener via open() target"); >+ >+promise_test(t => { >+ return withPopup("serve-cross-origin-options-header.py?value=allow", true /* isCrossOrigin */, "foo3").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ window.onmessage = null; >+ resolve(); >+ } >+ >+ let destinationURL = get_host_info().HTTP_ORIGIN + "/WebKit/cross-origin-options/resources/destination.html"; >+ w = open(destinationURL, "foo3"); >+ assert_equals(w, result.window, "open() should return the same window"); >+ }); >+ }); >+}, "'Cross-Origin-Options: allow' does not prevent navigation from opener via open() target"); >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..79b49043b737ea1ef72b63507782dc09398bba93 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt 
>@@ -0,0 +1,35 @@ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+ >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >+ >diff --git a/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html >new file mode 100644 >index 0000000000000000000000000000000000000000..23ce5605ba154236ecb9607dd665358a3a31851f >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target.html 
>@@ -0,0 +1,119 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<meta charset="utf-8"> >+<title>Tests that 'Cross-Origin-Options: deny / allow-postmessage' prevents a cross-origin iframe from navigating us</title> >+<script src="/resources/testharness.js"></script> >+<script src="/resources/testharnessreport.js"></script> >+<script src="/common/utils.js"></script> >+<script src="/common/get-host-info.sub.js"></script> >+<script src="resources/utils.js"></script> >+</head> >+<body> >+<script> >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=_top", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => 
{ >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=_parent", false /* isCrossOrigin */).then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=deny&target=foo1", false /* isCrossOrigin */, "foo1").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, "'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2", false /* isCrossOrigin */, "foo2").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = t.unreached_func("Should not have navigated"); >+ t.step_timeout(() => { >+ window.onmessage = null; >+ resolve(); >+ }, 200); >+ }); >+ }); >+}, 
"'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName)"); >+ >+promise_test(t => { >+ return withPopup("navigation-from-subframe-frame.py?value=allow&target=foo3", false /* isCrossOrigin */, "foo3").then((result) => { >+ return new Promise((resolve) => { >+ window.onmessage = () => { >+ resolve(); >+ }; >+ }); >+ }); >+}, "'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>)"); >+ >+</script> >+</body> >+</html> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/destination.html b/LayoutTests/http/wpt/cross-origin-options/resources/destination.html >new file mode 100644 >index 0000000000000000000000000000000000000000..1516877b449aecabe5f80f1c4bbb68602bba31e4 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/resources/destination.html >@@ -0,0 +1,7 @@ >+<body> >+DESTINATION >+<script> >+if (window.opener) >+ window.opener.postMessage("navigated", "*"); >+</script> >+</body> >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html b/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html >new file mode 100644 >index 0000000000000000000000000000000000000000..940399bf868efe455151cb79c0c819f5c001bfb3 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/resources/navigate-parent-via-anchor.html >@@ -0,0 +1,18 @@ >+<!DOCTYPE html> >+<html> >+<head> >+<script src="/common/get-host-info.sub.js"></script> >+</head> >+<body> >+<a id="testAnchor">Click me</a> >+<script> >+const RESOURCES_DIR = "/WebKit/cross-origin-options/resources/"; >+onload = () => { >+ let params = new URLSearchParams(location.search); >+ testAnchor.target= params.get('target') >+ testAnchor.href = get_host_info().HTTP_ORIGIN + RESOURCES_DIR + "destination.html"; >+ testAnchor.click(); >+} >+</script> >+</body> >+</html> 
>diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py b/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py >new file mode 100644 >index 0000000000000000000000000000000000000000..5854c5900df04ec8d9aa9d6b1322e832bcc8b832 >--- /dev/null >+++ b/LayoutTests/http/wpt/cross-origin-options/resources/navigation-from-subframe-frame.py >@@ -0,0 +1,17 @@ >+def main(request, response): >+ headers = [("Content-Type", "text/html"), >+ ("Cross-Origin-Options", request.GET['value']),] >+ return 200, headers, """<!DOCTYPE html> >+<html> >+<head> >+<script src="/common/get-host-info.sub.js"></script> >+</head> >+<body> >+<script> >+const RESOURCES_DIR = "/WebKit/cross-origin-options/resources/"; >+let f = document.createElement("iframe"); >+f.src = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR + "navigate-parent-via-anchor.html?target=%s"; >+document.body.prepend(f); >+</script> >+</body> >+</html>""" % request.GET['target'] >diff --git a/LayoutTests/http/wpt/cross-origin-options/resources/utils.js b/LayoutTests/http/wpt/cross-origin-options/resources/utils.js >index 3d31672839005d83fb047c722e8f14e9d651df9b..bdfd66e75dac143224db979b1392efd69861cb57 100644 >--- a/LayoutTests/http/wpt/cross-origin-options/resources/utils.js >+++ b/LayoutTests/http/wpt/cross-origin-options/resources/utils.js >@@ -54,14 +54,14 @@ async function withIframe(resourceFile, crossOrigin) > }); > } > >-async function withPopup(resourceFile, crossOrigin) >+async function withPopup(resourceFile, crossOrigin, windowName) > { > return new Promise((resolve) => { > let resourceURL = crossOrigin ? get_host_info().HTTP_REMOTE_ORIGIN : get_host_info().HTTP_ORIGIN; > resourceURL += RESOURCES_DIR; > resourceURL += resourceFile; > >- let w = open(resourceURL); >+ let w = open(resourceURL, windowName); > if (crossOrigin) { > waitForCrossOriginLoad(w).then(() => { > resolve({ 'window': w }); 
>diff --git a/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt b/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..df4ff4ef44d67d2ddca5a3314755bfadb892b2bf >--- /dev/null >+++ b/LayoutTests/platform/wk2/http/wpt/cross-origin-options/navigation-from-subframe-via-anchor-target-expected.txt 
>@@ -0,0 +1,35 @@ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_top' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_top'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=_parent' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=_parent'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=deny&target=foo1' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo1'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: line 14: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. >+ >+CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://localhost:8800/WebKit/cross-origin-options/resources/navigation-from-subframe-frame.py?value=allow-postmessage&target=foo2' from frame with URL 'http://127.0.0.1:8800/WebKit/cross-origin-options/resources/navigate-parent-via-anchor.html?target=foo2'. Navigation was not allowed due to Cross-Origin-Options header. 
>+ >+ >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_top>) >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=_parent>) >+PASS 'Cross-Origin-Options: deny' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Options: allow-postmessage' prevents navigation from cross-origin sub-frame (using <a target=windowName) >+PASS 'Cross-Origin-Options: allow' does not prevent navigation from cross-origin sub-frame (using <a target=windowName>) >+
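Review bot: In the Source/WebCore/ChangeLog hunk, "trigerring" should be "triggering" and "targetted" should be "targeted"; the entry otherwise reads clearly and correctly states that the new check applies when either the source or the destination window carries a value other than 'allow'.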
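Review bot: The new block in Document::canNavigate dereferences `m_frame` (`m_frame->window()`, `m_frame->document()`) with no null check visible in this hunk; the early `if (!targetFrame) return true;` only covers the target. If the function does not already return early on a null `m_frame` above the shown context, add `if (!m_frame) return false;` before the `m_frame != targetFrame` comparison. Also, because the check runs before cases (i), (ii) and (iii), a sandboxed frame with 'allow-top-navigation' is still blocked when either side set the header to deny/allow-postmessage; that ordering is the point of the change and deserves a one-line comment next to the block, since the surrounding comments enumerate the cases that follow it.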
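Review bot: In navigation-from-opener-via-open-target.html, `w = open(destinationURL, "foo1")` (and the "foo2"/"foo3" variants) assigns to an undeclared global; declare it with `let w`. The assertion message `"open() should a new window"` is missing a verb ("open() should return a new window"). The `assert_not_equals` inside the bare `window.onmessage` handler runs outside the test's step scope, so a failure surfaces as a harness error rather than a failure of this test; wrap it as `window.onmessage = t.step_func((msg) => { ... })`. The 200 ms `step_timeout` for the negative cases is inherently timing-dependent; the positive 'allow' case already waits for the postMessage, so the negative cases could at least reuse the same message-driven structure with `t.unreached_func`, as the subframe test does.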
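Review bot: Both navigation-from-subframe-via-anchor-target-expected.txt files record every blocked attempt twice (each 'deny' and 'allow-postmessage' case produces two "Unsafe JavaScript attempt to initiate navigation" console messages for one anchor click), and the platform/wk2 copy differs from the generic one only in the second message lacking the `line 14:` prefix. That suggests canNavigate() is reached from two call sites per click; worth confirming which path logs the second message and whether one of them is redundant, which would also remove the need for a wk2-specific expectation that exists solely because of the line-number prefix. Separately, two of the three windowName test names read `(using <a target=windowName)` without the closing `>`, while the third has it; make them consistent.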
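Review bot: navigation-from-subframe-frame.py interpolates `request.GET['target']` straight into the HTML with `%s` and `request.GET['value']` into the response header; acceptable for a fixed test resource, but a missing query parameter raises KeyError and yields a 500 rather than a clear test failure, so give both lookups a default or an explicit check. The trailing `,]` in the `headers` list is a style nit. In navigate-parent-via-anchor.html, `testAnchor.target= params.get('target')` is missing the space before `=` and a trailing semicolon.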
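Review bot: In utils.js, `withPopup(resourceFile, crossOrigin, windowName)` now forwards `windowName` to `open()` even when callers omit it; this works because WebIDL substitutes the default target ("_blank") for an `undefined` optional argument, but a default parameter (`windowName = "_blank"`) or a short comment would make that intent explicit for readers of the helper.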