Bug 73339

Summary: Add an internal targetOrigin member to MessageEvent
Product: WebKit Reporter: Karl Koscher <supersat>
Component: UI EventsAssignee: Karl Koscher <supersat>
Status: RESOLVED WONTFIX    
Severity: Normal CC: abarth, ap, creis, dglazkov, fishd, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 73337    
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Karl Koscher
Reported 2011-11-29 11:12:10 PST
To support cross-process postMessage in Chromium (bug 73337), we need to be able to check the postMessage's target origin in Chromium to avoid time-of-check-to-time-of-use security bugs. However, the MessageEvent generated by WebKit doesn't contain the target origin, so the event listeners in Chromium currently can't get this information. We need to add a targetOrigin member to track this. This change will not affect the MessageEvent IDL, so none of the bindings will be aware of this change.
Attachments
Patch (7.61 KB, patch)
2011-11-29 11:25 PST, Karl Koscher 		no flags
DetailsFormatted DiffDiff
Patch (7.63 KB, patch)
2011-12-01 11:39 PST, Karl Koscher 		no flags
DetailsFormatted DiffDiff
Patch (7.81 KB, patch)
2011-12-01 13:05 PST, Karl Koscher 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Karl Koscher
Comment 1 2011-11-29 11:25:35 PST
Created attachment 117007 [details] Patch
WebKit Review Bot
Comment 2 2011-11-30 00:53:30 PST
Comment on attachment 117007 [details] Patch Attachment 117007 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/10695048 New failing tests: http/tests/inspector/extensions-headers.html http/tests/appcache/offline-access.html http/tests/appcache/main-resource-hash.html http/tests/appcache/deferred-events-delete-while-raising.html http/tests/appcache/reload.html http/tests/messaging/cross-domain-message-event-dispatch.html http/tests/appcache/cyrillic-uri.html http/tests/appcache/top-frame-4.html http/tests/appcache/xhr-foreign-resource.html http/tests/inspector/extensions-network-redirect.html http/tests/inspector-enabled/console-log-before-frame-navigation.html http/tests/inspector/extensions-ignore-cache.html http/tests/appcache/top-frame-3.html http/tests/appcache/remove-cache.html http/tests/appcache/top-frame-1.html http/tests/cache/history-only-cached-subresource-loads-max-age-https.html http/tests/inspector/extensions-useragent.html http/tests/cache/history-only-cached-subresource-loads.html http/tests/history/cross-origin-replace-history-object.html http/tests/messaging/cross-domain-message-send.html
Adam Barth
Comment 3 2011-11-30 01:01:29 PST
That looks like an unlikely list of failing tests.
Alexey Proskuryakov
Comment 4 2011-11-30 10:40:51 PST
Most or all of these tests should be using postMessage, so it seems quite possible that they are genuinely broken by this patch.
Karl Koscher
Comment 5 2011-12-01 11:39:29 PST
Created attachment 117451 [details] Patch
Darin Adler
Comment 6 2011-12-01 11:42:00 PST
Comment on attachment 117451 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=117451&action=review > Source/WebCore/dom/MessageEvent.cpp:87 > , m_origin("") > , m_lastEventId("") > + , m_targetOrigin("") Passing "" is unnecessarily inefficient. We should use emptyString() instead. > Source/WebCore/dom/MessageEvent.h:138 > + // For internal use only -- not exposed to any bindings I think this is a confusing comment. There are many data members in many classes with this property. A more helpful comment would explain the purpose of this, why it exists, and that might make it clear why it would not be exposed. Generally, comments should say “why” rather than “what”.
Karl Koscher
Comment 7 2011-12-01 13:05:06 PST
Created attachment 117467 [details] Patch
Karl Koscher
Comment 8 2011-12-02 11:00:19 PST
Comment on attachment 117467 [details] Patch Marking this patch as potentially obsolete. If we're not using native event handlers (see bug 73359 for a discussion of that), we can probably just pass the target origin directly.
Karl Koscher
Comment 9 2011-12-05 17:40:32 PST
We're now going to ask the embedder if it wants to deliver the postMessage, making this bug obsolete.
Note You need to log in before you can comment on or make changes to this bug.