Bug 161270 - Update generated bindings to throw a SecurityError when denying cross-origin access to properties
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: WebExposed
Reported: 2016-08-26 15:12 PDT by Chris Dumez
Modified: 2016-08-29 10:56 PDT

Attachments
Patch (184.78 KB, patch)
2016-08-26 15:24 PDT, Chris Dumez
Patch (184.07 KB, patch)
2016-08-26 15:30 PDT, Chris Dumez
Archive of layout-test-results from ews116 for mac-yosemite (1.80 MB, application/zip)
2016-08-26 16:42 PDT, Build Bot
Patch (53.55 KB, patch)
2016-08-27 19:59 PDT, Chris Dumez
Patch (55.06 KB, patch)
2016-08-27 20:01 PDT, Chris Dumez

Description Chris Dumez 2016-08-26 15:12:33 PDT
Update generated bindings to throw a SecurityError when denying cross-origin access to properties:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
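
The behaviour change described above, modelled in plain JavaScript as an added example (not WebKit's bindings code and not part of the original report): a Proxy guards a constructed stand-in for another origin's window, and a denied read is either logged, which the patch under review labels legacy behaviour, or raised as a SecurityError. The allowlist uses the Window names from the spec's CrossOriginProperties; `wrapCrossOrigin`, the `"log"`/`"throw"` modes and `demo` are hypothetical names, and the spec's special cases for symbols and `then` are left out.

```javascript
// Added model, not WebKit code. Property names follow the HTML spec's
// CrossOriginProperties(O) for a Window; helper names are hypothetical.
const WINDOW_CROSS_ORIGIN_PROPERTIES = [
  "window", "self", "location", "close", "closed", "focus", "blur",
  "frames", "length", "top", "opener", "parent", "postMessage",
];

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError"; // stands in for DOMException "SecurityError"
  }
}

// mode "log":   legacy reporting, the denial is logged and the read yields undefined
// mode "throw": the denial is raised to the calling script as a SecurityError
function wrapCrossOrigin(target, mode, consoleLog = []) {
  const isAllowed = (prop) =>
    typeof prop === "string" && WINDOW_CROSS_ORIGIN_PROPERTIES.includes(prop);
  return new Proxy(target, {
    get(t, prop) {
      if (isAllowed(prop)) return t[prop];
      const msg = `Blocked cross-origin access to "${String(prop)}"`;
      if (mode === "throw") throw new SecurityError(msg);
      consoleLog.push(msg);
      return undefined;
    },
    // Enumeration only ever reveals allowlisted names.
    ownKeys: (t) => WINDOW_CROSS_ORIGIN_PROPERTIES.filter((p) => p in t),
  });
}

function demo() {
  // Constructed stand-in for a window belonging to another origin.
  const other = { closed: false, length: 0, document: { cookie: "sid=constructed" } };
  const log = [];
  const legacy = wrapCrossOrigin(other, "log", log);
  const strict = wrapCrossOrigin(other, "throw");
  let thrown = null;
  try { strict.document; } catch (e) { thrown = e.name; }
  return {
    legacyValue: legacy.document,
    logged: log.length,
    allowedValue: strict.closed,
    thrown,
    keys: Object.keys(strict),
  };
}

console.log(demo());
```

In log mode the calling script cannot tell a denied property from a missing one; in throw mode the denial is an exception it has to handle.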
Comment 1 Chris Dumez 2016-08-26 15:24:45 PDT
Created attachment 287160
Patch
Comment 2 Chris Dumez 2016-08-26 15:30:05 PDT
Created attachment 287162
Patch
Comment 3 Build Bot 2016-08-26 16:42:56 PDT
Comment on attachment 287162
Patch

Attachment 287162 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1949998

New failing tests:
http/tests/security/cross-frame-access-enumeration.html
http/tests/security/cross-frame-access-object-setPrototypeOf.html
http/tests/security/detached-sandboxed-frame-access.html
http/tests/security/xss-DENIED-assign-location-href-javascript.html
http/tests/security/cross-frame-access-object-getPrototypeOf.html
Comment 4 Build Bot 2016-08-26 16:42:58 PDT
Created attachment 287174
Archive of layout-test-results from ews116 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 5 Chris Dumez 2016-08-27 19:59:30 PDT
Created attachment 287218
Patch
Comment 6 Chris Dumez 2016-08-27 20:01:28 PDT
Created attachment 287219
Patch
Comment 7 Darin Adler 2016-08-27 22:08:29 PDT
Comment on attachment 287219
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=287219&action=review

> Source/WebCore/bindings/js/JSDOMBinding.h:302
> +    LogSecurityError, // Legacy behavior.
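
Review bot: the trailing comment on `LogSecurityError` says only that the value is legacy, not what it does when access is denied. If a comment stays, have it state the effect of this option so that a caller choosing a `SecurityReportingOption` can tell what it is opting into; otherwise drop it.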

I’m not sure this is an important comment.

> Source/WebCore/bindings/js/JSDOMBinding.h:310
> +    static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError);
> +    static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError);
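
Review bot: the `= LogSecurityError` default on both `shouldAllowAccessToDOMWindow` and `shouldAllowAccessToFrame` lets a call site that omits the argument keep the legacy reporting option without saying so. Making `SecurityReportingOption` a required parameter would force every caller to state which reporting it wants. Separately, `shouldAllowAccessToFrame` takes a `Frame*` while the window variant takes a `DOMWindow&`, so the declaration should say what is returned for a null frame.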

How many call sites are still taking advantage of this default? Do you think we eventually will be able to get rid of the default at least?
Comment 8 Chris Dumez 2016-08-27 22:13:18 PDT
(In reply to comment #7)
> Comment on attachment 287219
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=287219&action=review
> 
> > Source/WebCore/bindings/js/JSDOMBinding.h:302
> > +    LogSecurityError, // Legacy behavior.
> 
> I’m not sure this is an important comment.
> 
> > Source/WebCore/bindings/js/JSDOMBinding.h:310
> > +    static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError);
> > +    static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError);
> 
> How many call sites are still taking advantage of this default? Do you think
> we eventually will be able to get rid of the default at least?

It needs a bit more work but we should be able to get rid of the default value, yes.
Comment 9 WebKit Commit Bot 2016-08-27 22:30:53 PDT
Comment on attachment 287219
Patch

Clearing flags on attachment: 287219

Committed r205096: <http://trac.webkit.org/changeset/205096>
Comment 10 WebKit Commit Bot 2016-08-27 22:30:59 PDT
All reviewed patches have been landed.  Closing bug.