Update generated bindings to throw a SecurityError when denying cross-origin access to properties:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
Created attachment 287160 [details] Patch
Created attachment 287162 [details] Patch
Comment on attachment 287162 [details] Patch
Attachment 287162 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1949998
New failing tests:
- http/tests/security/cross-frame-access-enumeration.html
- http/tests/security/cross-frame-access-object-setPrototypeOf.html
- http/tests/security/detached-sandboxed-frame-access.html
- http/tests/security/xss-DENIED-assign-location-href-javascript.html
- http/tests/security/cross-frame-access-object-getPrototypeOf.html
Created attachment 287174 [details] Archive of layout-test-results from ews116 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116
Port: mac-yosemite
Platform: Mac OS X 10.10.5
Created attachment 287218 [details] Patch
Created attachment 287219 [details] Patch
Comment on attachment 287219 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=287219&action=review > Source/WebCore/bindings/js/JSDOMBinding.h:302 > + LogSecurityError, // Legacy behavior. I’m not sure this is an important comment. > Source/WebCore/bindings/js/JSDOMBinding.h:310 > + static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError); > + static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError); How many call sites are still taking advantage of this default? Do you think we eventually will be able to get rid of the default at least?
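Review bot: At JSDOMBinding.h:310, both shouldAllowAccessToDOMWindow and shouldAllowAccessToFrame default the new SecurityReportingOption parameter to LogSecurityError, the value line 302 labels as legacy behavior, so a caller that omits the argument keeps the log-only path and nothing at the call site shows that this was a deliberate choice. Consider dropping the default so every caller names its reporting option, and replace the "Legacy behavior." comment with one that says what LogSecurityError does and how it differs from the other enumerators. Separately, shouldAllowAccessToFrame takes a Frame* while its sibling takes a DOMWindow&; a short comment stating what is returned for a null frame would make the contract clear.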
(In reply to comment #7) > Comment on attachment 287219 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=287219&action=review > > > Source/WebCore/bindings/js/JSDOMBinding.h:302 > > + LogSecurityError, // Legacy behavior. > > I’m not sure this is an important comment. > > > Source/WebCore/bindings/js/JSDOMBinding.h:310 > > + static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError); > > + static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError); > > How many call sites are still taking advantage of this default? Do you think > we eventually will be able to get rid of the default at least? It needs a bit more work but we should be able to get rid of the default value, yes.
Comment on attachment 287219 [details] Patch
Clearing flags on attachment: 287219
Committed r205096: <http://trac.webkit.org/changeset/205096>
All reviewed patches have been landed. Closing bug.