RESOLVED FIXED 161270
Update generated bindings to throw a SecurityError when denying cross-origin access to properties
https://bugs.webkit.org/show_bug.cgi?id=161270
Chris Dumez
Reported 2016-08-26 15:12:33 PDT
Update generated bindings to throw a SecurityError when denying cross-origin access to properties:
- https://html.spec.whatwg.org/#crossorigingetownpropertyhelper-(-o,-p-)
- https://html.spec.whatwg.org/#crossoriginproperties-(-o-)
Attachments
Patch (184.78 KB, patch)
2016-08-26 15:24 PDT, Chris Dumez
no flags
Patch (184.07 KB, patch)
2016-08-26 15:30 PDT, Chris Dumez
no flags
Archive of layout-test-results from ews116 for mac-yosemite (1.80 MB, application/zip)
2016-08-26 16:42 PDT, Build Bot
no flags
Patch (53.55 KB, patch)
2016-08-27 19:59 PDT, Chris Dumez
no flags
Patch (55.06 KB, patch)
2016-08-27 20:01 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2016-08-26 15:24:45 PDT
Chris Dumez
Comment 2 2016-08-26 15:30:05 PDT
Build Bot
Comment 3 2016-08-26 16:42:56 PDT
Comment on attachment 287162
Patch

Attachment 287162 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1949998

New failing tests:
http/tests/security/cross-frame-access-enumeration.html
http/tests/security/cross-frame-access-object-setPrototypeOf.html
http/tests/security/detached-sandboxed-frame-access.html
http/tests/security/xss-DENIED-assign-location-href-javascript.html
http/tests/security/cross-frame-access-object-getPrototypeOf.html
Build Bot
Comment 4 2016-08-26 16:42:58 PDT
Created attachment 287174
Archive of layout-test-results from ews116 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116 Port: mac-yosemite Platform: Mac OS X 10.10.5
Chris Dumez
Comment 5 2016-08-27 19:59:30 PDT
Chris Dumez
Comment 6 2016-08-27 20:01:28 PDT
Darin Adler
Comment 7 2016-08-27 22:08:29 PDT
Comment on attachment 287219
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=287219&action=review

> Source/WebCore/bindings/js/JSDOMBinding.h:302
> + LogSecurityError, // Legacy behavior.

I’m not sure this is an important comment.

> Source/WebCore/bindings/js/JSDOMBinding.h:310
> + static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError);
> + static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError);

How many call sites are still taking advantage of this default? Do you think we eventually will be able to get rid of the default at least?
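Review bot: At JSDOMBinding.h:310, the `= LogSecurityError` default on shouldAllowAccessToDOMWindow and shouldAllowAccessToFrame lets a call site omit the argument and keep the option the enum marks as legacy, so which reporting behavior a given caller gets is not visible at the call. Consider dropping the default so every caller passes its SecurityReportingOption explicitly, and at :302 replace the "Legacy behavior" comment with a short statement of what that value does when access is denied.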
Chris Dumez
Comment 8 2016-08-27 22:13:18 PDT
(In reply to comment #7)
> Comment on attachment 287219
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=287219&action=review
>
> > Source/WebCore/bindings/js/JSDOMBinding.h:302
> > + LogSecurityError, // Legacy behavior.
>
> I’m not sure this is an important comment.
>
> > Source/WebCore/bindings/js/JSDOMBinding.h:310
> > + static bool shouldAllowAccessToDOMWindow(JSC::ExecState*, DOMWindow&, SecurityReportingOption = LogSecurityError);
> > + static bool shouldAllowAccessToFrame(JSC::ExecState*, Frame*, SecurityReportingOption = LogSecurityError);
>
> How many call sites are still taking advantage of this default? Do you think
> we eventually will be able to get rid of the default at least?

It needs a bit more work but we should be able to get rid of the default value, yes.
WebKit Commit Bot
Comment 9 2016-08-27 22:30:53 PDT
Comment on attachment 287219
Patch

Clearing flags on attachment: 287219

Committed r205096: <http://trac.webkit.org/changeset/205096>
WebKit Commit Bot
Comment 10 2016-08-27 22:30:59 PDT
All reviewed patches have been landed. Closing bug.