Bug 28688 - REGRESSION(r24994): Cannot create a frame with a javascript URL
Summary: REGRESSION(r24994): Cannot create a frame with a javascript URL
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-24 15:01 PDT by Alexey Proskuryakov
Modified: 2009-08-24 17:08 PDT (History)
2 users (show)

See Also:

Attachments
proposed fix (4.07 KB, patch)
2009-08-24 15:03 PDT, Alexey Proskuryakov 		sam: review-
Details | Formatted Diff | Diff
fix more copy/paste checks (8.51 KB, patch)
2009-08-24 16:26 PDT, Alexey Proskuryakov 		no flags Details | Formatted Diff | Diff
remove unrelated changes (7.39 KB, patch)
2009-08-24 16:29 PDT, Alexey Proskuryakov 		darin: review+
Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2009-08-24 15:01:59 PDT 
The following works in other engines, but doesn't work in WebKit:

    var ifr = document.createElement("iframe");
    ifr.setAttribute("src", "javascript:'PASS'");
    document.body.appendChild(ifr);

This regressed in <http://trac.webkit.org/changeset/24994>.
Comment 1 Alexey Proskuryakov 2009-08-24 15:03:52 PDT 
Created attachment 38501 [details]
proposed fix
Comment 2 Sam Weinig 2009-08-24 15:14:44 PDT 
Comment on attachment 38501 [details]
proposed fix

There are a few more case this probably needs to patch.  See JSHTMLIFrameElementCustom.cpp, JSHTMLFrameElementCustom.cpp and JSAttrCustom.cpp.  There may be more I am missing, so it is probably best to go back to the initial checkin and see what we did.
Comment 3 Adam Barth 2009-08-24 15:28:03 PDT 
Why isn't checkNodeSecurity passing?  If it's a blank document, it should inherit its SecurityOrigin from its parent...  Maybe the issue is that it isn't attached yet?

We should test document.writing into the detached blank frame as well.
Comment 4 Alexey Proskuryakov 2009-08-24 16:26:09 PDT 
Created attachment 38505 [details]
fix more copy/paste checks
Comment 5 Alexey Proskuryakov 2009-08-24 16:29:49 PDT 
Created attachment 38507 [details]
remove unrelated changes
Comment 6 Darin Adler 2009-08-24 16:37:31 PDT 
Comment on attachment 38507 [details]
remove unrelated changes

> -            if (!checkNodeSecurity(exec, static_cast<HTMLFrameElementBase*>(ownerElement)->contentDocument()))
> +            HTMLFrameElementBase* frameElement = static_cast<HTMLFrameElementBase*>(ownerElement);
> +            if (frameElement->contentDocument() && !checkNodeSecurity(exec, frameElement->contentDocument()))
>                  return;

I think it would be better to put the contentDocument into a local variable instead of the frame.

>          HTMLFrameElementBase* frame = static_cast<HTMLFrameElementBase*>(element);
> -        if (!checkNodeSecurity(exec, frame->contentDocument()))
> +        if (frame->contentDocument() && !checkNodeSecurity(exec, frame->contentDocument()))
>              return false;

Ditto.

> -        if (!checkNodeSecurity(exec, imp->contentDocument()))
> +        if (imp->contentDocument() && !checkNodeSecurity(exec, imp->contentDocument()))
>              return false;

I think this might read slightly better if the contentDocument was in a local variable. I had trouble seeing the relationship between the two.

> -        if (!checkNodeSecurity(exec, imp->contentDocument()))
> +        if (imp->contentDocument() && !checkNodeSecurity(exec, imp->contentDocument()))
>              return;

Ditto.

It would be better if there was some shared code rather than this null check having to be everywhere. Maybe a checkDocumentSecurity function that takes a HTMLFrameElementBase* or Document*?

r=me
Comment 7 Alexey Proskuryakov 2009-08-24 16:43:15 PDT 
(In reply to comment #3)
> Why isn't checkNodeSecurity passing?  If it's a blank document, it should
> inherit its SecurityOrigin from its parent...

There is no document in this case yet (hence the added null checks). Sam actually wonders if "node &&" in checkNodeSecurity() is doing what it's supposed to do.

> We should test document.writing into the detached blank frame as well.

This sounds like something that's at best tangentially related to this bug to me (I'm also not sure what to document.write).
Comment 8 Sam Weinig 2009-08-24 16:47:30 PDT 
Comment on attachment 38507 [details]
remove unrelated changes

This seems fine, but we really should come back to this at some point to address the horribly named checkNodeSecurity (My first attempt at a better name is allowsAccessForNode, which kind of still sucks). It is unclear why the current implementation returns false for null nodes, but I am concerned of the ramifications of changing that without more thought. r=me, but please look into Adam's concern about document.write() if you are able to.
Comment 9 Sam Weinig 2009-08-24 16:48:36 PDT 
Comment on attachment 38507 [details]
remove unrelated changes

This seems fine, but we really should come back to this at some point to address the horribly named checkNodeSecurity (My first attempt at a better name is allowsAccessForNode, which kind of still sucks). It is unclear why the current implementation returns false for null nodes, but I am concerned of the ramifications of changing that without more thought. r=me, but please look into Adam's concern about document.write() if you are able to.
Comment 10 Sam Weinig 2009-08-24 16:49:08 PDT 
I also want to note that the test probably doesn't need to be in http
Comment 11 Adam Barth 2009-08-24 16:51:53 PDT 
(In reply to comment #7)
> There is no document in this case yet (hence the added null checks). Sam
> actually wonders if "node &&" in checkNodeSecurity() is doing what it's
> supposed to do.

I see.  I think you're right that this is secure, but reasoning that out is
quite complicated.  I need to spend some more time thinking about the security
model of detached frames.  For example, do they have window objects?  Can their
window objects become visible to other origins?

I don't think we need to answer those questions before moving forward with this
patch though.

> This sounds like something that's at best tangentially related to this bug to
> me (I'm also not sure what to document.write).

I think it's fine to look into this in another bug.
Comment 12 Alexey Proskuryakov 2009-08-24 17:08:37 PDT 
Committed revision 47734.

> I think it would be better to put the contentDocument into a local variable
> instead of the frame.

Fixed.

> I also want to note that the test probably doesn't need to be in http

The rest of javaScriptURL tests (as landed in r24994) are in http/security, I just wanted to have this next to them.

> I need to spend some more time thinking about the security
> model of detached frames.  For example, do they have window objects?

I think I see what you're saying now. My understanding is that they have both window and document objects, so this patch shouldn't have the behavior for them.

My reason to make this patch was to fix layout test in bug 28374, so I want to be done with it quickly. It indeed seems that more thought is required to verify whether checkNodeSecurity is doing the right thing - maybe a better fix would be to correct that instead.