third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp - Issue 2502783004: Don't skip security checks for javascript: URLs when the JS stack is empty.

Side by Side Diff: third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp

Issue 2502783004: Don't skip security checks for javascript: URLs when the JS stack is empty. (Closed)

Patch Set: Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)	2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)

3 * (C) 1999 Antti Koivisto (koivisto@kde.org)	3 * (C) 1999 Antti Koivisto (koivisto@kde.org)

4 * (C) 2000 Simon Hausmann (hausmann@kde.org)	4 * (C) 2000 Simon Hausmann (hausmann@kde.org)

5 * (C) 2001 Dirk Mueller (mueller@kde.org)	5 * (C) 2001 Dirk Mueller (mueller@kde.org)

6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved.	6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved.

7 *	7 *

8 * This library is free software; you can redistribute it and/or	8 * This library is free software; you can redistribute it and/or

9 * modify it under the terms of the GNU Library General Public	9 * modify it under the terms of the GNU Library General Public

10 * License as published by the Free Software Foundation; either	10 * License as published by the Free Software Foundation; either

11 * version 2 of the License, or (at your option) any later version.	11 * version 2 of the License, or (at your option) any later version.

12 *	12 *

13 * This library is distributed in the hope that it will be useful,	13 * This library is distributed in the hope that it will be useful,

14 * but WITHOUT ANY WARRANTY; without even the implied warranty of	14 * but WITHOUT ANY WARRANTY; without even the implied warranty of

15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU	15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

16 * Library General Public License for more details.	16 * Library General Public License for more details.

17 *	17 *

18 * You should have received a copy of the GNU Library General Public License	18 * You should have received a copy of the GNU Library General Public License

19 * along with this library; see the file COPYING.LIB. If not, write to	19 * along with this library; see the file COPYING.LIB. If not, write to

20 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,	20 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

21 * Boston, MA 02110-1301, USA.	21 * Boston, MA 02110-1301, USA.

22 */	22 */

23	23

24 #include "core/html/HTMLFrameElementBase.h"	24 #include "core/html/HTMLFrameElementBase.h"

25	25

	26 #include "bindings/core/v8/BindingSecurity.h"

26 #include "bindings/core/v8/ScriptController.h"	27 #include "bindings/core/v8/ScriptController.h"

27 #include "bindings/core/v8/ScriptEventListener.h"	28 #include "bindings/core/v8/ScriptEventListener.h"

28 #include "core/HTMLNames.h"	29 #include "core/HTMLNames.h"

29 #include "core/dom/Attribute.h"	30 #include "core/dom/Attribute.h"

30 #include "core/dom/Document.h"	31 #include "core/dom/Document.h"

31 #include "core/frame/FrameView.h"	32 #include "core/frame/FrameView.h"

32 #include "core/frame/LocalFrame.h"	33 #include "core/frame/LocalFrame.h"

33 #include "core/frame/RemoteFrame.h"	34 #include "core/frame/RemoteFrame.h"

34 #include "core/frame/RemoteFrameView.h"	35 #include "core/frame/RemoteFrameView.h"

35 #include "core/html/parser/HTMLParserIdioms.h"	36 #include "core/html/parser/HTMLParserIdioms.h"

36 #include "core/loader/FrameLoader.h"	37 #include "core/loader/FrameLoader.h"

37 #include "core/loader/FrameLoaderClient.h"	38 #include "core/loader/FrameLoaderClient.h"

38 #include "core/page/FocusController.h"	39 #include "core/page/FocusController.h"

39 #include "core/page/Page.h"	40 #include "core/page/Page.h"

40	41

41 namespace blink {	42 namespace blink {

42	43

43 using namespace HTMLNames;	44 using namespace HTMLNames;

44	45

45 HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName,	46 HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName,

46 Document& document)	47 Document& document)

47 : HTMLFrameOwnerElement(tagName, document),	48 : HTMLFrameOwnerElement(tagName, document),

48 m_scrollingMode(ScrollbarAuto),	49 m_scrollingMode(ScrollbarAuto),

49 m_marginWidth(-1),	50 m_marginWidth(-1),

50 m_marginHeight(-1) {}	51 m_marginHeight(-1) {}

51	52

52 bool HTMLFrameElementBase::isURLAllowed() const {	53 bool HTMLFrameElementBase::isURLAllowed(bool fromLayout) const {
	esprehn 2016/11/15 08:27:12 This check is named wrong, you set that bool insid This check is named wrong, you set that bool inside the layout object creation check which is inside style recalc. All returning false there does is make the iframe display none, it doesn't control if the frame is loaded or not, and it isn't from layout. I guess what you're trying to do is keep the tests passing that display that frame but it's not at all clear to me why we make iframes for urls that are not allowed display none. Why shouldn't the iframe display a border at least? What do other browsers do here? If we want to keep this behavior we should split this function and have some shared checks and one method for if the layout object is needed and another for is we should load the URL.
53 if (m_URL.isEmpty())	54 if (m_URL.isEmpty())

54 return true;	55 return true;

55	56

56 const KURL& completeURL = document().completeURL(m_URL);	57 const KURL& completeURL = document().completeURL(m_URL);

57	58

58 if (protocolIsJavaScript(completeURL)) {	59 if (contentFrame() && protocolIsJavaScript(completeURL)) {

59 if (contentFrame() &&	60 v8::Isolate* isolate = toIsolate(&document());

60 !ScriptController::canAccessFromCurrentOrigin(toIsolate(&document()),	61 if (isolate->InContext()) {
	haraken 2016/11/15 08:44:24 In the first place, would you help me understand w In the first place, would you help me understand why we need to check a different thing depending on whether we have JavaScript on stack or not? dcheng 2016/11/15 08:55:07 Here is my understanding: If there is no current Show quoted text On 2016/11/15 08:44:24, haraken wrote: > > In the first place, would you help me understand why we need to check a > different thing depending on whether we have JavaScript on stack or not? Here is my understanding: If there is no current context, the javascript: URL must come from the parser. If it is coming from the parser, it must have been specified like this: <iframe src="javascript:..."></iframe> Since the iframe must be same-origin, it is always safe to execute the javascript: URL, so we can skip the security checks. If there is a current context, then the javascript: URL could have been set by script like this: window[0].location = 'javascript:...'; In this case, we must make sure that the current context is same-origin with the target frame; otherwise, the javascript: URL will be executing in a cross-origin context. However, the problem is with the "if there is no context, always allow" branch. In theory, this should be true. However, if there is a Blink bug that causes a frame that already has a cross-origin document to be re-inserted from the parser, the security check gets skipped since there is no current context. (I don't quite understand the last part: the calls that move nodes around in the DOM are coming from JS, so I'm not sure why there's no current context. See https://crbug.com/456518, which hints this to be the case)
61 contentFrame()))	62 if (!BindingSecurity::shouldAllowAccessToFrame(

62 return false;	63 currentDOMWindow(isolate), contentFrame(),

	64 BindingSecurity::ErrorReportOption::Report))

	65 return false;

	66 } else {

	67 if (!fromLayout && !document().getSecurityOrigin()->canAccess(
	dcheng 2016/11/15 08:14:21 How come we need to skip this block if we're in la How come we need to skip this block if we're in layout? If we didn't have this, we could (in theory) combine this into: LocalDOMWindow* accessingWindow = isolate->InContext() ? currentDOMWindow(isolate) : document()->window(); if (!BindingSecurity::shouldAllowAccessToFrame(...)) (I would be OK investigating this in a followup though, there is some risk here: if there's a contentFrame(), the containing document() should be active, but there's no asserts that document that, and who knows what strange corner cases are out there)
	68 contentFrame()->securityContext()->getSecurityOrigin()))

	69 return false;

	70 }

63 }	71 }

64	72

65 LocalFrame* parentFrame = document().frame();	73 LocalFrame* parentFrame = document().frame();

66 if (parentFrame)	74 if (parentFrame)

67 return parentFrame->isURLAllowed(completeURL);	75 return parentFrame->isURLAllowed(completeURL);

68	76

69 return true;	77 return true;

70 }	78 }

71	79

72 void HTMLFrameElementBase::openURL(bool replaceCurrentItem) {	80 void HTMLFrameElementBase::openURL(bool replaceCurrentItem) {

(...skipping 173 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
246 m_marginWidth = marginWidth;	254 m_marginWidth = marginWidth;

247 frameOwnerPropertiesChanged();	255 frameOwnerPropertiesChanged();

248 }	256 }

249	257

250 void HTMLFrameElementBase::setMarginHeight(int marginHeight) {	258 void HTMLFrameElementBase::setMarginHeight(int marginHeight) {

251 m_marginHeight = marginHeight;	259 m_marginHeight = marginHeight;

252 frameOwnerPropertiesChanged();	260 frameOwnerPropertiesChanged();

253 }	261 }

254	262

255 } // namespace blink	263 } // namespace blink

OLD	NEW