diff options
| author | ager@chromium.org <ager@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-07 07:59:39 +0000 |
|---|---|---|
| committer | ager@chromium.org <ager@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-07 07:59:39 +0000 |
| commit | a0e7634de65a1b81c5c35a12718052bc69cd7d8d (patch) | |
| tree | 4aa9e93965c7994bc7a53c09737a5a58a34123c3 /webkit | |
| parent | 6ef354a78a27001cc16f21cdbed717829a12647a (diff) | |
| download | chromium_src-a0e7634de65a1b81c5c35a12718052bc69cd7d8d.zip chromium_src-a0e7634de65a1b81c5c35a12718052bc69cd7d8d.tar.gz chromium_src-a0e7634de65a1b81c5c35a12718052bc69cd7d8d.tar.bz2 | |
Fix regression in security checks introduced by WebKit merge
42932:42994.
Do not allow cross-frame access to a frame whose document is
unavailable.
See http://trac.webkit.org/changeset/42983 for details. The rest of the changes from that change set will follow as a separate changelist.
BUG=11178
Review URL: http://codereview.chromium.org/113093
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@15536 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
| -rw-r--r-- | webkit/port/bindings/v8/v8_proxy.cpp | 6 | ||||
| -rw-r--r-- | webkit/tools/layout_tests/test_expectations.txt | 8 |
2 files changed, 0 insertions, 14 deletions
diff --git a/webkit/port/bindings/v8/v8_proxy.cpp b/webkit/port/bindings/v8/v8_proxy.cpp index bed4ec4..5b8b478 100644 --- a/webkit/port/bindings/v8/v8_proxy.cpp +++ b/webkit/port/bindings/v8/v8_proxy.cpp @@ -1901,12 +1901,6 @@ bool V8Proxy::CanAccessPrivate(DOMWindow* target_window) if (!origin_window) return false; - // JS may be attempting to access the "window" object, which should be - // valid, even if the document hasn't been constructed yet. - // If the document doesn't exist yet allow JS to access the window object. - if (!origin_window->document()) - return true; - const SecurityOrigin* active_security_origin = origin_window->securityOrigin(); const SecurityOrigin* target_security_origin = target_window->securityOrigin(); diff --git a/webkit/tools/layout_tests/test_expectations.txt b/webkit/tools/layout_tests/test_expectations.txt index 0702c5f..0ea43ed 100644 --- a/webkit/tools/layout_tests/test_expectations.txt +++ b/webkit/tools/layout_tests/test_expectations.txt @@ -2339,14 +2339,6 @@ BUG11176 MAC : LayoutTests/fast/css/first-child-pseudo-class.html = FAIL PASS BUG11176 LINUX MAC WIN : LayoutTests/fast/forms/input-align-image.html = FAIL PASS // New failures from WebKit Merge 42932:42994 -BUG11178 : LayoutTests/http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener.html = FAIL -BUG11178 : LayoutTests/http/tests/security/listener/xss-JSTargetNode-onclick-shortcut.html = FAIL -BUG11178 : LayoutTests/http/tests/security/listener/xss-XMLHttpRequest-addEventListener.html = FAIL -BUG11178 : LayoutTests/http/tests/security/listener/xss-XMLHttpRequest-shortcut.html = FAIL -BUG11178 : LayoutTests/http/tests/security/listener/xss-window-onclick-addEventListener.html = FAIL -BUG11178 : LayoutTests/http/tests/security/listener/xss-window-onclick-shortcut.html = FAIL -BUG11178 : chrome/http/tests/security/listener/xss-inactive-closure.html = FAIL -BUG11178 WIN MAC : LayoutTests/http/tests/security/xss-eval.html = FAIL BUG11178 DEBUG WIN : LayoutTests/transitions/repeated-firing-background-color.html = FAIL PASS BUG11178 MAC : LayoutTests/fast/dom/Document/open-with-pending-load.html = CRASH |