Attachment #178376 for bug #104365

View Details Raw Unified Return to Bug 104365

| Differences between



2012-12-08  Mike West  <mkwst@chromium.org>

        Log to console when script is blocked by sandbox attributes.
        https://bugs.webkit.org/show_bug.cgi?id=104365

        Reviewed by Ojan Vafai.

        Adds a console message to cover script execution blocked within the
        context of a sandboxed frame which lacks the 'allow-scripts' permission.

        * bindings/ScriptControllerBase.cpp:
        (WebCore::ScriptController::canExecuteScripts):
            Log a warning when sandboxing flags block script execution.

2012-12-08  Gustavo Noronha Silva  <gns@gnome.org>

        Reviewed by Martin Robinson.

Lines 38-45 namespace WebCore { a/Source/WebCore/bindings/ScriptControllerBase.cpp_sec1
- a/Source/WebCore/bindings/ScriptControllerBase.cpp -1 / +5 lines
38		38
39	bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)	39	bool ScriptController::canExecuteScripts(ReasonForCallingCanExecuteScripts reason)
40	{	40	{
41	if (m_frame->document() && m_frame->document()->isSandboxed(SandboxScripts))	41	if (m_frame->document() && m_frame->document()->isSandboxed(SandboxScripts)) {
		42	// FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
		43	if (reason == AboutToExecuteScript)
		44	m_frame->document()->addConsoleMessage(HTMLMessageSource, LogMessageType, ErrorMessageLevel, "Blocked script execution in '" + m_frame->document()->url().string() + "' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.");
42	return false;	45	return false;
		46	}
43		47
44	if (m_frame->document() && m_frame->document()->isViewSource()) {	48	if (m_frame->document() && m_frame->document()->isViewSource()) {
45	ASSERT(m_frame->document()->securityOrigin()->isUnique());	49	ASSERT(m_frame->document()->securityOrigin()->isUnique());



2012-12-08  Mike West  <mkwst@chromium.org>

        Log to console when script is blocked by sandbox attributes.
        https://bugs.webkit.org/show_bug.cgi?id=104365

        Reviewed by Ojan Vafai.

        * fast/frames/sandboxed-iframe-attribute-parsing-expected.txt:
        * fast/frames/sandboxed-iframe-autofocus-denied-expected.txt:
        * fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt:
        * fast/frames/sandboxed-iframe-scripting-expected.txt:
        * http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt:
        * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt:
        * http/tests/security/contentSecurityPolicy/sandbox-in-http-header-control-expected.txt:
        * http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt:
        * http/tests/security/contentSecurityPolicy/sandbox-invalid-header-expected.txt:
        * http/tests/security/isolatedWorld/sandboxed-iframe-expected.txt:
        * http/tests/security/sandbox-inherit-to-initial-document-2-expected.txt:
        * media/video-controls-no-scripting-expected.txt:
            Rebaselining tests with new expectations.

2012-12-08  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r137006.

Lines 11-16 CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmit a/LayoutTests/fast/frames/sandboxed-iframe-attribute-parsing-expected.txt_sec1
- a/LayoutTests/fast/frames/sandboxed-iframe-attribute-parsing-expected.txt +8 lines
11	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.	11	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
12	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.	12	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
13	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.	13	CONSOLE MESSAGE: Blocked form submission to 'javascript:top.disallowedFormSubmitted();' because the form's frame is sandboxed and the 'allow-forms' permission is not set.
		14	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		15	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		16	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		17	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		18	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		19	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		20	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		21	CONSOLE MESSAGE: Blocked script execution in 'sandboxed-iframe-attribute-parsing-disallowed.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
14	This test case verifies the parsing of the iframe sandbox attribute. Two sets of iframes are used: one where scripting is allowed, and another one where it is disallowed. The test verifies that the allowed frames execute scripts (but other sandboxed properties still apply -- specifically, forms are disabled), and the disallowed ones do not. If successful the test prints "PASS".	22	This test case verifies the parsing of the iframe sandbox attribute. Two sets of iframes are used: one where scripting is allowed, and another one where it is disallowed. The test verifies that the allowed frames execute scripts (but other sandboxed properties still apply -- specifically, forms are disabled), and the disallowed ones do not. If successful the test prints "PASS".
15		23
16		24

Lines 1-3 a/LayoutTests/fast/frames/sandboxed-iframe-autofocus-denied-expected.txt_sec1
- a/LayoutTests/fast/frames/sandboxed-iframe-autofocus-denied-expected.txt +1 lines
		1	CONSOLE MESSAGE: line 1: Blocked script execution in 'about:srcdoc' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	CONSOLE MESSAGE: line 1: Blocked autofocusing on a form control because the form's frame is sandboxed and the 'allow-scripts' permission is not set.	2	CONSOLE MESSAGE: line 1: Blocked autofocusing on a form control because the form's frame is sandboxed and the 'allow-scripts' permission is not set.
2	CONSOLE MESSAGE: line 13: PASS: The input element is not focused.	3	CONSOLE MESSAGE: line 13: PASS: The input element is not focused.
3	This test passes if the input element in the sandboxed frame is not automatically focused upon, as it should be blocked by the sandboxed scripts flag. A console warning to that effect should also be present.	4	This test passes if the input element in the sandboxed frame is not automatically focused upon, as it should be blocked by the sandboxed scripts flag. A console warning to that effect should also be present.



ALERT: PASS: Form feed is a delimiter.
CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsallow-forms' is an invalid sandbox flag.
CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: Vertical tab is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
ALERT: PASS: Newline is a delimiter.
ALERT: PASS: Return is a delimiter.
CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsxallow-forms' is an invalid sandbox flag.
CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: x is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
ALERT: PASS: Tab is a delimiter.
ALERT: PASS: Space is a delimiter character.
This tests whether we correct parse various space characters in the sandbox attribute.

Lines 1-4 a/LayoutTests/fast/frames/sandboxed-iframe-scripting-expected.txt_sec1
- a/LayoutTests/fast/frames/sandboxed-iframe-scripting-expected.txt +2 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'about:blank' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	ALERT: PASS: Executed script in data URL	2	ALERT: PASS: Executed script in data URL
		3	CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script> alert('FAIL: Executed script without allow-scripts in data URL'); </script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
2	Verify that sandboxed frames with sandbox="allow-scripts" can execute scripts, but other sandboxed frames cannot. Also verify that adding a sandbox attribute at runtime does not effect the current state of the iframe.	4	Verify that sandboxed frames with sandbox="allow-scripts" can execute scripts, but other sandboxed frames cannot. Also verify that adding a sandbox attribute at runtime does not effect the current state of the iframe.
3		5
4	On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".	6	On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt +1 lines

Line 1 a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt_sec1

CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-empty.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

This test passes if it doesn't alert fail.

This test passes if it doesn't alert fail.

- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt +1 lines

Line 1 a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt_sec1

CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

This test passes if it doesn't alert fail.

This test passes if it doesn't alert fail.

Lines 1-2 a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-control-expected.txt_sec1
- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-control-expected.txt +1 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation%20allow-same-origin' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	ALERT: PASS: Iframe was not in a unique origin	2	ALERT: PASS: Iframe was not in a unique origin
2		3

Lines 1-3 a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt_sec1
- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt +1 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-in-http-header.html. The frame being accessed is sandboxed into a unique origin.	2	CONSOLE MESSAGE: Sandbox access violation: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allow-top-navigation from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-in-http-header.html. The frame being accessed is sandboxed into a unique origin.
2		3
3	ALERT: PASS: Iframe was in a unique origin	4	ALERT: PASS: Iframe was in a unique origin

Lines 1-2 a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-invalid-header-expected.txt_sec1
- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-invalid-header-expected.txt +1 lines
1	CONSOLE MESSAGE: Error while parsing the 'sandbox' Content Security Policy directive: 'allowScript' is an invalid sandbox flag.	1	CONSOLE MESSAGE: Error while parsing the 'sandbox' Content Security Policy directive: 'allowScript' is an invalid sandbox flag.
		2	CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/sandbox.php?sandbox=allowScript' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
2		3

Lines 1-3 a/LayoutTests/http/tests/security/isolatedWorld/sandboxed-iframe-expected.txt_sec1
- a/LayoutTests/http/tests/security/isolatedWorld/sandboxed-iframe-expected.txt +1 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/isolatedWorld/resources/fail.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	ALERT: PASS	2	ALERT: PASS
2	Test that executing scripts in an isolated world works even inside sandboxed iframes. The test passes, if an alert with the text "PASS" is shown.	3	Test that executing scripts in an isolated world works even inside sandboxed iframes. The test passes, if an alert with the text "PASS" is shown.
3		4

Lines 1-3 a/LayoutTests/http/tests/security/sandbox-inherit-to-initial-document-2-expected.txt_sec1
- a/LayoutTests/http/tests/security/sandbox-inherit-to-initial-document-2-expected.txt +1 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'about:blank' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1	Test how sandbox flags get inherited to initial document in subframe.	2	Test how sandbox flags get inherited to initial document in subframe.
2		3
3	PASS	4	PASS

Lines 1-3 a/LayoutTests/media/video-controls-no-scripting-expected.txt_sec1
- a/LayoutTests/media/video-controls-no-scripting-expected.txt +2 lines
		1	CONSOLE MESSAGE: Blocked script execution in 'video-controls-no-scripting-iframe.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
		2	CONSOLE MESSAGE: line 13: Blocked script execution in 'video-controls-no-scripting-iframe.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
1		3
2	Tests that the built-in controls are always enabled when JavaScript is disabled.	4	Tests that the built-in controls are always enabled when JavaScript is disabled.
3		5

Return to Bug 104365

Lines 1-3 a/Source/WebCore/ChangeLog_sec1
- a/Source/WebCore/ChangeLog +14 lines
		1	2012-12-08 Mike West <mkwst@chromium.org>
		2
		3	Log to console when script is blocked by sandbox attributes.
		4	https://bugs.webkit.org/show_bug.cgi?id=104365
		5
		6	Reviewed by Ojan Vafai.
		7
		8	Adds a console message to cover script execution blocked within the
		9	context of a sandboxed frame which lacks the 'allow-scripts' permission.
		10
		11	* bindings/ScriptControllerBase.cpp:
		12	(WebCore::ScriptController::canExecuteScripts):
		13	Log a warning when sandboxing flags block script execution.
		14
1	2012-12-08 Gustavo Noronha Silva <gns@gnome.org>	15	2012-12-08 Gustavo Noronha Silva <gns@gnome.org>
2		16
3	Reviewed by Martin Robinson.	17	Reviewed by Martin Robinson.

Lines 1-3 a/LayoutTests/ChangeLog_sec1
- a/LayoutTests/ChangeLog +21 lines
		1	2012-12-08 Mike West <mkwst@chromium.org>
		2
		3	Log to console when script is blocked by sandbox attributes.
		4	https://bugs.webkit.org/show_bug.cgi?id=104365
		5
		6	Reviewed by Ojan Vafai.
		7
		8	* fast/frames/sandboxed-iframe-attribute-parsing-expected.txt:
		9	* fast/frames/sandboxed-iframe-autofocus-denied-expected.txt:
		10	* fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt:
		11	* fast/frames/sandboxed-iframe-scripting-expected.txt:
		12	* http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt:
		13	* http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt:
		14	* http/tests/security/contentSecurityPolicy/sandbox-in-http-header-control-expected.txt:
		15	* http/tests/security/contentSecurityPolicy/sandbox-in-http-header-expected.txt:
		16	* http/tests/security/contentSecurityPolicy/sandbox-invalid-header-expected.txt:
		17	* http/tests/security/isolatedWorld/sandboxed-iframe-expected.txt:
		18	* http/tests/security/sandbox-inherit-to-initial-document-2-expected.txt:
		19	* media/video-controls-no-scripting-expected.txt:
		20	Rebaselining tests with new expectations.
		21
1	2012-12-08 Sheriff Bot <webkit.review.bot@gmail.com>	22	2012-12-08 Sheriff Bot <webkit.review.bot@gmail.com>
2		23
3	Unreviewed, rolling out r137006.	24	Unreviewed, rolling out r137006.

Lines 1-8 a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt_sec1
- a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt +2 lines
1	ALERT: PASS: Form feed is a delimiter.	1	ALERT: PASS: Form feed is a delimiter.
2	CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsallow-forms' is an invalid sandbox flag.	2	CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsallow-forms' is an invalid sandbox flag.
		3	CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: Vertical tab is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
3	ALERT: PASS: Newline is a delimiter.	4	ALERT: PASS: Newline is a delimiter.
4	ALERT: PASS: Return is a delimiter.	5	ALERT: PASS: Return is a delimiter.
5	CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsxallow-forms' is an invalid sandbox flag.	6	CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsxallow-forms' is an invalid sandbox flag.
		7	CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL: x is not a delimiter.');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
6	ALERT: PASS: Tab is a delimiter.	8	ALERT: PASS: Tab is a delimiter.
7	ALERT: PASS: Space is a delimiter character.	9	ALERT: PASS: Space is a delimiter character.
8	This tests whether we correct parse various space characters in the sandbox attribute.	10	This tests whether we correct parse various space characters in the sandbox attribute.