commit b8a105525324fca860e05b8484f1cd3ed0e29fa0
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Dec 02 02:40:35 2009 +0000
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Dec 02 02:40:35 2009 +0000
tree a5475f32754577ec8940962e5ad40ca489b6f0bc
parent bd43f07d7333f400d5ddfeb0df2d0eb57840f7ac

2009-12-01  Patrik Persson  <patrik.j.persson@ericsson.com>

        Reviewed by Darin Adler.

        Implement HTML5 sandbox attribute for iframes.
        http://www.w3.org/TR/html5/text-level-semantics.html#attr-iframe-sandbox
        https://bugs.webkit.org/show_bug.cgi?id=21288

        * fast/frames/resources/non-sandboxed-iframe-navigation.html: Added.
        * fast/frames/resources/sandboxed-iframe-attribute-parsing-allowed.html: Added.
        * fast/frames/resources/sandboxed-iframe-attribute-parsing-disallowed.html: Added.
        * fast/frames/resources/sandboxed-iframe-form-allowed.html: Added.
        * fast/frames/resources/sandboxed-iframe-form-disallowed.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigated.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-child.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-navigated.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-parent.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-source.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-targetlink.html: Added.
        * fast/frames/resources/sandboxed-iframe-navigation-windowopen.html: Added.
        * fast/frames/resources/sandboxed-iframe-plugins-frame-applet.html: Added.
        * fast/frames/resources/sandboxed-iframe-plugins-frame-embed.html: Added.
        * fast/frames/resources/sandboxed-iframe-plugins-frame-object.html: Added.
        * fast/frames/resources/sandboxed-iframe-script-dynamic.html: Added.
        * fast/frames/resources/sandboxed-iframe-storage-allowed.html: Added.
        * fast/frames/resources/sandboxed-iframe-storage-disallowed.html: Added.
        * fast/frames/sandboxed-iframe-attribute-parsing-expected.txt: Added.
        * fast/frames/sandboxed-iframe-attribute-parsing.html: Added.
        * fast/frames/sandboxed-iframe-forms-expected.txt: Added.
        * fast/frames/sandboxed-iframe-forms.html: Added.
        * fast/frames/sandboxed-iframe-navigation-allowed-expected.txt: Added.
        * fast/frames/sandboxed-iframe-navigation-allowed.html: Added.
        * fast/frames/sandboxed-iframe-navigation-parent-expected.txt: Added.
        * fast/frames/sandboxed-iframe-navigation-parent.html: Added.
        * fast/frames/sandboxed-iframe-navigation-targetlink-expected.txt: Added.
        * fast/frames/sandboxed-iframe-navigation-targetlink.html: Added.
        * fast/frames/sandboxed-iframe-navigation-windowopen-expected.txt: Added.
        * fast/frames/sandboxed-iframe-navigation-windowopen.html: Added.
        * fast/frames/sandboxed-iframe-plugins-expected.txt: Added.
        * fast/frames/sandboxed-iframe-plugins.html: Added.
        * fast/frames/sandboxed-iframe-scripting-expected.txt: Added.
        * fast/frames/sandboxed-iframe-scripting.html: Added.
        * fast/frames/sandboxed-iframe-storage-expected.txt: Added.
        * fast/frames/sandboxed-iframe-storage.html: Added.
        * http/tests/security/resources/sandboxed-iframe-document-cookie-read-denied.html: Added.
        * http/tests/security/resources/sandboxed-iframe-modify-self.html: Added.
        * http/tests/security/resources/xss-DENIED-sandboxed-iframe-attacker.html: Added.
        * http/tests/security/sandboxed-iframe-document-cookie-expected.txt: Added.
        * http/tests/security/sandboxed-iframe-document-cookie.html: Added.
        * http/tests/security/sandboxed-iframe-modify-self-expected.txt: Added.
        * http/tests/security/sandboxed-iframe-modify-self.html: Added.
        * http/tests/security/xss-DENIED-sandboxed-iframe-expected.txt: Added.
        * http/tests/security/xss-DENIED-sandboxed-iframe.html: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow.html: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard.html: Added.
        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied.html: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-iframe.html: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow.cgi: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-iframe.html: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard-iframe.html: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi: Added.
        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-denied.cgi: Added.
2009-12-01  Patrik Persson  <patrik.j.persson@ericsson.com>

        Reviewed by Darin Adler.

        Implement HTML5 sandbox attribute for iframes.
        http://www.w3.org/TR/html5/text-level-semantics.html#attr-iframe-sandbox
        https://bugs.webkit.org/show_bug.cgi?id=21288

        Tests: fast/frames/sandboxed-iframe-attribute-parsing.html
               fast/frames/sandboxed-iframe-forms.html
               fast/frames/sandboxed-iframe-navigation-allowed.html
               fast/frames/sandboxed-iframe-navigation-parent.html
               fast/frames/sandboxed-iframe-navigation-targetlink.html
               fast/frames/sandboxed-iframe-navigation-windowopen.html
               fast/frames/sandboxed-iframe-plugins.html
               fast/frames/sandboxed-iframe-scripting.html
               fast/frames/sandboxed-iframe-storage.html
               http/tests/security/sandboxed-iframe-document-cookie.html
               http/tests/security/sandboxed-iframe-modify-self.html
               http/tests/security/xss-DENIED-sandboxed-iframe.html
               http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow.html
               http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard.html
               http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied.html

        * bindings/js/JSDOMWindowCustom.cpp: sandboxing navigation
        (WebCore::createWindow):
        * bindings/js/ScriptController.cpp: sandboxing scripts
        (WebCore::ScriptController::isEnabled):
        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv):
        (WebCore::Document::cookie): raise exception when accessed from sandbox
        (WebCore::Document::setCookie): raise exception when accessed from sandbox
        (WebCore::Document::initSecurityContext): updae sandbox status
        (WebCore::Document::updateSandboxFlags):
        * dom/Document.h:
        * dom/Document.idl:
        * html/HTMLAppletElement.cpp: sandboxing applets
        (WebCore::HTMLAppletElement::createRenderer):
        (WebCore::HTMLAppletElement::renderWidgetForJSBindings):
        (WebCore::HTMLAppletElement::canEmbedJava):
        * html/HTMLAppletElement.h:
        * html/HTMLAttributeNames.in:
        * html/HTMLFrameOwnerElement.cpp: management of sandbox flags as stated in attribute
        (WebCore::HTMLFrameOwnerElement::HTMLFrameOwnerElement):
        (WebCore::HTMLFrameOwnerElement::setSandboxFlags):
        * html/HTMLFrameOwnerElement.h:
        (WebCore::HTMLFrameOwnerElement::sandboxFlags):
        * html/HTMLIFrameElement.cpp: sandbox attribute parsing
        (WebCore::parseSandboxAttribute):
        (WebCore::HTMLIFrameElement::parseMappedAttribute):
        * html/HTMLIFrameElement.idl:
        * inspector/InspectorController.cpp:
        (WebCore::InspectorController::getCookies):
        * loader/CrossOriginAccessControl.cpp:
        (WebCore::passesAccessControlCheck):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::FrameLoader):
        (WebCore::FrameLoader::init):
        (WebCore::FrameLoader::submitForm): sandboxing forms
        (WebCore::FrameLoader::requestObject): sandboxing plugins
        (WebCore::FrameLoader::shouldAllowNavigation): sandboxing navigation
        (WebCore::FrameLoader::updateSandboxFlags): propagation of sandbox flags
        * loader/FrameLoader.h:
        (WebCore::FrameLoader::ownerElementSandboxFlagsChanged):
        (WebCore::FrameLoader::isSandboxed):
        (WebCore::FrameLoader::sandboxFlags):
        * loader/FrameLoaderTypes.h:
        (WebCore::):
        * page/DOMWindow.cpp: disable storage and databases in sandboxed frames
        (WebCore::DOMWindow::sessionStorage):
        (WebCore::DOMWindow::localStorage):
        (WebCore::DOMWindow::openDatabase):
        * page/SecurityOrigin.cpp: added sandboxing status
        (WebCore::SecurityOrigin::SecurityOrigin):
        (WebCore::SecurityOrigin::canAccess):
        (WebCore::SecurityOrigin::canRequest):
        (WebCore::SecurityOrigin::toString):
        * page/SecurityOrigin.h:
        (WebCore::SecurityOrigin::setSandboxFlags):
        (WebCore::SecurityOrigin::isSandboxed):
        (WebCore::SecurityOrigin::canAccessDatabase):
        (WebCore::SecurityOrigin::canAccessStorage):
        * websockets/WebSocketChannel.cpp:
        (WebCore::WebSocketChannel::didReceiveData):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51577 268f45cc-cd09-0410-ab3c-d52691b4dbfc