From 02562e330f8e7ea166e31dc63596d3ae1070a591 Mon Sep 17 00:00:00 2001 From: "cdumez@apple.com" Date: Tue, 9 Feb 2021 21:21:26 +0000 Subject: [PATCH] Disallow alert/confirm/prompt in cross-origin-domain subframes https://bugs.webkit.org/show_bug.cgi?id=221568 Reviewed by Geoff Garen. Source/WebCore: Disallow alert/confirm/prompt in cross-origin-domain subframes as per the latest HTML specification: - https://github.com/whatwg/html/pull/6297 Tests: http/tests/security/cross-origin-js-prompt-forbidden.html http/tests/security/same-origin-different-domain-js-prompt-forbidden.html * page/DOMWindow.cpp: (WebCore::DOMWindow::alert): (WebCore::DOMWindow::confirmForBindings): (WebCore::DOMWindow::prompt): * page/SecurityOrigin.cpp: * page/SecurityOrigin.h: LayoutTests: Add layout test coverage and update existing tests to stop using alert() in cross-origin iframes. * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt: * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html: * fast/events/popup-when-select-change-expected.txt: * fast/events/popup-when-select-change.html: * fast/events/resize-subframe-expected.txt: * fast/events/resize-subframe.html: * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: * fast/frames/resources/navigate-top-by-name-to-fail.html: * fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt: * http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html: * http/tests/cookies/third-party-cookie-relaxing-expected.txt: * http/tests/history/cross-origin-replace-history-object-child-expected.txt: * http/tests/history/cross-origin-replace-history-object-expected.txt: * http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html: * http/tests/history/resources/cross-origin-replaces-history-object-iframe.html: * http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html: * http/tests/plugins/third-party-cookie-accept-policy-expected.txt: * http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: * http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: * http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: * http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: * http/tests/security/contentSecurityPolicy/resources/alert-fail.html: * http/tests/security/contentSecurityPolicy/resources/alert-fail.js: (catch): * http/tests/security/contentSecurityPolicy/resources/alert-pass.html: * http/tests/security/contentSecurityPolicy/resources/alert-pass.js: (catch): * http/tests/security/contentSecurityPolicy/resources/sandbox.php: * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt: * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt: * http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt: * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: * http/tests/security/cross-origin-js-prompt-forbidden-expected.txt: Added. * http/tests/security/cross-origin-js-prompt-forbidden.html: Added. * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html: * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html: * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt: * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt: * http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html: * http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt: * http/tests/security/resources/cross-origin-js-prompt-forbidden.html: Added. * http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt: Added. * http/tests/security/same-origin-different-domain-js-prompt-forbidden.html: Added. * http/tests/security/xssAuditor/base-href-control-char-expected.txt: * http/tests/security/xssAuditor/base-href-direct-expected.txt: * http/tests/security/xssAuditor/base-href-expected.txt: * http/tests/security/xssAuditor/base-href-null-char-expected.txt: * http/tests/security/xssAuditor/base-href-safe-expected.txt: * http/tests/security/xssAuditor/base-href-safe2-expected.txt: * http/tests/security/xssAuditor/base-href-safe3-expected.txt: * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt: * http/tests/security/xssAuditor/cached-frame-expected.txt: * http/tests/security/xssAuditor/cached-frame.html: * http/tests/security/xssAuditor/cookie-injection-expected.txt: * http/tests/security/xssAuditor/data-urls-work-expected.txt: * http/tests/security/xssAuditor/data-urls-work.html: * http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt: * http/tests/security/xssAuditor/dom-write-innerHTML.html: * http/tests/security/xssAuditor/form-action-expected.txt: * http/tests/security/xssAuditor/formaction-on-button-expected.txt: * http/tests/security/xssAuditor/formaction-on-input-expected.txt: * http/tests/security/xssAuditor/javascript-link-safe-expected.txt: * http/tests/security/xssAuditor/javascript-link-safe.html: * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt: * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt: * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html: * http/tests/security/xssAuditor/property-escape-noquotes.html: * http/tests/security/xssAuditor/property-inject-expected.txt: * http/tests/security/xssAuditor/property-inject.html: * http/tests/security/xssAuditor/resources/base-href/really-safe-script.js: * http/tests/security/xssAuditor/resources/base-href/safe-script.js: * http/tests/security/xssAuditor/resources/echo-intertag.pl: * http/tests/security/xssAuditor/resources/javascript-link-safe.html: * http/tests/security/xssAuditor/resources/nph-cached.pl: * http/tests/security/xssAuditor/resources/safe-script-noquotes.js: * http/tests/security/xssAuditor/resources/safe-script.js: * http/tests/security/xssAuditor/resources/script-tag-safe2.html: * http/tests/security/xssAuditor/script-tag-near-start-expected.txt: * http/tests/security/xssAuditor/script-tag-near-start.html: * http/tests/security/xssAuditor/script-tag-safe2-expected.txt: * http/tests/security/xssAuditor/script-tag-safe2.html: * http/tests/security/xssAuditor/script-tag-safe3-expected.txt: * http/tests/security/xssAuditor/script-tag-safe3.html: * http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt: * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt: * http/tests/security/xssAuditor/script-tag-with-injected-comment.html: * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: * platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@272607 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 108 +++++ ...ndow-open-named-sibling-frame-expected.txt | 4 +- ...e-via-window-open-named-sibling-frame.html | 2 +- .../popup-when-select-change-expected.txt | 2 +- .../fast/events/popup-when-select-change.html | 2 +- .../fast/events/resize-subframe-expected.txt | 2 +- LayoutTests/fast/events/resize-subframe.html | 2 +- ...in-sandbox-with-allow-scripts-expected.txt | 2 +- ...tofocus-in-sandbox-with-allow-scripts.html | 2 +- .../navigate-top-by-name-to-fail.html | 10 +- ...navigation-top-by-name-denied-expected.txt | 2 +- ...rame-parsing-space-characters-expected.txt | 14 +- ...boxed-iframe-parsing-space-characters.html | 2 +- ...sandboxed-iframe-scripting-02-expected.txt | 2 +- .../frames/sandboxed-iframe-scripting-02.html | 2 +- .../third-party-cookie-relaxing-iframe.html | 10 +- .../third-party-cookie-relaxing-expected.txt | 60 +-- ...-replace-history-object-child-expected.txt | 4 +- ...origin-replace-history-object-expected.txt | 2 +- ...-replaces-history-object-child-iframe.html | 6 +- ...origin-replaces-history-object-iframe.html | 4 +- ...-default-enc-different-domain-expected.txt | 2 +- ...frame-default-enc-same-domain-expected.txt | 2 +- .../resources/frame-default-enc-frame.html | 2 +- ...ird-party-cookie-accept-policy-iframe.html | 6 +- ...rd-party-cookie-accept-policy-expected.txt | 6 +- .../embed-redirect-allowed-expected.txt | 2 +- .../embed-redirect-allowed2-expected.txt | 2 +- .../frame-src-cross-origin-load-expected.txt | 2 +- ...hen-loaded-via-javascript-url-expected.txt | 2 +- .../iframe-inside-csp-expected.txt | 4 +- ...redirect-allowed-by-child-src-expected.txt | 2 +- ...edirect-allowed-by-child-src2-expected.txt | 2 +- ...redirect-allowed-by-frame-src-expected.txt | 2 +- ...edirect-allowed-by-frame-src2-expected.txt | 2 +- .../object-redirect-allowed-expected.txt | 2 +- .../object-redirect-allowed2-expected.txt | 2 +- ...ect-src-does-not-affect-child-expected.txt | 2 +- .../resources/alert-fail.html | 7 +- .../resources/alert-fail.js | 9 +- .../resources/alert-pass.html | 7 +- .../resources/alert-pass.js | 9 +- .../resources/sandbox.php | 2 +- .../resources/sandboxed-eval.php | 4 +- ...cripts-in-http-header-control-expected.txt | 2 +- ...-allow-scripts-in-http-header-expected.txt | 2 +- .../sandbox-report-only-expected.txt | 2 +- .../proper-nested-upgrades-expected.txt | 6 +- .../upgrades-mixed-content-expected.txt | 2 +- .../cross-frame-access-put-expected.txt | 370 +++++++++--------- ...ss-origin-js-prompt-forbidden-expected.txt | 14 + .../cross-origin-js-prompt-forbidden.html | 18 + .../security/data-url-inline.css-expected.txt | 2 +- .../tests/security/data-url-inline.css.html | 2 +- ...reign-domain-data-url-accessor-iframe.html | 4 +- ...domain-data-url-accessor-opened-frame.html | 4 +- ...rl-in-foreign-domain-subframe-expected.txt | 2 +- ...in-foreign-domain-window-open-expected.txt | 2 +- .../drag-drop-different-origin-expected.txt | 2 +- .../drag-drop-local-file-expected.txt | 2 +- .../drag-drop-same-unique-origin-expected.txt | 2 +- .../frame-with-insecure-websocket.html | 8 +- .../insecure-websocket-in-iframe-expected.txt | 2 +- ...ecure-websocket-in-main-frame-expected.txt | 2 +- .../no-indexeddb-from-sandbox-expected.txt | 2 +- .../security/no-indexeddb-from-sandbox.html | 6 +- .../no-popup-from-sandbox-expected.txt | 2 +- .../no-popup-from-sandbox-top-expected.txt | 4 +- .../security/no-popup-from-sandbox-top.html | 2 +- .../tests/security/no-popup-from-sandbox.html | 2 +- ...lowed-by-sandbox-when-allowed-expected.txt | 2 +- ...popup-allowed-by-sandbox-when-allowed.html | 2 +- .../cross-frame-iframe-for-put-test.html | 10 +- .../cross-origin-js-prompt-forbidden.html | 23 ++ .../security/resources/drag-drop-allowed.html | 4 +- .../tests/security/resources/drag-drop.html | 4 +- ...andboxed-iframe-ALLOWED-modals-iframe.html | 7 + ...nt-domain-js-prompt-forbidden-expected.txt | 14 + ...-different-domain-js-prompt-forbidden.html | 22 ++ .../sandboxed-iframe-ALLOWED-modals.html | 21 +- ...ss-DENIED-window-index-assign-expected.txt | 2 +- .../xss-DENIED-window-index-assign.html | 4 +- .../xss-DENIED-window-name-alert-expected.txt | 2 +- .../xss-DENIED-window-name-alert.html | 2 +- .../base-href-control-char-expected.txt | 2 +- .../xssAuditor/base-href-direct-expected.txt | 2 +- .../xssAuditor/base-href-expected.txt | 2 +- .../base-href-null-char-expected.txt | 2 +- .../xssAuditor/base-href-safe-expected.txt | 2 +- .../xssAuditor/base-href-safe2-expected.txt | 2 +- .../xssAuditor/base-href-safe3-expected.txt | 2 +- .../base-href-scheme-relative-expected.txt | 2 +- .../xssAuditor/cached-frame-expected.txt | 4 +- .../security/xssAuditor/cached-frame.html | 2 +- .../xssAuditor/cookie-injection-expected.txt | 2 +- .../xssAuditor/data-urls-work-expected.txt | 2 +- .../security/xssAuditor/data-urls-work.html | 2 +- .../dom-write-innerHTML-expected.txt | 2 +- .../xssAuditor/dom-write-innerHTML.html | 2 +- .../xssAuditor/form-action-expected.txt | 2 +- .../formaction-on-button-expected.txt | 2 +- .../formaction-on-input-expected.txt | 2 +- .../javascript-link-safe-expected.txt | 2 +- .../xssAuditor/javascript-link-safe.html | 2 +- .../property-escape-noquotes-expected.txt | 2 +- ...cape-noquotes-tab-slash-chars-expected.txt | 2 +- ...perty-escape-noquotes-tab-slash-chars.html | 2 +- .../xssAuditor/property-escape-noquotes.html | 2 +- .../xssAuditor/property-inject-expected.txt | 2 +- .../security/xssAuditor/property-inject.html | 2 +- .../resources/base-href/really-safe-script.js | 2 +- .../resources/base-href/safe-script.js | 2 +- .../xssAuditor/resources/echo-intertag.pl | 8 +- .../resources/javascript-link-safe.html | 2 +- .../xssAuditor/resources/nph-cached.pl | 2 +- .../resources/safe-script-noquotes.js | 2 +- .../xssAuditor/resources/safe-script.js | 2 +- .../resources/script-tag-safe2.html | 2 +- .../script-tag-near-start-expected.txt | 2 +- .../xssAuditor/script-tag-near-start.html | 2 +- .../xssAuditor/script-tag-safe2-expected.txt | 2 +- .../security/xssAuditor/script-tag-safe2.html | 2 +- .../xssAuditor/script-tag-safe3-expected.txt | 2 +- .../security/xssAuditor/script-tag-safe3.html | 2 +- .../script-tag-src-redirect-safe-expected.txt | 2 +- ...ipt-tag-with-injected-comment-expected.txt | 2 +- .../script-tag-with-injected-comment.html | 2 +- ...ipt-tag-with-source-same-host-expected.txt | 2 +- ...ol-preflight-credential-async-expected.txt | 4 +- ...rol-preflight-credential-sync-expected.txt | 4 +- .../proper-nested-upgrades-expected.txt | 6 +- ...ullscreen-plugins-dont-reload-expected.txt | 2 +- .../plugin-document-back-forward-expected.txt | 4 +- Source/WebCore/ChangeLog | 20 + Source/WebCore/page/DOMWindow.cpp | 15 + Source/WebCore/page/SecurityOrigin.h | 2 + .../TestNetscapePlugIn/main.cpp | 2 +- 137 files changed, 658 insertions(+), 410 deletions(-) create mode 100644 LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden-expected.txt create mode 100644 LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden.html create mode 100644 LayoutTests/http/tests/security/resources/cross-origin-js-prompt-forbidden.html create mode 100644 LayoutTests/http/tests/security/resources/sandboxed-iframe-ALLOWED-modals-iframe.html create mode 100644 LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt create mode 100644 LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 58dceaa218316..812387e3a66eb 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,111 @@ +2021-02-09 Chris Dumez + + Disallow alert/confirm/prompt in cross-origin-domain subframes + https://bugs.webkit.org/show_bug.cgi?id=221568 + + Reviewed by Geoff Garen. + + Add layout test coverage and update existing tests to stop using alert() in cross-origin iframes. + + * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt: + * fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html: + * fast/events/popup-when-select-change-expected.txt: + * fast/events/popup-when-select-change.html: + * fast/events/resize-subframe-expected.txt: + * fast/events/resize-subframe.html: + * fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt: + * fast/forms/autofocus-in-sandbox-with-allow-scripts.html: + * fast/frames/resources/navigate-top-by-name-to-fail.html: + * fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt: + * http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html: + * http/tests/cookies/third-party-cookie-relaxing-expected.txt: + * http/tests/history/cross-origin-replace-history-object-child-expected.txt: + * http/tests/history/cross-origin-replace-history-object-expected.txt: + * http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html: + * http/tests/history/resources/cross-origin-replaces-history-object-iframe.html: + * http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html: + * http/tests/plugins/third-party-cookie-accept-policy-expected.txt: + * http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: + * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: + * http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: + * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: + * http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: + * http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: + * http/tests/security/contentSecurityPolicy/resources/alert-fail.html: + * http/tests/security/contentSecurityPolicy/resources/alert-fail.js: + (catch): + * http/tests/security/contentSecurityPolicy/resources/alert-pass.html: + * http/tests/security/contentSecurityPolicy/resources/alert-pass.js: + (catch): + * http/tests/security/contentSecurityPolicy/resources/sandbox.php: + * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php: + * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt: + * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt: + * http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt: + * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: + * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: + * http/tests/security/cross-origin-js-prompt-forbidden-expected.txt: Added. + * http/tests/security/cross-origin-js-prompt-forbidden.html: Added. + * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html: + * http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html: + * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt: + * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt: + * http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html: + * http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt: + * http/tests/security/resources/cross-origin-js-prompt-forbidden.html: Added. + * http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt: Added. + * http/tests/security/same-origin-different-domain-js-prompt-forbidden.html: Added. + * http/tests/security/xssAuditor/base-href-control-char-expected.txt: + * http/tests/security/xssAuditor/base-href-direct-expected.txt: + * http/tests/security/xssAuditor/base-href-expected.txt: + * http/tests/security/xssAuditor/base-href-null-char-expected.txt: + * http/tests/security/xssAuditor/base-href-safe-expected.txt: + * http/tests/security/xssAuditor/base-href-safe2-expected.txt: + * http/tests/security/xssAuditor/base-href-safe3-expected.txt: + * http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt: + * http/tests/security/xssAuditor/cached-frame-expected.txt: + * http/tests/security/xssAuditor/cached-frame.html: + * http/tests/security/xssAuditor/cookie-injection-expected.txt: + * http/tests/security/xssAuditor/data-urls-work-expected.txt: + * http/tests/security/xssAuditor/data-urls-work.html: + * http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt: + * http/tests/security/xssAuditor/dom-write-innerHTML.html: + * http/tests/security/xssAuditor/form-action-expected.txt: + * http/tests/security/xssAuditor/formaction-on-button-expected.txt: + * http/tests/security/xssAuditor/formaction-on-input-expected.txt: + * http/tests/security/xssAuditor/javascript-link-safe-expected.txt: + * http/tests/security/xssAuditor/javascript-link-safe.html: + * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt: + * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt: + * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html: + * http/tests/security/xssAuditor/property-escape-noquotes.html: + * http/tests/security/xssAuditor/property-inject-expected.txt: + * http/tests/security/xssAuditor/property-inject.html: + * http/tests/security/xssAuditor/resources/base-href/really-safe-script.js: + * http/tests/security/xssAuditor/resources/base-href/safe-script.js: + * http/tests/security/xssAuditor/resources/echo-intertag.pl: + * http/tests/security/xssAuditor/resources/javascript-link-safe.html: + * http/tests/security/xssAuditor/resources/nph-cached.pl: + * http/tests/security/xssAuditor/resources/safe-script-noquotes.js: + * http/tests/security/xssAuditor/resources/safe-script.js: + * http/tests/security/xssAuditor/resources/script-tag-safe2.html: + * http/tests/security/xssAuditor/script-tag-near-start-expected.txt: + * http/tests/security/xssAuditor/script-tag-near-start.html: + * http/tests/security/xssAuditor/script-tag-safe2-expected.txt: + * http/tests/security/xssAuditor/script-tag-safe2.html: + * http/tests/security/xssAuditor/script-tag-safe3-expected.txt: + * http/tests/security/xssAuditor/script-tag-safe3.html: + * http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt: + * http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt: + * http/tests/security/xssAuditor/script-tag-with-injected-comment.html: + * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: + * platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: + 2021-02-09 Peng Liu [GPUP] Test media/track/audio-track-add-remove.html crashes on debug bots diff --git a/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt b/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt index 7caf4b6465b02..1616034dcbaf8 100644 --- a/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt +++ b/LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt @@ -1,4 +1,4 @@ -CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'about:blank' from frame with URL 'data:text/html,"> + diff --git a/LayoutTests/fast/events/popup-when-select-change-expected.txt b/LayoutTests/fast/events/popup-when-select-change-expected.txt index 09fb73d0c82fd..9c9f13e2b77b0 100644 --- a/LayoutTests/fast/events/popup-when-select-change-expected.txt +++ b/LayoutTests/fast/events/popup-when-select-change-expected.txt @@ -1,4 +1,4 @@ -ALERT: PASSED +CONSOLE MESSAGE: PASSED If the pop-up was not blocked then there will be an PASS message. Otherwise, the test fails. diff --git a/LayoutTests/fast/events/popup-when-select-change.html b/LayoutTests/fast/events/popup-when-select-change.html index 30c3db9c71abb..69a00ccd1773e 100644 --- a/LayoutTests/fast/events/popup-when-select-change.html +++ b/LayoutTests/fast/events/popup-when-select-change.html @@ -38,7 +38,7 @@ If the pop-up was not blocked then there will be an PASS message. Otherwise, the test fails. -
+
diff --git a/LayoutTests/fast/events/resize-subframe-expected.txt b/LayoutTests/fast/events/resize-subframe-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/fast/events/resize-subframe-expected.txt +++ b/LayoutTests/fast/events/resize-subframe-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/fast/events/resize-subframe.html b/LayoutTests/fast/events/resize-subframe.html index de6a4bfd2a083..7bc4ee79a38b8 100644 --- a/LayoutTests/fast/events/resize-subframe.html +++ b/LayoutTests/fast/events/resize-subframe.html @@ -18,7 +18,7 @@ { if (window.testRunner) { - alert('PASS'); + console.log('PASS'); testRunner.notifyDone(); } else diff --git a/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt index 693f629cbdbba..cf86fb4c5ea69 100644 --- a/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt +++ b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt @@ -1,2 +1,2 @@ -ALERT: INPUT +CONSOLE MESSAGE: INPUT This test passes if the activeElement is the input element rather than the body (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set). diff --git a/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html index b9b4d2bf93cba..4f223868fd7e6 100644 --- a/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html +++ b/LayoutTests/fast/forms/autofocus-in-sandbox-with-allow-scripts.html @@ -5,4 +5,4 @@ This test passes if the activeElement is the input element rather than the body (which it would be if the sandbox didn't allow autofocus although allow-scripts flag is set). + src="data:text/html,"> diff --git a/LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html b/LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html index a7d2f274ec2d5..40754e7848526 100644 --- a/LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html +++ b/LayoutTests/fast/frames/resources/navigate-top-by-name-to-fail.html @@ -1,11 +1,11 @@ diff --git a/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt index 050c4da24d852..6f3f300f54e9b 100644 --- a/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt +++ b/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt @@ -6,7 +6,7 @@ CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'navigate-top-by-name-to-fail.html'. The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set. CONSOLE MESSAGE: Blocked opening 'fail-and-notify-done.html' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set. -ALERT: PASS +CONSOLE MESSAGE: PASS This test verifies that a sandboxed IFrame cannot navigate the top-level frame without allow-top-navigation. This test passes if the navigation does not occur. diff --git a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt index 4776711da00cd..282dac7d15b1c 100644 --- a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt +++ b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters-expected.txt @@ -1,11 +1,11 @@ -ALERT: PASS: Form feed is a delimiter. +CONSOLE MESSAGE: PASS: Form feed is a delimiter. CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scripts allow-forms' is an invalid sandbox flag. -CONSOLE MESSAGE: Blocked script execution in 'data:text/html,' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. -ALERT: PASS: Newline is a delimiter. -ALERT: PASS: Return is a delimiter. +CONSOLE MESSAGE: Blocked script execution in 'data:text/html,' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. +CONSOLE MESSAGE: PASS: Newline is a delimiter. +CONSOLE MESSAGE: PASS: Return is a delimiter. CONSOLE MESSAGE: Error while parsing the 'sandbox' attribute: 'allow-scriptsxallow-forms' is an invalid sandbox flag. -CONSOLE MESSAGE: Blocked script execution in 'data:text/html,' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. -ALERT: PASS: Tab is a delimiter. -ALERT: PASS: Space is a delimiter character. +CONSOLE MESSAGE: Blocked script execution in 'data:text/html,' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. +CONSOLE MESSAGE: PASS: Tab is a delimiter. +CONSOLE MESSAGE: PASS: Space is a delimiter character. This tests whether we correct parse various space characters in the sandbox attribute. diff --git a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html index d9445dd474f45..c05c1aafd0148 100644 --- a/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html +++ b/LayoutTests/fast/frames/sandboxed-iframe-parsing-space-characters.html @@ -25,7 +25,7 @@ var policy = "allow-modals allow-scripts" + possibleDelimiter + "allow-forms"; var iframe = document.createElement('iframe'); iframe.sandbox = policy; - iframe.src = "data:text/html,"> + src="data:text/html,"> diff --git a/LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html b/LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html index c5703b1a3bec8..199c2735830da 100644 --- a/LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html +++ b/LayoutTests/http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html @@ -22,8 +22,8 @@ function trySetCookie() { - alert("Cookies should be clear, and are: '" + document.cookie + "'"); - alert("About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail."); + console.log("Cookies should be clear, and are: '" + document.cookie + "'"); + console.log("About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail."); if (window.testRunner) testRunner.setAlwaysAcceptCookies(false); plugin.getURLNotify("http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie", null, "completeTest"); @@ -31,7 +31,7 @@ function completeTest() { - alert("Cookies should still be clear, and are: '" + document.cookie + "'"); + console.log("Cookies should still be clear, and are: '" + document.cookie + "'"); resetCookies(); if (window.testRunner) testRunner.notifyDone(); diff --git a/LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt b/LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt index e083f8c1c0438..61918ac185477 100644 --- a/LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt +++ b/LayoutTests/http/tests/plugins/third-party-cookie-accept-policy-expected.txt @@ -1,5 +1,5 @@ -ALERT: Cookies should be clear, and are: '' -ALERT: About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail. -ALERT: Cookies should still be clear, and are: '' +CONSOLE MESSAGE: Cookies should be clear, and are: '' +CONSOLE MESSAGE: About to set a cookie, but on localhost instead of 127.0.0.1, which is our main document domain - This should fail. +CONSOLE MESSAGE: Cookies should still be clear, and are: '' This tests that plug-ins cannot set cookies in violation of the 3rd party cookie policy. diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt index 52c496931df9d..7160548f6c7a2 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt @@ -1,6 +1,6 @@ CONSOLE MESSAGE: Refused to load https://localhost:8443/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy. ALERT: PASS -ALERT: PASS +CONSOLE MESSAGE: PASS IFrames blocked by CSP should generate a 'load' event, regardless of blocked state. This means they appear to be normal cross-origin loads, thereby not leaking URL information directly to JS. On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt index 889df3ba1fb22..9ee8b553287cc 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt @@ -1,4 +1,4 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS -------- diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt index a86e99325c7ae..b944825039e3a 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt @@ -1,3 +1,3 @@ -ALERT: PASS (1/2): Script can execute -ALERT: PASS (2/2): Eval works +CONSOLE MESSAGE: PASS (1/2): Script can execute +CONSOLE MESSAGE: PASS (2/2): Eval works diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt index 16f8a5011153c..d156eac7532e5 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child-expected.txt @@ -1,4 +1,4 @@ -ALERT: Plugin Loaded! +CONSOLE MESSAGE: Plugin Loaded! This tests that an object-src directive on a top-level page is not inherited by a PluginDocument embedded in an iframe on the page. This test passes if an alert pops up saying that the plugin loaded. diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html index ec215a36f5200..a4e479c9809a4 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html @@ -1,3 +1,8 @@ diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js index 2462b4b004fec..e7ad7bc4aed5d 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js @@ -1 +1,8 @@ -alert('FAIL'); +{ +let isSameOrigin = true; +try { top.name } catch (e) { isSameOrigin = false; } +if (isSameOrigin) + alert("FAIL"); +else + console.log("FAIL"); +} diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html index f5bcadb7ac982..e6f1acab2c323 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html @@ -1,5 +1,10 @@ diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php index b5231e99eebc8..1cbb65d65447c 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php @@ -2,9 +2,9 @@ header("Content-Security-Policy: sandbox allow-scripts allow-modals"); ?> Done. diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt index 2c64206149b2d..e07a0efb5ee58 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt @@ -1,3 +1,3 @@ -ALERT: Script executed in iframe. +CONSOLE MESSAGE: Script executed in iframe. ALERT: PASS: Iframe was not in a unique origin diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt index 73aa1c45aac9b..97915843d1c48 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt @@ -1,4 +1,4 @@ -ALERT: Script executed in iframe. +CONSOLE MESSAGE: Script executed in iframe. CONSOLE MESSAGE: SecurityError: Sandbox access violation: Blocked a frame at "http://127.0.0.1:8000" from accessing a cross-origin frame. The frame being accessed is sandboxed and lacks the "allow-same-origin" flag. ALERT: PASS: Iframe was in a unique origin diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt index 0ba220bc621bd..3badafc3efb67 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt @@ -1,5 +1,5 @@ CONSOLE MESSAGE: The Content Security Policy directive 'sandbox' is ignored when delivered in a report-only policy. CONSOLE MESSAGE: The Content Security Policy 'sandbox' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header. -ALERT: Script executed in iframe. +CONSOLE MESSAGE: Script executed in iframe. ALERT: PASS: Iframe was not in a unique origin diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt index 255530829f6e8..2abe25ecab4f2 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt @@ -1,12 +1,12 @@ frame "" - didStartProvisionalLoadForFrame main frame - didFinishDocumentLoadForFrame frame "" - didCommitLoadForFrame -ALERT: PASS +CONSOLE MESSAGE: PASS frame "" - didStartProvisionalLoadForFrame frame "" - didFinishDocumentLoadForFrame frame "" - didCommitLoadForFrame -ALERT: PASS -ALERT: PASS +CONSOLE MESSAGE: PASS +CONSOLE MESSAGE: PASS frame "" - didFinishDocumentLoadForFrame frame "" - didHandleOnloadEventsForFrame frame "" - didHandleOnloadEventsForFrame diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt index 4e7e713237917..0d071b1fd01e9 100644 --- a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt +++ b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS This page should alert "PASS" and not generate any mixed content warnings in the console. diff --git a/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt b/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt index 5a858c03c063f..2703789ef71ec 100644 --- a/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt +++ b/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt @@ -1,190 +1,190 @@ CONSOLE MESSAGE: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. -ALERT: PASS: window.Attr should be 'function Attr() { [native code]}' and is. -ALERT: PASS: window.CDATASection should be 'function CDATASection() { [native code]}' and is. -ALERT: PASS: window.CharacterData should be 'function CharacterData() { [native code]}' and is. -ALERT: PASS: window.Comment should be 'function Comment() { [native code]}' and is. -ALERT: PASS: window.CSSPrimitiveValue should be 'function CSSPrimitiveValue() { [native code]}' and is. -ALERT: PASS: window.CSSRule should be 'function CSSRule() { [native code]}' and is. -ALERT: PASS: window.CSSStyleDeclaration should be 'function CSSStyleDeclaration() { [native code]}' and is. -ALERT: PASS: window.CSSValue should be 'function CSSValue() { [native code]}' and is. -ALERT: PASS: window.Document should be 'function Document() { [native code]}' and is. -ALERT: PASS: window.DocumentFragment should be 'function DocumentFragment() { [native code]}' and is. -ALERT: PASS: window.DocumentType should be 'function DocumentType() { [native code]}' and is. -ALERT: PASS: window.DOMException should be 'function DOMException() { [native code]}' and is. -ALERT: PASS: window.DOMImplementation should be 'function DOMImplementation() { [native code]}' and is. -ALERT: PASS: window.DOMParser should be 'function DOMParser() { [native code]}' and is. -ALERT: PASS: window.Element should be 'function Element() { [native code]}' and is. -ALERT: PASS: window.EvalError should be 'function EvalError() { [native code]}' and is. -ALERT: PASS: window.Event should be 'function Event() { [native code]}' and is. -ALERT: PASS: window.HTMLAnchorElement should be 'function HTMLAnchorElement() { [native code]}' and is. -ALERT: PASS: window.HTMLAppletElement should be 'undefined' and is. -ALERT: PASS: window.HTMLAreaElement should be 'function HTMLAreaElement() { [native code]}' and is. -ALERT: PASS: window.HTMLBaseElement should be 'function HTMLBaseElement() { [native code]}' and is. -ALERT: PASS: window.HTMLBodyElement should be 'function HTMLBodyElement() { [native code]}' and is. -ALERT: PASS: window.HTMLBRElement should be 'function HTMLBRElement() { [native code]}' and is. -ALERT: PASS: window.HTMLButtonElement should be 'function HTMLButtonElement() { [native code]}' and is. -ALERT: PASS: window.HTMLCanvasElement should be 'function HTMLCanvasElement() { [native code]}' and is. -ALERT: PASS: window.HTMLDirectoryElement should be 'function HTMLDirectoryElement() { [native code]}' and is. -ALERT: PASS: window.HTMLDivElement should be 'function HTMLDivElement() { [native code]}' and is. -ALERT: PASS: window.HTMLDListElement should be 'function HTMLDListElement() { [native code]}' and is. -ALERT: PASS: window.HTMLDocument should be 'function HTMLDocument() { [native code]}' and is. -ALERT: PASS: window.HTMLElement should be 'function HTMLElement() { [native code]}' and is. -ALERT: PASS: window.HTMLFieldSetElement should be 'function HTMLFieldSetElement() { [native code]}' and is. -ALERT: PASS: window.HTMLFontElement should be 'function HTMLFontElement() { [native code]}' and is. -ALERT: PASS: window.HTMLFormElement should be 'function HTMLFormElement() { [native code]}' and is. -ALERT: PASS: window.HTMLFrameElement should be 'function HTMLFrameElement() { [native code]}' and is. -ALERT: PASS: window.HTMLFrameSetElement should be 'function HTMLFrameSetElement() { [native code]}' and is. -ALERT: PASS: window.HTMLHeadElement should be 'function HTMLHeadElement() { [native code]}' and is. -ALERT: PASS: window.HTMLHeadingElement should be 'function HTMLHeadingElement() { [native code]}' and is. -ALERT: PASS: window.HTMLHRElement should be 'function HTMLHRElement() { [native code]}' and is. -ALERT: PASS: window.HTMLHtmlElement should be 'function HTMLHtmlElement() { [native code]}' and is. -ALERT: PASS: window.HTMLIFrameElement should be 'function HTMLIFrameElement() { [native code]}' and is. -ALERT: PASS: window.HTMLImageElement should be 'function HTMLImageElement() { [native code]}' and is. -ALERT: PASS: window.HTMLInputElement should be 'function HTMLInputElement() { [native code]}' and is. -ALERT: PASS: window.HTMLIsIndexElement should be 'undefined' and is. -ALERT: PASS: window.HTMLLabelElement should be 'function HTMLLabelElement() { [native code]}' and is. -ALERT: PASS: window.HTMLLegendElement should be 'function HTMLLegendElement() { [native code]}' and is. -ALERT: PASS: window.HTMLLIElement should be 'function HTMLLIElement() { [native code]}' and is. -ALERT: PASS: window.HTMLLinkElement should be 'function HTMLLinkElement() { [native code]}' and is. -ALERT: PASS: window.HTMLMapElement should be 'function HTMLMapElement() { [native code]}' and is. -ALERT: PASS: window.HTMLMarqueeElement should be 'function HTMLMarqueeElement() { [native code]}' and is. -ALERT: PASS: window.HTMLMenuElement should be 'function HTMLMenuElement() { [native code]}' and is. -ALERT: PASS: window.HTMLMetaElement should be 'function HTMLMetaElement() { [native code]}' and is. -ALERT: PASS: window.HTMLModElement should be 'function HTMLModElement() { [native code]}' and is. -ALERT: PASS: window.HTMLOListElement should be 'function HTMLOListElement() { [native code]}' and is. -ALERT: PASS: window.HTMLOptGroupElement should be 'function HTMLOptGroupElement() { [native code]}' and is. -ALERT: PASS: window.HTMLOptionElement should be 'function HTMLOptionElement() { [native code]}' and is. -ALERT: PASS: window.HTMLParagraphElement should be 'function HTMLParagraphElement() { [native code]}' and is. -ALERT: PASS: window.HTMLParamElement should be 'function HTMLParamElement() { [native code]}' and is. -ALERT: PASS: window.HTMLPreElement should be 'function HTMLPreElement() { [native code]}' and is. -ALERT: PASS: window.HTMLQuoteElement should be 'function HTMLQuoteElement() { [native code]}' and is. -ALERT: PASS: window.HTMLScriptElement should be 'function HTMLScriptElement() { [native code]}' and is. -ALERT: PASS: window.HTMLSelectElement should be 'function HTMLSelectElement() { [native code]}' and is. -ALERT: PASS: window.HTMLStyleElement should be 'function HTMLStyleElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableCaptionElement should be 'function HTMLTableCaptionElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableCellElement should be 'function HTMLTableCellElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableColElement should be 'function HTMLTableColElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableElement should be 'function HTMLTableElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableRowElement should be 'function HTMLTableRowElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTableSectionElement should be 'function HTMLTableSectionElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTextAreaElement should be 'function HTMLTextAreaElement() { [native code]}' and is. -ALERT: PASS: window.HTMLTitleElement should be 'function HTMLTitleElement() { [native code]}' and is. -ALERT: PASS: window.HTMLUListElement should be 'function HTMLUListElement() { [native code]}' and is. -ALERT: PASS: window.MutationEvent should be 'function MutationEvent() { [native code]}' and is. -ALERT: PASS: window.Node should be 'function Node() { [native code]}' and is. -ALERT: PASS: window.NodeFilter should be 'function NodeFilter() { [native code]}' and is. -ALERT: PASS: window.ProcessingInstruction should be 'function ProcessingInstruction() { [native code]}' and is. -ALERT: PASS: window.Range should be 'function Range() { [native code]}' and is. -ALERT: PASS: window.RangeError should be 'function RangeError() { [native code]}' and is. -ALERT: PASS: window.RangeException should be 'undefined' and is. -ALERT: PASS: window.ReferenceError should be 'function ReferenceError() { [native code]}' and is. -ALERT: PASS: window.SyntaxError should be 'function SyntaxError() { [native code]}' and is. -ALERT: PASS: window.Text should be 'function Text() { [native code]}' and is. -ALERT: PASS: window.TypeError should be 'function TypeError() { [native code]}' and is. -ALERT: PASS: window.URIError should be 'function URIError() { [native code]}' and is. -ALERT: PASS: window.XMLDocument should be 'function XMLDocument() { [native code]}' and is. -ALERT: PASS: window.XMLSerializer should be 'function XMLSerializer() { [native code]}' and is. -ALERT: PASS: window.XPathEvaluator should be 'function XPathEvaluator() { [native code]}' and is. -ALERT: PASS: window.XPathResult should be 'function XPathResult() { [native code]}' and is. -ALERT: PASS: window.clientInformation should be '[object Navigator]' and is. -ALERT: PASS: window.closed should be 'false' and is. -ALERT: PASS: window.console should be '[object console]' and is. -ALERT: PASS: window.crypto should be '[object Crypto]' and is. -ALERT: PASS: window.defaultStatus should be '' and is. -ALERT: PASS: window.defaultstatus should be '' and is. -ALERT: PASS: window.devicePixelRatio should be '1' and is. -ALERT: PASS: window.document should be '[object HTMLDocument]' and is. -ALERT: PASS: window.embeds should be 'undefined' and is. -ALERT: PASS: window.event should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.Attr should be 'function Attr() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CDATASection should be 'function CDATASection() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CharacterData should be 'function CharacterData() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Comment should be 'function Comment() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CSSPrimitiveValue should be 'function CSSPrimitiveValue() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CSSRule should be 'function CSSRule() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CSSStyleDeclaration should be 'function CSSStyleDeclaration() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.CSSValue should be 'function CSSValue() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Document should be 'function Document() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.DocumentFragment should be 'function DocumentFragment() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.DocumentType should be 'function DocumentType() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.DOMException should be 'function DOMException() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.DOMImplementation should be 'function DOMImplementation() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.DOMParser should be 'function DOMParser() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Element should be 'function Element() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.EvalError should be 'function EvalError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Event should be 'function Event() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLAnchorElement should be 'function HTMLAnchorElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLAppletElement should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.HTMLAreaElement should be 'function HTMLAreaElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLBaseElement should be 'function HTMLBaseElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLBodyElement should be 'function HTMLBodyElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLBRElement should be 'function HTMLBRElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLButtonElement should be 'function HTMLButtonElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLCanvasElement should be 'function HTMLCanvasElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLDirectoryElement should be 'function HTMLDirectoryElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLDivElement should be 'function HTMLDivElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLDListElement should be 'function HTMLDListElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLDocument should be 'function HTMLDocument() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLElement should be 'function HTMLElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLFieldSetElement should be 'function HTMLFieldSetElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLFontElement should be 'function HTMLFontElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLFormElement should be 'function HTMLFormElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLFrameElement should be 'function HTMLFrameElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLFrameSetElement should be 'function HTMLFrameSetElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLHeadElement should be 'function HTMLHeadElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLHeadingElement should be 'function HTMLHeadingElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLHRElement should be 'function HTMLHRElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLHtmlElement should be 'function HTMLHtmlElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLIFrameElement should be 'function HTMLIFrameElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLImageElement should be 'function HTMLImageElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLInputElement should be 'function HTMLInputElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLIsIndexElement should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.HTMLLabelElement should be 'function HTMLLabelElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLLegendElement should be 'function HTMLLegendElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLLIElement should be 'function HTMLLIElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLLinkElement should be 'function HTMLLinkElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLMapElement should be 'function HTMLMapElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLMarqueeElement should be 'function HTMLMarqueeElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLMenuElement should be 'function HTMLMenuElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLMetaElement should be 'function HTMLMetaElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLModElement should be 'function HTMLModElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLOListElement should be 'function HTMLOListElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLOptGroupElement should be 'function HTMLOptGroupElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLOptionElement should be 'function HTMLOptionElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLParagraphElement should be 'function HTMLParagraphElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLParamElement should be 'function HTMLParamElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLPreElement should be 'function HTMLPreElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLQuoteElement should be 'function HTMLQuoteElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLScriptElement should be 'function HTMLScriptElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLSelectElement should be 'function HTMLSelectElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLStyleElement should be 'function HTMLStyleElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableCaptionElement should be 'function HTMLTableCaptionElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableCellElement should be 'function HTMLTableCellElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableColElement should be 'function HTMLTableColElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableElement should be 'function HTMLTableElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableRowElement should be 'function HTMLTableRowElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTableSectionElement should be 'function HTMLTableSectionElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTextAreaElement should be 'function HTMLTextAreaElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLTitleElement should be 'function HTMLTitleElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.HTMLUListElement should be 'function HTMLUListElement() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.MutationEvent should be 'function MutationEvent() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Node should be 'function Node() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.NodeFilter should be 'function NodeFilter() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.ProcessingInstruction should be 'function ProcessingInstruction() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Range should be 'function Range() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.RangeError should be 'function RangeError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.RangeException should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.ReferenceError should be 'function ReferenceError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.SyntaxError should be 'function SyntaxError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.Text should be 'function Text() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.TypeError should be 'function TypeError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.URIError should be 'function URIError() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.XMLDocument should be 'function XMLDocument() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.XMLSerializer should be 'function XMLSerializer() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.XPathEvaluator should be 'function XPathEvaluator() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.XPathResult should be 'function XPathResult() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.clientInformation should be '[object Navigator]' and is. +CONSOLE MESSAGE: PASS: window.closed should be 'false' and is. +CONSOLE MESSAGE: PASS: window.console should be '[object console]' and is. +CONSOLE MESSAGE: PASS: window.crypto should be '[object Crypto]' and is. +CONSOLE MESSAGE: PASS: window.defaultStatus should be '' and is. +CONSOLE MESSAGE: PASS: window.defaultstatus should be '' and is. +CONSOLE MESSAGE: PASS: window.devicePixelRatio should be '1' and is. +CONSOLE MESSAGE: PASS: window.document should be '[object HTMLDocument]' and is. +CONSOLE MESSAGE: PASS: window.embeds should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.event should be 'undefined' and is. CONSOLE MESSAGE: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match. -ALERT: PASS: window.frameElement should be 'null' and is. -ALERT: PASS: window.frames should be '[object Window]' and is. -ALERT: PASS: window.history should be '[object History]' and is. -ALERT: PASS: window.images should be 'undefined' and is. -ALERT: PASS: window.innerHeight should be '150' and is. -ALERT: PASS: window.innerWidth should be '300' and is. -ALERT: PASS: window.length should be '0' and is. -ALERT: PASS: window.locationbar should be '[object BarProp]' and is. -ALERT: PASS: window.menubar should be '[object BarProp]' and is. -ALERT: PASS: window.name should be '' and is. -ALERT: PASS: window.navigator should be '[object Navigator]' and is. -ALERT: PASS: window.offscreenBuffering should be 'true' and is. -ALERT: PASS: window.onabort should be 'null' and is. -ALERT: PASS: window.onbeforeunload should be 'null' and is. -ALERT: PASS: window.onblur should be 'null' and is. -ALERT: PASS: window.onchange should be 'null' and is. -ALERT: PASS: window.onclick should be 'null' and is. -ALERT: PASS: window.ondblclick should be 'null' and is. -ALERT: PASS: window.onerror should be 'null' and is. -ALERT: PASS: window.onfocus should be 'null' and is. -ALERT: PASS: window.onkeydown should be 'null' and is. -ALERT: PASS: window.onkeypress should be 'null' and is. -ALERT: PASS: window.onkeyup should be 'null' and is. -ALERT: PASS: window.onload should be 'null' and is. -ALERT: PASS: window.onmousedown should be 'null' and is. -ALERT: PASS: window.onmousemove should be 'null' and is. -ALERT: PASS: window.onmouseout should be 'null' and is. -ALERT: PASS: window.onmouseover should be 'null' and is. -ALERT: PASS: window.onmouseup should be 'null' and is. -ALERT: PASS: window.onmousewheel should be 'null' and is. -ALERT: PASS: window.onreset should be 'null' and is. -ALERT: PASS: window.onresize should be 'null' and is. -ALERT: PASS: window.onscroll should be 'null' and is. -ALERT: PASS: window.onsearch should be 'null' and is. -ALERT: PASS: window.onselect should be 'null' and is. -ALERT: PASS: window.onsubmit should be 'null' and is. -ALERT: PASS: window.onunload should be 'null' and is. -ALERT: PASS: window.opener should be 'null' and is. -ALERT: PASS: window.outerHeight matched the expected value. -ALERT: PASS: window.outerWidth matched the expected value. -ALERT: PASS: window.pageXOffset should be '0' and is. -ALERT: PASS: window.pageYOffset should be '0' and is. -ALERT: PASS: window.personalbar should be '[object BarProp]' and is. -ALERT: PASS: window.plugins should be 'undefined' and is. -ALERT: PASS: window.screen should be '[object Screen]' and is. -ALERT: PASS: window.screenLeft should be '0' and is. -ALERT: PASS: window.screenTop matched the expected value. -ALERT: PASS: window.screenX should be '0' and is. -ALERT: PASS: window.screenY matched the expected value. -ALERT: PASS: window.scrollbars should be '[object BarProp]' and is. -ALERT: PASS: window.scrollX should be '0' and is. -ALERT: PASS: window.scrollY should be '0' and is. -ALERT: PASS: window.self should be '[object Window]' and is. -ALERT: PASS: window.status should be '' and is. -ALERT: PASS: window.statusbar should be '[object BarProp]' and is. -ALERT: PASS: window.toolbar should be '[object BarProp]' and is. -ALERT: PASS: window.window should be '[object Window]' and is. -ALERT: PASS: window.parent should be parentOld and is. -ALERT: PASS: window.top should be topOld and is. -ALERT: PASS: window.addEventListener should be 'function addEventListener() { [native code]}' and is. -ALERT: PASS: window.alert should be 'function alert() { [native code]}' and is. -ALERT: PASS: window.atob should be 'function atob() { [native code]}' and is. -ALERT: PASS: window.btoa should be 'function btoa() { [native code]}' and is. -ALERT: PASS: window.captureEvents should be 'function captureEvents() { [native code]}' and is. -ALERT: PASS: window.clearInterval should be 'function clearInterval() { [native code]}' and is. -ALERT: PASS: window.clearTimeout should be 'function clearTimeout() { [native code]}' and is. -ALERT: PASS: window.confirm should be 'function confirm() { [native code]}' and is. -ALERT: PASS: window.eval should be 'function eval() { [native code]}' and is. -ALERT: PASS: window.find should be 'function find() { [native code]}' and is. -ALERT: PASS: window.getComputedStyle should be 'function getComputedStyle() { [native code]}' and is. -ALERT: PASS: window.getMatchedCSSRules should be 'function getMatchedCSSRules() { [native code]}' and is. -ALERT: PASS: window.getSelection should be 'function getSelection() { [native code]}' and is. -ALERT: PASS: window.moveBy should be 'function moveBy() { [native code]}' and is. -ALERT: PASS: window.moveTo should be 'function moveTo() { [native code]}' and is. -ALERT: PASS: window.open should be 'function open() { [native code]}' and is. -ALERT: PASS: window.print should be 'function print() { [native code]}' and is. -ALERT: PASS: window.prompt should be 'function prompt() { [native code]}' and is. -ALERT: PASS: window.releaseEvents should be 'function releaseEvents() { [native code]}' and is. -ALERT: PASS: window.removeEventListener should be 'function removeEventListener() { [native code]}' and is. -ALERT: PASS: window.resizeBy should be 'function resizeBy() { [native code]}' and is. -ALERT: PASS: window.resizeTo should be 'function resizeTo() { [native code]}' and is. -ALERT: PASS: window.scroll should be 'function scroll() { [native code]}' and is. -ALERT: PASS: window.scrollBy should be 'function scrollBy() { [native code]}' and is. -ALERT: PASS: window.scrollTo should be 'function scrollTo() { [native code]}' and is. -ALERT: PASS: window.setInterval should be 'function setInterval() { [native code]}' and is. -ALERT: PASS: window.setTimeout should be 'function setTimeout() { [native code]}' and is. -ALERT: PASS: window.showModalDialog matched the expected value. -ALERT: PASS: window.stop should be 'function stop() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.frameElement should be 'null' and is. +CONSOLE MESSAGE: PASS: window.frames should be '[object Window]' and is. +CONSOLE MESSAGE: PASS: window.history should be '[object History]' and is. +CONSOLE MESSAGE: PASS: window.images should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.innerHeight should be '150' and is. +CONSOLE MESSAGE: PASS: window.innerWidth should be '300' and is. +CONSOLE MESSAGE: PASS: window.length should be '0' and is. +CONSOLE MESSAGE: PASS: window.locationbar should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.menubar should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.name should be '' and is. +CONSOLE MESSAGE: PASS: window.navigator should be '[object Navigator]' and is. +CONSOLE MESSAGE: PASS: window.offscreenBuffering should be 'true' and is. +CONSOLE MESSAGE: PASS: window.onabort should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onbeforeunload should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onblur should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onchange should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onclick should be 'null' and is. +CONSOLE MESSAGE: PASS: window.ondblclick should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onerror should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onfocus should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onkeydown should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onkeypress should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onkeyup should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onload should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmousedown should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmousemove should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmouseout should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmouseover should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmouseup should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onmousewheel should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onreset should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onresize should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onscroll should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onsearch should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onselect should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onsubmit should be 'null' and is. +CONSOLE MESSAGE: PASS: window.onunload should be 'null' and is. +CONSOLE MESSAGE: PASS: window.opener should be 'null' and is. +CONSOLE MESSAGE: PASS: window.outerHeight matched the expected value. +CONSOLE MESSAGE: PASS: window.outerWidth matched the expected value. +CONSOLE MESSAGE: PASS: window.pageXOffset should be '0' and is. +CONSOLE MESSAGE: PASS: window.pageYOffset should be '0' and is. +CONSOLE MESSAGE: PASS: window.personalbar should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.plugins should be 'undefined' and is. +CONSOLE MESSAGE: PASS: window.screen should be '[object Screen]' and is. +CONSOLE MESSAGE: PASS: window.screenLeft should be '0' and is. +CONSOLE MESSAGE: PASS: window.screenTop matched the expected value. +CONSOLE MESSAGE: PASS: window.screenX should be '0' and is. +CONSOLE MESSAGE: PASS: window.screenY matched the expected value. +CONSOLE MESSAGE: PASS: window.scrollbars should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.scrollX should be '0' and is. +CONSOLE MESSAGE: PASS: window.scrollY should be '0' and is. +CONSOLE MESSAGE: PASS: window.self should be '[object Window]' and is. +CONSOLE MESSAGE: PASS: window.status should be '' and is. +CONSOLE MESSAGE: PASS: window.statusbar should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.toolbar should be '[object BarProp]' and is. +CONSOLE MESSAGE: PASS: window.window should be '[object Window]' and is. +CONSOLE MESSAGE: PASS: window.parent should be parentOld and is. +CONSOLE MESSAGE: PASS: window.top should be topOld and is. +CONSOLE MESSAGE: PASS: window.addEventListener should be 'function addEventListener() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.alert should be 'function alert() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.atob should be 'function atob() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.btoa should be 'function btoa() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.captureEvents should be 'function captureEvents() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.clearInterval should be 'function clearInterval() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.clearTimeout should be 'function clearTimeout() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.confirm should be 'function confirm() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.eval should be 'function eval() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.find should be 'function find() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.getComputedStyle should be 'function getComputedStyle() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.getMatchedCSSRules should be 'function getMatchedCSSRules() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.getSelection should be 'function getSelection() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.moveBy should be 'function moveBy() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.moveTo should be 'function moveTo() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.open should be 'function open() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.print should be 'function print() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.prompt should be 'function prompt() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.releaseEvents should be 'function releaseEvents() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.removeEventListener should be 'function removeEventListener() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.resizeBy should be 'function resizeBy() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.resizeTo should be 'function resizeTo() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.scroll should be 'function scroll() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.scrollBy should be 'function scrollBy() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.scrollTo should be 'function scrollTo() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.setInterval should be 'function setInterval() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.setTimeout should be 'function setTimeout() { [native code]}' and is. +CONSOLE MESSAGE: PASS: window.showModalDialog matched the expected value. +CONSOLE MESSAGE: PASS: window.stop should be 'function stop() { [native code]}' and is. ALERT: continue test in parent frame This test checks cross-frame access security of window attribute setters (rdar://problem/5326791). diff --git a/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden-expected.txt b/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden-expected.txt new file mode 100644 index 0000000000000..951214b2e400f --- /dev/null +++ b/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden-expected.txt @@ -0,0 +1,14 @@ +CONSOLE MESSAGE: Use of window.prompt is not allowed in different origin-domain iframes. +CONSOLE MESSAGE: Use of window.confirm is not allowed in different origin-domain iframes. +CONSOLE MESSAGE: Use of window.alert is not allowed in different origin-domain iframes. +Tests that JS prompts are forbidden in cross-origin frames + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS: window.prompt() returned null +PASS: window.confirm() returned false +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden.html b/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden.html new file mode 100644 index 0000000000000..820ab58aa94f3 --- /dev/null +++ b/LayoutTests/http/tests/security/cross-origin-js-prompt-forbidden.html @@ -0,0 +1,18 @@ + + + + + + + + diff --git a/LayoutTests/http/tests/security/data-url-inline.css-expected.txt b/LayoutTests/http/tests/security/data-url-inline.css-expected.txt index bcfaf8899c414..9436881bd10e0 100644 --- a/LayoutTests/http/tests/security/data-url-inline.css-expected.txt +++ b/LayoutTests/http/tests/security/data-url-inline.css-expected.txt @@ -1,4 +1,4 @@ -ALERT: 1 rules found +CONSOLE MESSAGE: 1 rules found This test ensures that a data URL can access its own inline style sheets. Sorry for the obscurity of the test case, but it's the repro from Bug 32309, which has an "unobfuscated" version of the code. This test passes if it alerts that it found 1 rule. diff --git a/LayoutTests/http/tests/security/data-url-inline.css.html b/LayoutTests/http/tests/security/data-url-inline.css.html index c8ae1e2e9ce53..f4d3e992298b8 100644 --- a/LayoutTests/http/tests/security/data-url-inline.css.html +++ b/LayoutTests/http/tests/security/data-url-inline.css.html @@ -7,4 +7,4 @@ Bug 32309, which has an "unobfuscated" version of the code.

This test passes if it alerts that it found 1 rule.

- + diff --git a/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html b/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html index 057d39b0fd68f..9942ff0093c16 100644 --- a/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html +++ b/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html @@ -11,10 +11,10 @@ + "{" + "try {" + "top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';" - + "alert('FAIL: No exception thrown.');" + + "console.log('FAIL: No exception thrown.');" + "} catch (e) {" + "console.log(e);" - + "alert('PASS: Exception thrown successfully.');" + + "console.log('PASS: Exception thrown successfully.');" + "}" + "if (window.testRunner)" + "testRunner.notifyDone();" diff --git a/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html b/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html index a8f5b5d324f8c..9b1687522aa49 100644 --- a/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html +++ b/LayoutTests/http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html @@ -10,10 +10,10 @@ + "{" + "try {" + "parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';" - + "alert('FAIL: No exception thrown.');" + + "console.log('FAIL: No exception thrown.');" + "} catch (e) {" + "console.log(e);" - + "alert('PASS: Exception thrown successfully.');" + + "console.log('PASS: Exception thrown successfully.');" + "}" + "if (window.testRunner)" + "testRunner.globalFlag = true;" diff --git a/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt b/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt index b7896a7874544..8f621c44455fd 100644 --- a/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt +++ b/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt @@ -1,5 +1,5 @@ CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame. Protocols, domains, and ports must match. -ALERT: PASS: Exception thrown successfully. +CONSOLE MESSAGE: PASS: Exception thrown successfully. The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document. Pass: Cross frame access from a data: URL on a different domain was denied. diff --git a/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt b/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt index 726ada875c2d8..93ccb9fc15501 100644 --- a/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt +++ b/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt @@ -1,5 +1,5 @@ CONSOLE MESSAGE: SecurityError: Blocked a frame with origin "null" from accessing a cross-origin frame. Protocols, domains, and ports must match. -ALERT: PASS: Exception thrown successfully. +CONSOLE MESSAGE: PASS: Exception thrown successfully. Opener Frame Pass: Cross frame access from a data: URL on a different domain was denied. diff --git a/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt index 6850ad74cdeb5..21e56921434a8 100644 --- a/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt +++ b/LayoutTests/http/tests/security/drag-drop-different-origin-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS Dragme diff --git a/LayoutTests/http/tests/security/drag-drop-local-file-expected.txt b/LayoutTests/http/tests/security/drag-drop-local-file-expected.txt index 3c896dae70986..6d34f210aec50 100644 --- a/LayoutTests/http/tests/security/drag-drop-local-file-expected.txt +++ b/LayoutTests/http/tests/security/drag-drop-local-file-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: Not allowed to drag local resource: foobar -ALERT: PASS +CONSOLE MESSAGE: PASS Dragme diff --git a/LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt b/LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt +++ b/LayoutTests/http/tests/security/drag-drop-same-unique-origin-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html b/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html index bd46f08dbc7f6..b24c3f1b6e215 100644 --- a/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html +++ b/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html @@ -5,18 +5,18 @@ var ws; function onSocketOpened() { - alert("WebSocket connection opened."); + console.log("WebSocket connection opened."); finishJSTest(); } function onSocketError() { - alert("WebSocket connection failed."); + console.log("WebSocket connection failed."); ws.close(); finishJSTest(); } function onSocketClosed() { - alert("WebSocket closed."); + console.log("WebSocket closed."); finishJSTest(); } @@ -26,7 +26,7 @@ ws.onerror = onSocketError; ws.onclose = onSocketClosed; } catch (e) { - alert("Test failed: exception thrown"); + console.log("Test failed: exception thrown"); finishJSTest(); } diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt index b6cf3ea511541..17e0d0fc22f26 100644 --- a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt +++ b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt @@ -1,6 +1,6 @@ CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo. -ALERT: WebSocket connection failed. +CONSOLE MESSAGE: WebSocket connection failed. CONSOLE MESSAGE: WebSocket connection failed: WebSocket is closed before the connection is established. This test loads an iframe that creates an insecure WebSocket connection. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker. diff --git a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt index 9d02a37c8ff0a..aca7186b69f51 100644 --- a/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt +++ b/LayoutTests/http/tests/security/mixedContent/websocket/insecure-websocket-in-main-frame-expected.txt @@ -1,5 +1,5 @@ CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-websocket.html was not allowed to run insecure content from ws://127.0.0.1:8880/websocket/tests/hybi/echo. -ALERT: WebSocket connection failed. +CONSOLE MESSAGE: WebSocket connection failed. CONSOLE MESSAGE: WebSocket connection failed: WebSocket is closed before the connection is established. This test opens a window that connects to an insecure ws:// WebSocket. We should block the connection and trigger a mixed content callback because the main frame is HTTPS, but the data sent over the socket could be recorded or controlled by an attacker. diff --git a/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt b/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt index 55cfa131b4049..6e6354e930605 100644 --- a/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt +++ b/LayoutTests/http/tests/security/no-indexeddb-from-sandbox-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS: db.open() threw a SECURITY_ERR! +CONSOLE MESSAGE: PASS: db.open() threw a SECURITY_ERR! diff --git a/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html b/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html index 3ab6994d70fa5..b3336e4989691 100644 --- a/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html +++ b/LayoutTests/http/tests/security/no-indexeddb-from-sandbox.html @@ -8,12 +8,12 @@ var db = window.webkitIndexedDB; try { db.open('test'); - alert('FAIL: db.open() should throw a SECURITY_ERR in a sandbox.'); + console.log('FAIL: db.open() should throw a SECURITY_ERR in a sandbox.'); } catch (e) { if (e.code === DOMException.SECURITY_ERR) - alert('PASS: db.open() threw a SECURITY_ERR!'); + console.log('PASS: db.open() threw a SECURITY_ERR!'); else - alert('FAIL: db.open() threw a ' + e.name); + console.log('FAIL: db.open() threw a ' + e.name); } " > diff --git a/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt b/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt index 835d6158ec339..5ea39b55dd06b 100644 --- a/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt +++ b/LayoutTests/http/tests/security/no-popup-from-sandbox-expected.txt @@ -1,5 +1,5 @@ CONSOLE MESSAGE: Blocked opening 'about:blank' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set. -ALERT: PASS +CONSOLE MESSAGE: PASS To run this test outside of DumpRenderTree, please disable your popup blocker! diff --git a/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt b/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt index 487526122ae81..505092b126ca6 100644 --- a/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt +++ b/LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt @@ -1,6 +1,6 @@ -CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'http://127.0.0.1:8000/security/no-popup-from-sandbox-top.html' from frame with URL 'data:text/html, " > diff --git a/LayoutTests/http/tests/security/no-popup-from-sandbox.html b/LayoutTests/http/tests/security/no-popup-from-sandbox.html index 9f572147bc7f2..ce9902bcdf82d 100644 --- a/LayoutTests/http/tests/security/no-popup-from-sandbox.html +++ b/LayoutTests/http/tests/security/no-popup-from-sandbox.html @@ -9,6 +9,6 @@ src="data:text/html, " > diff --git a/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt b/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt index c78917d7be0d0..174bc1b4c5b65 100644 --- a/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt +++ b/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed-expected.txt @@ -1,4 +1,4 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS To run this test outside of DumpRenderTree, please disable your popup blocker! diff --git a/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html b/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html index b4da5fe014b02..7175f8fe5d4f7 100644 --- a/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html +++ b/LayoutTests/http/tests/security/popup-allowed-by-sandbox-when-allowed.html @@ -11,6 +11,6 @@ src="data:text/html, " > diff --git a/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html b/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html index be07ad9f749e3..c11d845b74dbf 100644 --- a/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html +++ b/LayoutTests/http/tests/security/resources/cross-frame-iframe-for-put-test.html @@ -31,7 +31,7 @@ message = String(message).replace(/\n/g, ""); if (window.testRunner) { - alert(message); + console.log(message); } else { log(message); } @@ -408,15 +408,15 @@ // Using shouldBe for parent and top causes extraneous warnings due to cross-orgin toString'ing. if (window.parent === parentOld) { - alert("PASS: window.parent should be parentOld and is."); + console.log("PASS: window.parent should be parentOld and is."); } else { - alert("*** FAIL: window.parent should be parentOld but instead is " + window.parent + ". ***"); + console.log("*** FAIL: window.parent should be parentOld but instead is " + window.parent + ". ***"); } if (window.top === topOld) { - alert("PASS: window.top should be topOld and is."); + console.log("PASS: window.top should be topOld and is."); } else { - alert("*** FAIL: window.top should be topOld but instead is " + window.top + ". ***"); + console.log("*** FAIL: window.top should be topOld but instead is " + window.top + ". ***"); } // Functions diff --git a/LayoutTests/http/tests/security/resources/cross-origin-js-prompt-forbidden.html b/LayoutTests/http/tests/security/resources/cross-origin-js-prompt-forbidden.html new file mode 100644 index 0000000000000..31e19d2913d6c --- /dev/null +++ b/LayoutTests/http/tests/security/resources/cross-origin-js-prompt-forbidden.html @@ -0,0 +1,23 @@ + + + + + + diff --git a/LayoutTests/http/tests/security/resources/drag-drop-allowed.html b/LayoutTests/http/tests/security/resources/drag-drop-allowed.html index 8bfa7e828b4d2..c3f39543cecb0 100644 --- a/LayoutTests/http/tests/security/resources/drag-drop-allowed.html +++ b/LayoutTests/http/tests/security/resources/drag-drop-allowed.html @@ -19,9 +19,9 @@ eventSender.mouseUp(); if (document.getElementById("dragme").parentNode.tagName == "SPAN" && document.getElementById("dragme").src.length > 10) - alert("PASS"); + console.log("PASS"); else - alert("FAIL"); + console.log("FAIL"); testRunner.notifyDone(); } diff --git a/LayoutTests/http/tests/security/resources/drag-drop.html b/LayoutTests/http/tests/security/resources/drag-drop.html index 8f728a72727d1..1168dfe6b165e 100644 --- a/LayoutTests/http/tests/security/resources/drag-drop.html +++ b/LayoutTests/http/tests/security/resources/drag-drop.html @@ -4,9 +4,9 @@ function receiveMessage(event) { if (document.body.innerHTML.match(/Dragme/i)) - alert("FAIL"); + console.log("FAIL"); else - alert("PASS"); + console.log("PASS"); if (window.testRunner) testRunner.notifyDone(); diff --git a/LayoutTests/http/tests/security/resources/sandboxed-iframe-ALLOWED-modals-iframe.html b/LayoutTests/http/tests/security/resources/sandboxed-iframe-ALLOWED-modals-iframe.html new file mode 100644 index 0000000000000..1811e650ecb14 --- /dev/null +++ b/LayoutTests/http/tests/security/resources/sandboxed-iframe-ALLOWED-modals-iframe.html @@ -0,0 +1,7 @@ + diff --git a/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt b/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt new file mode 100644 index 0000000000000..b23c0bb252ed4 --- /dev/null +++ b/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt @@ -0,0 +1,14 @@ +CONSOLE MESSAGE: Use of window.prompt is not allowed in different origin-domain iframes. +CONSOLE MESSAGE: Use of window.confirm is not allowed in different origin-domain iframes. +CONSOLE MESSAGE: Use of window.alert is not allowed in different origin-domain iframes. +Tests that JS prompts are forbidden in same-origin but different-domain iframes + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + + +PASS: window.prompt() returned null +PASS: window.confirm() returned false +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden.html b/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden.html new file mode 100644 index 0000000000000..c2c69f5f32430 --- /dev/null +++ b/LayoutTests/http/tests/security/same-origin-different-domain-js-prompt-forbidden.html @@ -0,0 +1,22 @@ + + + + + + + + diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html b/LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html index b4734626ca33d..eebc10a08bdd1 100644 --- a/LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html +++ b/LayoutTests/http/tests/security/sandboxed-iframe-ALLOWED-modals.html @@ -3,23 +3,4 @@ testRunner.dumpAsText();

This test passes if opening modal dialogs is allowed and no error message is logged in the console.

- - - - - + diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt index fda9c8df42609..092f7b0245755 100644 --- a/LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt +++ b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign-expected.txt @@ -1,4 +1,4 @@ -ALERT: undefined +CONSOLE MESSAGE: undefined CONSOLE MESSAGE: TypeError: parent[0].f is not a function. (In 'parent[0].f()', 'parent[0].f' is undefined) This test passes if the access is forbidden. diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html index a6b54a1fe164a..c16d16e641f27 100644 --- a/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html +++ b/LayoutTests/http/tests/security/xss-DENIED-window-index-assign.html @@ -5,9 +5,9 @@ window[0] = { a: "1", f: function() { - alert("FAIL: Child called parent.f()"); + console.log("FAIL: Child called parent.f()"); } }; -
+
This test passes if the access is forbidden. diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt +++ b/LayoutTests/http/tests/security/xss-DENIED-window-name-alert-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html b/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html index f3a55338f087d..1feefb8c56a35 100644 --- a/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html +++ b/LayoutTests/http/tests/security/xss-DENIED-window-name-alert.html @@ -5,5 +5,5 @@ diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt index fdfe9d96c3974..4bb0dce289d83 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%01urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt index 8ada282e652aa..86d6274e0dc9b 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt @@ -1,4 +1,4 @@ -ALERT: /XSS/ +CONSOLE MESSAGE: /XSS/ We allow direct injections into base tags to reduce false positives. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt index 23d6fad5dd818..d1387251517f5 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt index 203ddf806c9c2..7ac863ec90031 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27http://127.0.0.1:8000/sec%00urity/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-safe2-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt index 6b478736c90d5..6a2a7fb48c724 100644 --- a/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href.pl?q=%3Cbase%20href=%27//127.0.0.1:8000/security/xssAuditor/resources/base-href/%27%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt b/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt index 44331dc924d3a..d9fd9520e7b01 100644 --- a/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/cached-frame-expected.txt @@ -1,5 +1,5 @@ -CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. -CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3ealert(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. +CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3econsole.log(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. +CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://127.0.0.1:8000/security/xssAuditor/resources/nph-cached.pl?q=%3cscript%3econsole.log(/XSS/);%3c/script%3e' because its source code was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior. Check that an X-XSS-Protection header added by a 304 response does not override one from the original request. On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". diff --git a/LayoutTests/http/tests/security/xssAuditor/cached-frame.html b/LayoutTests/http/tests/security/xssAuditor/cached-frame.html index 3498b46e97602..49c5903a92c2f 100644 --- a/LayoutTests/http/tests/security/xssAuditor/cached-frame.html +++ b/LayoutTests/http/tests/security/xssAuditor/cached-frame.html @@ -28,6 +28,6 @@ - + diff --git a/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt b/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt index 03b40fc9404ef..3eab747ff501d 100644 --- a/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead. -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt b/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt index 9c703211889a8..c225c224e53af 100644 --- a/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/data-urls-work-expected.txt @@ -1,2 +1,2 @@ -ALERT: PASS +CONSOLE MESSAGE: PASS diff --git a/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html b/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html index 9606f687aa96c..54d77376c72e2 100644 --- a/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html +++ b/LayoutTests/http/tests/security/xssAuditor/data-urls-work.html @@ -8,6 +8,6 @@ - + diff --git a/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt b/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt index d8b851917f393..257f7930f7855 100644 --- a/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt @@ -1,2 +1,2 @@ -ALERT: XSS +CONSOLE MESSAGE: XSS diff --git a/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html b/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html index 7faa1e37eb6ca..0a2da0a6d01c3 100644 --- a/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html +++ b/LayoutTests/http/tests/security/xssAuditor/dom-write-innerHTML.html @@ -14,7 +14,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt b/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt index ecedb20cf55dc..a7796a7a183bc 100644 --- a/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/form-action.html&q=%3Cform%20action=http://127.0.0.1:8000/%20method=x%3E%3Cinput%20type=submit%3E%3Cinput%20name=x%20value=%27Please%20type%20your%20PIN.%27%3E¬ifyDone=1&showAction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: Form action set to about:blank +CONSOLE MESSAGE: Form action set to about:blank diff --git a/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt b/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt index 512ad8472a523..ae16ce932b5ef 100644 --- a/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-button.html&q=%3Cform%3E%3Cbutton%20formaction=%27http://example.com/%27%3E¬ifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: formaction present on BUTTON with value of about:blank +CONSOLE MESSAGE: formaction present on BUTTON with value of about:blank diff --git a/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt b/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt index f30b4719118c3..c0b0a351ac7b1 100644 --- a/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/formaction-on-input.html&q=%3Cform%3E%3Cinput%20formaction=%27http://example.com/%27%3E¬ifyDone=1&showFormaction=1' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. -ALERT: formaction present on INPUT with value of about:blank +CONSOLE MESSAGE: formaction present on INPUT with value of about:blank diff --git a/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html b/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html index 21cd4ec4c306b..f48405cc27a56 100644 --- a/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html +++ b/LayoutTests/http/tests/security/xssAuditor/javascript-link-safe.html @@ -9,7 +9,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt index b795675d41903..934df67592360 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt @@ -1,4 +1,4 @@ -ALERT: XSS +CONSOLE MESSAGE: XSS This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality. diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt index b795675d41903..934df67592360 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt @@ -1,4 +1,4 @@ -ALERT: XSS +CONSOLE MESSAGE: XSS This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality. diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html index b1aa746fcb082..d6a7c090cd7b7 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html +++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html @@ -11,7 +11,7 @@

This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.

- diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html index 57fee62e17121..799553b5f170d 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html +++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html @@ -11,7 +11,7 @@

This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.

- diff --git a/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt index 9e0cd34239a15..4ec6e4be65f12 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt @@ -1,4 +1,4 @@ -ALERT: XSS +CONSOLE MESSAGE: XSS This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may reinstate this functionality. diff --git a/LayoutTests/http/tests/security/xssAuditor/property-inject.html b/LayoutTests/http/tests/security/xssAuditor/property-inject.html index 3fbd36779c433..fc79ccc18cfda 100644 --- a/LayoutTests/http/tests/security/xssAuditor/property-inject.html +++ b/LayoutTests/http/tests/security/xssAuditor/property-inject.html @@ -11,7 +11,7 @@

This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may reinstate this functionality.

- diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js b/LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js index c9d89e01fb5a3..7247369e0711e 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js +++ b/LayoutTests/http/tests/security/xssAuditor/resources/base-href/really-safe-script.js @@ -1 +1 @@ -alert('This is a safe script.'); +console.log('This is a safe script.'); diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js b/LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js index 6372476b3a824..48700155f5c68 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js +++ b/LayoutTests/http/tests/security/xssAuditor/resources/base-href/safe-script.js @@ -1 +1 @@ -alert(/XSS/); +console.log(/XSS/); diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl index 93cd556cc7cd9..6cb008754de22 100755 --- a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl +++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl @@ -105,14 +105,14 @@ } if ($cgi->param('showAction')) { print "\n"; } if ($cgi->param('showFormaction')) { print "\n"; } if ($cgi->param('dumpElementBySelector')) { @@ -126,7 +126,7 @@ print " }\n"; print " document.getElementById('console').innerText = log;\n"; print " } else\n"; - print " alert('No element matched the given selector.');\n"; + print " console.log('No element matched the given selector.');\n"; print "\n"; } if ($cgi->param('notifyDone')) { @@ -139,7 +139,7 @@ print "

If you see this message then the test FAILED.

\n"; } if ($cgi->param('alert-cookie')) { - print "\n"; + print "\n"; } if ($cgi->param('echo-report')) { print "\n"; diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html b/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html index 31be7a758c2d9..d126da46e944a 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html +++ b/LayoutTests/http/tests/security/xssAuditor/resources/javascript-link-safe.html @@ -3,7 +3,7 @@ -test +test \r\n"; +print "\r\n"; print "\r\n"; print "\r\n"; diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js index 7e685e446144b..2ea3bb2d0f814 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js +++ b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js @@ -1 +1 @@ -alert(/This is a safe script./); +console.log(/This is a safe script./); diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js index c9d89e01fb5a3..7247369e0711e 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js +++ b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script.js @@ -1 +1 @@ -alert('This is a safe script.'); +console.log('This is a safe script.'); diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html index 20a11e10028d8..f95a906c3b9f9 100644 --- a/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html +++ b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html @@ -1,7 +1,7 @@ - + diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt index a2a3905705224..b3f9c2ad9526b 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt @@ -1,2 +1,2 @@ -CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-alert(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. +CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/script-tag-near-start.html&script-expression-follows=1&q=%3Cscript%3E%22%3Cscript%3E%22-console.log(/XSS/)' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html index 33ffb1771f039..2125b20d3d743 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html @@ -8,7 +8,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt index e29af0288e323..eaf7c8f9dee46 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt @@ -1,2 +1,2 @@ -ALERT: /This is a safe script./ +CONSOLE MESSAGE: /This is a safe script./ diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html index b4105330cd035..f27c3b52760e1 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html @@ -8,7 +8,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt index e29af0288e323..eaf7c8f9dee46 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt @@ -1,2 +1,2 @@ -ALERT: /This is a safe script./ +CONSOLE MESSAGE: /This is a safe script./ diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html index 1788a21d53712..f9cfb9cdda3b4 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html @@ -8,7 +8,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt index b41002fd864f7..02a6cdec54967 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt @@ -1,2 +1,2 @@ -CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/alert(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. +CONSOLE MESSAGE: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?clutter=/*]]%3E*/&q=%3Cscript%3E/*%3C!CDATA[*/console.log(/XSS/)&q2=%3C/script%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html index 8e93c74346c3f..9acf9f6ca7b53 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-injected-comment.html @@ -8,7 +8,7 @@ - diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt index 0088a05ec6925..d7123aed49142 100644 --- a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt +++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt @@ -1,2 +1,2 @@ -ALERT: This is a safe script. +CONSOLE MESSAGE: This is a safe script. diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt index 43a1f3c224ab3..1dd1ac4fdb697 100644 --- a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt +++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt @@ -1,5 +1,5 @@ -ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie -ALERT: XHR response - Set the foo cookie +CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie +CONSOLE MESSAGE: XHR response - Set the foo cookie Test case for bug 37781: [XHR] Cross-Origin asynchronous request with credential raises NETWORK_ERR PASSED diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt index 54d4543eb1fe3..43a7a7b310304 100644 --- a/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt +++ b/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt @@ -1,5 +1,5 @@ -ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie -ALERT: XHR response - Set the foo cookie +CONSOLE MESSAGE: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie +CONSOLE MESSAGE: XHR response - Set the foo cookie Test case for bug 37781: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR PASSED diff --git a/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt b/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt index 26a8a381056a6..8b4e4d1a029df 100644 --- a/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt +++ b/LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt @@ -1,12 +1,12 @@ main frame - didFinishDocumentLoadForFrame frame "" - didStartProvisionalLoadForFrame frame "" - didCommitLoadForFrame -ALERT: PASS +CONSOLE MESSAGE: PASS frame "" - didFinishDocumentLoadForFrame frame "" - didStartProvisionalLoadForFrame frame "" - didCommitLoadForFrame -ALERT: PASS -ALERT: PASS +CONSOLE MESSAGE: PASS +CONSOLE MESSAGE: PASS frame "" - didFinishDocumentLoadForFrame frame "" - didHandleOnloadEventsForFrame frame "" - didHandleOnloadEventsForFrame diff --git a/LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt b/LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt index 60dec7e959ee0..af86c6b39e8b9 100644 --- a/LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt +++ b/LayoutTests/plugins/fullscreen-plugins-dont-reload-expected.txt @@ -1,4 +1,4 @@ -ALERT: Plugin Loaded! +CONSOLE MESSAGE: Plugin Loaded! go fullscreen There should only be one ALERT. If there were two, the plugin was reloaded during the transition to fullscreen. diff --git a/LayoutTests/plugins/plugin-document-back-forward-expected.txt b/LayoutTests/plugins/plugin-document-back-forward-expected.txt index 641d6d06784c5..6e582df0e6ce7 100644 --- a/LayoutTests/plugins/plugin-document-back-forward-expected.txt +++ b/LayoutTests/plugins/plugin-document-back-forward-expected.txt @@ -1,3 +1,3 @@ -ALERT: Plugin Loaded! -ALERT: Plugin Loaded! +CONSOLE MESSAGE: Plugin Loaded! +CONSOLE MESSAGE: Plugin Loaded! diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index b63d19925a435..6fad8e5d7b3fa 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,23 @@ +2021-02-09 Chris Dumez + + Disallow alert/confirm/prompt in cross-origin-domain subframes + https://bugs.webkit.org/show_bug.cgi?id=221568 + + Reviewed by Geoff Garen. + + Disallow alert/confirm/prompt in cross-origin-domain subframes as per the latest HTML specification: + - https://github.com/whatwg/html/pull/6297 + + Tests: http/tests/security/cross-origin-js-prompt-forbidden.html + http/tests/security/same-origin-different-domain-js-prompt-forbidden.html + + * page/DOMWindow.cpp: + (WebCore::DOMWindow::alert): + (WebCore::DOMWindow::confirmForBindings): + (WebCore::DOMWindow::prompt): + * page/SecurityOrigin.cpp: + * page/SecurityOrigin.h: + 2021-02-09 Alex Christensen Synthesize range responses if needed in WebCoreNSURLSession diff --git a/Source/WebCore/page/DOMWindow.cpp b/Source/WebCore/page/DOMWindow.cpp index 63db627aab5c7..3f16e7c4e29a6 100644 --- a/Source/WebCore/page/DOMWindow.cpp +++ b/Source/WebCore/page/DOMWindow.cpp @@ -1112,6 +1112,11 @@ void DOMWindow::alert(const String& message) return; } + if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) { + printErrorMessage("Use of window.alert is not allowed in different origin-domain iframes."); + return; + } + frame->document()->updateStyleIfNeeded(); #if ENABLE(POINTER_LOCK) page->pointerLockController().requestPointerUnlock(); @@ -1140,6 +1145,11 @@ bool DOMWindow::confirmForBindings(const String& message) return false; } + if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) { + printErrorMessage("Use of window.confirm is not allowed in different origin-domain iframes."); + return false; + } + frame->document()->updateStyleIfNeeded(); #if ENABLE(POINTER_LOCK) page->pointerLockController().requestPointerUnlock(); @@ -1168,6 +1178,11 @@ String DOMWindow::prompt(const String& message, const String& defaultValue) return String(); } + if (!document()->securityOrigin().canAccess(document()->topDocument().securityOrigin())) { + printErrorMessage("Use of window.prompt is not allowed in different origin-domain iframes."); + return String(); + } + frame->document()->updateStyleIfNeeded(); #if ENABLE(POINTER_LOCK) page->pointerLockController().requestPointerUnlock(); diff --git a/Source/WebCore/page/SecurityOrigin.h b/Source/WebCore/page/SecurityOrigin.h index 563ba6529224f..4002c501dae08 100644 --- a/Source/WebCore/page/SecurityOrigin.h +++ b/Source/WebCore/page/SecurityOrigin.h @@ -95,6 +95,8 @@ class SecurityOrigin : public ThreadSafeRefCounted { // SecurityOrigin. For example, call this function before allowing // script from one security origin to read or write objects from // another SecurityOrigin. + // This method implements the "same origin-domain" algorithm from the HTML Standard: + // https://html.spec.whatwg.org/#same-origin-domain WEBCORE_EXPORT bool canAccess(const SecurityOrigin&) const; // Returns true if this SecurityOrigin can read content retrieved from diff --git a/Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp b/Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp index 4e514fd562dda..c70e4502b190e 100644 --- a/Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp +++ b/Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp @@ -180,7 +180,7 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16_t mode, int16_t argc obj->returnErrorFromNewStream = TRUE; else if (strcasecmp(argn[i], "src") == 0 && strcasecmp(argv[i], "data:application/x-webkit-test-netscape,alertwhenloaded") == 0) - executeScript(obj, "alert('Plugin Loaded!')"); + executeScript(obj, "console.log('Plugin Loaded!')"); else if (strcasecmp(argn[i], "src") == 0 && strcasecmp(argv[i], "data:application/x-webkit-test-netscape,logifloaded") == 0) { for (int j = 0; j < argc; j++) {