https://bugs.webkit.org/show_bug.cgi?id=73099
Reviewed by Pavel Feldman.
Source/WebCore:
Test: http/tests/inspector/console-cross-origin-iframe-logging.html
* bindings/v8/V8Proxy.cpp:
(WebCore::V8Proxy::reportUnsafeAccessTo):
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::addConsoleMessage):
* dom/ScriptExecutionContext.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldAllowNavigation):
* page/Console.cpp:
(WebCore::Console::addMessage):
* page/Console.h:
* page/DOMWindow.cpp:
(WebCore::PostMessageTimer::PostMessageTimer):
(WebCore::PostMessageTimer::stackTrace):
(WebCore::DOMWindow::postMessage):
(WebCore::DOMWindow::postMessageTimerFired):
(WebCore::DOMWindow::printErrorMessage):
LayoutTests:
* http/tests/inspector/console-cross-origin-iframe-logging-expected.txt: Added.
* http/tests/inspector/console-cross-origin-iframe-logging.html: Added.
* http/tests/inspector/resources/cross-origin-iframe.html: Added.
* platform/chromium/http/tests/inspector/console-cross-origin-iframe-logging-expected.txt: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105310 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2012-01-18 Vsevolod Vlasov <vsevik@chromium.org>
+
+ Web Inspector: Unsafe cross origin access errors should show stack trace in console.
+ https://bugs.webkit.org/show_bug.cgi?id=73099
+
+ Reviewed by Pavel Feldman.
+
+ * http/tests/inspector/console-cross-origin-iframe-logging-expected.txt: Added.
+ * http/tests/inspector/console-cross-origin-iframe-logging.html: Added.
+ * http/tests/inspector/resources/cross-origin-iframe.html: Added.
+ * platform/chromium/http/tests/inspector/console-cross-origin-iframe-logging-expected.txt: Added.
+
2012-01-18 Alexey Proskuryakov <ap@apple.com>
file:// doesn't work as base URL
--- /dev/null
+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unable to post message to http://127.0.0.1:8000. Recipient has origin http://localhost:8000.
+
+Tests that cross origin errors are logged with source url and line number.
+
+
+Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+Unable to post message to http://127.0.0.1:8000. Recipient has origin http://localhost:8000.
+
+
--- /dev/null
+<html>
+<head>
+<script src="inspector-test.js"></script>
+<script src="console-test.js"></script>
+<script>
+function accessFrame()
+{
+ // Should fail.
+ var host = frames[0].location.host;
+
+ // Should fail.
+ frames[0].location.reload();
+
+ // Should fail.
+ frames[0].postMessage("fail", "http://127.0.0.1:8000");
+}
+
+function test()
+{
+ var finishAttemptsLeft = 4;
+ InspectorTest.addConsoleSniffer(maybeFinish, true);
+ ConsoleAgent.setMonitoringXHREnabled(true, step1);
+
+ function step1()
+ {
+ InspectorTest.evaluateInPage("accessFrame()", maybeFinish);
+ }
+
+ function maybeFinish()
+ {
+ --finishAttemptsLeft;
+ if (finishAttemptsLeft)
+ return;
+
+ ConsoleAgent.setMonitoringXHREnabled(false, finish);
+ }
+
+ function finish()
+ {
+ InspectorTest.dumpConsoleMessages();
+ InspectorTest.completeTest();
+ }
+}
+</script>
+</head>
+<body onload="runTest()">
+<p>Tests that cross origin errors are logged with source url and line number.</p>
+<iframe src="http://localhost:8000/inspector/resources/cross-origin-iframe.html"></iframe>
+</body>
+</html>
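Review bot: The counter `finishAttemptsLeft = 4` in `test()` is unexplained; from the visible code it appears to cover the three console messages produced by `accessFrame()` plus the `evaluateInPage` callback, and a reader has to reconstruct that. I would add a comment above it such as `// Three console messages from accessFrame() plus the evaluateInPage callback.`. The Chromium expectation added in this commit also pins the messages to lines 9, 12 and 15 of this file, so a comment saying that inserting lines before or inside `accessFrame()` requires rebaselining would save a later editor a confusing failure.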
--- /dev/null
+<html>
+<head>
+</head>
+<body>
+ <p>Cross origin frame.<p>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unable to post message to http://127.0.0.1:8000. Recipient has origin http://localhost:8000.
+
+Tests that cross origin errors are logged with source url and line number.
+
+
+console-cross-origin-iframe-logging.html:9Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+console-cross-origin-iframe-logging.html:12Unsafe JavaScript attempt to access frame with URL http://localhost:8000/inspector/resources/cross-origin-iframe.html from frame with URL http://127.0.0.1:8000/inspector/console-cross-origin-iframe-logging.html. Domains, protocols and ports must match.
+
+console-cross-origin-iframe-logging.html:15Unable to post message to http://127.0.0.1:8000. Recipient has origin http://localhost:8000.
+
+
+2012-01-18 Vsevolod Vlasov <vsevik@chromium.org>
+
+ Web Inspector: Unsafe cross origin access errors should show stack trace in console.
+ https://bugs.webkit.org/show_bug.cgi?id=73099
+
+ Reviewed by Pavel Feldman.
+
+ Test: http/tests/inspector/console-cross-origin-iframe-logging.html
+
+ * bindings/v8/V8Proxy.cpp:
+ (WebCore::V8Proxy::reportUnsafeAccessTo):
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::addConsoleMessage):
+ * dom/ScriptExecutionContext.h:
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::shouldAllowNavigation):
+ * page/Console.cpp:
+ (WebCore::Console::addMessage):
+ * page/Console.h:
+ * page/DOMWindow.cpp:
+ (WebCore::PostMessageTimer::PostMessageTimer):
+ (WebCore::PostMessageTimer::stackTrace):
+ (WebCore::DOMWindow::postMessage):
+ (WebCore::DOMWindow::postMessageTimerFired):
+ (WebCore::DOMWindow::printErrorMessage):
+
2012-01-18 Pablo Flouret <pablof@motorola.com>
Add [CallWith] support for attributes in JSC/V8 idl code generators.
#include "IDBFactoryBackendInterface.h"
#include "InspectorInstrumentation.h"
#include "PlatformSupport.h"
+#include "ScriptCallStack.h"
+#include "ScriptCallStackFactory.h"
#include "ScriptSourceCode.h"
#include "SecurityOrigin.h"
#include "Settings.h"
String str = "Unsafe JavaScript attempt to access frame with URL " + targetDocument->url().string() +
" from frame with URL " + sourceDocument->url().string() + ". Domains, protocols and ports must match.\n";
+ RefPtr<ScriptCallStack> stackTrace = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);
+
// NOTE: Safari prints the message in the target page, but it seems like
// it should be in the source page. Even for delayed messages, we put it in
// the source page.
- sourceDocument->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, str);
+ sourceDocument->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, str, stackTrace.release());
}
static void handleFatalErrorInV8()
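Review bot: The stack capture added in `reportUnsafeAccessTo` runs on every blocked cross-origin access, whereas the `DOMWindow::postMessage` change in this same commit guards the identical `createScriptCallStack` call with `InspectorInstrumentation::hasFrontends()` because it "may be time consuming". Page script decides how often this denial path is reached, so the unguarded capture puts the cost exactly where untrusted content controls the rate. I would apply the same guard here, `if (InspectorInstrumentation::hasFrontends()) stackTrace = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);`, and likewise in `DOMWindow::printErrorMessage`, unless the trace is meant to be kept for a front-end opened later, in which case a comment should say so. The start of the function is outside the hunk.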
addMessage(source, type, level, message, sourceURL, lineNumber, callStack);
}
+void ScriptExecutionContext::addConsoleMessage(MessageSource source, MessageType type, MessageLevel level, const String& message, PassRefPtr<ScriptCallStack> callStack)
+{
+ addMessage(source, type, level, message, String(), 0, callStack);
+}
+
+
bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int lineNumber, const String& sourceURL)
{
EventTarget* target = errorEventTarget();
bool sanitizeScriptError(String& errorMessage, int& lineNumber, String& sourceURL);
void reportException(const String& errorMessage, int lineNumber, const String& sourceURL, PassRefPtr<ScriptCallStack>);
void addConsoleMessage(MessageSource, MessageType, MessageLevel, const String& message, const String& sourceURL = String(), unsigned lineNumber = 0, PassRefPtr<ScriptCallStack> = 0);
+ void addConsoleMessage(MessageSource, MessageType, MessageLevel, const String& message, PassRefPtr<ScriptCallStack>);
// Active objects are not garbage collected even if inaccessible, e.g. because their activity may result in callbacks being invoked.
bool canSuspendActiveDOMObjects();
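Review bot: The new five-argument `addConsoleMessage` overload sits next to one whose fifth parameter is a defaulted `const String& sourceURL`, so a call that passes a literal `0` in fifth position would likely be ambiguous between the two. That fails at compile time rather than silently, but the declaration gives no hint about when to use which form. A one-line comment above it, for example `// Use when only a call stack is available; source URL and line number are left empty.`, would document the intent, and the parallel `Console::addMessage` overload in Console.h could carry the same comment. The enclosing class starts and ends outside this hunk.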
#include "ResourceHandle.h"
#include "ResourceRequest.h"
#include "SchemeRegistry.h"
-#include "ScrollAnimator.h"
+#include "ScriptCallStack.h"
+#include "ScriptCallStackFactory.h"
#include "ScriptController.h"
#include "ScriptSourceCode.h"
+#include "ScrollAnimator.h"
#include "SecurityOrigin.h"
#include "SecurityPolicy.h"
#include "SegmentedString.h"
if (canAccessAncestor(activeSecurityOrigin, targetFrame))
return true;
- Settings* settings = targetFrame->settings();
- if (settings && !settings->privateBrowsingEnabled()) {
- Document* targetDocument = targetFrame->document();
- // FIXME: this error message should contain more specifics of why the navigation change is not allowed.
- String message = "Unsafe JavaScript attempt to initiate a navigation change for frame with URL " +
- targetDocument->url().string() + " from frame with URL " + activeDocument->url().string() + ".\n";
+ Document* targetDocument = targetFrame->document();
+ // FIXME: this error message should contain more specifics of why the navigation change is not allowed.
+ String message = "Unsafe JavaScript attempt to initiate a navigation change for frame with URL " +
+ targetDocument->url().string() + " from frame with URL " + activeDocument->url().string() + ".\n";
+
+ // FIXME: should we print to the console of the activeFrame as well?
+ targetFrame->domWindow()->printErrorMessage(message);
- // FIXME: should we print to the console of the activeFrame as well?
- targetFrame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
- }
-
return false;
}
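Review bot: Removing the `settings && !settings->privateBrowsingEnabled()` test means this call site no longer decides for itself whether navigation-denial messages, which embed both frame URLs, are logged during private browsing. That is only equivalent if `DOMWindow::printErrorMessage` performs the same settings check, and the part of that function visible on this page shows just an early `return;` before the `addMessage` call, so it is worth confirming. `printErrorMessage` also now captures the stack of the currently running script, which here is presumably the active frame's, while the message goes to the target frame's console; if that attribution is intended, a short comment such as `// The stack trace belongs to the initiating (active) frame.` would help. The function starts outside the hunk.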
printf("%s %s:", sourceString, levelString);
}
+void addMessage(MessageSource, MessageType, MessageLevel, const String& message, PassRefPtr<ScriptCallStack>);
+
+void Console::addMessage(MessageSource source, MessageType type, MessageLevel level, const String& message, PassRefPtr<ScriptCallStack> callStack)
+{
+ addMessage(source, type, level, message, String(), 0, callStack);
+}
+
void Console::addMessage(MessageSource source, MessageType type, MessageLevel level, const String& message, const String& sourceURL, unsigned lineNumber, PassRefPtr<ScriptCallStack> callStack)
{
Page* page = this->page();
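Review bot: The first added line declares a free function `addMessage(MessageSource, MessageType, MessageLevel, const String&, PassRefPtr<ScriptCallStack>)`, apparently at namespace scope, directly above the member definition `Console::addMessage` with the same parameters. No definition or caller of the free function is visible on this page and the member is already declared in Console.h, so this looks like a leftover and I would delete the line `void addMessage(MessageSource, MessageType, MessageLevel, const String& message, PassRefPtr<ScriptCallStack>);`. The seven-argument `Console::addMessage` body at the end of the hunk continues outside it.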
virtual ~Console();
void addMessage(MessageSource, MessageType, MessageLevel, const String& message, const String& sourceURL = String(), unsigned lineNumber = 0, PassRefPtr<ScriptCallStack> = 0);
+ void addMessage(MessageSource, MessageType, MessageLevel, const String& message, PassRefPtr<ScriptCallStack>);
void debug(PassRefPtr<ScriptArguments>, PassRefPtr<ScriptCallStack>);
void error(PassRefPtr<ScriptArguments>, PassRefPtr<ScriptCallStack>);
#include "PlatformScreen.h"
#include "ScheduledAction.h"
#include "Screen.h"
+#include "ScriptCallStack.h"
+#include "ScriptCallStackFactory.h"
#include "SecurityOrigin.h"
#include "SerializedScriptValue.h"
#include "Settings.h"
class PostMessageTimer : public TimerBase {
public:
- PostMessageTimer(DOMWindow* window, PassRefPtr<SerializedScriptValue> message, const String& sourceOrigin, PassRefPtr<DOMWindow> source, PassOwnPtr<MessagePortChannelArray> channels, SecurityOrigin* targetOrigin)
+ PostMessageTimer(DOMWindow* window, PassRefPtr<SerializedScriptValue> message, const String& sourceOrigin, PassRefPtr<DOMWindow> source, PassOwnPtr<MessagePortChannelArray> channels, SecurityOrigin* targetOrigin, PassRefPtr<ScriptCallStack> stackTrace)
: m_window(window)
, m_message(message)
, m_origin(sourceOrigin)
, m_source(source)
, m_channels(channels)
, m_targetOrigin(targetOrigin)
+ , m_stackTrace(stackTrace)
{
}
return MessageEvent::create(messagePorts.release(), m_message, m_origin, "", m_source);
}
SecurityOrigin* targetOrigin() const { return m_targetOrigin.get(); }
+ ScriptCallStack* stackTrace() const { return m_stackTrace.get(); }
private:
virtual void fired()
RefPtr<DOMWindow> m_source;
OwnPtr<MessagePortChannelArray> m_channels;
RefPtr<SecurityOrigin> m_targetOrigin;
+ RefPtr<ScriptCallStack> m_stackTrace;
};
typedef HashCountedSet<DOMWindow*> DOMWindowSet;
return;
String sourceOrigin = sourceDocument->securityOrigin()->toString();
+ // Capture stack trace only when inspector front-end is loaded as it may be time consuming.
+ RefPtr<ScriptCallStack> stackTrace;
+ if (InspectorInstrumentation::hasFrontends())
+ stackTrace = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);
+
// Schedule the message.
- PostMessageTimer* timer = new PostMessageTimer(this, message, sourceOrigin, source, channels.release(), target.get());
+ PostMessageTimer* timer = new PostMessageTimer(this, message, sourceOrigin, source, channels.release(), target.get(), stackTrace.release());
timer->startOneShot(0);
}
if (!timer->targetOrigin()->isSameSchemeHostPort(document()->securityOrigin())) {
String message = "Unable to post message to " + timer->targetOrigin()->toString() +
". Recipient has origin " + document()->securityOrigin()->toString() + ".\n";
- console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
+ console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, timer->stackTrace());
return;
}
}
return;
// FIXME: Add arguments so that we can provide a correct source URL and line number.
- console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
+ RefPtr<ScriptCallStack> stackTrace = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);
+ console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, stackTrace.release());
}
String DOMWindow::crossDomainAccessErrorMessage(DOMWindow* activeWindow)