From 9416cdd66c13915532ea6db8fab1ddad6c9cf164 Mon Sep 17 00:00:00 2001
From: "commit-queue@webkit.org"
Date: Wed, 28 Sep 2011 21:01:37 +0000
Subject: [PATCH] JavaScript generated documents don't inherit the cookie URL
https://bugs.webkit.org/show_bug.cgi?id=69003
Patch by Sergey Glazunov on 2011-09-28
Reviewed by Adam Barth.
Source/WebCore:
Test: http/tests/security/cookies/cookie-theft-with-javascript-doc.html
* dom/Document.h:
(WebCore::Document::setCookieURL):
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::replaceDocument):
(WebCore::DocumentWriter::begin):
* loader/DocumentWriter.h:
LayoutTests:
* http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt: Added.
* http/tests/security/cookies/cookie-theft-with-javascript-doc.html: Added.
* http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96260 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog | 11 +++++++
 .../cookie-theft-with-javascript-doc-expected.txt | 1 +
 .../cookies/cookie-theft-with-javascript-doc.html | 38 ++++++++++++++++++++++
 .../resources/innocent-victim-with-cookies.html | 9 +++++
 Source/WebCore/ChangeLog | 16 +++++++++
 Source/WebCore/dom/Document.h | 1 +
 Source/WebCore/loader/DocumentWriter.cpp | 14 ++++----
 Source/WebCore/loader/DocumentWriter.h | 4 ++-
 8 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt
 create mode 100644 LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc.html
 create mode 100644 LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7557ee5..7515bc2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-09-28 Sergey Glazunov
+
+        JavaScript generated documents don't inherit the cookie URL
+        https://bugs.webkit.org/show_bug.cgi?id=69003
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt: Added.
+        * http/tests/security/cookies/cookie-theft-with-javascript-doc.html: Added.
+        * http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added.
+
 2011-09-28 Dimitri Glazkov
 
         REGRESSION(r95573): Crash when loading SVG documents in a flattened frame or any SVG document in Chromium/Mac.
diff --git a/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt b/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt
new file mode 100644
index 0000000..ff43ca4
--- /dev/null
+++ b/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt
@@ -0,0 +1 @@
+SUCCESS
diff --git a/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc.html b/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc.html
new file mode 100644
index 0000000..26b5c8c
--- /dev/null
+++ b/LayoutTests/http/tests/security/cookies/cookie-theft-with-javascript-doc.html
@@ -0,0 +1,38 @@
+ + + + + + +
\ No newline at end of file
diff --git a/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html b/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html
new file mode 100644
index 0000000..4e6e5d0
--- /dev/null
+++ b/LayoutTests/http/tests/security/cookies/resources/innocent-victim-with-cookies.html
@@ -0,0 +1,9 @@
+ + + + +
\ No newline at end of file
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 034c4d6..f080c80 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2011-09-28 Sergey Glazunov
+
+        JavaScript generated documents don't inherit the cookie URL
+        https://bugs.webkit.org/show_bug.cgi?id=69003
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/cookies/cookie-theft-with-javascript-doc.html
+
+        * dom/Document.h:
+        (WebCore::Document::setCookieURL):
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::replaceDocument):
+        (WebCore::DocumentWriter::begin):
+        * loader/DocumentWriter.h:
+
 2011-09-27 Dimitri Glazkov
 
         REGRESSION(r95573): Crash when loading SVG documents in a flattened frame or any SVG document in Chromium/Mac.
diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
index 85fa3a1..e7a9226 100644
--- a/Source/WebCore/dom/Document.h
+++ b/Source/WebCore/dom/Document.h
@@ -823,6 +823,7 @@ public:
     // inherits its cookieURL but not its URL.
     //
     const KURL& cookieURL() const { return m_cookieURL; }
+    void setCookieURL(const KURL& url) { m_cookieURL = url; }
 
     // The firstPartyForCookies is used to compute whether this document
     // appears in a "third-party" context for the purpose of third-party
diff --git a/Source/WebCore/loader/DocumentWriter.cpp b/Source/WebCore/loader/DocumentWriter.cpp
index a3fcf39..dd77768 100644
--- a/Source/WebCore/loader/DocumentWriter.cpp
+++ b/Source/WebCore/loader/DocumentWriter.cpp
@@ -67,7 +67,7 @@ DocumentWriter::DocumentWriter(Frame* frame)
 void DocumentWriter::replaceDocument(const String& source)
 {
     m_frame->loader()->stopAllLoaders();
-    begin(m_frame->document()->url(), true, m_frame->document()->securityOrigin());
+    begin(m_frame->document()->url(), true, InheritSecurityOrigin);
 
     if (!source.isNull()) {
         if (!m_hasReceivedSomeData) {
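Review bot: `setCookieURL` is added to the public section of Document with no indication of who is meant to call it, and the cookie URL is precisely the state this commit's own test (cookie-theft-with-javascript-doc) treats as security-relevant. A one-line scope comment above the setter would discourage casual use from other call sites: `// Only DocumentWriter should call this, when a JavaScript-generated document must keep its predecessor's cookie context.` The enclosing class continues outside the hunk.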
@@ -106,11 +106,9 @@ PassRefPtr DocumentWriter::createDocument(const KURL& url)
     return DOMImplementation::createDocument(m_mimeType, m_frame, url, m_frame->inViewSourceMode());
 }
 
-void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin)
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOriginSource originSource)
 {
-    // We need to take a reference to the security origin because |clear|
-    // might destroy the document that owns it.
-    RefPtr forcedSecurityOrigin = origin;
+    RefPtr oldDocument = m_frame->document();
 
     // We grab a local copy of the URL because it's easy for callers to supply
     // a URL that will be deallocated during the execution of this function.
@@ -139,8 +137,10 @@ void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrig
     if (m_decoder)
         document->setDecoder(m_decoder.get());
 
-    if (forcedSecurityOrigin)
-        document->setSecurityOrigin(forcedSecurityOrigin.get());
+    if (originSource == InheritSecurityOrigin) {
+        document->setCookieURL(oldDocument->cookieURL());
+        document->setSecurityOrigin(oldDocument->securityOrigin());
+    }
 
     m_frame->domWindow()->setURL(document->url());
     m_frame->domWindow()->setSecurityOrigin(document->securityOrigin());
diff --git a/Source/WebCore/loader/DocumentWriter.h b/Source/WebCore/loader/DocumentWriter.h
index ef53f21..348794f 100644
--- a/Source/WebCore/loader/DocumentWriter.h
+++ b/Source/WebCore/loader/DocumentWriter.h
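Review bot: The comment explaining why a reference was held across |clear| was removed together with `forcedSecurityOrigin`, yet `oldDocument` is taken for the very same reason and is dereferenced later in begin() (in the next hunk), so the rationale should travel with the new line. Suggest above `RefPtr oldDocument = m_frame->document();`: `// Keep the outgoing document alive: |clear| may destroy it, and the InheritSecurityOrigin path still reads its security origin and cookie URL afterwards.` The body of begin() continues outside the hunk.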
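Review bot: The inherit branch dereferences `oldDocument` unconditionally; that is safe for the only caller visible on this page (replaceDocument has already dereferenced `m_frame->document()`), but nothing at this site states the precondition for any future caller of begin(..., InheritSecurityOrigin). An `ASSERT(oldDocument);` as the first line of the `if (originSource == InheritSecurityOrigin)` block would make it explicit and cheap. It is also worth confirming whether firstPartyForCookies, documented directly below cookieURL in Document.h, needs to be carried over as well, unless the new document already inherits it elsewhere — that cannot be seen from this hunk. The rest of begin() lies outside the hunk.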
@@ -49,8 +49,10 @@ public:
     // and always contains the result of evaluating a javascript: url.
     void replaceDocument(const String&);
 
+    enum SecurityOriginSource { CreateNewSecurityOrigin, InheritSecurityOrigin };
+
     void begin();
-    void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOrigin* forcedSecurityOrigin = 0);
+    void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOriginSource = CreateNewSecurityOrigin);
     void addData(const char* bytes, size_t length);
     void end();
     void endIfNotLoadingMainResource();
-- 
2.7.4
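Review bot: The new `SecurityOriginSource` enum carries no comment saying what "inherit" covers, while the implementation copies both the security origin and the cookie URL from the outgoing document, so a reader of the header alone would underestimate its effect. Suggest above the enum: `// InheritSecurityOrigin: the new document takes both the security origin and the cookie URL of the document it replaces (used for JavaScript-generated documents).` A minor style point: the bool parameter of this overload is named while the new one is not; `SecurityOriginSource originSource = CreateNewSecurityOrigin` would read consistently with the definition in DocumentWriter.cpp.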