author    Simon Hausmann <simon.hausmann@nokia.com>  2009-06-19 17:26:02 +0200
committer Simon Hausmann <simon.hausmann@nokia.com>  2009-06-19 17:27:35 +0200
commit    96b4fc79fd4a7b4d9cdae924ccec5643e7a49cf0 (patch)
tree      59adec870878583b5abe4b4b3b9b1bc2c81971ef /dist
parent    a60259b676743f078178185a6c587381bd957d3c (diff)
Updated WebKit from /home/shausman/src/webkit/trunk to origin/qtwebkit-4.5 ( bd7262be70c02564d655e4f2aaf79cd8302a937f )

Changes in WebKit since the last update:

++ b/JavaScriptCore/ChangeLog

2009-02-02  Darin Adler  <darin@apple.com>

        Reviewed by Dave Hyatt.

        Bug 23676: Speed up uses of reserveCapacity on new vectors by adding a new reserveInitialCapacity
        https://bugs.webkit.org/show_bug.cgi?id=23676

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames): Use reserveInitialCapacity.
        * parser/Lexer.cpp:
        (JSC::Lexer::Lexer): Ditto.
        (JSC::Lexer::clear): Ditto.
        * wtf/Vector.h: Added reserveInitialCapacity, a more efficient version of
        reserveCapacity for use when the vector is brand new (still size 0 with no
        capacity other than the inline capacity).

2009-03-19  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Fixed <rdar://problem/6033712> -- a little bit of hardening in the Collector.

        SunSpider reports no change. I also verified in the disassembly that we
        end up with a single compare to constant.

        * runtime/Collector.cpp:
        (JSC::Heap::heapAllocate):

++ b/LayoutTests/ChangeLog

2009-05-21  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Tests for <rdar://problem/6910832> | https://bugs.webkit.org/show_bug.cgi?id=25907
        Incorrect URL returned to the DOM while the user drags a file

        * http/tests/local/drag-over-remote-content-expected.txt: Added.
        * http/tests/local/drag-over-remote-content.html: Added.
        * http/tests/security/drag-over-remote-content-iframe-expected.txt: Added.
        * http/tests/security/drag-over-remote-content-iframe.html: Added.

2009-04-14  Eric Carlson  <eric.carlson@apple.com>

        Reviewed by Alexey Proskuryakov.

        Fix <rdar://problem/6755724>
        <audio> and <video> elements can reference local file:/// URLs from remote in Safari

        Test cases to ensure that local 'src', 'poster', and <source> are not loaded.

        * http/tests/security/local-video-poster-from-remote-expected.txt: Added.
        * http/tests/security/local-video-poster-from-remote.html: Added.
        * http/tests/security/local-video-source-from-remote-expected.txt: Added.
        * http/tests/security/local-video-source-from-remote.html: Added.
        * http/tests/security/local-video-src-from-remote-expected.txt: Added.
        * http/tests/security/local-video-src-from-remote.html: Added.
        * http/tests/security/resources/load-media.cgi: Added.
        * http/tests/security/resources/silence.mpg: Added.

2009-04-14  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Part of <rdar://problem/6150868>
        Test for incorrect handling of content that needs to go into the head element
        once the head element has been removed.

        * fast/parser/head-content-after-head-removal-expected.txt: Added.
        * fast/parser/head-content-after-head-removal.html: Added.

2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey "Big Boy" Garen.

        Tests for <rdar://problem/5745677>
        Possible to stop load during an unload event

        * fast/events/resources/pass.html: Added.
        * fast/events/resources/subframe-stop-load-in-unload-handler-using-document-write.html: Added.
        * fast/events/resources/subframe-stop-load-in-unload-handler-using-window-stop.html: Added.
        * fast/events/stop-load-in-unload-handler-using-document-write-expected.txt: Added.
        * fast/events/stop-load-in-unload-handler-using-document-write.html: Added.
        * fast/events/stop-load-in-unload-handler-using-window-stop-expected.txt: Added.
        * fast/events/stop-load-in-unload-handler-using-window-stop.html: Added.

2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Tests for <rdar://problem/6226200>
        Implement Microsoft's X-FRAME-OPTIONS anti-framing defense

        * http/tests/security/XFrameOptions: Added.
        * http/tests/security/XFrameOptions/resources: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-in-body.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe-parent-same-origin-deny.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny-meta-tag-subframe.html: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-deny.cgi: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-allow.cgi: Added.
        * http/tests/security/XFrameOptions/resources/x-frame-options-parent-same-origin-deny.cgi: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-deny.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt: Added.
        * http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html: Added.

2009-04-03  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Update tests for <rdar://problem/6330929>
        https://bugs.webkit.org/show_bug.cgi?id=21456

        * dom/xhtml/level2/html/HTMLFormElement10-expected.txt:
        * fast/dom/Window/dom-access-from-closure-iframe-expected.txt:
        * fast/dom/Window/dom-access-from-closure-window-expected.txt:
        * http/tests/security/cross-frame-access-document-direct-expected.txt: Added.
        * http/tests/security/cross-frame-access-document-direct.html: Added.
        * http/tests/security/resources/cross-frame-iframe-for-document-direct-test-victim.html: Added.
        * http/tests/security/resources/cross-frame-iframe-for-document-direct-test.html: Added.

2009-04-03  Sam Weinig  <sam@webkit.org>

        Reviewed by Oliver Hunt.

        Tests for <rdar://problem/6476356>
        https://bugs.webkit.org/show_bug.cgi?id=23148
        Test for using the correct global object for location and history object
        prototype chain creation.

        * http/tests/security/cross-frame-access-history-prototype-expected.txt: Added.
        * http/tests/security/cross-frame-access-history-prototype.html: Added.
        * http/tests/security/cross-frame-access-location-prototype-expected.txt: Added.
        * http/tests/security/cross-frame-access-location-prototype.html: Added.
        * http/tests/security/resources/cross-frame-history-prototype-iframe.html: Added.
        * http/tests/security/resources/cross-frame-location-prototype-iframe.html: Added.

2009-03-29  Darin Adler  <darin@apple.com>

        Reviewed by Dan Bernstein.

        <rdar://problem/6015407> attr parsing should allow only identifiers

        * fast/css/attr-parsing-expected.txt: Added.
        * fast/css/attr-parsing.html: Added.

2009-03-16  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Test for <rdar://problem/6320555>
        Add an upper limit for setting HTMLSelectElement.length.

        * fast/forms/select-max-length-expected.txt: Added.
        * fast/forms/select-max-length.html: Added.

2009-02-26  Alexey Proskuryakov  <ap@webkit.org>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=23500
        KURL::parse() incorrectly compares its result to original string

        * fast/loader/url-parse-1-expected.txt: Updated results. Neither old nor new
        results match Firefox precisely.

++ b/WebCore/ChangeLog

2009-05-21  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Test for <rdar://problem/6910832> | https://bugs.webkit.org/show_bug.cgi?id=25907
        Incorrect URL returned to the DOM while the user drags a file

        * page/DragController.cpp:
        (WebCore::DragController::dragExited):
        (WebCore::DragController::tryDHTMLDrag): Don't base our decision on KURL,
        since that only looks at the text of the document's URL. Do base our
        decision on the securityOrigin(), which knows more about the document's
        actual origin.

2009-04-14  Eric Carlson  <eric.carlson@apple.com>

        Reviewed by Alexey Proskuryakov.

        Fix <rdar://problem/6755724>
        <audio> and <video> elements can reference local file:/// URLs from remote in Safari

        Tests: http/tests/security/local-video-poster-from-remote.html
               http/tests/security/local-video-source-from-remote.html
               http/tests/security/local-video-src-from-remote.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::loadResource): Don't pass url to media engine
        unless loader->canLoad() says it is OK.

2009-04-14  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Part of <rdar://problem/6150868>
        Fix incorrect handling of content that needs to go into the head element
        once the head element has been removed.

        Test: fast/parser/head-content-after-head-removal.html

        * html/HTMLParser.cpp:
        (WebCore::HTMLParser::HTMLParser): Remove unneeded initializer of m_head.
        (WebCore::HTMLParser::handleError): Update since m_head is now a RefPtr.
        (WebCore::HTMLParser::createHead): Ditto.
        * html/HTMLParser.h: Make m_head a RefPtr.

2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey "Big Boy" Garen.

        Fix for <rdar://problem/5745677>
        Possible to stop load during an unload event

        Also fixes https://bugs.webkit.org/show_bug.cgi?id=20605

        Tests: fast/events/stop-load-in-unload-handler-using-document-write.html
               fast/events/stop-load-in-unload-handler-using-window-stop.html

        Don't allow calling methods that would stop the new load inside the unload event.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::FrameLoader):
        (WebCore::FrameLoader::stopLoading):
        (WebCore::FrameLoader::stopAllLoaders):
        * loader/FrameLoader.h:

2009-04-08  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Fix for <rdar://problem/6226200>
        Implement Microsoft's X-FRAME-OPTIONS anti-framing defense

        Tests: http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-deny.html
               http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html
               http/tests/security/XFrameOptions/x-frame-options-deny.html
               http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html
               http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html

        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv): Stop the current load and redirect to
        about:blank if an X-FRAME-OPTIONS <meta> tag http-equiv dictates we should.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::shouldInterruptLoadForXFrameOptions): Add logic to parse
        the X-FRAME-OPTIONS parameter.
        * loader/FrameLoader.h:
        * loader/MainResourceLoader.cpp:
        (WebCore::MainResourceLoader::didReceiveResponse): Stop the current load if
        framed and a X-FRAME-OPTIONS header and its parameter dictate that we should.

2009-04-05  Simon Hausmann  <hausmann@webkit.org>

        Fix the Qt build.

        * bridge/qt/qt_runtime.h:
        (JSC::Bindings::QtRuntimeMethod::createPrototype): Take the JSGlobalObject as
        second argument.

2009-04-03  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        <rdar://problem/6330929>
        https://bugs.webkit.org/show_bug.cgi?id=21456

        Don't update the document pointer for all inactive windows on navigations.
        This change causes us to differ slightly from Firefox when accessing the
        document from within a closure tied to a navigated context, but as all
        browsers differ on this edge case, I don't foresee compatibility issues.

        Test: http/tests/security/cross-frame-access-document-direct.html

        * bindings/js/JSDOMWindowBase.cpp:
        (WebCore::JSDOMWindowBase::~JSDOMWindowBase):
        * bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::clearWindowShell):
        (WebCore::ScriptController::initScript):
        (WebCore::ScriptController::updateDocument):
        * bindings/js/ScriptController.h:

2009-04-03  Sam Weinig  <sam@webkit.org>

        Reviewed by Oliver Hunt.

        Fix for <rdar://problem/6476356>
        https://bugs.webkit.org/show_bug.cgi?id=23148

        - Use the window object the Location and History objects are directly
          associated with instead of the lexical global object to pick the object
          prototype to serve as the base of their respective prototype chains.
        - Re-factor as necessary to allow passing the correct global object to the
          createPrototype functions.

        Tests: http/tests/security/cross-frame-access-history-prototype.html
               http/tests/security/cross-frame-access-location-prototype.html

        * bindings/js/JSAudioConstructor.cpp:
        (WebCore::JSAudioConstructor::JSAudioConstructor):
        * bindings/js/JSDOMBinding.cpp:
        (WebCore::getCachedDOMStructure):
        (WebCore::cacheDOMStructure):
        * bindings/js/JSDOMBinding.h:
        (WebCore::getDOMStructure):
        (WebCore::getDOMPrototype):
        * bindings/js/JSDOMWindowCustom.cpp:
        (WebCore::JSDOMWindow::history):
        (WebCore::JSDOMWindow::location):
        * bindings/js/JSDocumentCustom.cpp:
        (WebCore::JSDocument::location):
        * bindings/js/JSImageConstructor.cpp:
        (WebCore::JSImageConstructor::JSImageConstructor):
        * bindings/js/JSMessageChannelConstructor.cpp:
        (WebCore::JSMessageChannelConstructor::JSMessageChannelConstructor):
        * bindings/js/JSNamedNodesCollection.h:
        (WebCore::JSNamedNodesCollection::createPrototype):
        * bindings/js/JSOptionConstructor.cpp:
        (WebCore::JSOptionConstructor::JSOptionConstructor):
        * bindings/js/JSRGBColor.h:
        (WebCore::JSRGBColor::createPrototype):
        * bindings/js/JSWebKitCSSMatrixConstructor.cpp:
        (WebCore::JSWebKitCSSMatrixConstructor::JSWebKitCSSMatrixConstructor):
        * bindings/js/JSWebKitPointConstructor.cpp:
        (WebCore::JSWebKitPointConstructor::JSWebKitPointConstructor):
        * bindings/js/JSWorkerConstructor.cpp:
        (WebCore::JSWorkerConstructor::JSWorkerConstructor):
        * bindings/js/JSXMLHttpRequestConstructor.cpp:
        (WebCore::JSXMLHttpRequestConstructor::JSXMLHttpRequestConstructor):
        * bindings/js/JSXSLTProcessorConstructor.cpp:
        (WebCore::JSXSLTProcessorConstructor::JSXSLTProcessorConstructor):
        * bindings/scripts/CodeGeneratorJS.pm:
        * bridge/objc/objc_runtime.h:
        (JSC::Bindings::ObjcFallbackObjectImp::createPrototype):
        * bridge/runtime_array.h:
        (JSC::RuntimeArray::createPrototype):
        * bridge/runtime_method.h:
        (JSC::RuntimeMethod::createPrototype):
        * bridge/runtime_object.h:
        (JSC::RuntimeObjectImp::createPrototype):
        * page/DOMWindow.idl:

2009-03-29  Darin Adler  <darin@apple.com>

        Reviewed by Dan Bernstein.

        <rdar://problem/6015407> attr parsing should allow only identifiers

        Test: fast/css/attr-parsing.html

        * css/CSSParser.cpp:
        (WebCore::CSSParser::parseContent): Allow only CSS_IDENT, and filter out
        identifiers that start with "-".
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::cssText): Added a case for CSS_ATTR so the test
        case works. This has the pleasant side effect of fixing a bug too.

2009-03-16  Sam Weinig  <sam@webkit.org>

        Reviewed by Anders Carlsson.

        Fix for <rdar://problem/6320555>
        Add an upper limit for setting HTMLSelectElement.length.

        Test: fast/forms/select-max-length.html

        * html/HTMLSelectElement.cpp:
        (WebCore::HTMLSelectElement::setOption):
        (WebCore::HTMLSelectElement::setLength):

2009-03-10  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey Garen.

        Fix for <rdar://problem/6166844>
        https://bugs.webkit.org/show_bug.cgi?id=24495
        Use same rule for loading java applets as we do for images.

        * html/HTMLAppletElement.cpp:
        (WebCore::HTMLAppletElement::createRenderer):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadItem):

2009-02-26  Alexey Proskuryakov  <ap@webkit.org>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=23500
        KURL::parse() incorrectly compares its result to original string

        * platform/KURL.cpp:
        (WebCore::KURL::parse): Take string length into account.
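The X-FRAME-OPTIONS entry above describes the defense only in outline: parse the header (or the equivalent <meta http-equiv>) value, and interrupt the load when the document is framed and the value says it should be. The following is an added, stand-alone model of that decision, written for this page and not taken from WebKit or from this commit. The Origin struct, the function names and the sample origins are assumptions; WebKit's SecurityOrigin and FrameLoader::shouldInterruptLoadForXFrameOptions are not used. It deliberately goes one step beyond the "parent-same-origin" tests listed in the ChangeLog by checking every ancestor frame for SAMEORIGIN, not only the direct parent, since a same-origin parent nested inside a hostile top-level page would otherwise still allow clickjacking.

```cpp
// Added example (not WebKit code): a stand-alone model of the X-FRAME-OPTIONS
// decision described in the ChangeLog. Origin, evaluateXFrameOptions and the
// sample origins below are hypothetical and do not mirror WebKit's types.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical scheme/host/port origin tuple (assumption: not WebKit's type).
struct Origin {
    std::string scheme;
    std::string host;
    int port;
};

static bool sameOrigin(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// Trim ASCII whitespace and upper-case the directive; the header value is
// matched case-insensitively, as RFC 7034 later specified.
static std::string normalizeDirective(const std::string& raw) {
    const char* ws = " \t\r\n";
    size_t b = raw.find_first_not_of(ws);
    if (b == std::string::npos)
        return "";
    size_t e = raw.find_last_not_of(ws);
    std::string out = raw.substr(b, e - b + 1);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return out;
}

enum class XfoDecision { Allow, Block };

// headerValue: raw X-FRAME-OPTIONS header (or <meta http-equiv> content).
// self:        origin of the document that sent the header.
// ancestors:   origins of the documents framing it, innermost parent first;
//              empty means the document is the top-level page.
XfoDecision evaluateXFrameOptions(const std::string& headerValue,
                                  const Origin& self,
                                  const std::vector<Origin>& ancestors) {
    if (ancestors.empty())
        return XfoDecision::Allow; // not framed, nothing to defend against

    const std::string directive = normalizeDirective(headerValue);
    if (directive == "DENY")
        return XfoDecision::Block;

    if (directive == "SAMEORIGIN") {
        // Every ancestor must match, not just the direct parent: a same-origin
        // parent nested inside a hostile top frame would otherwise be enough
        // to clickjack the page.
        for (const Origin& ancestor : ancestors) {
            if (!sameOrigin(ancestor, self))
                return XfoDecision::Block;
        }
        return XfoDecision::Allow;
    }

    // Absent or unrecognized directive: the header is opt-in, so there is
    // nothing to enforce. A stricter engine could log the unknown value.
    return XfoDecision::Allow;
}

int main() {
    // Constructed sample origins; any resemblance to real hosts is incidental.
    const Origin app{"https", "app.example", 443};
    const Origin attacker{"https", "attacker.example", 443};
    const char* verdict[] = {"allow", "block"};
    std::cout << "DENY, top-level:           "
              << verdict[static_cast<int>(evaluateXFrameOptions("DENY", app, {}))] << "\n";
    std::cout << "DENY, framed by attacker:  "
              << verdict[static_cast<int>(evaluateXFrameOptions("DENY", app, {attacker}))] << "\n";
    std::cout << "SAMEORIGIN, same parent:   "
              << verdict[static_cast<int>(evaluateXFrameOptions("sameorigin", app, {app}))] << "\n";
    std::cout << "SAMEORIGIN, hostile top:   "
              << verdict[static_cast<int>(evaluateXFrameOptions("SAMEORIGIN", app, {app, attacker}))] << "\n";
    return 0;
}
```

Two points worth noting when comparing this with the ChangeLog. First, the fix is applied in two places in WebKit (the main resource response and the <meta> http-equiv path) because the value can arrive either way; the model above takes the value as a string and is indifferent to its source, but the meta-tag path is only meaningful while the document is still loading, which is why the ChangeLog describes it as stopping the load and redirecting to about:blank. Second, the header fails open: an unknown or empty value allows framing, so a typo in a deployed header silently removes the protection, which is an argument for testing the deployed value with exactly this kind of check.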
Diffstat (limited to 'dist')
-rw-r--r--  dist/changes-4.5.2 | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/dist/changes-4.5.2 b/dist/changes-4.5.2
index 91a7befd5a..163e476de9 100644
--- a/dist/changes-4.5.2
+++ b/dist/changes-4.5.2
@@ -55,6 +55,10 @@ General Improvements
Plugins (r41346, r43550, r43915, r43917, r43923)
Clipboard (r41360)
SVG (r43590, r43795)
+ * Backported various security fixes (r41262, r41568,
+ r41741, r41854, r42081, r42216, r42223, r42333,
+ r42365, r42532, r42533, r44010)
+
- QAbstractItemView
* [250754] Changing the font of the view did not update the size of the
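Review bot: the new entry identifies the backports only by SVN revision (r41262 through r44010), which a reader of dist/changes-4.5.2 cannot map to the issues fixed; the ChangeLog entries quoted in the commit message name the same fixes by Bugzilla ID and rdar number (https://bugs.webkit.org/show_bug.cgi?id=25907, 23148, 21456, 24495, 23500, 20605) and by a one-line summary (X-FRAME-OPTIONS anti-framing defense, <audio>/<video> loading file:/// URLs from remote pages, stopping a load from an unload handler, an upper limit on HTMLSelectElement.length). Suggest appending at least the bug IDs, for example `* Backported various security fixes (r41262, ...; WebKit bugs 25907, 23148, 21456, 24495, 23500)`, so that anyone auditing which Qt release carries a given fix does not have to open the WebKit repository. Also, the surrounding context lines list backports as bare topic lines ("Plugins (r41346, ...)", "Clipboard (r41360)") while the new lines use a "* " bullet; leading whitespace has been stripped in this rendering, so confirm the indentation and bullet style match the list the entry sits in.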