subject:"\[webkit\-dev\] Window\:\:isSafeScript\: which URLs to use in the error message"

[webkit-dev] Window::isSafeScript: which URLs to use in the error message

2007-08-31 Thread Anyang Ren

In kjs_window.cpp, Window::isSafeScript(ExecState *exec), we have:

  KURL actURL = activeFrame-loader()-url();
  WebCore::String actDomain = actURL.host();
  ...
  KURL thisURL = frame-loader()-url();
  ...
  WebCore::String thisDomain = thisURL.host();

  if (actDomain == thisDomain  actURL.protocol() ==
thisURL.protocol()  actURL.port() == thisURL.port())
return true;

  if (Interpreter::shouldPrintExceptions()) {
  printf(Unsafe JavaScript attempt to access frame with URL %s
from frame with URL %s. Domains, protocols and ports must match.\n,
 thisDocument-URL().latin1(), actDocument-URL().latin1());
  }
  String message = String::format(Unsafe JavaScript attempt to access
frame with URL %s from frame with URL %s. Domains, protocols and ports
must match.\n,
  thisDocument-URL().latin1(), actDocument-URL().latin1());

Since thisURL and actURL are the URLs used in the test, why are
we using thisDocument-URL() and actDocument-URL() in the
error messages?

In fact, actDocument could be NULL.  Earlier in this function, we have:

  WebCore::Document* actDocument = activeFrame-document();

  if (actDocument) {
if (thisDocument-domainWasSetInDOM()  actDocument-domainWasSetInDOM()) {
  if (thisDocument-domain() == actDocument-domain())
return true;
}
  }

The if (actDocument) test suggests that actDocument could
be NULL.

-- 
Anyang Ren
Open source developer
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Window::isSafeScript: which URLs to use in the error message

2007-08-31 Thread Maciej Stachowiak



On Aug 31, 2007, at 2:24 PM, Anyang Ren wrote:


In kjs_window.cpp, Window::isSafeScript(ExecState *exec), we have:

 KURL actURL = activeFrame-loader()-url();
 WebCore::String actDomain = actURL.host();
 ...
 KURL thisURL = frame-loader()-url();
 ...
 WebCore::String thisDomain = thisURL.host();

 if (actDomain == thisDomain  actURL.protocol() ==
thisURL.protocol()  actURL.port() == thisURL.port())
   return true;

 if (Interpreter::shouldPrintExceptions()) {
 printf(Unsafe JavaScript attempt to access frame with URL %s
from frame with URL %s. Domains, protocols and ports must match.\n,
thisDocument-URL().latin1(), actDocument- 
URL().latin1());

 }
 String message = String::format(Unsafe JavaScript attempt to access
frame with URL %s from frame with URL %s. Domains, protocols and ports
must match.\n,
 thisDocument-URL().latin1(), actDocument- 
URL().latin1());


Since thisURL and actURL are the URLs used in the test, why are
we using thisDocument-URL() and actDocument-URL() in the
error messages?


I think perhaps the message should mention both. thisURL and actURL  
(not such great names!) may identify the frame that is considered to  
own this frame in cases like about:blank or javascript: frame source,  
but they are not the true URL of the frame, so may not be very helpful  
in the error message. I think the format should be something like:


Unsafe JavaScript attempt to access frame with URL %s (owned by %s)  
from frame with URL %s (owned by %s). Domains, protocols and ports  
must match.\n


But the owned by part should probably be dropped entirely in the  
common case where the URLs are the same.


We'd take a patch to improve this.

In fact, actDocument could be NULL.  Earlier in this function, we  
have:


 WebCore::Document* actDocument = activeFrame-document();

 if (actDocument) {
   if (thisDocument-domainWasSetInDOM()  actDocument- 
domainWasSetInDOM()) {

 if (thisDocument-domain() == actDocument-domain())
   return true;
   }
 }

The if (actDocument) test suggests that actDocument could
be NULL.


I'm not sure it's possible for a frame to be executing script with a  
null document, so I don't think this is actually possible. In fact, in  
current trunk, I don't think it is ever possible for any frame to have  
a null document.


Regards,
Maciej


___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Window::isSafeScript: which URLs to use in the error message

2007-08-31 Thread Anyang Ren

Maciej,

Thank you for your reply.  I just checked the current trunk.
The error message has been changed to use thisURL and actURL
in r24900.

-- 
Anyang Ren
Open source developer
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-dev

[webkit-dev] Window::isSafeScript: which URLs to use in the error message

Re: [webkit-dev] Window::isSafeScript: which URLs to use in the error message

Re: [webkit-dev] Window::isSafeScript: which URLs to use in the error message

3 matches

Site Navigation

Mail list logo

Footer information