Title: [91685] branches/chromium/782
- Revision
- 91685
- Author
- [email protected]
- Date
- 2011-07-25 11:34:33 -0700 (Mon, 25 Jul 2011)
Log Message
Merge 91611
BUG=90222
Review URL: http://codereview.chromium.org/7499005
Modified Paths
Added Paths
Diff
Copied: branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt (from rev 91611, trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt) (0 => 91685)
--- branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt (rev 0)
+++ branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_-expected.txt 2011-07-25 18:34:33 UTC (rev 91685)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-document-baseURI-_javascript_.html. Domains, protocols and ports must match.
+
+This test passes if there is no alert dialog
Copied: branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html (from rev 91611, trunk/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html) (0 => 91685)
--- branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html (rev 0)
+++ branches/chromium/782/LayoutTests/http/tests/security/xss-DENIED-document-baseURI-_javascript_.html 2011-07-25 18:34:33 UTC (rev 91685)
@@ -0,0 +1,34 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+
+window._onload_ = function()
+{
+ document.documentURI = "_javascript_://hostname.com/%0D%0Aalert('FAIL')";
+
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.src = ""
+
+ frame._onload_ = function()
+ {
+ frame.contentWindow.location = "";
+ setTimeout(finishTest, 0);
+ }
+}
+
+function finishTest()
+{
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body>
+This test passes if there is no alert dialog
+</body>
+</html>
Modified: branches/chromium/782/Source/WebCore/page/DOMWindow.cpp (91684 => 91685)
--- branches/chromium/782/Source/WebCore/page/DOMWindow.cpp 2011-07-25 18:32:27 UTC (rev 91684)
+++ branches/chromium/782/Source/WebCore/page/DOMWindow.cpp 2011-07-25 18:34:33 UTC (rev 91685)
@@ -1671,7 +1671,7 @@
if (completedURL.isNull())
return;
- if (isInsecureScriptAccess(activeWindow, urlString))
+ if (isInsecureScriptAccess(activeWindow, completedURL))
return;
// We want a new history item if we are processing a user gesture.
@@ -1756,7 +1756,7 @@
newFrame->loader()->setOpener(openerFrame);
newFrame->page()->setOpenedByDOM();
- if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
return newFrame;
if (function)
@@ -1806,7 +1806,9 @@
if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
return 0;
- if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ KURL completedURL = firstFrame->document()->completeURL(urlString);
+
+ if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
return targetFrame->domWindow();
if (urlString.isEmpty())
@@ -1815,7 +1817,7 @@
// For whatever reason, Firefox uses the first window rather than the active window to
// determine the outgoing referrer. We replicate that behavior here.
targetFrame->navigationScheduler()->scheduleLocationChange(activeFrame->document()->securityOrigin(),
- firstFrame->document()->completeURL(urlString).string(),
+ completedURL,
firstFrame->loader()->outgoingReferrer(),
!activeFrame->script()->anyPageIsProcessingUserGesture(), false);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
