Title: [124695] trunk/Source/WebCore
- Revision
- 124695
- Author
- [email protected]
- Date
- 2012-08-04 01:13:12 -0700 (Sat, 04 Aug 2012)
Log Message
BindingSecurity::shouldAllowAccessToNode shouldn't detour through Frame to find the node's document
https://bugs.webkit.org/show_bug.cgi?id=93140
Reviewed by Eric Seidel.
Previously, shouldAllowAccessToNode took a detour through the Frame to
find the Document associated with a given Node. That's crazy! Nodes
already know their documents. This patch removes the detour.
It's theoretically possible that this patch changes behavior in the
case where the Frame is 0, but I couldn't find any situations in which
we call this function on nodes in inactive documents because the
typical way you find a node worth checking security on is via
a JavaScript window object.
* bindings/generic/BindingSecurity.cpp:
(WebCore::canAccessDocument):
(WebCore::BindingSecurity::shouldAllowAccessToNode):
(WebCore::BindingSecurity::allowSettingFrameSrcToJavascriptUrl):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (124694 => 124695)
--- trunk/Source/WebCore/ChangeLog 2012-08-04 07:49:38 UTC (rev 124694)
+++ trunk/Source/WebCore/ChangeLog 2012-08-04 08:13:12 UTC (rev 124695)
@@ -1,5 +1,27 @@
2012-08-04 Adam Barth <[email protected]>
+ BindingSecurity::shouldAllowAccessToNode shouldn't detour through Frame to find the node's document
+ https://bugs.webkit.org/show_bug.cgi?id=93140
+
+ Reviewed by Eric Seidel.
+
+ Previously, shouldAllowAccessToNode took a detour through the Frame to
+ find the Document associated with a given Node. That's crazy! Nodes
+ already know their documents. This patch removes the detour.
+
+ It's theoretically possible that this patch changes behavior in the
+ case where the Frame is 0, but I couldn't find any situations in which
+ we call this function on nodes in inactive documents because the
+ typical way you find a node worth checking security on is via
+ a _javascript_ window object.
+
+ * bindings/generic/BindingSecurity.cpp:
+ (WebCore::canAccessDocument):
+ (WebCore::BindingSecurity::shouldAllowAccessToNode):
+ (WebCore::BindingSecurity::allowSettingFrameSrcToJavascriptUrl):
+
+2012-08-04 Adam Barth <[email protected]>
+
[V8] Re-wire "target" half of the same-origin security check through Document rather than DOMWindow
https://bugs.webkit.org/show_bug.cgi?id=93079
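Review bot: the ChangeLog entry names no test for the behaviour change it acknowledges (the "Frame is 0" case at the "It's theoretically possible" paragraph), and it does not mention that allowSettingFrameSrcToJavascriptUrl now routes through canAccessDocument directly. Suggest adding a line recording either the layout test that covers a node in a frameless document or an explicit statement that no test is added, so the reasoning "I couldn't find any situations" is verifiable later.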
Modified: trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp (124694 => 124695)
--- trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-04 07:49:38 UTC (rev 124694)
+++ trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-04 08:13:12 UTC (rev 124695)
@@ -44,7 +44,6 @@
static bool canAccessDocument(BindingState* state, Document* targetDocument, bool reportError)
{
- // We have seen crashes were the target is 0, but we don't have a test case for it.
if (!targetDocument)
return false;
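Review bot: deleting the comment "We have seen crashes were the target is 0, but we don't have a test case for it." drops the only recorded reason the null check below exists, while the check itself stays. Suggest keeping a short comment (with the typo fixed, "where" rather than "were") or a FIXME pointing at the missing test, since the new shouldAllowAccessToNode and allowSettingFrameSrcToJavascriptUrl bodies in the next hunk now depend on this null check returning false.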
@@ -66,27 +65,14 @@
return target && canAccessDocument(state, target->document(), reportError);
}
-bool BindingSecurity::shouldAllowAccessToNode(BindingState* state, Node* node)
+bool BindingSecurity::shouldAllowAccessToNode(BindingState* state, Node* target)
{
- if (!node)
- return false;
-
- // FIXME: We shouldn't need to go through the frame here because we already have the document.
- Frame* target = node->document()->frame();
- if (!target)
- return false;
-
- return canAccessFrame(state, target, true);
+ return target && canAccessDocument(state, target->document(), true);
}
bool BindingSecurity::allowSettingFrameSrcToJavascriptUrl(BindingState* state, HTMLFrameElementBase* frame, const String& value)
{
- if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(value))) {
- Node* contentDocument = frame->contentDocument();
- if (contentDocument && !shouldAllowAccessToNode(state, contentDocument))
- return false;
- }
- return true;
+ return !protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(value)) || canAccessDocument(state, frame->contentDocument(), true);
}
}
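Review bot: this hunk changes the result for a null contentDocument in allowSettingFrameSrcToJavascriptUrl, and the commit message does not describe it. Before, "if (contentDocument && !shouldAllowAccessToNode(state, contentDocument)) return false;" let a javascript: URL through when the frame had no content document; after, "canAccessDocument(state, frame->contentDocument(), true)" returns false for a null document (per the null check in the previous hunk) and is called with reportError set to true, so that case is now denied and may report a security error. If that tightening is intended, state it in the ChangeLog and cover it with a test; if not, keep an explicit null check on contentDocument before the call. Separately, shouldAllowAccessToNode no longer returns false when node->document()->frame() is 0, so the outcome for nodes in inactive documents now depends on how canAccessDocument handles a frameless document, which is not visible in this hunk; a test with a node from a detached document would pin that down.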
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes