Title: [96951] branches/chromium/874
Revision
96951
Author
[email protected]
Date
2011-10-07 09:59:27 -0700 (Fri, 07 Oct 2011)

Log Message

Merge 96826 - Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL

BUG=98053
Review URL: http://codereview.chromium.org/8206005

Modified Paths

Added Paths

Diff

Copied: branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt (from rev 96826, trunk/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt) (0 => 96951)


--- branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt	                        (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt	2011-10-07 16:59:27 UTC (rev 96951)
@@ -0,0 +1 @@
+There should be no alert displayed.  

Copied: branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element.html (from rev 96826, trunk/LayoutTests/http/tests/security/xss-DENIED-object-element.html) (0 => 96951)


--- branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element.html	                        (rev 0)
+++ branches/chromium/874/LayoutTests/http/tests/security/xss-DENIED-object-element.html	2011-10-07 16:59:27 UTC (rev 96951)
@@ -0,0 +1,28 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+window._onload_ = function()
+{
+    object = document.createElement("object");
+    object.data = ""
+    document.body.appendChild(object);
+    object._onload_ = function() {
+        object._onload_ = null;
+        object.data = ""
+        object.innerHTML = "foo";
+
+        if (window.layoutTestController)
+            setTimeout("layoutTestController.notifyDone()", 50);
+    }
+}
+</script>
+</head>
+<body>
+There should be no alert displayed.
+</body>
+</html>
\ No newline at end of file
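Review bot: As rendered, both `object.data = ""` assignments load an empty URL, so this test would never reach the new javascript:-URL check in allowedToLoadFrameURL; the archive has most likely stripped the `javascript:` value from the second assignment (the same mangling turns `onload` into `_onload_` and `JavaScript` into `_javascript_` on this page), so the test should be verified against the repository copy rather than this listing. Independently of that, `object` is assigned without `var` and becomes an implicit global, and the `data` assignments lack semicolons; `var object = document.createElement("object");` keeps the test self-contained. A one-line comment above the inner handler stating what it checks, e.g. `// Second load happens while a content frame already exists; a javascript: URL must be refused, so no alert fires.`, would make the expected-text file's single line self-explanatory.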

Modified: branches/chromium/874/Source/WebCore/html/HTMLPlugInImageElement.cpp (96950 => 96951)


--- branches/chromium/874/Source/WebCore/html/HTMLPlugInImageElement.cpp	2011-10-07 16:45:08 UTC (rev 96950)
+++ branches/chromium/874/Source/WebCore/html/HTMLPlugInImageElement.cpp	2011-10-07 16:59:27 UTC (rev 96951)
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
+#include "SecurityOrigin.h"
 
 namespace WebCore {
 
@@ -76,9 +77,14 @@
     if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
         return false;
 
+    KURL completeURL = document()->completeURL(url);
+    
+    if (contentFrame() && protocolIsJavaScript(completeURL)
+        && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+        return false;
+    
     // We allow one level of self-reference because some sites depend on that.
     // But we don't allow more than one.
-    KURL completeURL = document()->completeURL(url);
     bool foundSelfReference = false;
     for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
         if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {
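Review bot: The new javascript:-URL check carries no comment saying why it is conditioned on `contentFrame()` and what the `canAccess` comparison protects, and the two blank lines the hunk adds around it contain trailing whitespace (`+    `), which WebKit style rejects. Suggest `// A javascript: URL would execute in the nested document's origin; refuse it unless this document could already script that frame.` directly above the `if`. `contentDocument()->securityOrigin()` is dereferenced once `contentFrame()` is non-null; if a Frame can exist here without a Document, that pointer needs a null guard, which should be confirmed against Frame::document(). When no content frame exists yet the check is skipped entirely, presumably because the newly created frame inherits this document's origin; stating that in the comment would keep the asymmetry from looking accidental. allowedToLoadFrameURL continues past the end of the hunk.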