Title: [135900] trunk/Source/WebKit/blackberry
- Revision
- 135900
- Author
- [email protected]
- Date
- 2012-11-27 12:32:13 -0800 (Tue, 27 Nov 2012)
Log Message
[BlackBerry] http:// origins can navigate to privileged local:// origins
https://bugs.webkit.org/show_bug.cgi?id=103437
Patch by Jacky Jiang <[email protected]>.
Reviewed by Yong Li.
PR: 251489
When we aren't allowed to display the destination origin, we shouldn't
even create the window for it. In this way we can block remote
origins (like http://) from window.open-ing local origins (like file:// and
local://) and avoid further security issues.
Chrome and Safari will open a blank window and fail to load. Firefox
will fail to open the window and report a load failure error, which
is the same behavior as ours. I would prefer this way, as the window would
be useless and the calls after that would be harmful to us.
* WebCoreSupport/ChromeClientBlackBerry.cpp:
(WebCore::ChromeClientBlackBerry::createWindow):
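The policy the patch relies on, and the difference between checking it before versus after the window exists, as an added C++ illustration that is not WebKit code. `Origin` and `Window` stand in for WebKit's `SecurityOrigin` and `Page`, `canDisplay` is a simplified model of `SecurityOrigin::canDisplay()` with the local-scheme set fixed to `file` and `local` instead of coming from `SchemeRegistry`, and the failure text is modelled on the console warning `reportLocalLoadFailed` emits; all of those are assumptions of this example.

```cpp
#include <cctype>
#include <memory>
#include <set>
#include <string>

// Schemes treated as "local" here: file:// and (on BlackBerry) local://.
// Assumption: a fixed set stands in for WebKit's SchemeRegistry.
static const std::set<std::string>& localSchemes()
{
    static const std::set<std::string> schemes = { "file", "local" };
    return schemes;
}

// Lower-cased scheme of a URL, or "" when there is no "scheme://" prefix.
std::string schemeOf(const std::string& url)
{
    std::string::size_type pos = url.find("://");
    if (pos == std::string::npos)
        return "";
    std::string scheme = url.substr(0, pos);
    for (char& c : scheme)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme;
}

// Stand-in for SecurityOrigin: only the scheme and a privilege bit matter here.
struct Origin {
    std::string scheme;
    bool grantedUniversalAccess; // privileged contexts may display anything
    explicit Origin(const std::string& s, bool universal = false)
        : scheme(s), grantedUniversalAccess(universal) { }
};

// Stand-in for SecurityOrigin::canDisplay(): a local:// or file:// destination
// may only be displayed by a requester that is itself local (or privileged).
bool canDisplay(const Origin& requester, const std::string& url)
{
    std::string target = schemeOf(url);
    if (target.empty())
        return false; // refuse unparsable destinations
    if (!localSchemes().count(target))
        return true;  // remote destinations are always displayable
    if (requester.grantedUniversalAccess)
        return true;
    return localSchemes().count(requester.scheme) > 0;
}

struct Window {
    std::string url;
};

// Pre-patch shape: the window is created unconditionally; the display check
// only runs later, when the new window tries to load the URL, so an http://
// opener gets a live (if empty) window object pointing at local://.
std::unique_ptr<Window> createWindowBefore(const Origin&, const std::string& url)
{
    return std::unique_ptr<Window>(new Window{ url });
}

// Post-patch shape: bail out before creating anything when the requester may
// not display the destination, and report the failure to the opener.
std::unique_ptr<Window> createWindowAfter(const Origin& requester, const std::string& url,
                                          std::string* failureReport)
{
    if (!canDisplay(requester, url)) {
        if (failureReport)
            *failureReport = "Not allowed to load local resource: " + url; // modelled on WebKit's warning
        return nullptr;
    }
    return std::unique_ptr<Window>(new Window{ url });
}

// Convenience for callers that only want the failure text ("" when allowed).
std::string failureFor(const Origin& requester, const std::string& url)
{
    std::string report;
    createWindowAfter(requester, url, &report);
    return report;
}
```

The two `createWindow` variants differ only in where the check sits: before the patch the embedder's window exists before anyone asks whether the opener may display its URL, which is exactly the "useless and harmful" object the commit message describes; after it, a blocked destination never produces a window at all.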
Modified Paths
Diff
Modified: trunk/Source/WebKit/blackberry/ChangeLog (135899 => 135900)
--- trunk/Source/WebKit/blackberry/ChangeLog 2012-11-27 20:27:54 UTC (rev 135899)
+++ trunk/Source/WebKit/blackberry/ChangeLog 2012-11-27 20:32:13 UTC (rev 135900)
@@ -1,3 +1,23 @@
+2012-11-27 Jacky Jiang <[email protected]>
+
+ [BlackBerry] http:// origins can navigate to privileged local:// origins
+ https://bugs.webkit.org/show_bug.cgi?id=103437
+
+ Reviewed by Yong Li.
+
+ PR: 251489
+ When we aren't allowed to display the destination origin, we shouldn't
+ even create the window for it. In this way we can block the remote
+ origins(like http://) window.open local origins(like file:// and
+ local://) and avoid further security issues.
+ Chrome and Safari will open a blank window and fail to load. Firefox
+ will fail to open the window and report a load failure error which has
+ the same behavior as us. I would prefer this way as the window would
+ be useless and the calls after that would be harmful to us.
+
+ * WebCoreSupport/ChromeClientBlackBerry.cpp:
+ (WebCore::ChromeClientBlackBerry::createWindow):
+
2012-11-27 Andrew Lo <[email protected]>
[BlackBerry] Remove unnecessary backing store suspension in InputHandler::ensureFocusTextElementVisible
Modified: trunk/Source/WebKit/blackberry/WebCoreSupport/ChromeClientBlackBerry.cpp (135899 => 135900)
--- trunk/Source/WebKit/blackberry/WebCoreSupport/ChromeClientBlackBerry.cpp 2012-11-27 20:27:54 UTC (rev 135899)
+++ trunk/Source/WebKit/blackberry/WebCoreSupport/ChromeClientBlackBerry.cpp 2012-11-27 20:32:13 UTC (rev 135900)
@@ -215,8 +215,17 @@
return !m_webPagePrivate->m_webSettings->isJavaScriptEnabled() && !m_webPagePrivate->m_inputHandler->processingChange();
}
-Page* ChromeClientBlackBerry::createWindow(Frame*, const FrameLoadRequest& request, const WindowFeatures& features, const NavigationAction&)
+Page* ChromeClientBlackBerry::createWindow(Frame* frame, const FrameLoadRequest& request, const WindowFeatures& features, const NavigationAction&)
{
+ // Bail out early when we aren't allowed to display the target origin, otherwise,
+ // it would be harmful and the window would be useless. This is the same check
+ // as the one in FrameLoader::loadFrameRequest().
+ const KURL& url = ""
+ if (!request.requester()->canDisplay(url)) {
+ frame->loader()->reportLocalLoadFailed(frame, url.string());
+ return 0;
+ }
+
#if !defined(PUBLIC_BUILD) || !PUBLIC_BUILD
if (m_webPagePrivate->m_dumpRenderTree && !m_webPagePrivate->m_dumpRenderTree->allowsOpeningWindow())
return 0;
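Review bot: `const KURL& url = ""` at the top of the new block does not compile (a `const KURL&` cannot bind to a string literal) and reads like an extraction casualty; the second hunk swaps `request.resourceRequest().url().string()` for `url.string()`, so the initializer evidently should be `request.resourceRequest().url()`, and that is the value the `canDisplay` check must see. The ordering is right otherwise: the bail-out precedes the `PUBLIC_BUILD` DumpRenderTree gate and every later use of `request`, so a blocked destination never reaches `WebPageClient::createWindow`, and `reportLocalLoadFailed` is raised on the opener `frame`, which is why the previously unnamed `Frame*` parameter now has a name. Worth a sentence in the ChangeLog: the comment notes this duplicates the check in `FrameLoader::loadFrameRequest()`, so the change is defence in depth at window-creation time rather than a new policy.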
@@ -248,7 +257,7 @@
if (features.dialog)
flags |= WebPageClient::FlagWindowIsDialog;
- WebPage* webPage = m_webPagePrivate->m_client->createWindow(x, y, width, height, flags, request.resourceRequest().url().string(), request.frameName());
+ WebPage* webPage = m_webPagePrivate->m_client->createWindow(x, y, width, height, flags, url.string(), request.frameName());
if (!webPage)
return 0;
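Review bot: `url.string()` here is behaviour-preserving only if the `url` local introduced at the top of the function is initialised from `request.resourceRequest().url()`; with the initializer as shown in the first hunk that is not visible, so confirm it before landing. Given the early return, no second `canDisplay` check is needed at this point, and the embedder's `createWindow` can rely on the URL it receives being displayable by the opener.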
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes