Changeset 119883 in webkit
- Timestamp: Jun 8, 2012 6:51:27 PM (12 years ago)
- Location: trunk
- Files: 4 added, 5 edited
trunk/LayoutTests/ChangeLog
r119879 r119883 1 2012-06-08 Mike West <mkwst@chromium.org> 2 3 Excluding blob: and filesystem: schemes from the mixed content check. 4 https://bugs.webkit.org/show_bug.cgi?id=84054 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/mixedContent/blob-url-in-iframe-expected.txt: Added. 9 * http/tests/security/mixedContent/blob-url-in-iframe.html: Added. 10 * http/tests/security/mixedContent/filesystem-url-in-iframe-expected.txt: Added. 11 * http/tests/security/mixedContent/filesystem-url-in-iframe.html: Added. 12 1 13 2012-06-08 Eli Fidler <efidler@rim.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r119882 r119883 1 2012-06-08 Mike West <mkwst@chromium.org> 2 3 Treat blob: and filesystem: URLs generated via secure origins as secure. 4 https://bugs.webkit.org/show_bug.cgi?id=84054 5 6 Loading a blob: or filesystem: URL into an iframe or image that's 7 contained on an HTTPS page shouldn't generate a mixed content warning. 8 This change adds a SecurityOrigin::isSecure to check both against a 9 URLs protocol, and the protocol of it's so-called "inner URL" if it's 10 the type of URL that has such a thing. These sorts of URLs which are 11 generated from secure sources will themselves be treated as secure. 12 13 Reviewed by Adam Barth. 14 15 Tests: http/tests/security/mixedContent/blob-url-in-iframe.html 16 http/tests/security/mixedContent/filesystem-url-in-iframe.html 17 18 * loader/FrameLoader.cpp: 19 (WebCore::FrameLoader::isMixedContent): 20 * page/SecurityOrigin.cpp: 21 (WebCore): 22 (WebCore::SecurityOrigin::isSecure): 23 * page/SecurityOrigin.h: 24 (SecurityOrigin): 25 1 26 2012-06-08 Martin Robinson <mrobinson@igalia.com> 2 27 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r119225 r119883 870 870 return false; // We only care about HTTPS security origins. 871 871 872 if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol())) 873 return false; // Loading these protocols is secure. 874 875 return true; 872 // We're in a secure context, so |url| is mixed content if it's insecure. 873 return !SecurityOrigin::isSecure(url); 876 874 } 877 875 -
trunk/Source/WebCore/page/SecurityOrigin.cpp
r113143 r119883 208 208 m_domainWasSetInDOM = true; 209 209 m_domain = newDomain.lower(); 210 } 211 212 bool SecurityOrigin::isSecure(const KURL& url) 213 { 214 // Invalid URLs are secure, as are URLs which have a secure protocol. 215 if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol())) 216 return true; 217 218 // URLs that wrap inner URLs are secure if those inner URLs are secure. 219 if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol())) 220 return true; 221 222 return false; 210 223 } 211 224 -
trunk/Source/WebCore/page/SecurityOrigin.h
r111476 r119883 68 68 unsigned short port() const { return m_port; } 69 69 70 // Returns true if a given URL is secure, based either directly on its 71 // own protocol, or, when relevant, on the protocol of its "inner URL" 72 // Protocols like blob: and filesystem: fall into this latter category. 73 static bool isSecure(const KURL&); 74 70 75 // Returns true if this SecurityOrigin can script objects in the given 71 76 // SecurityOrigin. For example, call this function before allowing
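Review bot: In trunk/LayoutTests/ChangeLog, all four added files are iframe tests (blob-url-in-iframe and filesystem-url-in-iframe plus their expected output), but the WebCore entry says the change covers "an iframe or image", and SecurityOrigin::isSecure has a branch that returns false when the inner URL's scheme is not secure. Neither the image case nor that false branch has a test listed here. Consider adding an image variant, and a case where the inner URL is not secure, so the test suite shows that the mixed content warning still fires for it.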
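Review bot: In the trunk/Source/WebCore/ChangeLog entry, two possessives are wrong in the description paragraph: "a URLs protocol" should read "a URL's protocol", and "the protocol of it's so-called" should read "the protocol of its so-called". Worth fixing before landing, since the ChangeLog text is what later readers will search when tracing the mixed content behaviour.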
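Review bot: In trunk/Source/WebCore/page/SecurityOrigin.cpp, the first branch of the new SecurityOrigin::isSecure returns true for `!url.isValid()`, which fails open in a public static helper whose name reads as a general trust check. That result was harmless while the test lived inside FrameLoader::isMixedContent, where it only meant "nothing to warn about", but any future caller of isSecure will get "secure" for a URL that could not be parsed. Suggest keeping the `!url.isValid()` early return in FrameLoader::isMixedContent and letting isSecure return false for invalid URLs. Separately, the second branch passes extractInnerURL(url).protocol() to SchemeRegistry without checking that the extracted inner URL is valid; it relies on an unparsable inner URL yielding a protocol that is not registered as secure, which deserves at least a comment.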
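Review bot: In trunk/Source/WebCore/page/SecurityOrigin.h, the comment added above `static bool isSecure(const KURL&);` does not mention that the implementation also returns true for invalid URLs, so the header documents a narrower contract than the .cpp provides. Please state the invalid-URL behaviour here, since this is where callers will read it. Minor: the sentence ending in `on the protocol of its "inner URL"` is missing its closing period.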