Changeset 34532 in webkit
- Timestamp:
- Jun 13, 2008 10:39:55 PM (16 years ago)
- Location:
- trunk/WebCore
- Files:
-
- 5 edited
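--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,25 @@
+2008-06-13 Adam Barth <abarth@webkit.org>
+
+Reviewed by Darin Adler.
+
+Fixes <https://bugs.webkit.org/show_bug.cgi?id=15100>:
+XMLHttpRequest::urlMatchesDocumentDomain raises error if port
+information does not match exactly
+
+Refactor our security check for XMLHttpRequest into SecurityOrigin so
+we can reuse it in other places. This leverages our default port
+technology in SecurityOrigin.
+
+I wasn't sure how to write a test for this because the LayoutTests run
+on non-default ports.
+
+* platform/SecurityOrigin.cpp:
+(WebCore::SecurityOrigin::canRequest):
+* platform/SecurityOrigin.h:
+* xml/XMLHttpRequest.cpp:
+(WebCore::XMLHttpRequest::send):
+(WebCore::XMLHttpRequest::willSendRequest):
+* xml/XMLHttpRequest.h:
+
 2008-06-13 Adam Barth <abarth@webkit.org>
 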
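--- a/trunk/WebCore/platform/SecurityOrigin.cpp
+++ b/trunk/WebCore/platform/SecurityOrigin.cpp
@@ -151,4 +151,19 @@
 }
 
+bool SecurityOrigin::canRequest(const KURL& url) const
+{
+if (FrameLoader::shouldTreatSchemeAsLocal(m_protocol))
+return true;
+
+if (m_noAccess)
+return false;
+
+RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
+
+// We call isSameSchemeHostPort here instead of canAccess because we want
+// to ignore document.domain effects.
+return isSameSchemeHostPort(targetOrigin.get());
+}
+
 bool SecurityOrigin::isSecureTransitionTo(const KURL& url) const
 {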
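Review bot: In `canRequest` the `shouldTreatSchemeAsLocal(m_protocol)` early return runs before the `m_noAccess` test, so an origin that has a local scheme and is also marked no-access is still allowed to request any URL. If `m_noAccess` is meant to be an absolute deny (its definition is not visible here), check it first by moving `if (m_noAccess) return false;` above the local-scheme branch. It would also help to say in a comment that the local branch deliberately grants local origins read access to every URL, since that is the widest grant in the function.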
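--- a/trunk/WebCore/platform/SecurityOrigin.h
+++ b/trunk/WebCore/platform/SecurityOrigin.h
@@ -55,5 +55,13 @@
 unsigned short port() const { return m_port; }
 
+// Returns true if this SecurityOrigin can script objects in the given
+// SecurityOrigin.
 bool canAccess(const SecurityOrigin*) const;
+
+// Returns true if this SecurityOrigin can read content retrieved from
+// the given URL. For example, call this function before issuing
+// XMLHttpRequests.
+bool canRequest(const KURL&) const;
+
 bool isSecureTransitionTo(const KURL&) const;
 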
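Review bot: The new comment on `canRequest` omits the two properties a caller most needs when using it for a security decision: per SecurityOrigin.cpp in this changeset, the check ignores `document.domain` and returns true for every URL when the origin's scheme is local. I would extend the declaration comment, e.g. `// Ignores document.domain. Origins with a local scheme may request any URL.`, so that future callers outside XMLHttpRequest do not treat it as interchangeable with `canAccess`.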
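--- a/trunk/WebCore/xml/XMLHttpRequest.cpp
+++ b/trunk/WebCore/xml/XMLHttpRequest.cpp
@@ -318,20 +318,4 @@
 }
 
-bool XMLHttpRequest::urlMatchesDocumentDomain(const KURL& url) const
-{
-// a local file can load anything
-if (m_doc->isAllowedToLoadLocalResources())
-return true;
-
-// but a remote document can only load from the same port on the server
-KURL documentURL(m_doc->url());
-if (documentURL.protocol().lower() == url.protocol().lower()
-&& documentURL.host().lower() == url.host().lower()
-&& documentURL.port() == url.port())
-return true;
-
-return false;
-}
-
 void XMLHttpRequest::open(const String& method, const KURL& url, bool async, ExceptionCode& ec)
 {
@@ -411,5 +395,5 @@
 m_error = false;
 
-m_sameOriginRequest = urlMatchesDocumentDomain(m_url);
+m_sameOriginRequest = m_doc->securityOrigin()->canRequest(m_url);
 
 ResourceRequest request;
@@ -894,5 +878,5 @@
 {
 // FIXME: This needs to be fixed to follow the redirect correctly even for cross-domain requests.
-if (! urlMatchesDocumentDomain(request.url()))
+if (!m_doc->securityOrigin()->canRequest(request.url()))
 internalAbort();
 }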
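Review bot: Replacing `urlMatchesDocumentDomain` in `send()` and `willSendRequest()` also changes how the local-file exemption is decided: the removed helper asked `m_doc->isAllowedToLoadLocalResources()`, while `canRequest` tests the scheme of the document's origin, and nothing on this page shows that the two always agree. If a document can hold local-load permission without a local scheme, or the reverse, then `m_sameOriginRequest` and the redirect abort would now come out differently for it. I would confirm the equivalence and pin it with a regression test, which the ChangeLog entry says was not added. Both functions begin and end outside these hunks.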
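--- a/trunk/WebCore/xml/XMLHttpRequest.h
+++ b/trunk/WebCore/xml/XMLHttpRequest.h
@@ -95,6 +95,4 @@
 virtual void derefEventTarget() { deref(); }
 
-bool urlMatchesDocumentDomain(const KURL&) const;
-
 virtual void willSendRequest(SubresourceLoader*, ResourceRequest& request, const ResourceResponse& redirectResponse);
 virtual void didReceiveResponse(SubresourceLoader*, const ResourceResponse&);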