Changeset 51977 in webkit


Ignore:
Timestamp:
Dec 10, 2009 7:12:04 PM (14 years ago)
Author:
abarth@webkit.org
Message:

2009-12-10 Adam Barth <abarth@webkit.org>

Reviewed by Darin Adler.

Mixed content shouldn't trigger for plug-ins without URLs
https://bugs.webkit.org/show_bug.cgi?id=32384

  • http/tests/security/mixedContent/empty-url-plugin-in-frame-expected.txt: Added.
  • http/tests/security/mixedContent/empty-url-plugin-in-frame.html: Added.
  • http/tests/security/mixedContent/resources/frame-with-empty-url-plugin.html: Added.

2009-12-10 Adam Barth <abarth@webkit.org>

Reviewed by Darin Adler.

Mixed content shouldn't trigger for plug-ins without URLs
https://bugs.webkit.org/show_bug.cgi?id=32384

These plug-ins cannot be controlled by active network attackers, so
there's no reason to trigger a mixed content warning.

Test: http/tests/security/mixedContent/empty-url-plugin-in-frame.html

  • loader/FrameLoader.cpp: (WebCore::FrameLoader::isMixedContent):
Location:
trunk
Files:
3 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r51976 r51977  
     12009-12-10  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        Mixed content shouldn't trigger for plug-ins without URLs
     6        https://bugs.webkit.org/show_bug.cgi?id=32384
     7
     8        * http/tests/security/mixedContent/empty-url-plugin-in-frame-expected.txt: Added.
     9        * http/tests/security/mixedContent/empty-url-plugin-in-frame.html: Added.
     10        * http/tests/security/mixedContent/resources/frame-with-empty-url-plugin.html: Added.
     11
    1122009-12-10  Oliver Hunt  <oliver@apple.com>
    213

  • trunk/WebCore/ChangeLog

    r51973 r51977  
     12009-12-10  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        Mixed content shouldn't trigger for plug-ins without URLs
     6        https://bugs.webkit.org/show_bug.cgi?id=32384
     7
     8        These plug-ins cannot be controlled by active network attackers, so
     9        there's no reason to trigger a mixed content warning.
     10
     11        Test: http/tests/security/mixedContent/empty-url-plugin-in-frame.html
     12
     13        * loader/FrameLoader.cpp:
     14        (WebCore::FrameLoader::isMixedContent):
     15
    1162009-12-10  Alexey Proskuryakov  <ap@apple.com>
    217

  • trunk/WebCore/loader/FrameLoader.cpp

    r51924 r51977  
    13831383        return false;  // We only care about HTTPS security origins.
    13841384
    1385     if (url.protocolIs("https") || url.protocolIs("about") || url.protocolIs("data"))
     1385    if (!url.isValid() || url.protocolIs("https") || url.protocolIs("about") || url.protocolIs("data"))
    13861386        return false;  // Loading these protocols is secure.
    13871387
Note: See TracChangeset for help on using the changeset viewer.