Changeset 87423 in webkit


Ignore:
Timestamp:
May 26, 2011 12:53:00 PM (13 years ago)
Author:
mihaip@chromium.org
Message:

2011-05-26 Mihai Parparita <mihaip@chromium.org>

Reviewed by Adam Barth.

Support cross-origin XMLHttpRequest in isolated worlds
https://bugs.webkit.org/show_bug.cgi?id=59843

Add test for doing a cross-origin XHR in an isolated world via
setIsolatedWorldSecurityOrigin and addOriginAccessWhitelistEntry.

Skipped on JSC ports.

  • http/tests/security/isolatedWorld/cross-origin-xhr-expected.txt: Added.
  • http/tests/security/isolatedWorld/cross-origin-xhr.html: Added.
  • http/tests/security/isolatedWorld/resources/cross-origin-xhr.txt: Added.
  • platform/gtk/Skipped:
  • platform/mac/Skipped:
  • platform/qt/Skipped:
  • platform/win/Skipped:

2011-05-26 Mihai Parparita <mihaip@chromium.org>

Reviewed by Adam Barth.

Support cross-origin XMLHttpRequest in isolated worlds
https://bugs.webkit.org/show_bug.cgi?id=59843

Allows isolated worlds to be associated with a different SecurityOrigin
(exposed as a setIsolatedWorldSecurityOrigin function in
ScriptController).

The XMLHttpRequest constructor can then check that it's being
instantiated in an isolated world and use its security origin.
XMLHttpRequest, ThreadableLoader and DocumentThreadableLoader had to be
changed to use the copied SecurityOrigin instead of always grabbing the
Document's.

Test: http/tests/security/isolatedWorld/cross-origin-xhr.html

  • bindings/v8/ScriptController.cpp: (WebCore::ScriptController::setIsolatedWorldSecurityOrigin):
  • bindings/v8/ScriptController.h:
  • bindings/v8/V8IsolatedContext.cpp: (WebCore::V8IsolatedContext::setSecurityOrigin):
  • bindings/v8/V8IsolatedContext.h: (WebCore::V8IsolatedContext::securityOrigin):
  • bindings/v8/V8Proxy.cpp: (WebCore::V8Proxy::evaluateInIsolatedWorld): (WebCore::V8Proxy::setIsolatedWorldSecurityOrigin): (WebCore::V8Proxy::resetIsolatedWorlds):
  • bindings/v8/V8Proxy.h:
  • bindings/v8/custom/V8XMLHttpRequestConstructor.cpp: (WebCore::V8XMLHttpRequest::constructorCallback):
  • loader/DocumentThreadableLoader.cpp: (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight): (WebCore::DocumentThreadableLoader::didReceiveResponse): (WebCore::DocumentThreadableLoader::preflightSuccess): (WebCore::DocumentThreadableLoader::isAllowedRedirect): (WebCore::DocumentThreadableLoader::securityOrigin):
  • loader/DocumentThreadableLoader.h:
  • loader/ThreadableLoader.h:
  • xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::create): (WebCore::XMLHttpRequest::XMLHttpRequest): (WebCore::XMLHttpRequest::securityOrigin): (WebCore::XMLHttpRequest::responseXML): (WebCore::XMLHttpRequest::createRequest): (WebCore::XMLHttpRequest::setRequestHeader): (WebCore::XMLHttpRequest::getAllResponseHeaders): (WebCore::XMLHttpRequest::getResponseHeader):
  • xml/XMLHttpRequest.h:

2011-05-26 Mihai Parparita <mihaip@chromium.org>

Reviewed by Adam Barth.

Support cross-origin XMLHttpRequest in isolated worlds
https://bugs.webkit.org/show_bug.cgi?id=59843

Expose setIsolatedWorldSecurityOrigin in the WebFrame API.

  • public/WebFrame.h:
  • src/WebFrameImpl.cpp: (WebKit::WebFrameImpl::setIsolatedWorldSecurityOrigin):
  • src/WebFrameImpl.h:

2011-05-26 Mihai Parparita <mihaip@chromium.org>

Reviewed by Adam Barth.

Support cross-origin XMLHttpRequest in isolated worlds
https://bugs.webkit.org/show_bug.cgi?id=59843

Expose setIsolatedWorldSecurityOrigin in LayoutTestController.

  • DumpRenderTree/chromium/LayoutTestController.cpp: (LayoutTestController::LayoutTestController): (LayoutTestController::setIsolatedWorldSecurityOrigin):
  • DumpRenderTree/chromium/LayoutTestController.h:
Location:
trunk
Files:
3 added
25 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r87418 r87423  
     12011-05-26  Mihai Parparita  <mihaip@chromium.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        Support cross-origin XMLHttpRequest in isolated worlds
     6        https://bugs.webkit.org/show_bug.cgi?id=59843
     7
     8        Add test for doing a cross-origin XHR in an isolated world via
     9        setIsolatedWorldSecurityOrigin and addOriginAccessWhitelistEntry.
     10
     11        Skipped on JSC ports.
     12
     13        * http/tests/security/isolatedWorld/cross-origin-xhr-expected.txt: Added.
     14        * http/tests/security/isolatedWorld/cross-origin-xhr.html: Added.
     15        * http/tests/security/isolatedWorld/resources/cross-origin-xhr.txt: Added.
     16        * platform/gtk/Skipped:
     17        * platform/mac/Skipped:
     18        * platform/qt/Skipped:
     19        * platform/win/Skipped:
     20
    1212011-05-26  Adam Klein  <adamk@chromium.org>
    222

  • trunk/LayoutTests/platform/gtk/Skipped

    r87382 r87423  
    14571457# https://bugs.webkit.org/show_bug.cgi?id=61523
    14581458http/tests/eventsource/workers/eventsource-simple.html
     1459
     1460# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
     1461http/tests/security/isolatedWorld/cross-origin-xhr.html

  • trunk/LayoutTests/platform/mac/Skipped

    r87340 r87423  
    363363# https://bugs.webkit.org/show_bug.cgi?id=61487
    364364http/tests/media/video-cross-site.html
     365
     366# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
     367http/tests/security/isolatedWorld/cross-origin-xhr.html

  • trunk/LayoutTests/platform/qt/Skipped

    r87391 r87423  
    25152515fast/events/selectstart-by-double-triple-clicks.html
    25162516fast/events/selectstart-by-drag.html
     2517
     2518# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
     2519http/tests/security/isolatedWorld/cross-origin-xhr.html

  • trunk/LayoutTests/platform/win/Skipped

    r87274 r87423  
    13061306# Unskip after implementing LayoutTestController::setDefersLoading and ::goBack.
    13071307loader/navigation-while-deferring-loads.html
     1308
     1309# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
     1310http/tests/security/isolatedWorld/cross-origin-xhr.html

  • trunk/Source/WebCore/ChangeLog

    r87419 r87423  
     12011-05-26  Mihai Parparita  <mihaip@chromium.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        Support cross-origin XMLHttpRequest in isolated worlds
     6        https://bugs.webkit.org/show_bug.cgi?id=59843
     7
     8        Allows isolated worlds to be associated with a different SecurityOrigin
     9        (exposed as a setIsolatedWorldSecurityOrigin function in
     10        ScriptController).
     11
     12        The XMLHttpRequest constructor can then check that it's being
     13        instantiated in an isolated world and use its security origin.
     14        XMLHttpRequest, ThreadableLoader and DocumentThreadableLoader had to be
     15        changed to use the copied SecurityOrigin instead of always grabbing the
     16        Document's.
     17
     18        Test: http/tests/security/isolatedWorld/cross-origin-xhr.html
     19
     20        * bindings/v8/ScriptController.cpp:
     21        (WebCore::ScriptController::setIsolatedWorldSecurityOrigin):
     22        * bindings/v8/ScriptController.h:
     23        * bindings/v8/V8IsolatedContext.cpp:
     24        (WebCore::V8IsolatedContext::setSecurityOrigin):
     25        * bindings/v8/V8IsolatedContext.h:
     26        (WebCore::V8IsolatedContext::securityOrigin):
     27        * bindings/v8/V8Proxy.cpp:
     28        (WebCore::V8Proxy::evaluateInIsolatedWorld):
     29        (WebCore::V8Proxy::setIsolatedWorldSecurityOrigin):
     30        (WebCore::V8Proxy::resetIsolatedWorlds):
     31        * bindings/v8/V8Proxy.h:
     32        * bindings/v8/custom/V8XMLHttpRequestConstructor.cpp:
     33        (WebCore::V8XMLHttpRequest::constructorCallback):
     34        * loader/DocumentThreadableLoader.cpp:
     35        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
     36        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight):
     37        (WebCore::DocumentThreadableLoader::didReceiveResponse):
     38        (WebCore::DocumentThreadableLoader::preflightSuccess):
     39        (WebCore::DocumentThreadableLoader::isAllowedRedirect):
     40        (WebCore::DocumentThreadableLoader::securityOrigin):
     41        * loader/DocumentThreadableLoader.h:
     42        * loader/ThreadableLoader.h:
     43        * xml/XMLHttpRequest.cpp:
     44        (WebCore::XMLHttpRequest::create):
     45        (WebCore::XMLHttpRequest::XMLHttpRequest):
     46        (WebCore::XMLHttpRequest::securityOrigin):
     47        (WebCore::XMLHttpRequest::responseXML):
     48        (WebCore::XMLHttpRequest::createRequest):
     49        (WebCore::XMLHttpRequest::setRequestHeader):
     50        (WebCore::XMLHttpRequest::getAllResponseHeaders):
     51        (WebCore::XMLHttpRequest::getResponseHeader):
     52        * xml/XMLHttpRequest.h:
     53
    1542011-05-26  Michael Nordman  <michaeln@google.com>
    255

  • trunk/Source/WebCore/bindings/v8/ScriptController.cpp

    r86949 r87423  
    217217}
    218218
     219void ScriptController::setIsolatedWorldSecurityOrigin(int worldID, PassRefPtr<SecurityOrigin> securityOrigin)
     220{
     221    m_proxy->setIsolatedWorldSecurityOrigin(worldID, securityOrigin);
     222}
     223
    219224// Evaluate a script file in the environment of this proxy.
    220225ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)

  • trunk/Source/WebCore/bindings/v8/ScriptController.h

    r85388 r87423  
    100100    void evaluateInIsolatedWorld(unsigned worldID, const Vector<ScriptSourceCode>&, int extensionGroup);
    101101
     102    // Associates an isolated world (see above for description) with a security
     103    // origin. XMLHttpRequest instances used in that world will be considered
     104    // to come from that origin, not the frame's.
     105    void setIsolatedWorldSecurityOrigin(int worldId, PassRefPtr<SecurityOrigin>);
     106
    102107    // Masquerade 'this' as the windowShell.
    103108    // This is a bit of a hack, but provides reasonable compatibility

  • trunk/Source/WebCore/bindings/v8/V8IsolatedContext.cpp

    r84371 r87423  
    3535#include "Frame.h"
    3636#include "FrameLoaderClient.h"
    37 #include "HashMap.h"
     37#include "SecurityOrigin.h"
    3838#include "V8DOMWindow.h"
    3939#include "V8HiddenPropertyName.h"
     
    8888}
    8989
     90void V8IsolatedContext::setSecurityOrigin(PassRefPtr<SecurityOrigin> securityOrigin)
     91{
     92    m_securityOrigin = securityOrigin;
     93}
     94
    9095} // namespace WebCore

  • trunk/Source/WebCore/bindings/v8/V8IsolatedContext.h

    r56166 r87423  
    4141namespace WebCore {
    4242
     43class SecurityOrigin;
    4344class V8Proxy;
    4445
     
    5960    // Creates an isolated world. To destroy it, call destroy().
    6061    // This will delete the isolated world when the context it owns is GC'd.
    61     V8IsolatedContext(V8Proxy* proxy, int extensionGroup);
     62    V8IsolatedContext(V8Proxy*, int extensionGroup);
    6263    ~V8IsolatedContext();
    6364
     
    9495    IsolatedWorld* world() const { return m_world.get(); }
    9596
     97    SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
     98    void setSecurityOrigin(PassRefPtr<SecurityOrigin>);
     99
    96100private:
    97101    static v8::Handle<v8::Object> getGlobalObject(v8::Handle<v8::Context> context)
     
    109113
    110114    RefPtr<IsolatedWorld> m_world;
     115
     116    RefPtr<SecurityOrigin> m_securityOrigin;
    111117};
    112118

  • trunk/Source/WebCore/bindings/v8/V8Proxy.cpp

    r86542 r87423  
    4848#include "PlatformBridge.h"
    4949#include "ScriptSourceCode.h"
     50#include "SecurityOrigin.h"
    5051#include "Settings.h"
    5152#include "StorageNamespace.h"
     
    273274            }
    274275        }
     276       
     277        IsolatedWorldSecurityOriginMap::iterator securityOriginIter = m_isolatedWorldSecurityOrigins.find(worldID);
     278        if (securityOriginIter != m_isolatedWorldSecurityOrigins.end())
     279            isolatedContext->setSecurityOrigin(securityOriginIter->second);
    275280    } else {
    276281        isolatedContext = new V8IsolatedContext(this, extensionGroup);
     
    288293    if (worldID == 0)
    289294      isolatedContext->destroy();
     295}
     296
     297void V8Proxy::setIsolatedWorldSecurityOrigin(int worldID, PassRefPtr<SecurityOrigin> prpSecurityOriginIn)
     298{
     299    ASSERT(worldID);
     300    RefPtr<SecurityOrigin> securityOrigin = prpSecurityOriginIn;
     301    m_isolatedWorldSecurityOrigins.set(worldID, securityOrigin);
     302    IsolatedWorldMap::iterator iter = m_isolatedWorlds.find(worldID);
     303    if (iter != m_isolatedWorlds.end())
     304        iter->second->setSecurityOrigin(securityOrigin);
    290305}
    291306
     
    622637    }
    623638    m_isolatedWorlds.clear();
     639    m_isolatedWorldSecurityOrigins.clear();
    624640}
    625641

  • trunk/Source/WebCore/bindings/v8/V8Proxy.h

    r85395 r87423  
    6060    class ScriptExecutionContext;
    6161    class ScriptSourceCode;
     62    class SecurityOrigin;
    6263    class V8EventListener;
    6364    class V8IsolatedContext;
     
    160161        // constructors.
    161162        void evaluateInIsolatedWorld(int worldId, const Vector<ScriptSourceCode>& sources, int extensionGroup);
     163       
     164        void setIsolatedWorldSecurityOrigin(int worldId, PassRefPtr<SecurityOrigin>);
    162165
    163166        // Returns true if the proxy is currently executing a script in V8.
     
    340343        typedef HashMap<int, V8IsolatedContext*> IsolatedWorldMap;
    341344        IsolatedWorldMap m_isolatedWorlds;
     345       
     346        typedef HashMap<int, RefPtr<SecurityOrigin> > IsolatedWorldSecurityOriginMap;
     347        IsolatedWorldSecurityOriginMap m_isolatedWorldSecurityOrigins;
    342348    };
    343349

  • trunk/Source/WebCore/bindings/v8/custom/V8XMLHttpRequestConstructor.cpp

    r55798 r87423  
    3333
    3434#include "Frame.h"
     35#include "OriginAccessEntry.h"
     36#include "SecurityOrigin.h"
    3537#include "V8Binding.h"
     38#include "V8IsolatedContext.h"
    3639#include "V8Proxy.h"
    3740#include "V8Utilities.h"
     
    5356    if (!context)
    5457        return throwError("XMLHttpRequest constructor's associated context is not available", V8Proxy::ReferenceError);
    55     RefPtr<XMLHttpRequest> xmlHttpRequest = XMLHttpRequest::create(context);
     58
     59    RefPtr<SecurityOrigin> securityOrigin;
     60    if (V8IsolatedContext* isolatedContext = V8IsolatedContext::getEntered())
     61        securityOrigin = isolatedContext->securityOrigin();
     62    RefPtr<XMLHttpRequest> xmlHttpRequest = XMLHttpRequest::create(context, securityOrigin);
    5663    V8DOMWrapper::setDOMWrapper(args.Holder(), &info, xmlHttpRequest.get());
    5764

  • trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

    r86980 r87423  
    6969    , m_options(options)
    7070    , m_optionalOutgoingReferrer(optionalOutgoingReferrer)
    71     , m_sameOriginRequest(document->securityOrigin()->canRequest(request.url()))
     71    , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
    7272    , m_async(blockingBehavior == LoadAsynchronously)
    7373{
     
    9090
    9191    OwnPtr<ResourceRequest> crossOriginRequest = adoptPtr(new ResourceRequest(request));
    92     updateRequestForAccessControl(*crossOriginRequest, m_document->securityOrigin(), m_options.allowCredentials);
     92    updateRequestForAccessControl(*crossOriginRequest, securityOrigin(), m_options.allowCredentials);
    9393
    9494    if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
     
    9797        m_actualRequest = crossOriginRequest.release();
    9898
    99         if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
     99        if (CrossOriginPreflightResultCache::shared().canSkipPreflight(securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
    100100            preflightSuccess();
    101101        else
     
    120120void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
    121121{
    122     ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, m_document->securityOrigin(), m_options.allowCredentials);
     122    ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
    123123    loadRequest(preflightRequest, DoSecurityCheck);
    124124}
     
    177177    String accessControlErrorDescription;
    178178    if (m_actualRequest) {
    179         if (!passesAccessControlCheck(response, m_options.allowCredentials, m_document->securityOrigin(), accessControlErrorDescription)) {
     179        if (!passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription)) {
    180180            preflightFailure(response.url(), accessControlErrorDescription);
    181181            return;
     
    190190        }
    191191
    192         CrossOriginPreflightResultCache::shared().appendEntry(m_document->securityOrigin()->toString(), m_actualRequest->url(), preflightResult.release());
     192        CrossOriginPreflightResultCache::shared().appendEntry(securityOrigin()->toString(), m_actualRequest->url(), preflightResult.release());
    193193    } else {
    194194        if (!m_sameOriginRequest && m_options.crossOriginRequestPolicy == UseAccessControl) {
    195             if (!passesAccessControlCheck(response, m_options.allowCredentials, m_document->securityOrigin(), accessControlErrorDescription)) {
     195            if (!passesAccessControlCheck(response, m_options.allowCredentials, securityOrigin(), accessControlErrorDescription)) {
    196196                m_client->didFail(ResourceError(errorDomainWebKitInternal, 0, response.url().string(), accessControlErrorDescription));
    197197                return;
     
    294294    actualRequest.swap(m_actualRequest);
    295295
    296     actualRequest->setHTTPOrigin(m_document->securityOrigin()->toString());
     296    actualRequest->setHTTPOrigin(securityOrigin()->toString());
    297297
    298298    // It should be ok to skip the security check since we already asked about the preflight request.
     
    369369    // that processes redirects doesn't know about access control and expects a synchronous answer from its client about whether
    370370    // a redirect should proceed.
    371     return m_sameOriginRequest && m_document->securityOrigin()->canRequest(url);
     371    return m_sameOriginRequest && securityOrigin()->canRequest(url);
     372}
     373
     374SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
     375{
     376    return m_options.securityOrigin ? m_options.securityOrigin.get() : m_document->securityOrigin();
    372377}
    373378

  • trunk/Source/WebCore/loader/DocumentThreadableLoader.h

    r84260 r87423  
    4646    class KURL;
    4747    class ResourceRequest;
     48    class SecurityOrigin;
    4849    class ThreadableLoaderClient;
    4950
     
    9596        bool isAllowedRedirect(const KURL&);
    9697
     98        SecurityOrigin* securityOrigin() const;
     99
    97100        RefPtr<SubresourceLoader> m_loader;
    98101        ThreadableLoaderClient* m_client;

  • trunk/Source/WebCore/loader/ThreadableLoader.h

    r86290 r87423  
    3232#define ThreadableLoader_h
    3333
     34#include "SecurityOrigin.h"
    3435#include <wtf/Noncopyable.h>
    3536#include <wtf/PassRefPtr.h>
     37#include <wtf/RefPtr.h>
    3638#include <wtf/Vector.h>
    3739
     
    6365        CrossOriginRequestPolicy crossOriginRequestPolicy;
    6466        bool shouldBufferData;
     67        RefPtr<SecurityOrigin> securityOrigin;
    6568    };
    6669

  • trunk/Source/WebCore/xml/XMLHttpRequest.cpp

    r86251 r87423  
    173173}
    174174
    175 XMLHttpRequest::XMLHttpRequest(ScriptExecutionContext* context)
     175PassRefPtr<XMLHttpRequest> XMLHttpRequest::create(ScriptExecutionContext* context, PassRefPtr<SecurityOrigin> securityOrigin)
     176{
     177    return adoptRef(new XMLHttpRequest(context, securityOrigin));
     178}
     179
     180XMLHttpRequest::XMLHttpRequest(ScriptExecutionContext* context, PassRefPtr<SecurityOrigin> securityOrigin)
    176181    : ActiveDOMObject(context, this)
    177182    , m_async(true)
     
    188193    , m_progressEventThrottle(this)
    189194    , m_responseTypeCode(ResponseTypeDefault)
     195    , m_securityOrigin(securityOrigin)
    190196{
    191197    initializeXMLHttpRequestStaticData();
     
    206212    ASSERT(scriptExecutionContext()->isDocument());
    207213    return static_cast<Document*>(scriptExecutionContext());
     214}
     215
     216SecurityOrigin* XMLHttpRequest::securityOrigin() const
     217{
     218    return m_securityOrigin ? m_securityOrigin.get() : scriptExecutionContext()->securityOrigin();
    208219}
    209220
     
    250261            // FIXME: Set Last-Modified.
    251262            m_responseXML->setContent(m_responseBuilder.toStringPreserveCapacity());
    252             m_responseXML->setSecurityOrigin(document()->securityOrigin());
     263            m_responseXML->setSecurityOrigin(securityOrigin());
    253264            if (!m_responseXML->wellFormed())
    254265                m_responseXML = 0;
     
    618629    }
    619630
    620     m_sameOriginRequest = scriptExecutionContext()->securityOrigin()->canRequest(m_url);
     631    m_sameOriginRequest = securityOrigin()->canRequest(m_url);
    621632
    622633    // We also remember whether upload events should be allowed for this request in case the upload listeners are
     
    642653    options.allowCredentials = m_sameOriginRequest || m_includeCredentials;
    643654    options.crossOriginRequestPolicy = UseAccessControl;
     655    options.securityOrigin = securityOrigin();
    644656
    645657    m_exceptionCode = 0;
     
    824836
    825837    // A privileged script (e.g. a Dashboard widget) can set any headers.
    826     if (!scriptExecutionContext()->securityOrigin()->canLoadLocalResources() && !isSafeRequestHeader(name)) {
     838    if (!securityOrigin()->canLoadLocalResources() && !isSafeRequestHeader(name)) {
    827839        reportUnsafeUsage(scriptExecutionContext(), "Refused to set unsafe header \"" + name + "\"");
    828840        return;
     
    867879        //        know any widely used technique that requires access to them.
    868880        //     3) Firefox has implemented this policy.
    869         if (isSetCookieHeader(it->first) && !scriptExecutionContext()->securityOrigin()->canLoadLocalResources())
     881        if (isSetCookieHeader(it->first) && !securityOrigin()->canLoadLocalResources())
    870882            continue;
    871883
     
    892904
    893905    // See comment in getAllResponseHeaders above.
    894     if (isSetCookieHeader(name) && !scriptExecutionContext()->securityOrigin()->canLoadLocalResources()) {
     906    if (isSetCookieHeader(name) && !securityOrigin()->canLoadLocalResources()) {
    895907        reportUnsafeUsage(scriptExecutionContext(), "Refused to get unsafe header \"" + name + "\"");
    896908        return String();

  • trunk/Source/WebCore/xml/XMLHttpRequest.h

    r84764 r87423  
    4040class DOMFormData;
    4141class ResourceRequest;
     42class SecurityOrigin;
    4243class SharedBuffer;
    4344class TextResourceDecoder;
     
    4748    WTF_MAKE_FAST_ALLOCATED;
    4849public:
    49     static PassRefPtr<XMLHttpRequest> create(ScriptExecutionContext* context) { return adoptRef(new XMLHttpRequest(context)); }
     50    static PassRefPtr<XMLHttpRequest> create(ScriptExecutionContext*, PassRefPtr<SecurityOrigin> = 0);
    5051    ~XMLHttpRequest();
    5152
     
    135136
    136137private:
    137     XMLHttpRequest(ScriptExecutionContext*);
     138    XMLHttpRequest(ScriptExecutionContext*, PassRefPtr<SecurityOrigin>);
    138139
    139140    virtual void refEventTarget() { ref(); }
     
    143144
    144145    Document* document() const;
     146    SecurityOrigin* securityOrigin() const;
    145147
    146148#if ENABLE(DASHBOARD_SUPPORT)
     
    227229    // An enum corresponding to the allowed string values for the responseType attribute.
    228230    ResponseTypeCode m_responseTypeCode;
     231
     232    RefPtr<SecurityOrigin> m_securityOrigin;
    229233};
    230234

  • trunk/Source/WebKit/chromium/ChangeLog

    r87419 r87423  
     12011-05-26  Mihai Parparita  <mihaip@chromium.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        Support cross-origin XMLHttpRequest in isolated worlds
     6        https://bugs.webkit.org/show_bug.cgi?id=59843
     7
     8        Expose setIsolatedWorldSecurityOrigin in the WebFrame API.
     9
     10        * public/WebFrame.h:
     11        * src/WebFrameImpl.cpp:
     12        (WebKit::WebFrameImpl::setIsolatedWorldSecurityOrigin):
     13        * src/WebFrameImpl.h:
     14
    1152011-05-26  Michael Nordman  <michaeln@google.com>
    216

  • trunk/Source/WebKit/chromium/public/WebFrame.h

    r86721 r87423  
    254254        int extensionGroup) = 0;
    255255
     256    // Associates an isolated world (see above for description) with a security
     257    // origin. XMLHttpRequest instances used in that world will be considered
     258    // to come from that origin, not the frame's.
     259    virtual void setIsolatedWorldSecurityOrigin(
     260        int worldId, const WebSecurityOrigin&) = 0;
     261
    256262    // Logs to the console associated with this frame.
    257263    virtual void addMessageToConsole(const WebConsoleMessage&) = 0;

  • trunk/Source/WebKit/chromium/src/WebFrameImpl.cpp

    r87260 r87423  
    790790}
    791791
     792void WebFrameImpl::setIsolatedWorldSecurityOrigin(int worldId, const WebSecurityOrigin& securityOrigin)
     793{
     794    m_frame->script()->setIsolatedWorldSecurityOrigin(worldId, securityOrigin.get());
     795}
     796
    792797void WebFrameImpl::addMessageToConsole(const WebConsoleMessage& message)
    793798{

  • trunk/Source/WebKit/chromium/src/WebFrameImpl.h

    r86721 r87423  
    105105        int worldId, const WebScriptSource* sources, unsigned numSources,
    106106        int extensionGroup);
     107    virtual void setIsolatedWorldSecurityOrigin(int worldId, const WebSecurityOrigin&);
    107108    virtual void addMessageToConsole(const WebConsoleMessage&);
    108109    virtual void collectGarbage();

  • trunk/Tools/ChangeLog

    r87421 r87423  
     12011-05-26  Mihai Parparita  <mihaip@chromium.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        Support cross-origin XMLHttpRequest in isolated worlds
     6        https://bugs.webkit.org/show_bug.cgi?id=59843
     7
     8        Expose setIsolatedWorldSecurityOrigin in LayoutTestController.
     9
     10        * DumpRenderTree/chromium/LayoutTestController.cpp:
     11        (LayoutTestController::LayoutTestController):
     12        (LayoutTestController::setIsolatedWorldSecurityOrigin):
     13        * DumpRenderTree/chromium/LayoutTestController.h:
     14
    1152011-05-25  Brian Weinstein  <bweinstein@apple.com>
    216

  • trunk/Tools/DumpRenderTree/chromium/LayoutTestController.cpp

    r87313 r87423  
    109109    bindMethod("evaluateInWebInspector", &LayoutTestController::evaluateInWebInspector);
    110110    bindMethod("evaluateScriptInIsolatedWorld", &LayoutTestController::evaluateScriptInIsolatedWorld);
     111    bindMethod("setIsolatedWorldSecurityOrigin", &LayoutTestController::setIsolatedWorldSecurityOrigin);
    111112    bindMethod("execCommand", &LayoutTestController::execCommand);
    112113    bindMethod("grantDesktopNotificationPermission", &LayoutTestController::grantDesktopNotificationPermission);
     
    12881289}
    12891290
     1291void LayoutTestController::setIsolatedWorldSecurityOrigin(const CppArgumentList& arguments, CppVariant* result)
     1292{
     1293    result->setNull();
     1294
     1295    if (arguments.size() != 2 || !arguments[0].isNumber() || !arguments[1].isString())
     1296        return;
     1297
     1298    m_shell->webView()->focusedFrame()->setIsolatedWorldSecurityOrigin(
     1299        arguments[0].toInt32(),
     1300        WebSecurityOrigin::createFromString(cppVariantToWebString(arguments[1])));
     1301}
     1302
    12901303void LayoutTestController::setAllowUniversalAccessFromFileURLs(const CppArgumentList& arguments, CppVariant* result)
    12911304{

  • trunk/Tools/DumpRenderTree/chromium/LayoutTestController.h

    r87313 r87423  
    267267    void setJavaScriptCanAccessClipboard(const CppArgumentList&, CppVariant*);
    268268    void setXSSAuditorEnabled(const CppArgumentList&, CppVariant*);
    269     void evaluateScriptInIsolatedWorld(const CppArgumentList&, CppVariant*);
    270269    void overridePreference(const CppArgumentList&, CppVariant*);
    271270    void setAllowUniversalAccessFromFileURLs(const CppArgumentList&, CppVariant*);
     
    273272    void setAllowFileAccessFromFileURLs(const CppArgumentList&, CppVariant*);
    274273    void setAllowRunningOfInsecureContent(const CppArgumentList&, CppVariant*);
     274
     275    void evaluateScriptInIsolatedWorld(const CppArgumentList&, CppVariant*);
     276    void setIsolatedWorldSecurityOrigin(const CppArgumentList&, CppVariant*);
    275277
    276278    void shadowRoot(const CppArgumentList&, CppVariant*);
Note: See TracChangeset for help on using the changeset viewer.