Changeset 96260 in webkit
- Timestamp:
- Sep 28, 2011 2:01:37 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 5 edited
trunk/LayoutTests/ChangeLog
r96258 r96260 1 2011-09-28 Sergey Glazunov <serg.glazunov@gmail.com> 2 3 JavaScript generated documents don't inherit the cookie URL 4 https://bugs.webkit.org/show_bug.cgi?id=69003 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/cookies/cookie-theft-with-javascript-doc-expected.txt: Added. 9 * http/tests/security/cookies/cookie-theft-with-javascript-doc.html: Added. 10 * http/tests/security/cookies/resources/innocent-victim-with-cookies.html: Added. 11 1 12 2011-09-28 Dimitri Glazkov <dglazkov@chromium.org> 2 13 -
trunk/Source/WebCore/ChangeLog
r96258 r96260 1 2011-09-28 Sergey Glazunov <serg.glazunov@gmail.com> 2 3 JavaScript generated documents don't inherit the cookie URL 4 https://bugs.webkit.org/show_bug.cgi?id=69003 5 6 Reviewed by Adam Barth. 7 8 Test: http/tests/security/cookies/cookie-theft-with-javascript-doc.html 9 10 * dom/Document.h: 11 (WebCore::Document::setCookieURL): 12 * loader/DocumentWriter.cpp: 13 (WebCore::DocumentWriter::replaceDocument): 14 (WebCore::DocumentWriter::begin): 15 * loader/DocumentWriter.h: 16 1 17 2011-09-27 Dimitri Glazkov <dglazkov@chromium.org> 2 18 -
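--- a/trunk/Source/WebCore/dom/Document.h
+++ b/trunk/Source/WebCore/dom/Document.h
@@ -824,4 +824,5 @@
 //
 const KURL& cookieURL() const { return m_cookieURL; }
+void setCookieURL(const KURL& url) { m_cookieURL = url; }
 
 // The firstPartyForCookies is used to compute whether this document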
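Review bot: The new public `setCookieURL` has no comment saying who may call it, although the value it overwrites decides which cookies the document can read and write. A one-line comment above it would make the intended use explicit, for example `// Only for DocumentWriter, to carry the cookie URL over to a document that replaces this one.`; the only call visible on this page is in DocumentWriter::begin().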
trunk/Source/WebCore/loader/DocumentWriter.cpp
r95901 r96260 68 68 { 69 69 m_frame->loader()->stopAllLoaders(); 70 begin(m_frame->document()->url(), true, m_frame->document()->securityOrigin());70 begin(m_frame->document()->url(), true, InheritSecurityOrigin); 71 71 72 72 if (!source.isNull()) { … … 107 107 } 108 108 109 void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin) 110 { 111 // We need to take a reference to the security origin because |clear| 112 // might destroy the document that owns it. 113 RefPtr<SecurityOrigin> forcedSecurityOrigin = origin; 109 void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOriginSource originSource) 110 { 111 RefPtr<Document> oldDocument = m_frame->document(); 114 112 115 113 // We grab a local copy of the URL because it's easy for callers to supply … … 140 138 if (m_decoder) 141 139 document->setDecoder(m_decoder.get()); 142 if (forcedSecurityOrigin) 143 document->setSecurityOrigin(forcedSecurityOrigin.get()); 140 if (originSource == InheritSecurityOrigin) { 141 document->setCookieURL(oldDocument->cookieURL()); 142 document->setSecurityOrigin(oldDocument->securityOrigin()); 143 } 144 144 145 145 m_frame->domWindow()->setURL(document->url()); -
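Review bot: In begin(), the InheritSecurityOrigin branch dereferences `oldDocument` without checking it, so a caller that passes InheritSecurityOrigin on a frame with no current document would crash at `oldDocument->cookieURL()`. The only caller shown here, replaceDocument(), already dereferences m_frame->document() before calling begin(), so this is presumably safe today, but begin() is public and the precondition is unstated; `ASSERT(oldDocument);` as the first line of the branch would pin it. The removed comment about holding a reference across |clear| was also dropped without a replacement, and the new RefPtr seems to serve the same lifetime purpose: `// Keep the old document alive; |clear| might destroy it and we read its cookie URL and origin below.` above `RefPtr<Document> oldDocument` would preserve that reasoning. The body of begin() is only partly visible in this section.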
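--- a/trunk/Source/WebCore/loader/DocumentWriter.h
+++ b/trunk/Source/WebCore/loader/DocumentWriter.h
@@ -50,6 +50,8 @@
 void replaceDocument(const String&);
 
+enum SecurityOriginSource { CreateNewSecurityOrigin, InheritSecurityOrigin };
+
 void begin();
-void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOrigin * forcedSecurityOrigin = 0);
+void begin(const KURL&, bool dispatchWindowObjectAvailable = true, SecurityOriginSource = CreateNewSecurityOrigin);
 void addData(const char* bytes, size_t length);
 void end();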
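Review bot: The `SecurityOriginSource` enum is undocumented, and its name mentions only the security origin, while in DocumentWriter.cpp the `InheritSecurityOrigin` value also copies the previous document's cookie URL. A short comment on the enum would keep future callers from assuming it affects the origin alone, for example `// InheritSecurityOrigin copies both the security origin and the cookie URL from the document being replaced; it requires an existing document.`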