| Index: Source/core/frame/LocalDOMWindow.cpp
|
| diff --git a/Source/core/frame/LocalDOMWindow.cpp b/Source/core/frame/LocalDOMWindow.cpp
|
| index 6f4e6ec346538fefab490d39a3bed0beb2a49eda..99da6490b4dfbf8f55e76e1c63eb30c09d9aa044 100644
|
| --- a/Source/core/frame/LocalDOMWindow.cpp
|
| +++ b/Source/core/frame/LocalDOMWindow.cpp
|
| @@ -1500,84 +1500,6 @@ void LocalDOMWindow::printErrorMessage(const String& message)
|
| frameConsole()->addMessage(ConsoleMessage::create(JSMessageSource, ErrorMessageLevel, message));
|
| }
|
|
|
| -// FIXME: Once we're throwing exceptions for cross-origin access violations, we will always sanitize the target
|
| -// frame details, so we can safely combine 'crossDomainAccessErrorMessage' with this method after considering
|
| -// exactly which details may be exposed to JavaScript.
|
| -//
|
| -// http://crbug.com/17325
|
| -String LocalDOMWindow::sanitizedCrossDomainAccessErrorMessage(LocalDOMWindow* callingWindow)
|
| -{
|
| - if (!callingWindow || !callingWindow->document())
|
| - return String();
|
| -
|
| - const KURL& callingWindowURL = callingWindow->document()->url();
|
| - if (callingWindowURL.isNull())
|
| - return String();
|
| -
|
| - ASSERT(!callingWindow->document()->securityOrigin()->canAccess(document()->securityOrigin()));
|
| -
|
| - SecurityOrigin* activeOrigin = callingWindow->document()->securityOrigin();
|
| - String message = "Blocked a frame with origin \"" + activeOrigin->toString() + "\" from accessing a cross-origin frame.";
|
| -
|
| - // FIXME: Evaluate which details from 'crossDomainAccessErrorMessage' may safely be reported to JavaScript.
|
| -
|
| - return message;
|
| -}
|
| -
|
| -String LocalDOMWindow::crossDomainAccessErrorMessage(LocalDOMWindow* callingWindow)
|
| -{
|
| - if (!callingWindow || !callingWindow->document())
|
| - return String();
|
| -
|
| - const KURL& callingWindowURL = callingWindow->document()->url();
|
| - if (callingWindowURL.isNull())
|
| - return String();
|
| -
|
| - ASSERT(!callingWindow->document()->securityOrigin()->canAccess(document()->securityOrigin()));
|
| -
|
| - // FIXME: This message, and other console messages, have extra newlines. Should remove them.
|
| - SecurityOrigin* activeOrigin = callingWindow->document()->securityOrigin();
|
| - SecurityOrigin* targetOrigin = document()->securityOrigin();
|
| - String message = "Blocked a frame with origin \"" + activeOrigin->toString() + "\" from accessing a frame with origin \"" + targetOrigin->toString() + "\". ";
|
| -
|
| - // Sandbox errors: Use the origin of the frames' location, rather than their actual origin (since we know that at least one will be "null").
|
| - KURL activeURL = callingWindow->document()->url();
|
| - KURL targetURL = document()->url();
|
| - if (document()->isSandboxed(SandboxOrigin) || callingWindow->document()->isSandboxed(SandboxOrigin)) {
|
| - message = "Blocked a frame at \"" + SecurityOrigin::create(activeURL)->toString() + "\" from accessing a frame at \"" + SecurityOrigin::create(targetURL)->toString() + "\". ";
|
| - if (document()->isSandboxed(SandboxOrigin) && callingWindow->document()->isSandboxed(SandboxOrigin))
|
| - return "Sandbox access violation: " + message + " Both frames are sandboxed and lack the \"allow-same-origin\" flag.";
|
| - if (document()->isSandboxed(SandboxOrigin))
|
| - return "Sandbox access violation: " + message + " The frame being accessed is sandboxed and lacks the \"allow-same-origin\" flag.";
|
| - return "Sandbox access violation: " + message + " The frame requesting access is sandboxed and lacks the \"allow-same-origin\" flag.";
|
| - }
|
| -
|
| - // Protocol errors: Use the URL's protocol rather than the origin's protocol so that we get a useful message for non-heirarchal URLs like 'data:'.
|
| - if (targetOrigin->protocol() != activeOrigin->protocol())
|
| - return message + " The frame requesting access has a protocol of \"" + activeURL.protocol() + "\", the frame being accessed has a protocol of \"" + targetURL.protocol() + "\". Protocols must match.\n";
|
| -
|
| - // 'document.domain' errors.
|
| - if (targetOrigin->domainWasSetInDOM() && activeOrigin->domainWasSetInDOM())
|
| - return message + "The frame requesting access set \"document.domain\" to \"" + activeOrigin->domain() + "\", the frame being accessed set it to \"" + targetOrigin->domain() + "\". Both must set \"document.domain\" to the same value to allow access.";
|
| - if (activeOrigin->domainWasSetInDOM())
|
| - return message + "The frame requesting access set \"document.domain\" to \"" + activeOrigin->domain() + "\", but the frame being accessed did not. Both must set \"document.domain\" to the same value to allow access.";
|
| - if (targetOrigin->domainWasSetInDOM())
|
| - return message + "The frame being accessed set \"document.domain\" to \"" + targetOrigin->domain() + "\", but the frame requesting access did not. Both must set \"document.domain\" to the same value to allow access.";
|
| -
|
| - // Default.
|
| - return message + "Protocols, domains, and ports must match.";
|
| -}
|
| -
|
| -bool LocalDOMWindow::isInsecureScriptAccess(DOMWindow& callingWindow, const String& urlString)
|
| -{
|
| - if (!DOMWindow::isInsecureScriptAccess(callingWindow, urlString))
|
| - return false;
|
| -
|
| - if (callingWindow.isLocalDOMWindow())
|
| - printErrorMessage(crossDomainAccessErrorMessage(static_cast<LocalDOMWindow*>(&callingWindow)));
|
| - return true;
|
| -}
|
| -
|
| PassRefPtrWillBeRawPtr<DOMWindow> LocalDOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,
|
| LocalDOMWindow* callingWindow, LocalDOMWindow* enteredWindow)
|
| {
|
|
|
Chromium Code Reviews
Issue 1085973003:
Make error messages for cross-domain access OOPIF-friendly. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master