Chromium Code Reviews

Unified Diff: Source/platform/weborigin/SecurityOrigin.h

Issue 1180923003: Add window access checks for Suborigins (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Fix tests on Windows Created 5 years, 6 months ago
Index: Source/platform/weborigin/SecurityOrigin.h
diff --git a/Source/platform/weborigin/SecurityOrigin.h b/Source/platform/weborigin/SecurityOrigin.h
index 030aaf75963966c795a47f6c6b51e542884e2c9e..c8770e1e375eb6aa18bfc8e445bce937ca69954d 100644
--- a/Source/platform/weborigin/SecurityOrigin.h
+++ b/Source/platform/weborigin/SecurityOrigin.h
@@ -93,11 +93,26 @@ public:
// another SecurityOrigin.
bool canAccess(const SecurityOrigin*) const;
+ // Same as canAccess, except that it adds an additional check to make sure
+ // that the SecurityOrigins have the same suborigin name. If you're not
+ // familiar with Suborigins, you probably want canAccess() for now.
+ // Suborigins is a spec in progress, and where it should be enforced is
+ // still in flux. See https://crbug.com/336894 for more details.
+ bool canAccessCheckSuborigins(const SecurityOrigin*) const;
+
// Returns true if this SecurityOrigin can read content retrieved from
// the given URL. For example, call this function before issuing
// XMLHttpRequests.
bool canRequest(const KURL&) const;
+ // Same as canRequest, except that it adds an additional check to make sure
+ // that the SecurityOrigin does not have a suborigin name. Like with
+ // canAccessCheckSuborigins() above, if you're not familiar with
+ // Suborigins, you probably want canRequest() for now. Suborigins is a spec
+ // in progress, and where it should be enforced is still in flux. See
+ // https://crbug.com/336894 for more details.
+ bool canRequestNoSuborigin(const KURL&) const;
+
// Returns true if drawing an image from this URL taints a canvas from
// this security origin. For example, call this function before
// drawing an image onto an HTML canvas element with the drawImage API.
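Review bot: The comment on canRequestNoSuborigin() does not say what the function returns when this origin does have a suborigin name, and the two new names encode different rules (canAccessCheckSuborigins() requires the same suborigin name, canRequestNoSuborigin() requires no suborigin name) without the comments explaining why access and request differ. State the failure result explicitly, for example "Returns false if this origin has a suborigin name". Since both comments steer callers to the unchecked canAccess()/canRequest(), also note which call sites are expected to use the checked variants, so that the suborigin check is not skipped by default.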
@@ -206,6 +221,7 @@ public:
// This method checks for equality, ignoring the value of document.domain
// (and whether it was set) but considering the host. It is used for postMessage.
bool isSameSchemeHostPort(const SecurityOrigin*) const;
+ bool isSameSchemeHostPortAndSuborigin(const SecurityOrigin*) const;
bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseIdentifierQuirkForFiles; }
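Review bot: isSameSchemeHostPortAndSuborigin() is added with no comment of its own, directly under a comment that describes isSameSchemeHostPort() and says "It is used for postMessage", so it is unclear which of the two postMessage is now expected to call. Add a short comment stating that it also compares the suborigin name, how two origins without a suborigin compare, and whether document.domain is ignored as in isSameSchemeHostPort().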
@@ -228,6 +244,7 @@ private:
friend class SecurityOriginTest;
friend class SecurityOriginTest_Suborigins_Test;
friend class SecurityOriginTest_SuboriginsParsing_Test;
+ friend class SecurityOriginTest_SuboriginsIsSameSchemeHostPortAndSuborigin_Test;
SecurityOrigin();
explicit SecurityOrigin(const KURL&);
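Review bot: The new friend line grants SecurityOriginTest_SuboriginsIsSameSchemeHostPortAndSuborigin_Test access to private members, but the method it is named after is added in the public section of this header. If the test only calls public API, drop the friend declaration; if it needs private state, say which member, so the friend list does not grow by one entry per test.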