Chromium Code Reviews Chromium Code Reviews
Issue 1311253005:
Use Document of callingWindow for access check in isInsecureScriptAccess() (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/DOMWindow.h" | 6 #include "core/frame/DOMWindow.h" |
| 7 | 7 |
| 8 #include "bindings/core/v8/ScriptCallStackFactory.h" | 8 #include "bindings/core/v8/ScriptCallStackFactory.h" |
| 9 #include "core/dom/Document.h" | 9 #include "core/dom/Document.h" |
| 10 #include "core/dom/ExceptionCode.h" | 10 #include "core/dom/ExceptionCode.h" |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 130 | 130 |
| 131 // If this DOMWindow isn't currently active in the Frame, then there's no | 131 // If this DOMWindow isn't currently active in the Frame, then there's no |
| 132 // way we should allow the access. | 132 // way we should allow the access. |
| 133 if (isCurrentlyDisplayedInFrame()) { | 133 if (isCurrentlyDisplayedInFrame()) { |
| 134 // FIXME: Is there some way to eliminate the need for a separate "callin gWindow == this" check? | 134 // FIXME: Is there some way to eliminate the need for a separate "callin gWindow == this" check? |
| 135 if (&callingWindow == this) | 135 if (&callingWindow == this) |
| 136 return false; | 136 return false; |
| 137 | 137 |
| 138 // FIXME: The name canAccess seems to be a roundabout way to ask "can ex ecute script". | 138 // FIXME: The name canAccess seems to be a roundabout way to ask "can ex ecute script". |
| 139 // Can we name the SecurityOrigin function better to make this more clea r? | 139 // Can we name the SecurityOrigin function better to make this more clea r? |
| 140 if (callingWindow.frame()->securityContext()->securityOrigin()->canAcces sCheckSuborigins(frame()->securityContext()->securityOrigin())) | 140 if (callingWindow.document()->securityOrigin()->canAccessCheckSuborigins (frame()->securityContext()->securityOrigin())) |
|
dcheng
2015/08/24 23:49:44
Sorry for missing this in the original review. I t
| |
| 141 return false; | 141 return false; |
| 142 } | 142 } |
| 143 | 143 |
| 144 callingWindow.printErrorMessage(crossDomainAccessErrorMessage(&callingWindow )); | 144 callingWindow.printErrorMessage(crossDomainAccessErrorMessage(&callingWindow )); |
| 145 return true; | 145 return true; |
| 146 } | 146 } |
| 147 | 147 |
| 148 void DOMWindow::resetLocation() | 148 void DOMWindow::resetLocation() |
| 149 { | 149 { |
| 150 // Location needs to be reset manually because it doesn't inherit from DOMWi ndowProperty. | 150 // Location needs to be reset manually because it doesn't inherit from DOMWi ndowProperty. |
| (...skipping 177 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 328 m_windowIsClosing = true; | 328 m_windowIsClosing = true; |
| 329 } | 329 } |
| 330 | 330 |
| 331 DEFINE_TRACE(DOMWindow) | 331 DEFINE_TRACE(DOMWindow) |
| 332 { | 332 { |
| 333 visitor->trace(m_location); | 333 visitor->trace(m_location); |
| 334 EventTargetWithInlineData::trace(visitor); | 334 EventTargetWithInlineData::trace(visitor); |
| 335 } | 335 } |
| 336 | 336 |
| 337 } // namespace blink | 337 } // namespace blink |
| OLD | NEW |
