
Side by Side Diff: third_party/WebKit/Source/core/frame/History.cpp

Issue 1495013002: Check for equality of the URL's origin in replaceState/pushState (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Put all logic in History.cpp, change tests to testharness Created 5 years ago
1 /* 1 /*
2 * Copyright (C) 2007 Apple Inc. All rights reserved. 2 * Copyright (C) 2007 Apple Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
36 #include "core/loader/HistoryItem.h" 36 #include "core/loader/HistoryItem.h"
37 #include "core/loader/NavigationScheduler.h" 37 #include "core/loader/NavigationScheduler.h"
38 #include "core/page/Page.h" 38 #include "core/page/Page.h"
39 #include "platform/RuntimeEnabledFeatures.h" 39 #include "platform/RuntimeEnabledFeatures.h"
40 #include "platform/weborigin/KURL.h" 40 #include "platform/weborigin/KURL.h"
41 #include "platform/weborigin/SecurityOrigin.h" 41 #include "platform/weborigin/SecurityOrigin.h"
42 #include "wtf/MainThread.h" 42 #include "wtf/MainThread.h"
43 43
44 namespace blink { 44 namespace blink {
45 45
46 namespace {
47
48 bool equalIgnoringPathQueryAndFragment(const KURL& a, const KURL& b)
49 {
50 int aLength = a.pathStart();
51 int bLength = b.pathStart();
52
53 if (aLength != bLength)
54 return false;
55
56 const String& aString = a.string();
57 const String& bString = b.string();
58 for (int i = 0; i < aLength; ++i) {
59 if (aString[i] != bString[i])
60 return false;
61 }
62 return true;
63 }
64
65 } // namespace
66
46 History::History(LocalFrame* frame) 67 History::History(LocalFrame* frame)
47 : DOMWindowProperty(frame) 68 : DOMWindowProperty(frame)
48 , m_lastStateObjectRequested(nullptr) 69 , m_lastStateObjectRequested(nullptr)
49 { 70 {
50 } 71 }
51 72
52 DEFINE_TRACE(History) 73 DEFINE_TRACE(History)
53 { 74 {
54 DOMWindowProperty::trace(visitor); 75 DOMWindowProperty::trace(visitor);
55 } 76 }
155 Document* document = m_frame->document(); 176 Document* document = m_frame->document();
156 177
157 if (urlString.isNull()) 178 if (urlString.isNull())
158 return document->url(); 179 return document->url();
159 if (urlString.isEmpty()) 180 if (urlString.isEmpty())
160 return document->baseURL(); 181 return document->baseURL();
161 182
162 return KURL(document->baseURL(), urlString); 183 return KURL(document->baseURL(), urlString);
163 } 184 }
164 185
186 bool History::canChangeToUrl(const KURL& url)
187 {
188 if (!url.isValid())
Mike West 2015/12/08 17:34:59 Nit: Can you assert that you have `m_frame` and `m
robwu 2015/12/08 20:31:47 This is already implied by the existing code. `m_f
189 return false;
190
191 Document* document = m_frame->document();
192 SecurityOrigin* origin = document->securityOrigin();
193 if (origin->isGrantedUniversalAccess())
194 return true;
195
196 if (origin->isUnique())
197 return false;
198
199 if (!equalIgnoringPathQueryAndFragment(url, document->url()))
200 return false;
201
202 RefPtr<SecurityOrigin> requestedOrigin = SecurityOrigin::create(url);
203 if (requestedOrigin->isUnique() || !requestedOrigin->isSameSchemeHostPort(or igin))
204 return false;
205
206 return true;
207 }
208
165 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str ing& /* title */, const String& urlString, HistoryScrollRestorationType restorat ionType, FrameLoadType type, ExceptionState& exceptionState) 209 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str ing& /* title */, const String& urlString, HistoryScrollRestorationType restorat ionType, FrameLoadType type, ExceptionState& exceptionState)
166 { 210 {
167 if (!m_frame || !m_frame->page() || !m_frame->loader().documentLoader()) 211 if (!m_frame || !m_frame->page() || !m_frame->loader().documentLoader())
168 return; 212 return;
169 213
170 KURL fullURL = urlForState(urlString); 214 KURL fullURL = urlForState(urlString);
171 if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->canRequest (fullURL)) { 215 if (!canChangeToUrl(fullURL)) {
172 // We can safely expose the URL to JavaScript, as a) no redirection take s place: JavaScript already had this URL, b) JavaScript can only access a same-o rigin History object. 216 // We can safely expose the URL to JavaScript, as a) no redirection take s place: JavaScript already had this URL, b) JavaScript can only access a same-o rigin History object.
173 exceptionState.throwSecurityError("A history state object with URL '" + fullURL.elidedString() + "' cannot be created in a document with origin '" + m_f rame->document()->securityOrigin()->toString() + "'."); 217 exceptionState.throwSecurityError("A history state object with URL '" + fullURL.elidedString() + "' cannot be created in a document with origin '" + m_f rame->document()->securityOrigin()->toString() + "' and URL '" + m_frame->docume nt()->url().elidedString() + "'.");
174 return; 218 return;
175 } 219 }
176 220
177 m_frame->loader().updateForSameDocumentNavigation(fullURL, SameDocumentNavig ationHistoryApi, data, restorationType, type); 221 m_frame->loader().updateForSameDocumentNavigation(fullURL, SameDocumentNavig ationHistoryApi, data, restorationType, type);
178 } 222 }
179 223
180 } // namespace blink 224 } // namespace blink
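Review bot: `canChangeToUrl` (new lines 186-207) stacks a raw string-prefix comparison on top of `isSameSchemeHostPort` without saying why both are needed, so a later cleanup is likely to drop one of them. A comment above the `equalIgnoringPathQueryAndFragment` call such as `// Compare the serialized scheme://host:port prefix as well as the origin: the origin check alone would accept URLs that differ only in userinfo, and for non-hierarchical schemes (data:, blob:) pathStart() makes the prefix just the scheme, so the SecurityOrigin comparison below is what actually rejects them.` would capture the intent; the userinfo reading is mine and should be confirmed against KURL canonicalization. The `if (origin->isUnique()) return false;` branch also deserves a one-line note that it deliberately rejects even fragment-only changes from sandboxed and `data:` documents, if that is intended. Note that the helper trusts `pathStart()` for every valid KURL: if it is ever 0 for both URLs the loop compares nothing and returns true, leaving the origin check as the only barrier.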
