OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
43 | 43 |
44 static bool isOriginAccessibleFromDOMWindow(const SecurityOrigin* targetOrigin, const LocalDOMWindow* accessingWindow) | 44 static bool isOriginAccessibleFromDOMWindow(const SecurityOrigin* targetOrigin, const LocalDOMWindow* accessingWindow) |
45 { | 45 { |
46 return accessingWindow && accessingWindow->document()->getSecurityOrigin()-> canAccessCheckSuborigins(targetOrigin); | 46 return accessingWindow && accessingWindow->document()->getSecurityOrigin()-> canAccessCheckSuborigins(targetOrigin); |
47 } | 47 } |
48 | 48 |
49 static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing Window, const SecurityOrigin* targetFrameOrigin, const DOMWindow* targetWindow, ExceptionState& exceptionState) | 49 static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing Window, const SecurityOrigin* targetFrameOrigin, const DOMWindow* targetWindow, ExceptionState& exceptionState) |
50 { | 50 { |
51 ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); | 51 ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); |
52 | 52 |
53 if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) | 53 // It's important to check that targetWindow is a LocalDOMWindow: it's |
54 // possible for a remote frame and local frame to have the same security | |
55 // origin, depending on the model being used to allocate Frames between | |
56 // processes. See https://crbug.com/601629 | |
Charlie Reis
2016/04/13 16:45:56
nit: End with period, here and below (as you did i
dcheng
2016/04/13 17:13:01
Done.
| |
57 if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targ etFrameOrigin, accessingWindow)) | |
54 return true; | 58 return true; |
55 | 59 |
56 if (targetWindow) | 60 if (targetWindow) |
57 exceptionState.throwSecurityError(targetWindow->sanitizedCrossDomainAcce ssErrorMessage(accessingWindow), targetWindow->crossDomainAccessErrorMessage(acc essingWindow)); | 61 exceptionState.throwSecurityError(targetWindow->sanitizedCrossDomainAcce ssErrorMessage(accessingWindow), targetWindow->crossDomainAccessErrorMessage(acc essingWindow)); |
58 return false; | 62 return false; |
59 } | 63 } |
60 | 64 |
61 static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing Window, SecurityOrigin* targetFrameOrigin, const DOMWindow* targetWindow, Securi tyReportingOption reportingOption = ReportSecurityError) | 65 static bool canAccessFrame(v8::Isolate* isolate, const LocalDOMWindow* accessing Window, SecurityOrigin* targetFrameOrigin, const DOMWindow* targetWindow, Securi tyReportingOption reportingOption = ReportSecurityError) |
62 { | 66 { |
63 ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); | 67 ASSERT_WITH_SECURITY_IMPLICATION(!(targetWindow && targetWindow->frame()) || targetWindow == targetWindow->frame()->domWindow()); |
64 | 68 |
65 if (isOriginAccessibleFromDOMWindow(targetFrameOrigin, accessingWindow)) | 69 // It's important to check that targetWindow is a LocalDOMWindow: it's |
70 // possible for a remote frame and local frame to have the same security | |
71 // origin, depending on the model being used to allocate Frames between | |
72 // processes. See https://crbug.com/601629 | |
73 if (targetWindow->isLocalDOMWindow() && isOriginAccessibleFromDOMWindow(targ etFrameOrigin, accessingWindow)) | |
66 return true; | 74 return true; |
67 | 75 |
68 if (reportingOption == ReportSecurityError && targetWindow) | 76 if (reportingOption == ReportSecurityError && targetWindow) |
69 accessingWindow->printErrorMessage(targetWindow->crossDomainAccessErrorM essage(accessingWindow)); | 77 accessingWindow->printErrorMessage(targetWindow->crossDomainAccessErrorM essage(accessingWindow)); |
70 return false; | 78 return false; |
71 } | 79 } |
72 | 80 |
73 bool BindingSecurity::shouldAllowAccessTo(v8::Isolate* isolate, const LocalDOMWi ndow* accessingWindow, const DOMWindow* target, ExceptionState& exceptionState) | 81 bool BindingSecurity::shouldAllowAccessTo(v8::Isolate* isolate, const LocalDOMWi ndow* accessingWindow, const DOMWindow* target, ExceptionState& exceptionState) |
74 { | 82 { |
75 ASSERT(target); | 83 ASSERT(target); |
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
146 } | 154 } |
147 | 155 |
148 bool BindingSecurity::shouldAllowAccessToFrame(v8::Isolate* isolate, const Local DOMWindow* accessingWindow, const Frame* target, SecurityReportingOption reporti ngOption) | 156 bool BindingSecurity::shouldAllowAccessToFrame(v8::Isolate* isolate, const Local DOMWindow* accessingWindow, const Frame* target, SecurityReportingOption reporti ngOption) |
149 { | 157 { |
150 if (!target || !target->securityContext()) | 158 if (!target || !target->securityContext()) |
151 return false; | 159 return false; |
152 return canAccessFrame(isolate, accessingWindow, target->securityContext()->g etSecurityOrigin(), target->domWindow(), reportingOption); | 160 return canAccessFrame(isolate, accessingWindow, target->securityContext()->g etSecurityOrigin(), target->domWindow(), reportingOption); |
153 } | 161 } |
154 | 162 |
155 } // namespace blink | 163 } // namespace blink |
OLD | NEW |