Source/core/html/HTMLAnchorElement.cpp - Issue 197033005: Ignore suggested download filename for cross origin links.

Side by Side Diff: Source/core/html/HTMLAnchorElement.cpp

Issue 197033005: Ignore suggested download filename for cross origin links. (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Created 6 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)	2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)

3 * (C) 1999 Antti Koivisto (koivisto@kde.org)	3 * (C) 1999 Antti Koivisto (koivisto@kde.org)

4 * (C) 2000 Simon Hausmann <hausmann@kde.org>	4 * (C) 2000 Simon Hausmann <hausmann@kde.org>

5 * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserv ed.	5 * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserv ed.

6 * (C) 2006 Graham Dennis (graham.dennis@gmail.com)	6 * (C) 2006 Graham Dennis (graham.dennis@gmail.com)

7 *	7 *

8 * This library is free software; you can redistribute it and/or	8 * This library is free software; you can redistribute it and/or

9 * modify it under the terms of the GNU Library General Public	9 * modify it under the terms of the GNU Library General Public

10 * License as published by the Free Software Foundation; either	10 * License as published by the Free Software Foundation; either

(...skipping 413 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
424 ResourceRequest request(completedURL);	424 ResourceRequest request(completedURL);

425 if (prefetchEventHandler()->hasIssuedPreconnect())	425 if (prefetchEventHandler()->hasIssuedPreconnect())

426 frame->loader().client()->dispatchWillRequestAfterPreconnect(request);	426 frame->loader().client()->dispatchWillRequestAfterPreconnect(request);

427 if (hasAttribute(downloadAttr)) {	427 if (hasAttribute(downloadAttr)) {

428 if (!hasRel(RelationNoReferrer)) {	428 if (!hasRel(RelationNoReferrer)) {

429 String referrer = SecurityPolicy::generateReferrerHeader(document(). referrerPolicy(), completedURL, document().outgoingReferrer());	429 String referrer = SecurityPolicy::generateReferrerHeader(document(). referrerPolicy(), completedURL, document().outgoingReferrer());

430 if (!referrer.isEmpty())	430 if (!referrer.isEmpty())

431 request.setHTTPReferrer(Referrer(referrer, document().referrerPo licy()));	431 request.setHTTPReferrer(Referrer(referrer, document().referrerPo licy()));

432 }	432 }

433	433

434 frame->loader().client()->loadURLExternally(request, NavigationPolicyDow nload, fastGetAttribute(downloadAttr));	434 bool isSameOrigin = document().securityOrigin()->canRequest(completedURL );

	435 const AtomicString& suggestedName = (isSameOrigin ? fastGetAttribute(dow nloadAttr) : nullAtom);

	436

	437 frame->loader().client()->loadURLExternally(request, NavigationPolicyDow nload, suggestedName);
	abarth-chromium 2014/03/17 18:17:48 This check doesn't work. The attacker can use an This check doesn't work. The attacker can use an HTTP redirect to make the initial URL looks same-origin but have the actual content come from an arbitrary URL. You probably need to do this check in the download system after you've followed the whole redirect chain. asanka 2014/03/17 18:50:24 Good point! Thanks. Show quoted text On 2014/03/17 18:17:48, abarth wrote: > This check doesn't work. The attacker can use an HTTP redirect to make the > initial URL looks same-origin but have the actual content come from an arbitrary > URL. > > You probably need to do this check in the download system after you've followed > the whole redirect chain. Good point! Thanks.
435 } else {	438 } else {

436 FrameLoadRequest frameRequest(&document(), request, target());	439 FrameLoadRequest frameRequest(&document(), request, target());

437 frameRequest.setTriggeringEvent(event);	440 frameRequest.setTriggeringEvent(event);

438 if (hasRel(RelationNoReferrer))	441 if (hasRel(RelationNoReferrer))

439 frameRequest.setShouldSendReferrer(NeverSendReferrer);	442 frameRequest.setShouldSendReferrer(NeverSendReferrer);

440 frame->loader().load(frameRequest);	443 frame->loader().load(frameRequest);

441 }	444 }

442 }	445 }

443	446

444 HTMLAnchorElement::EventType HTMLAnchorElement::eventType(Event* event)	447 HTMLAnchorElement::EventType HTMLAnchorElement::eventType(Event* event)

(...skipping 248 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
693 preconnectToURL(url, motivation);	696 preconnectToURL(url, motivation);

694 m_hasIssuedPreconnect = true;	697 m_hasIssuedPreconnect = true;

695 }	698 }

696	699

697 bool HTMLAnchorElement::isInteractiveContent() const	700 bool HTMLAnchorElement::isInteractiveContent() const

698 {	701 {

699 return isLink();	702 return isLink();

700 }	703 }

701	704

702 }	705 }

OLD	NEW

« no previous file with comments | « LayoutTests/http/tests/security/anchor-download-block-crossorigin-expected.txt ('k') | no next file » | no next file with comments »