Allow 'history.pushState' to modify query string for unique and file origins.

third_party/WebKit/Source/core/frame/History.cpp

 /*
  * Copyright (C) 2007 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 41 matching lines @@
 
     const String& aString = a.getString();
     const String& bString = b.getString();
     for (int i = 0; i < aLength; ++i) {
         if (aString[i] != bString[i])
             return false;
     }
     return true;
 }
 
+bool equalIgnoringQueryAndFragment(const KURL& a, const KURL& b)
+{
+    int aLength = a.getString().length();
+    if (a.parsed().ref.len >= 0)
+        aLength = a.parsed().ref.begin - 1;
+    if (a.parsed().query.len >= 0 && a.parsed().query.begin <= aLength)
+        aLength = a.parsed().query.begin - 1;
+
+    int bLength = b.getString().length();
+    if (b.parsed().ref.len >= 0)
+        bLength = b.parsed().ref.begin - 1;
+    if (b.parsed().query.len >= 0 && b.parsed().query.begin <= bLength)
+        bLength = b.parsed().query.begin - 1;
+
+    if (aLength != bLength)
+        return false;
+
+    const String& aString = a.getString();
+    const String& bString = b.getString();
+    for (int i = 0; i < aLength; ++i) {
+        if (aString[i] != bString[i])
+            return false;
+    }
+    return true;
+}

[Mike West, 2016/06/14 08:44:59]

You can write this more simply by copy/pasting
`equalIgnoringPathQueryAndFragment`'s body, then replacing `pathStart` with
`pathEnd`. :)

+
 }  // namespace
 
 History::History(LocalFrame* frame)
     : DOMWindowProperty(frame)
     , m_lastStateObjectRequested(nullptr)
 {
 }
 
 DEFINE_TRACE(History)
 {
@@ skipping 117 matching lines @@
     if (!url.isValid())
         return false;
 
     if (documentOrigin->isGrantedUniversalAccess())
         return true;
 
     // We allow sandboxed documents, `data:`/`file:` URLs, etc. to use
     // 'pushState'/'replaceState' to modify the URL fragment: see
     // https://crbug.com/528681 for the compatibility concerns.
     if (documentOrigin->isUnique() || documentOrigin->isLocal())
-        return equalIgnoringFragmentIdentifier(url, documentURL);
+        return equalIgnoringQueryAndFragment(url, documentURL);
 
     if (!equalIgnoringPathQueryAndFragment(url, documentURL))
         return false;
 
     RefPtr<SecurityOrigin> requestedOrigin = SecurityOrigin::create(url);
     if (requestedOrigin->isUnique() || !requestedOrigin->isSameSchemeHostPort(documentOrigin))
         return false;
 
     return true;
 }
 
 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& /* title */, const String& urlString, HistoryScrollRestorationType restorationType, FrameLoadType type, ExceptionState& exceptionState)
 {
     if (!m_frame || !m_frame->page() || !m_frame->loader().documentLoader())
         return;
 
     KURL fullURL = urlForState(urlString);
     if (!canChangeToUrl(fullURL, m_frame->document()->getSecurityOrigin(), m_frame->document()->url())) {
         // We can safely expose the URL to JavaScript, as a) no redirection takes place: JavaScript already had this URL, b) JavaScript can only access a same-origin History object.
         exceptionState.throwSecurityError("A history state object with URL '" + fullURL.elidedString() + "' cannot be created in a document with origin '" + m_frame->document()->getSecurityOrigin()->toString() + "' and URL '" + m_frame->document()->url().elidedString() + "'.");
         return;
     }
 
     m_frame->loader().updateForSameDocumentNavigation(fullURL, SameDocumentNavigationHistoryApi, data, restorationType, type, m_frame->document());
 }
 
 } // namespace blink