Chromium Code Reviews Chromium Code Reviews
Issue 2183423002:
Only do security checks on javascript: URLs for frames for loading (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2000 Simon Hausmann (hausmann@kde.org) | 4 * (C) 2000 Simon Hausmann (hausmann@kde.org) |
| 5 * (C) 2001 Dirk Mueller (mueller@kde.org) | 5 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved. | 6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved. |
| 7 * | 7 * |
| 8 * This library is free software; you can redistribute it and/or | 8 * This library is free software; you can redistribute it and/or |
| 9 * modify it under the terms of the GNU Library General Public | 9 * modify it under the terms of the GNU Library General Public |
| 10 * License as published by the Free Software Foundation; either | 10 * License as published by the Free Software Foundation; either |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 40 | 40 |
| 41 namespace blink { | 41 namespace blink { |
| 42 | 42 |
| 43 using namespace HTMLNames; | 43 using namespace HTMLNames; |
| 44 | 44 |
| 45 HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName, Documen t& document) | 45 HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName, Documen t& document) |
| 46 : HTMLFrameOwnerElement(tagName, document) | 46 : HTMLFrameOwnerElement(tagName, document) |
| 47 , m_scrollingMode(ScrollbarAuto) | 47 , m_scrollingMode(ScrollbarAuto) |
| 48 , m_marginWidth(-1) | 48 , m_marginWidth(-1) |
| 49 , m_marginHeight(-1) | 49 , m_marginHeight(-1) |
| 50 , m_javaScriptURLCanAccessFrame(false) | |
| 50 { | 51 { |
| 51 } | 52 } |
| 52 | 53 |
| 53 bool HTMLFrameElementBase::isURLAllowed() const | 54 bool HTMLFrameElementBase::isURLAllowed() const |
| 54 { | 55 { |
| 55 if (m_URL.isEmpty()) | 56 if (m_URL.isEmpty()) |
| 56 return true; | 57 return true; |
| 57 | 58 |
| 58 const KURL& completeURL = document().completeURL(m_URL); | 59 const KURL& completeURL = document().completeURL(m_URL); |
| 59 | 60 |
| 60 if (protocolIsJavaScript(completeURL)) { | 61 if (protocolIsJavaScript(completeURL) && !m_javaScriptURLCanAccessFrame) |
| 61 if (contentFrame() && !ScriptController::canAccessFromCurrentOrigin(toIs olate(&document()), contentFrame())) | 62 return false; |
| 62 return false; | |
| 63 } | |
| 64 | 63 |
| 65 LocalFrame* parentFrame = document().frame(); | 64 LocalFrame* parentFrame = document().frame(); |
| 66 if (parentFrame) | 65 if (parentFrame) |
| 67 return parentFrame->isURLAllowed(completeURL); | 66 return parentFrame->isURLAllowed(completeURL); |
| 68 | 67 |
| 69 return true; | 68 return true; |
| 70 } | 69 } |
| 71 | 70 |
| 72 void HTMLFrameElementBase::openURL(bool replaceCurrentItem) | 71 void HTMLFrameElementBase::openURL(bool replaceCurrentItem) |
| 73 { | 72 { |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 181 setWidget(toLocalFrame(frame)->view()); | 180 setWidget(toLocalFrame(frame)->view()); |
| 182 else if (frame->isRemoteFrame()) | 181 else if (frame->isRemoteFrame()) |
| 183 setWidget(toRemoteFrame(frame)->view()); | 182 setWidget(toRemoteFrame(frame)->view()); |
| 184 } | 183 } |
| 185 } | 184 } |
| 186 } | 185 } |
| 187 | 186 |
| 188 void HTMLFrameElementBase::setLocation(const String& str) | 187 void HTMLFrameElementBase::setLocation(const String& str) |
| 189 { | 188 { |
| 190 m_URL = AtomicString(str); | 189 m_URL = AtomicString(str); |
| 190 m_javaScriptURLCanAccessFrame = false; | |
| 191 | |
| 192 if (!m_URL.isEmpty()) { | |
|
dcheng
2016/07/28 08:55:03
OK, so I thought this would be better, but the mor
| |
| 193 const KURL& completeURL = document().completeURL(m_URL); | |
| 194 if (protocolIsJavaScript(completeURL)) { | |
| 195 if (contentFrame()) { | |
| 196 v8::Isolate* isolate = toIsolate(&document()); | |
| 197 SECURITY_CHECK(isolate->InContext()); | |
| 198 if (ScriptController::canAccessFromCurrentOrigin(toIsolate(&docu ment()), contentFrame())) | |
| 199 m_javaScriptURLCanAccessFrame = true; | |
| 200 } else { | |
| 201 m_javaScriptURLCanAccessFrame = true; | |
| 202 } | |
| 203 } | |
| 204 } | |
| 191 | 205 |
| 192 if (isConnected()) | 206 if (isConnected()) |
| 193 openURL(false); | 207 openURL(false); |
| 194 } | 208 } |
| 195 | 209 |
| 196 bool HTMLFrameElementBase::supportsFocus() const | 210 bool HTMLFrameElementBase::supportsFocus() const |
| 197 { | 211 { |
| 198 return true; | 212 return true; |
| 199 } | 213 } |
| 200 | 214 |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 248 frameOwnerPropertiesChanged(); | 262 frameOwnerPropertiesChanged(); |
| 249 } | 263 } |
| 250 | 264 |
| 251 void HTMLFrameElementBase::setMarginHeight(int marginHeight) | 265 void HTMLFrameElementBase::setMarginHeight(int marginHeight) |
| 252 { | 266 { |
| 253 m_marginHeight = marginHeight; | 267 m_marginHeight = marginHeight; |
| 254 frameOwnerPropertiesChanged(); | 268 frameOwnerPropertiesChanged(); |
| 255 } | 269 } |
| 256 | 270 |
| 257 } // namespace blink | 271 } // namespace blink |
| OLD | NEW |
