third_party/WebKit/Source/core/loader/FrameFetchContext.cpp - Issue 2196983002: Allow doc.written scripts with a matching domain and registry to execute.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2196983002: Allow doc.written scripts with a matching domain and registry to execute. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: add test Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

index f873f582a862959088feae2731098e1add6b3b7e..badde027815f2df2a317cbf685437b71701447b9 100644

--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

@@ -64,6 +64,7 @@

#include "platform/Logging.h"

#include "platform/TracedValue.h"

#include "platform/mhtml/MHTMLArchive.h"

+#include "platform/network/NetworkUtils.h"

#include "platform/network/ResourceLoadPriority.h"

#include "platform/network/ResourceTimingInfo.h"

#include "platform/weborigin/SchemeRegistry.h"

@@ -110,7 +111,17 @@ bool shouldDisallowFetchForMainFrameScript(const ResourceRequest& request, Fetch

// Avoid blocking same origin scripts, as they may be used to render main

// page content, whereas cross-origin scripts inserted via document.write

// are likely to be third party content.

- if (request.url().host() == document.getSecurityOrigin()->domain())

+ String requestHost = request.url().host();

+ String documentHost = document.getSecurityOrigin()->domain();

+ if (requestHost == documentHost)

+ return false;

+ // If the hosts didn't match, then see if the domains match. For example, if

+ // a script is served from static.example.com for a document served from

+ // www.example.com, we consider that a first party script and allow it.

+ String requestDomain = NetworkUtils::getDomainAndRegistry(requestHost, true);

+ String documentDomain = NetworkUtils::getDomainAndRegistry(documentHost, true);

+ if (!requestDomain.isEmpty() && !documentDomain.isEmpty() && requestDomain == documentDomain)

Nate Chapin 2016/08/03 21:44:09 Nit: we don't need to call isEmpty() for both stri

Bryan McQuade 2016/08/03 22:05:45 Ah, getDomainAndRegistry can return empty string i

return false;

emitWarningForDocWriteScripts(request.url().getString(), document);

« no previous file with comments | « no previous file | third_party/WebKit/Source/platform/network/NetworkUtils.h » ('j') | third_party/WebKit/Source/platform/network/NetworkUtils.h » ('J')