Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(19)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/page/DOMWindow.cpp

Issue 22829002: Throw an exception when denying access to 'Frame's 'location' setter. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Less insecurity. Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom-expected.txt ('K') | « Source/core/page/DOMWindow.h ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2006, 2007, 2008, 2010 Apple Inc. All rights reserved. 2 * Copyright (C) 2006, 2007, 2008, 2010 Apple Inc. All rights reserved.
3 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) 3 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
7 * are met: 7 * are met:
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
(...skipping 1553 matching lines...) Expand 10 before | Expand all | Expand 10 after
1564 } 1564 }
1565 1565
1566 void DOMWindow::printErrorMessage(const String& message) 1566 void DOMWindow::printErrorMessage(const String& message)
1567 { 1567 {
1568 if (message.isEmpty()) 1568 if (message.isEmpty())
1569 return; 1569 return;
1570 1570
1571 pageConsole()->addMessage(JSMessageSource, ErrorMessageLevel, message); 1571 pageConsole()->addMessage(JSMessageSource, ErrorMessageLevel, message);
1572 } 1572 }
1573 1573
1574 // FIXME: Once we're throwing exceptions for cross-origin access violations, we will always sanitize the target
1575 // frame details, so we can safely combine 'crossDomainAccessErrorMessage' with this method after considering
1576 // exactly which details may be exposed to JavaScript.
1577 //
1578 // http://crbug.com/17325
1579 String DOMWindow::sanitizedCrossDomainAccessErrorMessage(DOMWindow* activeWindow )
1580 {
1581 const KURL& activeWindowURL = activeWindow->document()->url();
1582 if (activeWindowURL.isNull())
1583 return String();
1584
1585 ASSERT(!activeWindow->document()->securityOrigin()->canAccess(document()->se curityOrigin()));
1586
1587 SecurityOrigin* activeOrigin = activeWindow->document()->securityOrigin();
1588 String message = "Blocked a frame with origin \"" + activeOrigin->toString() + "\" from accessing a cross-origin frame.";
1589
1590 // FIXME: Evaluate which details from 'crossDomainAccessErrorMessage' may sa fely be reported to JavaScript.
1591
1592 return message;
1593 }
1594
1574 String DOMWindow::crossDomainAccessErrorMessage(DOMWindow* activeWindow) 1595 String DOMWindow::crossDomainAccessErrorMessage(DOMWindow* activeWindow)
1575 { 1596 {
1576 const KURL& activeWindowURL = activeWindow->document()->url(); 1597 const KURL& activeWindowURL = activeWindow->document()->url();
1577 if (activeWindowURL.isNull()) 1598 if (activeWindowURL.isNull())
1578 return String(); 1599 return String();
1579 1600
1580 ASSERT(!activeWindow->document()->securityOrigin()->canAccess(document()->se curityOrigin())); 1601 ASSERT(!activeWindow->document()->securityOrigin()->canAccess(document()->se curityOrigin()));
1581 1602
1582 // FIXME: This message, and other console messages, have extra newlines. Sho uld remove them. 1603 // FIXME: This message, and other console messages, have extra newlines. Sho uld remove them.
1583 SecurityOrigin* activeOrigin = activeWindow->document()->securityOrigin(); 1604 SecurityOrigin* activeOrigin = activeWindow->document()->securityOrigin();
(...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after
1725 1746
1726 Frame* child = frame->tree()->scopedChild(index); 1747 Frame* child = frame->tree()->scopedChild(index);
1727 if (child) 1748 if (child)
1728 return child->domWindow(); 1749 return child->domWindow();
1729 1750
1730 return 0; 1751 return 0;
1731 } 1752 }
1732 1753
1733 1754
1734 } // namespace WebCore 1755 } // namespace WebCore
OLDNEW
« LayoutTests/http/tests/security/javascriptURL/javascriptURL-execution-context-frame-location-htmldom-expected.txt ('K') | « Source/core/page/DOMWindow.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698