| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 236 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 // Note that there is no need to call back | 247 // Note that there is no need to call back |
| 248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be | 248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be |
| 249 // a child window inside iframe or frame and it doesn't have a URL bar, | 249 // a child window inside iframe or frame and it doesn't have a URL bar, |
| 250 // so there is no need to worry about URL spoofing. | 250 // so there is no need to worry about URL spoofing. |
| 251 | 251 |
| 252 return true; | 252 return true; |
| 253 } | 253 } |
| 254 | 254 |
| 255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, | 255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, |
| 256 const Frame* target) { | 256 const Frame* target) { |
| 257 // TODO(dcheng): See if this null check can be removed or hoisted to a | |
| 258 // different location. | |
| 259 if (!target) | |
| 260 return; | |
| 261 | |
| 262 DOMWindow* targetWindow = target->domWindow(); | |
| 263 | |
| 264 // TODO(dcheng): Add ContextType, interface name, and property name as | 257 // TODO(dcheng): Add ContextType, interface name, and property name as |
| 265 // arguments, so the generated exception can be more descriptive. | 258 // arguments, so the generated exception can be more descriptive. |
| 266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, | 259 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, |
| 267 nullptr, nullptr); | 260 nullptr, nullptr); |
| 261 |
| 262 LocalDOMWindow* callingWindow = currentDOMWindow(isolate); |
| 263 if (!target) { |
| 264 const SecurityOrigin* activeOrigin = |
| 265 callingWindow->document()->getSecurityOrigin(); |
| 266 String message = "Blocked a frame with origin \"" + |
| 267 activeOrigin->toString() + |
| 268 "\" from accessing a detached cross-origin frame"; |
| 269 exceptionState.throwSecurityError(message, message); |
| 270 return; |
| 271 } |
| 272 |
| 273 DOMWindow* targetWindow = target->domWindow(); |
| 274 |
| 268 exceptionState.throwSecurityError( | 275 exceptionState.throwSecurityError( |
| 269 targetWindow->sanitizedCrossDomainAccessErrorMessage( | 276 targetWindow->sanitizedCrossDomainAccessErrorMessage(callingWindow), |
| 270 currentDOMWindow(isolate)), | 277 targetWindow->crossDomainAccessErrorMessage(callingWindow)); |
| 271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); | |
| 272 } | 278 } |
| 273 | 279 |
| 274 } // namespace blink | 280 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2705783004:
Throw security errors for attribute access on detached windows. (Closed)
