| OLD | NEW |
| 1 /* | 1 /* |
| 2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| (...skipping 42 matching lines...) |
| 53 | 53 |
| 54 // It's important to check that targetWindow is a LocalDOMWindow: it's | 54 // It's important to check that targetWindow is a LocalDOMWindow: it's |
| 55 // possible for a remote frame and local frame to have the same security | 55 // possible for a remote frame and local frame to have the same security |
| 56 // origin, depending on the model being used to allocate Frames between | 56 // origin, depending on the model being used to allocate Frames between |
| 57 // processes. See https://crbug.com/601629. | 57 // processes. See https://crbug.com/601629. |
| 58 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) | 58 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) |
| 59 return false; | 59 return false; |
| 60 | 60 |
| 61 const SecurityOrigin* accessingOrigin = | 61 const SecurityOrigin* accessingOrigin = |
| 62 accessingWindow->document()->getSecurityOrigin(); | 62 accessingWindow->document()->getSecurityOrigin(); |
| 63 if (!accessingOrigin->canAccessCheckSuborigins(targetFrameOrigin)) | 63 if (!accessingOrigin->canAccess(targetFrameOrigin)) |
| 64 return false; | 64 return false; |
| 65 | 65 |
| 66 // Notify the loader's client if the initial document has been accessed. | 66 // Notify the loader's client if the initial document has been accessed. |
| 67 LocalFrame* targetFrame = toLocalDOMWindow(targetWindow)->frame(); | 67 LocalFrame* targetFrame = toLocalDOMWindow(targetWindow)->frame(); |
| 68 if (targetFrame && | 68 if (targetFrame && |
| 69 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) | 69 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) |
| 70 targetFrame->loader().didAccessInitialDocument(); | 70 targetFrame->loader().didAccessInitialDocument(); |
| 71 | 71 |
| 72 return true; | 72 return true; |
| 73 } | 73 } |
| (...skipping 160 matching lines...) |
| 234 accessingFrame->securityContext()->getSecurityOrigin(); | 234 accessingFrame->securityContext()->getSecurityOrigin(); |
| 235 | 235 |
| 236 const Frame* targetFrame = targetWindow->frame(); | 236 const Frame* targetFrame = targetWindow->frame(); |
| 237 DCHECK(targetFrame); | 237 DCHECK(targetFrame); |
| 238 DCHECK(targetFrame->securityContext()); | 238 DCHECK(targetFrame->securityContext()); |
| 239 const SecurityOrigin* targetOrigin = | 239 const SecurityOrigin* targetOrigin = |
| 240 targetFrame->securityContext()->getSecurityOrigin(); | 240 targetFrame->securityContext()->getSecurityOrigin(); |
| 241 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || | 241 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || |
| 242 targetWindow == targetWindow->frame()->domWindow()); | 242 targetWindow == targetWindow->frame()->domWindow()); |
| 243 | 243 |
| 244 if (!accessingOrigin->canAccessCheckSuborigins(targetOrigin)) | 244 if (!accessingOrigin->canAccess(targetOrigin)) |
| 245 return false; | 245 return false; |
| 246 | 246 |
| 247 // Note that there is no need to call back | 247 // Note that there is no need to call back |
| 248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be | 248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be |
| 249 // a child window inside iframe or frame and it doesn't have a URL bar, | 249 // a child window inside iframe or frame and it doesn't have a URL bar, |
| 250 // so there is no need to worry about URL spoofing. | 250 // so there is no need to worry about URL spoofing. |
| 251 | 251 |
| 252 return true; | 252 return true; |
| 253 } | 253 } |
| 254 | 254 |
| (...skipping 10 matching lines...) |
| 265 // arguments, so the generated exception can be more descriptive. | 265 // arguments, so the generated exception can be more descriptive. |
| 266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, | 266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, |
| 267 nullptr, nullptr); | 267 nullptr, nullptr); |
| 268 exceptionState.throwSecurityError( | 268 exceptionState.throwSecurityError( |
| 269 targetWindow->sanitizedCrossDomainAccessErrorMessage( | 269 targetWindow->sanitizedCrossDomainAccessErrorMessage( |
| 270 currentDOMWindow(isolate)), | 270 currentDOMWindow(isolate)), |
| 271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); | 271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); |
| 272 } | 272 } |
| 273 | 273 |
| 274 } // namespace blink | 274 } // namespace blink |
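Review bot: The two call sites that switch from `canAccessCheckSuborigins` to `canAccess` (new lines 63 and 244) are the cross-origin gates for window and frame access, and nothing visible here shows that `canAccess` still compares suborigins. If that comparison was folded into `canAccess` in SecurityOrigin, which is outside this view, a short comment at each site would record it, for example `// canAccess() also compares suborigins; a mismatch is treated as cross-origin.` If it was not, both checks would be weaker than before for an accessor that shares scheme, host and port but sits in a different suborigin. A test asserting that such an accessor is denied on both paths would pin the intended behaviour. Both enclosing functions begin outside the visible lines, so their signatures and callers could not be checked.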
| OLD | NEW |