Chromium Code Reviews Chromium Code Reviews
Issue 392993005:
Custom handlers should throw SecurityError exception if the URL's origin differs from the document'… (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
| 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
| 4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
| 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) | 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) |
| 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. | 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. |
| 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) | 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) |
| 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. | 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. |
| 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) | 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) |
| 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. | 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. |
| (...skipping 4785 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 4796 // loading URL with a fresh content security policy. | 4796 // loading URL with a fresh content security policy. |
| 4797 m_cookieURL = m_url; | 4797 m_cookieURL = m_url; |
| 4798 enforceSandboxFlags(initializer.sandboxFlags()); | 4798 enforceSandboxFlags(initializer.sandboxFlags()); |
| 4799 setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique( ) : SecurityOrigin::create(m_url)); | 4799 setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique( ) : SecurityOrigin::create(m_url)); |
| 4800 setContentSecurityPolicy(contentSecurityPolicyFor(this)); | 4800 setContentSecurityPolicy(contentSecurityPolicyFor(this)); |
| 4801 | 4801 |
| 4802 if (Settings* settings = initializer.settings()) { | 4802 if (Settings* settings = initializer.settings()) { |
| 4803 if (!settings->webSecurityEnabled()) { | 4803 if (!settings->webSecurityEnabled()) { |
| 4804 // Web security is turned off. We should let this document access ev ery other document. This is used primary by testing | 4804 // Web security is turned off. We should let this document access ev ery other document. This is used primary by testing |
| 4805 // harnesses for web sites. | 4805 // harnesses for web sites. |
| 4806 securityOrigin()->grantUniversalAccess(); | 4806 securityOrigin()->setUniversalAccess(true); |
|
abarth-chromium
2014/08/06 18:34:55
This doesn't make sense. There's no way to revoke
pals
2014/08/07 14:06:06
This change is not required anymore. Removed.
| |
| 4807 } else if (securityOrigin()->isLocal()) { | 4807 } else if (securityOrigin()->isLocal()) { |
| 4808 if (settings->allowUniversalAccessFromFileURLs()) { | 4808 if (settings->allowUniversalAccessFromFileURLs()) { |
| 4809 // Some clients want local URLs to have universal access, but th at setting is dangerous for other clients. | 4809 // Some clients want local URLs to have universal access, but th at setting is dangerous for other clients. |
| 4810 securityOrigin()->grantUniversalAccess(); | 4810 securityOrigin()->setUniversalAccess(true); |
| 4811 } else if (!settings->allowFileAccessFromFileURLs()) { | 4811 } else if (!settings->allowFileAccessFromFileURLs()) { |
| 4812 // Some clients want local URLs to have even tighter restriction s by default, and not be able to access other local files. | 4812 // Some clients want local URLs to have even tighter restriction s by default, and not be able to access other local files. |
| 4813 // FIXME 81578: The naming of this is confusing. Files with rest ricted access to other local files | 4813 // FIXME 81578: The naming of this is confusing. Files with rest ricted access to other local files |
| 4814 // still can have other privileges that can be remembered, there by not making them unique origins. | 4814 // still can have other privileges that can be remembered, there by not making them unique origins. |
| 4815 securityOrigin()->enforceFilePathSeparation(); | 4815 securityOrigin()->enforceFilePathSeparation(); |
| 4816 } | 4816 } |
| 4817 } | 4817 } |
| 4818 } | 4818 } |
| 4819 | 4819 |
| 4820 if (initializer.shouldTreatURLAsSrcdocDocument()) { | 4820 if (initializer.shouldTreatURLAsSrcdocDocument()) { |
| (...skipping 1066 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 5887 using namespace blink; | 5887 using namespace blink; |
| 5888 void showLiveDocumentInstances() | 5888 void showLiveDocumentInstances() |
| 5889 { | 5889 { |
| 5890 WeakDocumentSet& set = liveDocumentSet(); | 5890 WeakDocumentSet& set = liveDocumentSet(); |
| 5891 fprintf(stderr, "There are %u documents currently alive:\n", set.size()); | 5891 fprintf(stderr, "There are %u documents currently alive:\n", set.size()); |
| 5892 for (WeakDocumentSet::const_iterator it = set.begin(); it != set.end(); ++it ) { | 5892 for (WeakDocumentSet::const_iterator it = set.begin(); it != set.end(); ++it ) { |
| 5893 fprintf(stderr, "- Document %p URL: %s\n", *it, (*it)->url().string().ut f8().data()); | 5893 fprintf(stderr, "- Document %p URL: %s\n", *it, (*it)->url().string().ut f8().data()); |
| 5894 } | 5894 } |
| 5895 } | 5895 } |
| 5896 #endif | 5896 #endif |
| OLD | NEW |
