Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(146)

Unified Diff: Source/WebCore/page/DOMWindow.cpp

Issue 7058060: Merge 88071 (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/782/
Patch Set: Created 9 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/WebCore/page/DOMWindow.cpp
===================================================================
--- Source/WebCore/page/DOMWindow.cpp (revision 88085)
+++ Source/WebCore/page/DOMWindow.cpp (working copy)
@@ -1713,14 +1713,21 @@
if (!protocolIsJavaScript(urlString))
return false;
- // FIXME: Is there some way to eliminate the need for a separate "activeWindow == this" check?
- if (activeWindow == this)
- return false;
+ // If m_frame->domWindow() != this, then |this| isn't the DOMWindow that's
+ // currently active in the frame and there's no way we should allow the
+ // access.
+ // FIXME: Remove this check if we're able to disconnect DOMWindow from
+ // Frame on navigation: https://bugs.webkit.org/show_bug.cgi?id=62054
+ if (m_frame->domWindow() == this) {
+ // FIXME: Is there some way to eliminate the need for a separate "activeWindow == this" check?
+ if (activeWindow == this)
+ return false;
- // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
- // Can we name the SecurityOrigin function better to make this more clear?
- if (activeWindow->securityOrigin()->canAccess(securityOrigin()))
- return false;
+ // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
+ // Can we name the SecurityOrigin function better to make this more clear?
+ if (activeWindow->securityOrigin()->canAccess(securityOrigin()))
+ return false;
+ }
printErrorMessage(crossDomainAccessErrorMessage(activeWindow));
return true;
« no previous file with comments | « LayoutTests/http/tests/security/xss-DENIED-contentWindow-eval-expected.txt ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698