
Side by Side Diff: Source/WebCore/page/SecurityOrigin.cpp

Issue 8198008: Merge 96610 - Resource loader should block HTTP redirects to local resources (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/874/
Patch Set: Created 9 years, 2 months ago
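--- a/Source/WebCore/page/SecurityOrigin.cpp
+++ b/Source/WebCore/page/SecurityOrigin.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2007 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
@@ -324,24 +324,47 @@
 }
 return false;
 }
 
 bool SecurityOrigin::isAccessToURLWhiteListed(const KURL& url) const
 {
 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
 return isAccessWhiteListed(targetOrigin.get());
 }
 
+// This is a hack to allow keep navigation to http/https feeds working. To remov e this
+// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
+// protocols navigation policy.
+// feed(|s|search): is considered a 'nesting' scheme by embedders that support i t, so it can be
+// local or remote depending on what is nested. Currently we just check if we ar e nesting
+// http or https, otherwise we ignore the nesting for the purpose of a security check. We need
+// a facility for registering nesting schemes, and some generalized logic for th em.
+// This function should be removed as an outcome of https://bugs.webkit.org/show _bug.cgi?id=69196
+static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
+{
+const String& urlString = url.string();
+if (!urlString.startsWith("feed", false))
+return false;
+
+return urlString.startsWith("feed://", false)
+|| urlString.startsWith("feed:http:", false) || urlString.startsWith("fe ed:https:", false)
+|| urlString.startsWith("feeds:http:", false) || urlString.startsWith("f eeds:https:", false)
+|| urlString.startsWith("feedsearch:http:", false) || urlString.startsWi th("feedsearch:https:", false);
+}
+
 bool SecurityOrigin::canDisplay(const KURL& url) const
 {
 String protocol = url.protocol().lower();
 
+if (isFeedWithNestedProtocolInHTTPFamily(url))
+return true;
+
 if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
 return canRequest(url);
 
 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol))
 return m_protocol == protocol || isAccessToURLWhiteListed(url);
 
 if (restrictAccessToLocal() && SchemeRegistry::shouldTreatURLSchemeAsLocal(p rotocol))
 return canLoadLocalResources() || isAccessToURLWhiteListed(url);
 
 return true;
@@ -579,10 +602,10 @@
 
 void SecurityOrigin::resetOriginAccessWhitelists()
 {
 ASSERT(isMainThread());
 OriginAccessMap& map = originAccessMap();
 deleteAllValues(map);
 map.clear();
 }
 
 } // namespace WebCore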
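Review bot: The early `return true` added at new lines 358–359 of canDisplay runs before all three SchemeRegistry checks, so a URL whose string starts with one of the feed prefixes is displayable regardless of any canDisplayOnlyIfCanRequest, display-isolated or local policy an embedder registered for that scheme. If the exemption is only meant to keep feeds working under the local-resource restriction (inferred from the issue title, not visible here), it would be narrower to fold it into that branch: `return canLoadLocalResources() || isAccessToURLWhiteListed(url) || isFeedWithNestedProtocolInHTTPFamily(url);`. The helper also decides on a string prefix alone — `feed://` passes with whatever follows, and the nested URL is never parsed — so the result is only as safe as the embedder's handler resolving those URLs to http/https; a comment stating that assumption next to the helper would help. canDisplay's closing brace falls in the skipped lines after new line 370.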