Chromium Code Reviews

Unified Diff: Source/WebCore/html/HTMLPlugInImageElement.cpp

Issue 8206005: Merge 96826 - Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/874/
Patch Set: Created 9 years, 2 months ago
« no previous file with comments | « LayoutTests/http/tests/security/xss-DENIED-object-element-expected.txt ('k') | no next file » | no next file with comments »
Index: Source/WebCore/html/HTMLPlugInImageElement.cpp
===================================================================
--- Source/WebCore/html/HTMLPlugInImageElement.cpp (revision 96950)
+++ Source/WebCore/html/HTMLPlugInImageElement.cpp (working copy)
@@ -30,6 +30,7 @@
#include "Page.h"
#include "RenderEmbeddedObject.h"
#include "RenderImage.h"
+#include "SecurityOrigin.h"
namespace WebCore {
@@ -76,9 +77,14 @@
if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
return false;
+ KURL completeURL = document()->completeURL(url);
+
+ if (contentFrame() && protocolIsJavaScript(completeURL)
+ && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+ return false;
+
// We allow one level of self-reference because some sites depend on that.
// But we don't allow more than one.
- KURL completeURL = document()->completeURL(url);
bool foundSelfReference = false;
for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {
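Review bot: the new javascript: guard has no explanatory comment, unlike the self-reference block just below it, so the reader has to reconstruct why the check is gated on contentFrame() and on canAccess(); a line such as "// A javascript: URL would execute in the existing content frame's origin, so refuse it unless this document can already access that origin" above the `if (contentFrame() && protocolIsJavaScript(completeURL)` line would record the threat (the accompanying xss-DENIED-object-element test names the attack) and why a plug-in element with no frame yet needs no check here. Also, the condition tests contentFrame() but then dereferences contentDocument()->securityOrigin() unconditionally; if a content frame can exist without a document at this point, add `contentDocument() &&` to the condition rather than relying on the frame check alone.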

This is Rietveld 408576698