diff options
author | Ben Murdoch <benm@google.com> | 2014-09-30 15:43:34 +0100 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2014-10-05 11:07:17 +0200 |
commit | 04ad20732516edd03b98f0181c9e9f17a40f1f2f (patch) | |
tree | 1b1841e355156dfa208970d77d622d04c82dfc22 | |
parent | 6141cdedee0907e68f9b42b755ab24395a2e8ebf (diff) | |
download | external_webkit-replicant-4.2.zip external_webkit-replicant-4.2.tar.gz external_webkit-replicant-4.2.tar.bz2 |
Cherry pick r96826.HEADreplicant-4.2-0004replicant-4.2-0003replicant-4.2
Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL
Bug: 17658625
Change-Id: Icb7249526aa5f38dd6f93ad67fe7a21ad713d31b
-rw-r--r-- | Source/WebCore/html/HTMLPlugInImageElement.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp index f3a99dd..0cc5c58 100644 --- a/Source/WebCore/html/HTMLPlugInImageElement.cpp +++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp @@ -30,6 +30,7 @@ #include "Page.h" #include "RenderEmbeddedObject.h" #include "RenderImage.h" +#include "SecurityOrigin.h" namespace WebCore { @@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url) if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames) return false; + KURL completeURL = document()->completeURL(url); + + if (contentFrame() && protocolIsJavaScript(completeURL) + && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin())) + return false; + // We allow one level of self-reference because some sites depend on that. // But we don't allow more than one. - KURL completeURL = document()->completeURL(url); bool foundSelfReference = false; for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) { if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) { |