authorBen Murdoch <benm@google.com>2014-09-30 15:43:34 +0100
committerPaul Kocialkowski <contact@paulk.fr>2014-10-05 11:07:17 +0200
commit04ad20732516edd03b98f0181c9e9f17a40f1f2f (patch)
tree1b1841e355156dfa208970d77d622d04c82dfc22
parent6141cdedee0907e68f9b42b755ab24395a2e8ebf (diff)
Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL Bug: 17658625 Change-Id: Icb7249526aa5f38dd6f93ad67fe7a21ad713d31b
-rw-r--r--Source/WebCore/html/HTMLPlugInImageElement.cpp8
1 files changed, 7 insertions, 1 deletions
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
index f3a99dd..0cc5c58 100644
--- a/Source/WebCore/html/HTMLPlugInImageElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -30,6 +30,7 @@
#include "Page.h"
#include "RenderEmbeddedObject.h"
#include "RenderImage.h"
+#include "SecurityOrigin.h"
namespace WebCore {
@@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
return false;
+ KURL completeURL = document()->completeURL(url);
+
+ if (contentFrame() && protocolIsJavaScript(completeURL)
+ && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+ return false;
+
// We allow one level of self-reference because some sites depend on that.
// But we don't allow more than one.
- KURL completeURL = document()->completeURL(url);
bool foundSelfReference = false;
for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {
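Review bot: The added guard calls `contentDocument()->securityOrigin()` after testing only `contentFrame()`, so if a content frame can exist here without a document (not visible from this hunk), the origin check itself is a null dereference. Fetching the document once and testing it avoids that: `Document* contentDoc = contentDocument();` followed by `if (contentDoc && protocolIsJavaScript(completeURL) && !document()->securityOrigin()->canAccess(contentDoc->securityOrigin())) return false;`. The block also has no comment saying why it exists; something like `// A javascript: URL would execute in the existing content document, so refuse it unless this document may already access that origin.` would keep a later refactor from dropping or reordering the check. The body of allowedToLoadFrameURL starts before this hunk and continues past it, so the earlier `document()->frame()->page()` chain and the rest of the self-reference loop are not reviewed here.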