Cherry pick r96826.HEADreplicant-4.2-0004replicant-4.2-0003replicant-4.2

Add check for JavaScript URLs in HTMLPlugInImageElement::allowedToLoadFrameURL

Bug: 17658625
Change-Id: Icb7249526aa5f38dd6f93ad67fe7a21ad713d31b

1 files changed, 7 insertions, 1 deletions

diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
index f3a99dd..0cc5c58 100644
--- a/Source/WebCore/html/HTMLPlugInImageElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
+#include "SecurityOrigin.h"
 
 namespace WebCore {
 
@@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
     if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
         return false;
 
+    KURL completeURL = document()->completeURL(url);
+    
+    if (contentFrame() && protocolIsJavaScript(completeURL)
+        && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+        return false;
+    
     // We allow one level of self-reference because some sites depend on that.
     // But we don't allow more than one.
-    KURL completeURL = document()->completeURL(url);
     bool foundSelfReference = false;
     for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
         if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {