authorSteve Block <steveblock@google.com>2010-09-09 11:17:13 +0100
committerSteve Block <steveblock@google.com>2010-09-09 12:20:25 +0100
commitda4ffba387f70730453d4533272dd55870dd81bb (patch)
treead305906f7329711ec8c6ef3b68ba1e62eab282d /WebCore
parent237faca5ff0377c7fda5c4dcc0f287e67fe66091 (diff)
Cherry-pick security fix in WebKit change 64077
See http://trac.webkit.org/changeset/64077 Bug: 2986936 Change-Id: Ic3e825e880f2094f274758af93a0949b0b9278f0
Diffstat (limited to 'WebCore')
-rw-r--r--WebCore/page/History.cpp12
1 files changed, 3 insertions, 9 deletions
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index 78e8ea6..337f5b2 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -86,14 +86,7 @@ KURL History::urlForState(const String& urlString)
if (urlString.isEmpty())
return baseURL;
- KURL absoluteURL(baseURL, urlString);
- if (!absoluteURL.isValid())
- return KURL();
-
- if (absoluteURL.string().left(absoluteURL.pathStart()) != baseURL.string().left(baseURL.pathStart()))
- return KURL();
-
- return absoluteURL;
+ return KURL(baseURL, urlString);
}
void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
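Review bot: After this change `urlForState` no longer rejects invalid or cross-origin results, and nothing in the function says so; it now returns whatever `KURL(baseURL, urlString)` resolves to. The same-origin decision moves entirely to the caller, so any other caller of `urlForState` (none are visible in this diff) would receive an unchecked URL. A comment above the function would make the contract explicit, for example `// Resolves urlString against the document base URL only; callers must check validity and origin.` The function's signature and the computation of `baseURL` lie outside the hunk.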
@@ -102,7 +95,8 @@ void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str
return;
KURL fullURL = urlForState(urlString);
- if (!fullURL.isValid()) {
+ RefPtr<SecurityOrigin> origin = SecurityOrigin::create(fullURL);
+ if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->isSameSchemeHostPort(origin.get())) {
ec = SECURITY_ERR;
return;
}
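Review bot: `SecurityOrigin::create(fullURL)` on the added line runs before `fullURL.isValid()` is tested, so an origin object is built even for a URL that is about to be rejected. Testing validity first keeps the rejection path simple: `if (!fullURL.isValid()) { ec = SECURITY_ERR; return; }` followed by the origin comparison. The new condition also dereferences `m_frame->document()` without a visible null check. The early return above it starts outside the hunk, so confirm that it guarantees a document. A short comment such as `// Compare against the document's security origin, not the base URL.` would record why the check moved here from `urlForState`.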