author | Steve Block <steveblock@google.com> | 2010-09-09 11:17:13 +0100 |
---|---|---|
committer | Steve Block <steveblock@google.com> | 2010-09-09 12:20:25 +0100 |
commit | da4ffba387f70730453d4533272dd55870dd81bb (patch) | |
tree | ad305906f7329711ec8c6ef3b68ba1e62eab282d /WebCore | |
parent | 237faca5ff0377c7fda5c4dcc0f287e67fe66091 (diff) | |
Cherry-pick security fix in WebKit change 64077
See http://trac.webkit.org/changeset/64077
Bug: 2986936
Change-Id: Ic3e825e880f2094f274758af93a0949b0b9278f0
Diffstat (limited to 'WebCore')
-rw-r--r-- | WebCore/page/History.cpp | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index 78e8ea6..337f5b2 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -86,14 +86,7 @@ KURL History::urlForState(const String& urlString)
 if (urlString.isEmpty())
 return baseURL;
- KURL absoluteURL(baseURL, urlString);
- if (!absoluteURL.isValid())
- return KURL();
-
- if (absoluteURL.string().left(absoluteURL.pathStart()) != baseURL.string().left(baseURL.pathStart()))
- return KURL();
-
- return absoluteURL;
+ return KURL(baseURL, urlString);
 }
 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
@@ -102,7 +95,8 @@ void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str
 return;
 KURL fullURL = urlForState(urlString);
- if (!fullURL.isValid()) {
+ RefPtr<SecurityOrigin> origin = SecurityOrigin::create(fullURL);
+ if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->isSameSchemeHostPort(origin.get())) {
 ec = SECURITY_ERR;
 return;
 }
 |
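Review bot: After this change `urlForState` returns whatever `KURL(baseURL, urlString)` resolves to, with neither the validity check nor the origin comparison that the removed lines performed, and nothing in the function says so. A short comment above the return, e.g. `// Unvalidated: callers must check isValid() and same-origin before using the result.`, would keep a later caller from treating the result as already vetted. The only caller visible on this page is `stateObjectAdded`, which performs both checks. The start of `urlForState` is outside the hunk.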
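Review bot: `SecurityOrigin::create(fullURL)` runs before `fullURL.isValid()` is tested, so an origin is built from a URL that may be invalid and the outcome then depends on how `create` treats that input. Folding the construction into the condition lets the short-circuit skip it: `if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->isSameSchemeHostPort(SecurityOrigin::create(fullURL).get())) {`. The same line dereferences `m_frame->document()` without a check; the guard that ends in `return;` starts outside the hunk, so it is worth confirming that it rules out a null document. The body of `stateObjectAdded` continues past the hunk.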