1 files changed, 23 insertions, 13 deletions

diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 890c3fa..72c2591 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -144,14 +144,7 @@ bool XSSAuditor::canLoadExternalScriptFromSrc(const String& context, const Strin
     if (!isEnabled())
         return true;
 
-    // If the script is loaded from the same URL as the enclosing page, it's
-    // probably not an XSS attack, so we reduce false positives by allowing the
-    // script. If the script has a query string, we're more suspicious,
-    // however, because that's pretty rare and the attacker might be able to
-    // trick a server-side script into doing something dangerous with the query
-    // string.
-    KURL scriptURL(m_frame->document()->url(), url);
-    if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
+    if (isSameOriginResource(url))
         return true;
 
     if (findInRequest(context + url)) {
@@ -167,8 +160,11 @@ bool XSSAuditor::canLoadObject(const String& url) const
     if (!isEnabled())
         return true;
 
+    if (isSameOriginResource(url))
+        return true;
+
     if (findInRequest(url)) {
-        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
+        String consoleMessage = String::format("Refused to load an object. URL found within request: \"%s\".\n", url.utf8().data());
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
         return false;
     }
@@ -179,10 +175,12 @@ bool XSSAuditor::canSetBaseElementURL(const String& url) const
 {
     if (!isEnabled())
         return true;
-    
-    KURL baseElementURL(m_frame->document()->url(), url);
-    if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
-        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
+
+    if (isSameOriginResource(url))
+        return true;
+
+    if (findInRequest(url)) {
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to load from document base URL. URL found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
         return false;
     }
@@ -255,6 +253,18 @@ String XSSAuditor::decodeHTMLEntities(const String& string, bool leaveUndecodabl
     return String::adopt(result);
 }
 
+bool XSSAuditor::isSameOriginResource(const String& url) const
+{
+    // If the resource is loaded from the same URL as the enclosing page, it's
+    // probably not an XSS attack, so we reduce false positives by allowing the
+    // request. If the resource has a query string, we're more suspicious,
+    // however, because that's pretty rare and the attacker might be able to
+    // trick a server-side script into doing something dangerous with the query
+    // string.
+    KURL resourceURL(m_frame->document()->url(), url);
+    return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
+}
+
 bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
                                bool decodeURLEscapeSequencesTwice) const
 {