diff options
Diffstat (limited to 'WebCore/page/XSSAuditor.h')
-rw-r--r-- | WebCore/page/XSSAuditor.h | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/WebCore/page/XSSAuditor.h b/WebCore/page/XSSAuditor.h index adfa5c7..b64665b 100644 --- a/WebCore/page/XSSAuditor.h +++ b/WebCore/page/XSSAuditor.h @@ -42,14 +42,14 @@ namespace WebCore { // a script is to be allowed or denied based on the content of any // user-submitted data, including: // - // * the query string of the URL. + // * the URL. // * the HTTP-POST data. // // If the source code of a script resembles any user-submitted data then it // is denied execution. // - // When you instantiate the XSSAuditor you must specify the {@link Frame} - // of the page that you wish to audit. + // When you instantiate the XSSAuditor you must specify the Frame of the + // page that you wish to audit. // // Bindings // @@ -59,11 +59,14 @@ namespace WebCore { // JavaScript script is safe to execute before executing it. The following // methods call into XSSAuditor: // - // * ScriptController::evaluate - used to evaluate JavaScript scripts. - // * ScriptController::createInlineEventListener - used to create JavaScript event handlers. - // * HTMLTokenizer::scriptHandler - used to load external JavaScript scripts. + // * ScriptController::evaluateInWorld - used to evaluate JavaScript scripts. + // * ScriptController::executeIfJavaScriptURL - used to evaluate JavaScript URLs. + // * ScriptEventListener::createAttributeEventListener - used to create JavaScript event handlers. + // * HTMLBaseElement::process - used to set the document base URL. + // * HTMLTokenizer::parseTag - used to load external JavaScript scripts. + // * FrameLoader::requestObject - used to load <object>/<embed> elements. // - class XSSAuditor { + class XSSAuditor : public Noncopyable { public: XSSAuditor(Frame*); ~XSSAuditor(); @@ -122,6 +125,7 @@ namespace WebCore { bool decodeURLEscapeSequencesTwice = false); static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true); + bool isSameOriginResource(const String& url) const; bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, bool decodeURLEscapeSequencesTwice = false) const; bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, |