From 6141cdedee0907e68f9b42b755ab24395a2e8ebf Mon Sep 17 00:00:00 2001
From: Ben Murdoch
Date: Thu, 4 Sep 2014 15:40:31 +0100
Subject: Cherry pick r91611 Perform the JavaScript navigation check on a complete URL
Bug: 17050386
Change-Id: I613809864472007989938abde317b0a112c0a81c
---
 Source/WebCore/page/DOMWindow.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Source/WebCore/page/DOMWindow.cpp b/Source/WebCore/page/DOMWindow.cpp
index 0416cb5..45f288b 100644
--- a/Source/WebCore/page/DOMWindow.cpp
+++ b/Source/WebCore/page/DOMWindow.cpp
@@ -1699,7 +1699,7 @@ void DOMWindow::setLocation(const String& urlString, DOMWindow* activeWindow, DO
 if (completedURL.isNull())
 return;

- if (isInsecureScriptAccess(activeWindow, urlString))
+ if (isInsecureScriptAccess(activeWindow, completedURL))
 return;

 // We want a new history item if we are processing a user gesture.
@@ -1785,7 +1785,7 @@ Frame* DOMWindow::createWindow(const String& urlString, const AtomicString& fram
 newFrame->loader()->setOpener(openerFrame);
 newFrame->page()->setOpenedByDOM();

- if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ if (newFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
 return newFrame;

 if (function)
@@ -1835,7 +1835,9 @@ PassRefPtr DOMWindow::open(const String& urlString, const AtomicStrin
 if (!activeFrame->loader()->shouldAllowNavigation(targetFrame))
 return 0;

- if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, urlString))
+ KURL completedURL = firstFrame->document()->completeURL(urlString);
+
+ if (targetFrame->domWindow()->isInsecureScriptAccess(activeWindow, completedURL))
 return targetFrame->domWindow();

 if (urlString.isEmpty())
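Review bot: The `isInsecureScriptAccess` calls in setLocation, createWindow and open now receive `completedURL`, but nothing at the call sites records why the raw `urlString` must not be passed, so a later cleanup could revert the argument without anyone noticing. A comment above the check in setLocation, mirrored in the createWindow and open hunks, would pin the invariant: `// Check the completed URL, not urlString: the check must see the same URL the navigation will use.` In open() that link is visible, since the same `completedURL` is what goes to scheduleLocationChange; for setLocation and createWindow the navigation call is outside the hunk, so confirm it there. All three function bodies start and end outside their hunks.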
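Review bot: open() passes `completedURL` to the check without the `completedURL.isNull()` early-out that setLocation has directly above its own check in the first hunk, and the `urlString.isEmpty()` return comes only after the check. If a null or otherwise unusable completion can reach `isInsecureScriptAccess` here, the result it gives for that input should be confirmed and written down next to the call, for example `// completedURL may be null when urlString is empty; verified that the check lets this through to the isEmpty() return below.` once that has actually been checked. The rest of open(), including where `firstFrame` and `targetFrame` come from, is outside the hunk.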
@@ -1844,7 +1846,7 @@ PassRefPtr DOMWindow::open(const String& urlString, const AtomicStrin
 // For whatever reason, Firefox uses the first window rather than the active window to
 // determine the outgoing referrer. We replicate that behavior here.
 targetFrame->navigationScheduler()->scheduleLocationChange(activeFrame->document()->securityOrigin(),
- firstFrame->document()->completeURL(urlString).string(),
+ completedURL,
 firstFrame->loader()->outgoingReferrer(),
 !activeFrame->script()->anyPageIsProcessingUserGesture(),
 false);
-- 
cgit v1.1
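Review bot: The second argument to scheduleLocationChange goes from `firstFrame->document()->completeURL(urlString).string()` to a bare `completedURL`, so the string is now produced by an implicit conversion from KURL instead of the explicit `.string()` the old line spelled out. Writing `completedURL.string(),` keeps the argument type obvious at the call site and matches the removed line. The same applies to the `isInsecureScriptAccess(activeWindow, completedURL)` calls in the earlier hunks if that function still takes a `const String&`; its declaration is not part of this diff, so that is an assumption to confirm. open()'s body starts outside this hunk.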