    Drop full URLs from cross-origin access errors caused by protocol mismatches. · 18b6035c
    mkwst@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=112894
    
    Reviewed by Timothy Hatcher.
    
    Source/WebCore:
    
    Following up on http://wkbug.com/112813, this patch brings protocol
    mismatch errors into line with the new origin-only hotness. The message
    is also changed to display the URL's protocol rather than the origin's
    protocol: it makes a big difference for 'data:' URLs, for instance.
    
    * page/DOMWindow.cpp:
    (WebCore::DOMWindow::crossDomainAccessErrorMessage):
    
    LayoutTests:
    
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt:
    * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt:
    * http/tests/security/cross-frame-access-protocol-expected.txt:
    * http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
    * http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
    * http/tests/security/view-source-no-javascript-url-expected.txt:
    * http/tests/security/xssAuditor/block-does-not-leak-location-expected.txt:
    * http/tests/security/xssAuditor/block-does-not-leak-referrer-expected.txt:
    * http/tests/security/xssAuditor/full-block-base-href-expected.txt:
    * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt:
    * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt:
    * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
    * http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
    * http/tests/security/xssAuditor/full-block-script-tag-cross-domain-expected.txt:
    * http/tests/security/xssAuditor/full-block-script-tag-expected.txt:
    * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
    * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt:
    * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
    * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
    * platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
    * platform/chromium/http/tests/security/window-named-proto-expected.txt:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146516 268f45cc-cd09-0410-ab3c-d52691b4dbfc
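As an added illustration of the change described above (not WebKit's code; the URL parser and the message wording are constructed for this example), the function below builds a cross-origin access error from two frame URLs, reporting only the origin tuple and the URL's own protocol, so a path or query string such as a token never appears in the message and a `data:` frame reports `data` rather than the protocol of its opaque origin:

```cpp
#include <cassert>
#include <string>

// Minimal URL pieces; a constructed parser for this example, not WebKit's KURL.
struct Url {
    std::string scheme, host, port, rest;
};

Url parseUrl(const std::string& s) {
    Url u;
    size_t colon = s.find(':');
    u.scheme = s.substr(0, colon);
    std::string after = s.substr(colon + 1);
    if (after.compare(0, 2, "//") != 0) {
        u.rest = after;                         // opaque URL: data:, javascript:, ...
        return u;
    }
    after = after.substr(2);
    size_t end = after.find_first_of("/?#");
    std::string authority = after.substr(0, end);
    u.rest = (end == std::string::npos) ? "" : after.substr(end);
    size_t p = authority.find(':');
    u.host = authority.substr(0, p);
    if (p != std::string::npos) u.port = authority.substr(p + 1);
    return u;
}

// Serialize only the origin tuple (scheme, host, port). Path, query and
// fragment never reach the message; opaque origins serialize as "null".
std::string originString(const Url& u) {
    if (u.host.empty()) return "null";
    return u.scheme + "://" + u.host + (u.port.empty() ? "" : ":" + u.port);
}

// Hypothetical message shape, not WebKit's exact wording. The protocol is
// taken from the URL itself, so a data: frame reports "data".
std::string crossDomainAccessErrorMessage(const std::string& activeUrl,
                                          const std::string& targetUrl) {
    Url active = parseUrl(activeUrl), target = parseUrl(targetUrl);
    std::string message = "Blocked a frame with origin \"" + originString(active)
        + "\" from accessing a frame with origin \"" + originString(target) + "\".";
    if (active.scheme != target.scheme)
        message += " The frame requesting access has a protocol of \"" + active.scheme
            + "\", the frame being accessed has a protocol of \"" + target.scheme
            + "\". Protocols must match.";
    return message;
}
```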