weinig@apple.com authored
Reviewed by Sam Weinig.

Fix for http://bugs.webkit.org/show_bug.cgi?id=16775

We now use frame()->loader()->url() for postMessage, preventing a malicious sender from overwriting the uri property (using a <base> tag, for example). Also, use frame->loader()->url().host() instead of document()->SecurityOrigin()->domain() to reflect a recent clarification in the HTML5 spec.

Tests: http/tests/security/postMessage/domain-affected-by-document-domain.html
       http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html
       http/tests/security/postMessage/javascript-page-still-sends-domain.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::postMessage):

LayoutTests:

Reviewed by Sam Weinig.

Tests for http://bugs.webkit.org/show_bug.cgi?id=16775

* http/tests/security/postMessage: Added.
* http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag-expected.txt: Added.
* http/tests/security/postMessage/domain-and-uri-unaffected-by-base-tag.html: Added.
* http/tests/security/postMessage/domain-unaffected-by-document-domain-expected.txt: Added.
* http/tests/security/postMessage/domain-unaffected-by-document-domain.html: Added.
* http/tests/security/postMessage/javascript-page-still-sends-domain-expected.txt: Added.
* http/tests/security/postMessage/javascript-page-still-sends-domain.html: Added.
* http/tests/security/postMessage/resources: Added.
* http/tests/security/postMessage/resources/javascript-post-message-sender.html: Added.
* http/tests/security/postMessage/resources/post-message-listener.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@29678 268f45cc-cd09-0410-ab3c-d52691b4dbfc
59084be0