-
abarth@webkit.org authored
Reviewed by Eric Seidel. DOMWindow::setLocation doesn't understand that DOMWindow can be inactive https://bugs.webkit.org/show_bug.cgi?id=62057 Test that some esoteric combination of eval, load, and Location don't do something goofy. * http/tests/security/xss-DENIED-contentWindow-eval-expected.txt: Added. * http/tests/security/xss-DENIED-contentWindow-eval.html: Added. 2011-06-03 Adam Barth <abarth@webkit.org> Reviewed by Eric Seidel. DOMWindow::setLocation doesn't understand that DOMWindow can be inactive https://bugs.webkit.org/show_bug.cgi?id=62057 This code gets confused when dealing with inactive DOMWindows. We should just block inactive DOMWindows because there's no compatibility reason to support them in this code path. Test: http/tests/security/xss-DENIED-contentWindow-eval.html * page/DOMWindow.cpp: (WebCore::DOMWindow::isInsecureScriptAccess): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fff43268