Commit 234c23af authored by abarth@webkit.org's avatar abarth@webkit.org

2008-06-21 Adam Barth <abarth@webkit.org>

        Reviewed by Sam Weinig.

        Log error messages to the console when we deny a request for a URL.
        These error messages do not appear in LayoutTests, but they do
        appear in the WebInspector.

        * dom/XMLTokenizer.cpp:
        (WebCore::shouldAllowExternalLoad):
        * loader/DocLoader.cpp:
        (WebCore::DocLoader::requestResource):
        (WebCore::DocLoader::printAccessDeniedMessage):
        * loader/DocLoader.h:
        * xml/XSLTProcessor.cpp:
        (WebCore::docLoaderFunc):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34720 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c17c9594
2008-06-21 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
Log error messages to the console when we deny a request for a URL.
These error messages do not appear in LayoutTests, but they do
appear in the WebInspector.
* dom/XMLTokenizer.cpp:
(WebCore::shouldAllowExternalLoad):
* loader/DocLoader.cpp:
(WebCore::DocLoader::requestResource):
(WebCore::DocLoader::printAccessDeniedMessage):
* loader/DocLoader.h:
* xml/XSLTProcessor.cpp:
(WebCore::docLoaderFunc):
2008-06-21 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
......@@ -399,7 +399,12 @@ static bool shouldAllowExternalLoad(const KURL& url)
// retrieved content. If we had more context, we could potentially allow
// the parser to load a DTD. As things stand, we take the conservative
// route and allow same-origin requests only.
return globalDocLoader->doc()->securityOrigin()->canRequest(url);
if (!globalDocLoader->doc()->securityOrigin()->canRequest(url)) {
globalDocLoader->printAccessDeniedMessage(url);
return false;
}
return true;
}
static void* openFunc(const char* uri)
......
......@@ -32,12 +32,15 @@
#include "CachedImage.h"
#include "CachedScript.h"
#include "CachedXSLStyleSheet.h"
#include "Console.h"
#include "CString.h"
#include "Document.h"
#include "DOMWindow.h"
#include "Frame.h"
#include "FrameLoader.h"
#include "loader.h"
#include "SecurityOrigin.h"
#include "Settings.h"
#define PRELOAD_DEBUG 0
......@@ -158,8 +161,10 @@ CachedResource* DocLoader::requestResource(CachedResource::Type type, const Stri
case CachedResource::XBL:
#endif
#if ENABLE(XSLT) || ENABLE(XBL)
if (!m_doc->securityOrigin()->canRequest(fullURL))
if (!m_doc->securityOrigin()->canRequest(fullURL)) {
printAccessDeniedMessage(fullURL);
return 0;
}
break;
#endif
default:
......@@ -189,6 +194,30 @@ CachedResource* DocLoader::requestResource(CachedResource::Type type, const Stri
return resource;
}
void DocLoader::printAccessDeniedMessage(const KURL& url) const
{
if (url.isNull())
return;
if (!m_frame)
return;
Settings* settings = m_frame->settings();
if (!settings || settings->privateBrowsingEnabled())
return;
String message = m_doc->url().isNull() ?
String::format("Unsafe attempt to load URL %s.",
url.string().utf8().data()) :
String::format("Unsafe attempt to load URL %s from frame with URL %s. "
"Domains, protocols and ports must match.\n",
url.string().utf8().data(),
m_doc->url().string().utf8().data());
// FIXME: provide a real line number and source URL.
m_frame->domWindow()->console()->addMessage(OtherMessageSource, ErrorMessageLevel, message, 1, String());
}
void DocLoader::setAutoLoadImages(bool enable)
{
if (enable == m_autoLoadImages)
......
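Review bot: The two messages built in printAccessDeniedMessage are inconsistent, because the two-URL form ends with `\n` and the single-URL form does not, so console entries differ depending on whether `m_doc->url()` is null. Ending the longer literal with `"Domains, protocols and ports must match."` (no newline) would make them match. The early return on `settings->privateBrowsingEnabled()` needs a why-comment such as `// Do not record attempted URLs in the console while private browsing is on.`; that reason is presumed and should be confirmed, since the code does not state it. `m_doc` is also dereferenced without the kind of guard `m_frame` gets, so if a non-null document is an invariant of DocLoader, `ASSERT(m_doc);` at the top of the function would document it.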
......@@ -67,6 +67,9 @@ public:
CachedXBLDocument* requestXBLDocument(const String &url);
#endif
// Logs an access denied message to the console for the specified URL.
void printAccessDeniedMessage(const KURL& url) const;
CachedResource* cachedResource(const String& url) const { return m_docResources.get(url); }
const HashMap<String, CachedResource*>& allCachedResources() const { return m_docResources; }
......
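Review bot: The comment on the new public declaration omits the cases in which nothing is logged, although callers in other files now rely on this method to report denied loads. From the definition in DocLoader.cpp, the call returns silently when the URL is null, when the loader has no frame, or when private browsing is enabled. I would extend the comment to `// Logs an access denied message to the console for the specified URL. Does nothing if the URL is null, there is no frame, or private browsing is enabled.` so nobody assumes every denial leaves a console trace.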
......@@ -129,6 +129,8 @@ static xmlDocPtr docLoaderFunc(const xmlChar* uri,
if (globalDocLoader->frame() && globalDocLoader->doc()->securityOrigin()->canRequest(url))
globalDocLoader->frame()->loader()->loadResourceSynchronously(url, error, response, data);
else
globalDocLoader->printAccessDeniedMessage(url);
Console* console = 0;
if (Frame* frame = globalProcessor->xslStylesheet()->ownerDocument()->frame())
......
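Review bot: The new `else` branch is reached both when `canRequest(url)` fails and when `globalDocLoader->frame()` is null, so the call reads as an access-denied report for a case that is not a same-origin denial. Nothing misleading appears to be logged, because printAccessDeniedMessage in DocLoader.cpp returns early when it has no frame, but that relies on behaviour defined in another file. A comment on the branch such as `// Also taken when there is no frame; printAccessDeniedMessage() logs nothing in that case.` would make the dependency explicit. docLoaderFunc starts before and continues after this hunk, so how the empty `data` is handled after a denial is not visible here.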