Reviewed by Darin Adler.
https://bugs.webkit.org/show_bug.cgi?id=23535 Strengthen debug checks in KURL Covered (and prompted) by existing tests. * platform/KURL.cpp: (WebCore::checkEncodedString): Check that the first character of the URL is an allowed first scheme character, not just that it isn't a slash. (WebCore::KURL::KURL): Assert that parsing didn't affect the string (which must be the case because of parsing being idempotent). * page/SecurityOrigin.cpp: (WebCore::SecurityOrigin::create): Added a check for the URL being valid - if it is not, an empty security origin is created. (WebCore::SecurityOrigin::createFromString): Parse the string as URL, do not just convert it - it is not guaranteed to be properly encoded. * dom/Document.cpp: (WebCore::Document::updateBaseURL): As documentURI is an arbitrary string, it needs to be parsed into an URL, not just converted into one. * html/CanvasRenderingContext2D.cpp: (WebCore::CanvasRenderingContext2D::createPattern): Create the security origin with createFromString() instead of create(). I do not know where the string comes from and whether it might not be properly encoded, but this change can't hurt, and makes the code slightly more clear. * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::accessControlCheck): Create the security origin with createFromString() instead of create(). The string comes from an HTTP response header, so it may not be a properly encoded URL. * loader/DocLoader.cpp: (WebCore::DocLoader::requestResource): Do not try to request using invalid URLs. * page/DOMWindow.cpp: (WebCore::DOMWindow::postMessage): Updated to call SecurityOrigin::createFromString() (no change in behavior). git-svn-id: http://svn.webkit.org/repository/webkit/trunk@40242 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Showing with 58 additions and 13 deletions