Commit 48cade35 authored by abarth@webkit.org's avatar abarth@webkit.org
Browse files

WebCore:

2008-10-23  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=21787

        Update postMessage to send origin = "null" for non-serializable
        origins to match latest spec.  Merge SecurityOrigin::toString and
        SecurityOrigin::toHTTPOrigin because they are now the same.

        Test: http/tests/security/postMessage/data-url-sends-null-origin.html

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::outgoingOrigin):
        (WebCore::FrameLoader::loadURL):
        (WebCore::FrameLoader::addHTTPOriginIfNeeded):
        (WebCore::FrameLoader::loadItem):
        * loader/loader.cpp:
        (WebCore::Loader::Host::servePendingRequests):
        * page/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::toString):
        * page/SecurityOrigin.h:
        * xml/XMLHttpRequest.cpp:
        (WebCore::XMLHttpRequest::makeSimpleCrossSiteAccessRequest):
        (WebCore::XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight):
        (WebCore::XMLHttpRequest::handleAsynchronousPreflightResult):
        (WebCore::XMLHttpRequest::didReceiveResponsePreflight):

LayoutTests:

2008-10-23  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=21787

        Add test coverage for postMessaging from a data URL.

        * http/tests/security/postMessage/data-url-sends-null-origin-expected.txt: Added.
        * http/tests/security/postMessage/data-url-sends-null-origin.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@37805 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 81903a76
2008-10-23 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
https://bugs.webkit.org/show_bug.cgi?id=21787
Add test coverage for postMessaging from a data URL.
* http/tests/security/postMessage/data-url-sends-null-origin-expected.txt: Added.
* http/tests/security/postMessage/data-url-sends-null-origin.html: Added.
2008-10-22 Cameron Zwarich <zwarich@apple.com>
Reviewed by Kevin McCullough.
......
window.location.href = http://127.0.0.1:8000/security/postMessage/data-url-sends-null-origin.html
Received message: data="Hello from child" origin="null"
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
}
function recv(e) {
var msg = 'Received message: data="' + e.data + '" origin="' + e.origin + '"';
document.getElementById("result").firstChild.data = msg;
if (window.layoutTestController)
layoutTestController.notifyDone();
}
addEventListener("message", recv, false);
</script>
<base href="http://www.example.com/">
<body>
<div>window.location.href = <script>document.write(document.location.href);</script></div>
<div><iframe src="data:text/html,<script>top.postMessage('Hello from child', '*');document.write('Message sent');</script>"
id="child" width="800" height="300" style="border: 1px solid black;">
</iframe></div>
<div id="result">waiting...</div>
</body>
</html>
2008-10-23 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
https://bugs.webkit.org/show_bug.cgi?id=21787
Update postMessage to send origin = "null" for non-serializable
origins to match latest spec. Merge SecurityOrigin::toString and
SecurityOrigin::toHTTPOrigin because they are now the same.
Test: http/tests/security/postMessage/data-url-sends-null-origin.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::outgoingOrigin):
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::addHTTPOriginIfNeeded):
(WebCore::FrameLoader::loadItem):
* loader/loader.cpp:
(WebCore::Loader::Host::servePendingRequests):
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::toString):
* page/SecurityOrigin.h:
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::makeSimpleCrossSiteAccessRequest):
(WebCore::XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight):
(WebCore::XMLHttpRequest::handleAsynchronousPreflightResult):
(WebCore::XMLHttpRequest::didReceiveResponsePreflight):
2008-10-22 David Kilzer <ddkilzer@apple.com>
 
Bug 21781: WebCore::Settings should have a maximum decoded image size setting
......
......@@ -1790,9 +1790,9 @@ String FrameLoader::outgoingReferrer() const
String FrameLoader::outgoingOrigin() const
{
if (m_frame->document())
return m_frame->document()->securityOrigin()->toHTTPOrigin();
return m_frame->document()->securityOrigin()->toString();
return SecurityOrigin::createEmpty()->toHTTPOrigin();
return SecurityOrigin::createEmpty()->toString();
}
Frame* FrameLoader::opener()
......@@ -2138,7 +2138,7 @@ void FrameLoader::loadURL(const KURL& newURL, const String& referrer, const Stri
if (!referrer.isEmpty()) {
request.setHTTPReferrer(referrer);
RefPtr<SecurityOrigin> referrerOrigin = SecurityOrigin::createFromString(referrer);
addHTTPOriginIfNeeded(request, referrerOrigin->toHTTPOrigin());
addHTTPOriginIfNeeded(request, referrerOrigin->toString());
}
addExtraFieldsToRequest(request, true, event || isFormSubmission);
if (newLoadType == FrameLoadTypeReload)
......@@ -3444,7 +3444,7 @@ void FrameLoader::addHTTPOriginIfNeeded(ResourceRequest& request, String origin)
if (origin.isEmpty()) {
// If we don't know what origin header to attach, we attach the value
// for an empty origin.
origin = SecurityOrigin::createEmpty()->toHTTPOrigin();
origin = SecurityOrigin::createEmpty()->toString();
}
request.setHTTPOrigin(origin);
......@@ -4356,7 +4356,7 @@ void FrameLoader::loadItem(HistoryItem* item, FrameLoadType loadType)
request.setHTTPBody(formData);
request.setHTTPContentType(item->formContentType());
RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::createFromString(item->formReferrer());
addHTTPOriginIfNeeded(request, securityOrigin->toHTTPOrigin());
addHTTPOriginIfNeeded(request, securityOrigin->toString());
// FIXME: Slight hack to test if the NSURL cache contains the page we're going to.
// We want to know this before talking to the policy delegate, since it affects whether
......
......@@ -240,7 +240,7 @@ void Loader::Host::servePendingRequests(RequestQueue& requestsPending, bool& ser
if ((referrer.protocolIs("http") || referrer.protocolIs("https")) && referrer.path().isEmpty())
referrer.setPath("/");
resourceRequest.setHTTPReferrer(referrer.string());
FrameLoader::addHTTPOriginIfNeeded(resourceRequest, docLoader->doc()->securityOrigin()->toHTTPOrigin());
FrameLoader::addHTTPOriginIfNeeded(resourceRequest, docLoader->doc()->securityOrigin()->toString());
if (resourceIsCacheValidator) {
CachedResource* resourceToRevalidate = request->cachedResource()->resourceToRevalidate();
......
......@@ -198,10 +198,10 @@ bool SecurityOrigin::isSecureTransitionTo(const KURL& url) const
String SecurityOrigin::toString() const
{
if (isEmpty())
return String();
return "null";
if (m_noAccess)
return String();
return "null";
if (m_protocol == "file")
return String("file://");
......@@ -220,15 +220,6 @@ String SecurityOrigin::toString() const
return String::adopt(result);
}
String SecurityOrigin::toHTTPOrigin() const
{
String origin = toString();
if (origin.isEmpty())
return "null";
return origin;
}
PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
{
return SecurityOrigin::create(KURL(originString));
......
......@@ -103,14 +103,9 @@ namespace WebCore {
// representation of a SecurityOrigin is similar to a URL, except it
// lacks a path component. The string representation does not encode
// the value of the SecurityOrigin's domain property. The empty
// SecurityOrigin is represented with the null string.
// SecurityOrigin is represented with the string "null".
String toString() const;
// Convert this SecurityOrigin into a string for use in the HTTP Origin
// header. This is similar to toString(), except that the empty
// SecurityOrigin is represented as the string "null".
String toHTTPOrigin() const;
// Serialize the security origin for storage in the database. This format is
// deprecated and should be used only for compatibility with old databases;
// use toString() and createFromString() instead.
......
......@@ -543,7 +543,7 @@ void XMLHttpRequest::makeSimpleCrossSiteAccessRequest(ExceptionCode& ec)
ResourceRequest request(url);
request.setHTTPMethod(m_method);
request.setAllowHTTPCookies(m_includeCredentials);
request.setHTTPOrigin(document()->securityOrigin()->toHTTPOrigin());
request.setHTTPOrigin(document()->securityOrigin()->toString());
if (m_requestHeaders.size() > 0)
request.addHTTPHeaderFields(m_requestHeaders);
......@@ -574,7 +574,7 @@ static bool canSkipPrelight(PreflightResultCache::iterator cacheIt, bool include
void XMLHttpRequest::makeCrossSiteAccessRequestWithPreflight(ExceptionCode& ec)
{
String origin = document()->securityOrigin()->toHTTPOrigin();
String origin = document()->securityOrigin()->toString();
KURL url = m_url;
url.setUser(String());
url.setPass(String());
......@@ -662,7 +662,7 @@ void XMLHttpRequest::handleAsynchronousPreflightResult()
ResourceRequest request(url);
request.setHTTPMethod(m_method);
request.setAllowHTTPCookies(m_includeCredentials);
request.setHTTPOrigin(document()->securityOrigin()->toHTTPOrigin());
request.setHTTPOrigin(document()->securityOrigin()->toString());
if (m_requestHeaders.size() > 0)
request.addHTTPHeaderFields(m_requestHeaders);
......@@ -1186,7 +1186,7 @@ void XMLHttpRequest::didReceiveResponsePreflight(SubresourceLoader*, const Resou
if (!parseAccessControlMaxAge(response.httpHeaderField("Access-Control-Max-Age"), expiryDelta))
expiryDelta = 5;
appendPreflightResultCacheEntry(document()->securityOrigin()->toHTTPOrigin(), m_url, expiryDelta, m_includeCredentials, methods.release(), headers.release());
appendPreflightResultCacheEntry(document()->securityOrigin()->toString(), m_url, expiryDelta, m_includeCredentials, methods.release(), headers.release());
}
void XMLHttpRequest::receivedCancellation(SubresourceLoader*, const AuthenticationChallenge& challenge)
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment