Commit c4eeafc6 authored by ap@apple.com's avatar ap@apple.com

Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=38497
        <rdar://problem/7759438> Make sure that http URLs always have a host in SecurityOrigin

        This is a hardening fix, and behavior really depends on what an underlying networking layer
        does. So, no test.

        * page/SecurityOrigin.cpp:
        (WebCore::schemeRequiresAuthority): List schemes that need an authority for successful loading.
        (WebCore::SecurityOrigin::SecurityOrigin): Never let e.g. http origins with empty authorities
        have the same security origin.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@58792 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 639abe1f
2010-05-03 Alexey Proskuryakov <ap@apple.com>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=38497
<rdar://problem/7759438> Make sure that http URLs always have a host in SecurityOrigin
This is a hardening fix, and behavior really depends on what an underlying networking layer
does. So, no test.
* page/SecurityOrigin.cpp:
(WebCore::schemeRequiresAuthority): List schemes that need an authority for successful loading.
(WebCore::SecurityOrigin::SecurityOrigin): Never let e.g. http origins with empty authorities
have the same security origin.
2010-05-04 Zhenyao Mo <zmo@google.com>
Reviewed by Dimitri Glazkov.
......@@ -89,6 +89,20 @@ static URLSchemesMap& schemesWithUniqueOrigins()
return schemesWithUniqueOrigins;
}
static bool schemeRequiresAuthority(const String& scheme)
{
DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ());
if (schemes.isEmpty()) {
schemes.add("http");
schemes.add("https");
schemes.add("ftp");
}
return schemes.contains(scheme);
}
SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
: m_sandboxFlags(sandboxFlags)
, m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
......@@ -103,6 +117,10 @@ SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
if (m_protocol == "about" || m_protocol == "javascript")
m_protocol = "";
// For edge case URLs that were probably misparsed, make sure that the origin is unique.
if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty())
m_isUnique = true;
// document.domain starts as m_host, but can be set by the DOM.
m_domain = m_host;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment