1 /* | 1 /* |
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) | 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) |
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) | 3 * (C) 1999 Antti Koivisto (koivisto@kde.org) |
4 * (C) 2001 Dirk Mueller (mueller@kde.org) | 4 * (C) 2001 Dirk Mueller (mueller@kde.org) |
5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) | 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) |
6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011 Apple Inc. All rights
reserved. | 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011 Apple Inc. All rights
reserved. |
7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t
orchmobile.com/) | 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t
orchmobile.com/) |
8 * Copyright (C) 2008, 2009, 2011 Google Inc. All rights reserved. | 8 * Copyright (C) 2008, 2009, 2011 Google Inc. All rights reserved. |
9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) | 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) |
10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. | 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. |
332 #ifdef TARGETING_LEOPARD | 332 #ifdef TARGETING_LEOPARD |
333 // Disable Range mutation on document modifications in Leopard Mail. | 333 // Disable Range mutation on document modifications in Leopard Mail. |
334 // See <rdar://problem/5865171> | 334 // See <rdar://problem/5865171> |
335 return page && page->settings()->needsLeopardMailQuirks(); | 335 return page && page->settings()->needsLeopardMailQuirks(); |
336 #else | 336 #else |
337 UNUSED_PARAM(page); | 337 UNUSED_PARAM(page); |
338 return false; | 338 return false; |
339 #endif | 339 #endif |
340 } | 340 } |
341 | 341 |
| 342 static bool canAccessAncestor(const SecurityOrigin* activeSecurityOrigin, Frame*
targetFrame) |
| 343 { |
| 344 // targetFrame can be 0 when we're trying to navigate a top-level frame |
| 345 // that has a 0 opener. |
| 346 if (!targetFrame) |
| 347 return false; |
| 348 |
| 349 const bool isLocalActiveOrigin = activeSecurityOrigin->isLocal(); |
| 350 for (Frame* ancestorFrame = targetFrame; ancestorFrame; ancestorFrame = ance
storFrame->tree()->parent()) { |
| 351 Document* ancestorDocument = ancestorFrame->document(); |
| 352 // FIXME: Should be an ASSERT? Frames should alway have documents. |
| 353 if (!ancestorDocument) |
| 354 return true; |
| 355 |
| 356 const SecurityOrigin* ancestorSecurityOrigin = ancestorDocument->securit
yOrigin(); |
| 357 if (activeSecurityOrigin->canAccess(ancestorSecurityOrigin)) |
| 358 return true; |
| 359 |
| 360 // Allow file URL descendant navigation even when allowFileAccessFromFil
eURLs is false. |
| 361 // FIXME: It's a bit strange to special-case local origins here. Should
we be doing |
| 362 // something more general instead? |
| 363 if (isLocalActiveOrigin && ancestorSecurityOrigin->isLocal()) |
| 364 return true; |
| 365 } |
| 366 |
| 367 return false; |
| 368 } |
| 369 |
342 static HashSet<Document*>* documentsThatNeedStyleRecalc = 0; | 370 static HashSet<Document*>* documentsThatNeedStyleRecalc = 0; |
343 | 371 |
344 class DocumentWeakReference : public ThreadSafeRefCounted<DocumentWeakReference>
{ | 372 class DocumentWeakReference : public ThreadSafeRefCounted<DocumentWeakReference>
{ |
345 public: | 373 public: |
346 static PassRefPtr<DocumentWeakReference> create(Document* document) | 374 static PassRefPtr<DocumentWeakReference> create(Document* document) |
347 { | 375 { |
348 return adoptRef(new DocumentWeakReference(document)); | 376 return adoptRef(new DocumentWeakReference(document)); |
349 } | 377 } |
350 | 378 |
351 Document* document() | 379 Document* document() |
2527 } | 2555 } |
2528 | 2556 |
2529 void Document::disableEval() | 2557 void Document::disableEval() |
2530 { | 2558 { |
2531 if (!frame()) | 2559 if (!frame()) |
2532 return; | 2560 return; |
2533 | 2561 |
2534 frame()->script()->disableEval(); | 2562 frame()->script()->disableEval(); |
2535 } | 2563 } |
2536 | 2564 |
| 2565 bool Document::canNavigate(Frame* targetFrame) |
| 2566 { |
| 2567 // The navigation change is safe if the active document is: |
| 2568 // - in the same security origin as the target or one of the target's |
| 2569 // ancestors. |
| 2570 // |
| 2571 // Or the target frame is: |
| 2572 // - a top-level frame in the frame hierarchy and the active frame can |
| 2573 // navigate the target frame's opener per above or it is the opener of |
| 2574 // the target frame. |
| 2575 |
| 2576 if (!m_frame) |
| 2577 return false; |
| 2578 |
| 2579 // FIXME: Do we actually ever call this function without a targetFrame? |
| 2580 if (!targetFrame) |
| 2581 return true; |
| 2582 |
| 2583 // Performance optimization. |
| 2584 // FIXME: Delete this code. It seems very unlikely that this affects perform
ance. |
| 2585 if (m_frame == targetFrame) |
| 2586 return true; |
| 2587 |
| 2588 // Let a document navigate window.top so that it can framebust. |
| 2589 if (!isSandboxed(SandboxTopNavigation) && targetFrame == m_frame->tree()->to
p()) |
| 2590 return true; |
| 2591 |
| 2592 // A sandboxed frame can only navigate itself and its descendants. |
| 2593 if (isSandboxed(SandboxNavigation) && !targetFrame->tree()->isDescendantOf(m
_frame)) |
| 2594 return false; |
| 2595 |
| 2596 // Let a frame navigate its opener if the opener is a top-level window. |
| 2597 if (!targetFrame->tree()->parent() && m_frame->loader()->opener() == targetF
rame) |
| 2598 return true; |
| 2599 |
| 2600 // For top-level windows, check the opener. |
| 2601 // FIXME: Can this check be combined with the previous check? |
| 2602 if (!targetFrame->tree()->parent() && canAccessAncestor(securityOrigin(), ta
rgetFrame->loader()->opener())) |
| 2603 return true; |
| 2604 |
| 2605 // In general, check the frame's ancestors. |
| 2606 if (canAccessAncestor(securityOrigin(), targetFrame)) |
| 2607 return true; |
| 2608 |
| 2609 Document* targetDocument = targetFrame->document(); |
| 2610 // FIXME: this error message should contain more specifics of why the naviga
tion change is not allowed. |
| 2611 String message = "Unsafe JavaScript attempt to initiate a navigation change
for frame with URL " + |
| 2612 targetDocument->url().string() + " from frame with URL " +
url().string() + ".\n"; |
| 2613 |
| 2614 // FIXME: should we print to the console of the activeFrame as well? |
| 2615 targetFrame->domWindow()->printErrorMessage(message); |
| 2616 |
| 2617 return false; |
| 2618 } |
| 2619 |
2537 CSSStyleSheet* Document::pageUserSheet() | 2620 CSSStyleSheet* Document::pageUserSheet() |
2538 { | 2621 { |
2539 if (m_pageUserSheet) | 2622 if (m_pageUserSheet) |
2540 return m_pageUserSheet.get(); | 2623 return m_pageUserSheet.get(); |
2541 | 2624 |
2542 Page* owningPage = page(); | 2625 Page* owningPage = page(); |
2543 if (!owningPage) | 2626 if (!owningPage) |
2544 return 0; | 2627 return 0; |
2545 | 2628 |
2546 String userSheetText = owningPage->userStyleSheet(); | 2629 String userSheetText = owningPage->userStyleSheet(); |
5409 | 5492 |
5410 NodeListsNodeData* data = rareData()->nodeLists(); | 5493 NodeListsNodeData* data = rareData()->nodeLists(); |
5411 | 5494 |
5412 String localTypeNames = typeNames.isNull() ? String("http://webkit.org/micro
data/undefinedItemType") : typeNames; | 5495 String localTypeNames = typeNames.isNull() ? String("http://webkit.org/micro
data/undefinedItemType") : typeNames; |
5413 ASSERT_UNUSED(list, list == data->m_microDataItemListCache.get(localTypeName
s)); | 5496 ASSERT_UNUSED(list, list == data->m_microDataItemListCache.get(localTypeName
s)); |
5414 data->m_microDataItemListCache.remove(localTypeNames); | 5497 data->m_microDataItemListCache.remove(localTypeNames); |
5415 } | 5498 } |
5416 #endif | 5499 #endif |
5417 | 5500 |
5418 } // namespace WebCore | 5501 } // namespace WebCore |
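Review bot: Both new helpers fail open on unexpected state: `canAccessAncestor` returns `true` when an ancestor frame has no document (the `if (!ancestorDocument) return true;` under the FIXME), and `canNavigate` returns `true` for a null `targetFrame` even though `canAccessAncestor` returns `false` for that same case. A missing document means the origin cannot be checked at all, so an access-control decision should deny rather than grant; I would make it `ASSERT(ancestorDocument); if (!ancestorDocument) return false;` and resolve the null-target FIXME in `canNavigate` with `return false` as well, so the two functions agree. The `isLocal()` special case just below deliberately lets any file: origin navigate a frame with a file: ancestor regardless of `allowFileAccessFromFileURLs`; the comment should state that this setting therefore does not restrict navigation, so its scope is not misread by later maintainers. The enclosing Document class begins and ends outside the visible hunks.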