75155 2011-12-22 17:45:20 -0800 [chromium] Add isSameSchemeHostPort method to WebSecurityOrigin 2012-05-07 12:09:23 -0700 1 1 1 Unclassified WebKit WebKit API 528+ (Nightly build) Unspecified Unspecified RESOLVED WONTFIX P2 Normal --- 73337 1 supersat supersat abarth creis fishd webkit.review.bot oldest_to_newest 526668 0 supersat 2011-12-22 17:45:20 -0800 To support cross-process postMessage (bug 73337), we need to perform an origin check in Chromium. WebKit does the same check by calling SecurityOrigin::isSameSchemeHostPort. So, we need a way to call this function from Chromium. 526669 1 120419 supersat 2011-12-22 17:47:14 -0800 Created attachment 120419 Patch 526671 2 webkit.review.bot 2011-12-22 17:49:11 -0800 Please wait for approval from fishd@chromium.org before submitting because this patch contains changes to the Chromium public API. 526677 3 120419 abarth 2011-12-22 18:13:28 -0800 Comment on attachment 120419 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=120419&action=review > Source/WebKit/chromium/public/WebSecurityOrigin.h:96 > + // Returns true if this origin matches the other's scheme, host, and port > + WEBKIT_EXPORT bool isSameSchemeHostPort(const WebSecurityOrigin&) const; Hum... I can understand why you wrote this patch, but it makes me somewhat sad. isSameSchemeHostPort is a tempting function to call, but it's almost aways wrong. Is there some way we can do this access check inside of WebKit or WebCore instead of exposing this sandtrap to the embedder? 526678 4 120419 supersat 2011-12-22 18:17:25 -0800 Comment on attachment 120419 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=120419&action=review >> Source/WebKit/chromium/public/WebSecurityOrigin.h:96 >> + WEBKIT_EXPORT bool isSameSchemeHostPort(const WebSecurityOrigin&) const; > > Hum... I can understand why you wrote this patch, but it makes me somewhat sad. isSameSchemeHostPort is a tempting function to call, but it's almost aways wrong. Is there some way we can do this access check inside of WebKit or WebCore instead of exposing this sandtrap to the embedder? We could move this check into SecurityOrigin, which is what bug 73359 did. However, we wouldn't need to add grantReceivePostMessagesFromAnyOrigin(). Alternatively, we could add an API to call DOMWindow::postMessage instead of just injecting the event. 526684 5 abarth 2011-12-22 18:33:52 -0800 > Alternatively, we could add an API to call DOMWindow::postMessage instead of just injecting the event. That's probably the best choice. It seems like an API that other code might want to call as well. 526685 6 abarth 2011-12-22 18:34:33 -0800 We'd probably add that on WebFrame since I don't think we have a notion of the DOMWindow in the API. 617807 7 creis 2012-05-07 12:09:23 -0700 We're now going to expose checkAndDispatchMessageEvent in bug 85815, making this bug obsolete. 120419 2011-12-22 17:47:14 -0800 2011-12-22 18:17:25 -0800 Patch bug-75155-20111222174712.patch text/plain 2388 supersat U3VidmVyc2lvbiBSZXZpc2lvbjogMTAzNDc2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L2No cm9taXVtL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvY2hyb21pdW0vQ2hhbmdlTG9nCmluZGV4 IDdhOTcyYjhmM2RmMDFiZjRkNjhiMTQyY2RiNDBkNzA3YjFmY2NjM2EuLmNhMGM1MWUwOGRiMThj M2JmMDE4Y2Q5YmM1YzY4YjA5OTcwOTMwYWUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvY2hy b21pdW0vQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJLaXQvY2hyb21pdW0vQ2hhbmdlTG9nCkBA IC0xLDMgKzEsMTQgQEAKKzIwMTEtMTItMjIgIEthcmwgS29zY2hlciAgPHN1cGVyc2F0QGNocm9t aXVtLm9yZz4KKworICAgICAgICBbY2hyb21pdW1dIEFkZCBpc1NhbWVTY2hlbWVIb3N0UG9ydCBt ZXRob2QgdG8gV2ViU2VjdXJpdHlPcmlnaW4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTc1MTU1CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgKiBwdWJsaWMvV2ViU2VjdXJpdHlPcmlnaW4uaDoKKyAgICAgICAg KiBzcmMvV2ViU2VjdXJpdHlPcmlnaW4uY3BwOgorICAgICAgICAoV2ViS2l0OjpXZWJTZWN1cml0 eU9yaWdpbjo6aXNTYW1lU2NoZW1lSG9zdFBvcnQpOgorCiAyMDExLTEyLTIwICBBbmRyZXkgS29z eWFrb3YgIDxjYXNlcUBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgV2ViIEluc3BlY3RvcjogW0V4 dGVuc2lvbiBBUEldIHJlZmFjdG9yIGV4dGVuc2lvbiBBUEkgYnVpbGQgY29kZSwgZXhwb3NlIGV4 cGVyaW1lbnRhbCBBUElzIGNvbmRpdGlvbmFsbHkgaW4gY2hyb21pdW0KZGlmZiAtLWdpdCBhL1Nv dXJjZS9XZWJLaXQvY2hyb21pdW0vcHVibGljL1dlYlNlY3VyaXR5T3JpZ2luLmggYi9Tb3VyY2Uv V2ViS2l0L2Nocm9taXVtL3B1YmxpYy9XZWJTZWN1cml0eU9yaWdpbi5oCmluZGV4IGZmZGRmMDkz YTQ3MzM5YjZhMGJmODRjYmFhZmM3ZWQ1YWMwOTkzZjIuLjI4NzFkN2YyZmIwYjAyNTAyZDNjZGY5 MjYyZGYyZTg0Nzg1ZWJkMjkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvY2hyb21pdW0vcHVi bGljL1dlYlNlY3VyaXR5T3JpZ2luLmgKKysrIGIvU291cmNlL1dlYktpdC9jaHJvbWl1bS9wdWJs aWMvV2ViU2VjdXJpdHlPcmlnaW4uaApAQCAtOTIsNiArOTIsOSBAQCBwdWJsaWM6CiAgICAgLy8g YmUgdXNlZCBhcyBhIGZpbGUuICBTaG91bGQgYmUgdXNlZCBpbiBzdG9yYWdlIEFQSXMgb25seS4K ICAgICBXRUJLSVRfRVhQT1JUIFdlYlN0cmluZyBkYXRhYmFzZUlkZW50aWZpZXIoKSBjb25zdDsK IAorICAgIC8vIFJldHVybnMgdHJ1ZSBpZiB0aGlzIG9yaWdpbiBtYXRjaGVzIHRoZSBvdGhlcidz IHNjaGVtZSwgaG9zdCwgYW5kIHBvcnQKKyAgICBXRUJLSVRfRVhQT1JUIGJvb2wgaXNTYW1lU2No ZW1lSG9zdFBvcnQoY29uc3QgV2ViU2VjdXJpdHlPcmlnaW4mKSBjb25zdDsKKwogICAgIC8vIFJl dHVybnMgdHJ1ZSBpZiB0aGlzIFdlYlNlY3VyaXR5T3JpZ2luIGNhbiBhY2Nlc3MgdXNlcm5hbWVz IGFuZCAKICAgICAvLyBwYXNzd29yZHMgc3RvcmVkIGluIHBhc3N3b3JkIG1hbmFnZXIuCiAgICAg V0VCS0lUX0VYUE9SVCBib29sIGNhbkFjY2Vzc1Bhc3N3b3JkTWFuYWdlcigpIGNvbnN0OwpkaWZm IC0tZ2l0IGEvU291cmNlL1dlYktpdC9jaHJvbWl1bS9zcmMvV2ViU2VjdXJpdHlPcmlnaW4uY3Bw IGIvU291cmNlL1dlYktpdC9jaHJvbWl1bS9zcmMvV2ViU2VjdXJpdHlPcmlnaW4uY3BwCmluZGV4 IGFmZTIwNGQ1NWFjNzk3NTZkZjAxODYzYjZjMTdhYzY5OWJhZTYwNTcuLmMxZDUxNTM3NzY3YWMz ZGJiODU4N2Q4YzEwZjZlYmZkYTI0NGJjN2IgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvY2hy b21pdW0vc3JjL1dlYlNlY3VyaXR5T3JpZ2luLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0L2Nocm9t aXVtL3NyYy9XZWJTZWN1cml0eU9yaWdpbi5jcHAKQEAgLTEyMSw2ICsxMjEsMTMgQEAgV2ViU3Ry aW5nIFdlYlNlY3VyaXR5T3JpZ2luOjpkYXRhYmFzZUlkZW50aWZpZXIoKSBjb25zdAogICAgIHJl dHVybiBtX3ByaXZhdGUtPmRhdGFiYXNlSWRlbnRpZmllcigpOwogfQogCitib29sIFdlYlNlY3Vy aXR5T3JpZ2luOjppc1NhbWVTY2hlbWVIb3N0UG9ydChjb25zdCBXZWJTZWN1cml0eU9yaWdpbiYg b3RoZXIpIGNvbnN0Cit7CisgICAgQVNTRVJUKG1fcHJpdmF0ZSk7CisgICAgQVNTRVJUKG90aGVy Lm1fcHJpdmF0ZSk7CisgICAgcmV0dXJuIG1fcHJpdmF0ZS0+aXNTYW1lU2NoZW1lSG9zdFBvcnQo b3RoZXIubV9wcml2YXRlKTsKK30KKwogYm9vbCBXZWJTZWN1cml0eU9yaWdpbjo6Y2FuQWNjZXNz UGFzc3dvcmRNYW5hZ2VyKCkgY29uc3QKIHsKICAgICBBU1NFUlQobV9wcml2YXRlKTsK