Bug 272734
| Summary: | Investigate SecurityOrigin::shouldIgnoreHost() | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Anne van Kesteren <annevk> |
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Anne van Kesteren
In particular the way this method is used doesn't seem very sound. Stripping the host and port of data:/about:/javascript:/file: URLs and then just carrying on as if nothing happened.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/126907661>
Anne van Kesteren
These checks are the result of bug 205157 and bug 212739. I can see them working for file: URLs, but not for about: URLs. E.g., location="about://test:12/blank" stays as about://test:12/blank in the address bar, though document.URL does end up returning about:///blank. (Not sure how beneficial that is as it doesn't work as a URL anyway.)
I also think Windows ports would not want this behavior as there file: URLs with hosts have significant meaning.
A proper fix here would likely to make it a network error when schemes violate certain invariants we decide to care about.