Bug 84865

Summary: SecurityOrigin::canDisplay() should return true when m_universalAccess is true
Product: WebKit Reporter: Yong Li <yong.li.webkit>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, sam, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch none

Yong Li
Reported 2012-04-25 07:59:43 PDT
At the time m_universalAccess was invented, it was supposed to by-pass all security checks. http://trac.webkit.org/changeset/40449 2009-01-30 Adam Barth < abarth@webkit.org> Reviewed by Sam Weinig. Add a pref to disable web security. Then SecurityOrigin::canLoad() was added later with code moved from FrameLoader, and it doesn't respect m_universalAccess. The result is even m_universalAccess is on, there can still be some contents blocked by canLoad(). I think it makes sense that SecurityOrigin::canLoad() should also check m_universalAccess.
Attachments
the patch (1.45 KB, patch)
2012-04-27 11:56 PDT, Yong Li 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yong Li
Comment 1 2012-04-25 10:29:54 PDT
Any objection?
Yong Li
Comment 2 2012-04-27 11:47:42 PDT
Actually I mean "canDisplay"
Yong Li
Comment 3 2012-04-27 11:56:34 PDT
Created attachment 139244 [details] the patch
Yong Li
Comment 4 2012-06-20 12:48:13 PDT
Comment on attachment 139244 [details] the patch Thanks!
WebKit Review Bot
Comment 5 2012-06-20 13:24:07 PDT
Comment on attachment 139244 [details] the patch Clearing flags on attachment: 139244 Committed r120855: <http://trac.webkit.org/changeset/120855>
WebKit Review Bot
Comment 6 2012-06-20 13:24:23 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.