No need for isURLAllowed function in Frame
Created attachment 209578 [details] Patch
Comment on attachment 209578 [details] Patch Attachment 209578 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/1555802 New failing tests: http/tests/security/xss-DENIED-object-element.html
Created attachment 209583 [details] Archive of layout-test-results from webkit-ews-07 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-07 Port: mac-mountainlion Platform: Mac OS X 10.8.4
Comment on attachment 209578 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209578&action=review > Source/WebCore/html/HTMLPlugInImageElement.cpp:-175 > - if (contentFrame() && protocolIsJavaScript(completeURL) > - && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin())) > - return false; I suppose this check is not equivalent to the new, shared one.
Comment on attachment 209578 [details] Patch Attachment 209578 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/1561485 New failing tests: http/tests/security/xss-DENIED-object-element.html
Created attachment 209586 [details] Archive of layout-test-results from webkit-ews-04 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-04 Port: mac-mountainlion Platform: Mac OS X 10.8.4
Comment on attachment 209578 [details] Patch Attachment 209578 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/1542917 New failing tests: http/tests/security/xss-DENIED-object-element.html
Created attachment 209594 [details] Archive of layout-test-results from webkit-ews-11 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-11 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.4
Created attachment 373203 [details] Patch
The new patch should not have the mistake from the one I posted about 6 years ago.
Since EWS is all green, adding some possible reviewers to the cc list.
I chose the names that start with "can" to match the style of existing functions, including the ones in SecurityOrigin. I also consider names that start with "may" and various other wording. Iām open to suggestions for other naming schemes.
Comment on attachment 373203 [details] Patch This looks like it's full of subtle changes. Could we hold off on this and land it at a better time in our release cycle? It's been waiting 6 years, what's a few more weeks?
(In reply to Alex Christensen from comment #13) > This looks like it's full of subtle changes. Could we hold off on this and > land it at a better time in our release cycle? It's been waiting 6 years, > what's a few more weeks? Yes, sure, reviewing this and landing this could wait a few more weeks, months, or even years.
I guess it would be best to review and land this soon after Apple makes the internal major release branches, which is weeks or months away.
Comment on attachment 373203 [details] Patch Let's do this
Comment on attachment 373203 [details] Patch Clearing flags on attachment: 373203 Committed r247529: <https://trac.webkit.org/changeset/247529>
All reviewed patches have been landed. Closing bug.
<rdar://problem/53216964>