Data URLs should set an Access-Control-Origin of "null". Currently, we're setting the header to the empty string.
Created attachment 21332 [details]
Here's a patch. It's untested at the moment. I really wish I had a Mac... :)
Comment on attachment 21332 [details]
I think the logic for:
String accessControlOrigin = m_doc->securityOrigin()->toString();
+ if (accessControlOrigin.isEmpty())
+ accessControlOrigin = "null";
should be lifted out into a separate function. There is one other places that put the access-control-origin into the request that you have missed, in handleAsynchronousMethodCheckResult where the helper should be used.
Created attachment 21554 [details]
patch with test
This turned out to be a bit more involved than I expected, but here's an improved patch.
Comment on attachment 21554 [details]
patch with test
Actually, I'm not sure this patch is right w.r.t. document that have set their document.domain property. Let me test how this works in other browsers.
Created attachment 21619 [details]
This patch handles document.domain properly (and adds a test for this behavior). As a side effect, this should also fix Bug 15100.
Created attachment 21620 [details]
Oops. Attached the old version of the patch before.
Comment on attachment 21620 [details]
This includes some document.domain changes that I think should be landed separately.
Created attachment 21644 [details]
updated and tweaked
Adam, I took the chunk of your patch that relates to this specific bug and tweaked it a bit. If something looks amiss, please let me know.
> Adam, I took the chunk of your patch that relates to this specific bug and
> tweaked it a bit. If something looks amiss, please let me know.
Yeah that looks right. Thanks.
Fixed in r34504.