RESOLVED FIXED 33806
Would like API to disallow setting of document.domain for pages with certain URL schemes 
https://bugs.webkit.org/show_bug.cgi?id=33806
Summary Would like API to disallow setting of document.domain for pages with certain ...
Adam Roben (:aroben)
Reported 2010-01-18 12:40:04 PST
It would be useful to have an API to tell WebKit to disallow setting document.domain on pages with certain URL schemes.
Attachments
Add WebKit SPI to disallow setting document.domain from certain URL schemes (22.84 KB, patch)
2010-01-18 13:02 PST, Adam Roben (:aroben) 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Roben (:aroben)
Comment 1 2010-01-18 12:40:40 PST
<rdar://problem/7552837>
Adam Roben (:aroben)
Comment 2 2010-01-18 13:02:50 PST
Created attachment 46839 [details] Add WebKit SPI to disallow setting document.domain from certain URL schemes
Sam Weinig
Comment 3 2010-01-18 13:09:57 PST
Comment on attachment 46839 [details] Add WebKit SPI to disallow setting document.domain from certain URL schemes r=me
Adam Roben (:aroben)
Comment 4 2010-01-18 13:27:01 PST
Committed r53423: <http://trac.webkit.org/changeset/53423>
Adam Barth
Comment 5 2010-01-18 14:31:10 PST
+ if (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) { That line looks overly convoluted. Why not just if (securityOrigin()->canSetDomainFromDOM()) { ?
Adam Roben (:aroben)
Comment 6 2010-01-18 14:39:35 PST
(In reply to comment #5) > + if > (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) > { > > That line looks overly convoluted. Why not just > > if (securityOrigin()->canSetDomainFromDOM()) { > > ? That seems OK to me. isDomainRelaxationForbiddenForURLScheme seemed more symmetric with setDomainRelaxationForbiddenForURLScheme, which is why I did it this way. Also, adding canSetDomainFromDOM() seems strange when all the other "can set" checks are in Document::setDomain. But if you really think it would be better, I'm happy to change it.
Adam Barth
Comment 7 2010-01-18 14:49:34 PST
That's a good point. We probably should really move that whole function into SecurityOrigin because it's operating on SecurityOrigin's member variable. It should return a bool that document can then uses to decide whether to call m_frame->script()->updateSecurityOrigin(). As an added benefit, that would make the code less redundant.
Note You need to log in before you can comment on or make changes to this bug.