Local frame loads should check against origin (not referrer)
Created attachment 65942
Created attachment 65946
Fixed some formatting issues in the layout test.
Comment on attachment 65946
Rejecting patch 65946 from commit-queue.
Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--exit-after-n-failures=1', '--wait-for-httpd', '--ignore-tests', 'compositing,media', '--quiet']" exit_code: 1
Compiling Java tests
make: Nothing to be done for `default'.
Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests
Testing 20871 test cases.
fast/loader/recursive-before-unload-crash.html -> failed
Exiting early after 1 failures. 14296 tests run.
364.51s total testing time
14295 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
1 test case (<1%) had stderr output
Full output: http://queues.webkit.org/results/3881173
Committed r66496: <http://trac.webkit.org/changeset/66496>
Could you please document the reason for this change for posterity? Is this matching other browsers and/or HTML5? Are there known Web pages affected by this problem?
Sorry for the lack of explanation. I ran into this bug while implementing @srcdoc and testing with local URLs. The problem is that we were blocking local sub-frame loads from a local frame with no referrer. (The layout test demonstrates this by adding a child file: frame to an about:blank frame on a file: URL.)
I couldn't find any spec on this case (local URL behavior is grossly under-specified). So, I verified that both Firefox and IE allow the access, and that in all other cases we use the parent document's origin for access checking. Based on that, both Nate and I decided it was a bug.
I doubt anyone is hitting this now because it's such an odd corner case. However, it would be hit more often once srcdoc lands.
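The origin-versus-referrer distinction described in the comment above, as an added illustration (a hypothetical model written for this page, not WebKit's own code): an about:blank subframe sends no referrer, so a referrer-based local-load check refuses a file: child even though the frame's inherited origin is itself file:. The names Frame, effectiveOrigin, referrerFor and the two canLoadLocal* functions are assumptions.

```cpp
#include <cstdio>
#include <string>

// Hypothetical frame model (not WebKit's Frame class). A frame is "local" when
// its document origin comes from a file: URL. An about:blank frame has no URL
// of its own and sends no referrer; its origin is inherited from its parent.
struct Frame {
    std::string url;      // "file:///...", "about:blank", "http://..."
    const Frame* parent;  // nullptr for the top-level frame
};

static bool hasScheme(const std::string& url, const std::string& scheme) {
    return url.compare(0, scheme.size(), scheme) == 0;
}

// Effective origin: about:blank inherits its parent's origin.
static std::string effectiveOrigin(const Frame& f) {
    if (f.url == "about:blank" && f.parent)
        return effectiveOrigin(*f.parent);
    return f.url;
}

// Referrer a subframe load would carry: about:blank sends none (empty string).
static std::string referrerFor(const Frame& f) {
    return f.url == "about:blank" ? std::string() : f.url;
}

// Behaviour the bug describes: decide file: loads from the referrer, so an
// empty referrer means the local child frame is refused.
static bool canLoadLocalBeforeFix(const Frame& f, const std::string& target) {
    if (!hasScheme(target, "file:")) return true;
    return hasScheme(referrerFor(f), "file:");
}

// Behaviour after the change: decide from the (inherited) document origin, so
// a remote parent still cannot reach file: through an about:blank child.
static bool canLoadLocalAfterFix(const Frame& f, const std::string& target) {
    if (!hasScheme(target, "file:")) return true;
    return hasScheme(effectiveOrigin(f), "file:");
}

int main() {
    // Constructed sample mirroring the layout test: file: page -> about:blank -> file: child.
    const Frame top{"file:///tmp/test.html", nullptr};
    const Frame blank{"about:blank", &top};
    const std::string child = "file:///tmp/child.html";
    std::printf("before fix: %d, after fix: %d\n",
                canLoadLocalBeforeFix(blank, child), canLoadLocalAfterFix(blank, child));
    return 0;
}
```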