Bug 44888 - Local frame loads should check against origin (not referrer))
Summary: Local frame loads should check against origin (not referrer))
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: Other OS X 10.5
: P2 Normal
Assignee: Justin Schuh
Depends on:
Reported: 2010-08-30 12:40 PDT by Justin Schuh
Modified: 2010-08-31 11:47 PDT (History)
3 users (show)

See Also:

Patch (4.44 KB, patch)
2010-08-30 12:48 PDT, Justin Schuh
no flags Details | Formatted Diff | Diff
Patch (4.44 KB, patch)
2010-08-30 13:00 PDT, Justin Schuh
japhet: review+
commit-queue: commit-queue-
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Justin Schuh 2010-08-30 12:40:27 PDT
Local frame loads should check against origin (not referrer))
Comment 1 Justin Schuh 2010-08-30 12:48:31 PDT
Created attachment 65942 [details]
Comment 2 Justin Schuh 2010-08-30 13:00:36 PDT
Created attachment 65946 [details]

Fixed some formatting issues in the layout test.
Comment 3 WebKit Commit Bot 2010-08-30 23:38:28 PDT
Comment on attachment 65946 [details]

Rejecting patch 65946 from commit-queue.

Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--exit-after-n-failures=1', '--wait-for-httpd', '--ignore-tests', 'compositing,media', '--quiet']" exit_code: 1
Running build-dumprendertree
Compiling Java tests
make: Nothing to be done for `default'.
Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests
Testing 20871 test cases.
fast/loader/recursive-before-unload-crash.html -> failed

Exiting early after 1 failures. 14296 tests run.
364.51s total testing time

14295 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
1 test case (<1%) had stderr output

Full output: http://queues.webkit.org/results/3881173
Comment 4 Justin Schuh 2010-08-31 10:04:48 PDT
Committed r66496: <http://trac.webkit.org/changeset/66496>
Comment 5 Alexey Proskuryakov 2010-08-31 10:07:58 PDT
Could you please document the reason for this change for posterity? Is this matching other browsers and/or HTML5? Are there known Web pages affected by this problem?
Comment 6 Justin Schuh 2010-08-31 11:47:48 PDT
Sorry for the lack of explanation. I ran into this bug while implementing @srcdoc and testing with local URLs. The problem is that we were blocking local sub-frame loads from a local frame with no referrer. (The layout test demonstrates this by adding a child file: frame to an about:blank frame on a file: URL.)

I couldn't find any spec on this case (local URL behavior is grossly under-specified). So, I verified that both Firefox and IE allow the access, and that in all other cases we use the parent document's origin for access checking. Based on that, both Nate and I decided it was a bug.

I doubt anyone is hitting this now because it's such an odd corner case. However, it would be hit more often once srcdoc lands.