Bug 75155 - [chromium] Add isSameSchemeHostPort method to WebSecurityOrigin
Summary: [chromium] Add isSameSchemeHostPort method to WebSecurityOrigin
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Karl Koscher
URL:
Keywords:
Depends on:
Blocks: 73337
  Show dependency treegraph
 
Reported: 2011-12-22 17:45 PST by Karl Koscher
Modified: 2012-05-07 12:09 PDT (History)
4 users (show)

See Also:

Attachments
Patch (2.33 KB, patch)
2011-12-22 17:47 PST, Karl Koscher 		abarth: review-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Karl Koscher 2011-12-22 17:45:20 PST 
To support cross-process postMessage (bug 73337), we need to perform an origin check in Chromium. WebKit does the same check by calling SecurityOrigin::isSameSchemeHostPort. So, we need a way to call this function from Chromium.
Comment 1 Karl Koscher 2011-12-22 17:47:14 PST 
Created attachment 120419 [details]
Patch
Comment 2 WebKit Review Bot 2011-12-22 17:49:11 PST 
Please wait for approval from fishd@chromium.org before submitting because this patch contains changes to the Chromium public API.
Comment 3 Adam Barth 2011-12-22 18:13:28 PST 
Comment on attachment 120419 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=120419&action=review

> Source/WebKit/chromium/public/WebSecurityOrigin.h:96
> +    // Returns true if this origin matches the other's scheme, host, and port
> +    WEBKIT_EXPORT bool isSameSchemeHostPort(const WebSecurityOrigin&) const;

Hum...  I can understand why you wrote this patch, but it makes me somewhat sad.  isSameSchemeHostPort is a tempting function to call, but it's almost aways wrong.  Is there some way we can do this access check inside of WebKit or WebCore instead of exposing this sandtrap to the embedder?
Comment 4 Karl Koscher 2011-12-22 18:17:25 PST 
Comment on attachment 120419 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=120419&action=review

>> Source/WebKit/chromium/public/WebSecurityOrigin.h:96
>> +    WEBKIT_EXPORT bool isSameSchemeHostPort(const WebSecurityOrigin&) const;
> 
> Hum...  I can understand why you wrote this patch, but it makes me somewhat sad.  isSameSchemeHostPort is a tempting function to call, but it's almost aways wrong.  Is there some way we can do this access check inside of WebKit or WebCore instead of exposing this sandtrap to the embedder?

We could move this check into SecurityOrigin, which is what bug 73359 did. However, we wouldn't need to add grantReceivePostMessagesFromAnyOrigin().

Alternatively, we could add an API to call DOMWindow::postMessage instead of just injecting the event.
Comment 5 Adam Barth 2011-12-22 18:33:52 PST 
> Alternatively, we could add an API to call DOMWindow::postMessage instead of just injecting the event.

That's probably the best choice.  It seems like an API that other code might want to call as well.
Comment 6 Adam Barth 2011-12-22 18:34:33 PST 
We'd probably add that on WebFrame since I don't think we have a notion of the DOMWindow in the API.
Comment 7 Charles Reis 2012-05-07 12:09:23 PDT 
We're now going to expose checkAndDispatchMessageEvent in bug 85815, making this bug obsolete.