At the time m_universalAccess was invented, it was supposed to by-pass all security checks. http://trac.webkit.org/changeset/40449 2009-01-30 Adam Barth < abarth@webkit.org> Reviewed by Sam Weinig. Add a pref to disable web security. Then SecurityOrigin::canLoad() was added later with code moved from FrameLoader, and it doesn't respect m_universalAccess. The result is even m_universalAccess is on, there can still be some contents blocked by canLoad(). I think it makes sense that SecurityOrigin::canLoad() should also check m_universalAccess.
Any objection?
Actually I mean "canDisplay"
Created attachment 139244 [details] the patch
Comment on attachment 139244 [details] the patch Thanks!
Comment on attachment 139244 [details] the patch Clearing flags on attachment: 139244 Committed r120855: <http://trac.webkit.org/changeset/120855>
All reviewed patches have been landed. Closing bug.