diff options
author | Ben Murdoch <benm@google.com> | 2014-09-30 17:09:30 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-09-30 17:09:30 +0000 |
commit | cb953816c35bf4d6c32df51972dc817074a128b8 (patch) | |
tree | 1dea5344f9eb25b318327d006f20b25e46b7b7e4 | |
parent | ab25f2f7d2100b6051e1473b374664d3f4911582 (diff) | |
parent | aeaacd090e79fffa53e548f19814a3b0c8d8574c (diff) | |
download | webkit-jb-mr1.1-dev.tar.gz |
am aeaacd09: am a1a3dab3: am a1cf4f31: am 109d59bf: Cherry pick r96826.jb-mr1.1-dev
* commit 'aeaacd090e79fffa53e548f19814a3b0c8d8574c':
Cherry pick r96826.
-rw-r--r-- | Source/WebCore/html/HTMLPlugInImageElement.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp index f3a99dd63..0cc5c58ae 100644 --- a/Source/WebCore/html/HTMLPlugInImageElement.cpp +++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp @@ -30,6 +30,7 @@ #include "Page.h" #include "RenderEmbeddedObject.h" #include "RenderImage.h" +#include "SecurityOrigin.h" namespace WebCore { @@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url) if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames) return false; + KURL completeURL = document()->completeURL(url); + + if (contentFrame() && protocolIsJavaScript(completeURL) + && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin())) + return false; + // We allow one level of self-reference because some sites depend on that. // But we don't allow more than one. - KURL completeURL = document()->completeURL(url); bool foundSelfReference = false; for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) { if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) { |