am aeaacd09: am a1a3dab3: am a1cf4f31: am 109d59bf: Cherry pick r96826.jb-mr1.1-dev

* commit 'aeaacd090e79fffa53e548f19814a3b0c8d8574c':
  Cherry pick r96826.

1 files changed, 7 insertions, 1 deletions

diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
index f3a99dd63..0cc5c58ae 100644
--- a/Source/WebCore/html/HTMLPlugInImageElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
+#include "SecurityOrigin.h"
 
 namespace WebCore {
 
@@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
     if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
         return false;
 
+    KURL completeURL = document()->completeURL(url);
+    
+    if (contentFrame() && protocolIsJavaScript(completeURL)
+        && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+        return false;
+    
     // We allow one level of self-reference because some sites depend on that.
     // But we don't allow more than one.
-    KURL completeURL = document()->completeURL(url);
     bool foundSelfReference = false;
     for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
         if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) {