author | Ben Murdoch <benm@google.com> | 2014-09-30 17:26:45 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-09-30 17:26:45 +0000 |
commit | 6c39111a52512f9c25025c13067629d5117662c4 (patch) | |
tree | 5d8ad92694e8f35b0f78436f743009920a2e2393 | |
parent | 4f0fe1bf6a2fe4e28859bb48dc6e9a155c147d74 (diff) | |
parent | 34b2dd0a331007d310b2ac57978763327eb9fcce (diff) | |
am 34b2dd0a: am cb953816: am aeaacd09: am a1a3dab3: am a1cf4f31: am 109d59bf: Cherry pick r96826.jb-mr2-dev
* commit '34b2dd0a331007d310b2ac57978763327eb9fcce':
Cherry pick r96826.
-rw-r--r-- | Source/WebCore/html/HTMLPlugInImageElement.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
index f3a99dd63..0cc5c58ae 100644
--- a/Source/WebCore/html/HTMLPlugInImageElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
+#include "SecurityOrigin.h"
 namespace WebCore {
@@ -75,9 +76,14 @@ bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
 if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
 return false;
+ KURL completeURL = document()->completeURL(url);
+
+ if (contentFrame() && protocolIsJavaScript(completeURL)
+ && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
+ return false;
+
 // We allow one level of self-reference because some sites depend on that.
 // But we don't allow more than one.
- KURL completeURL = document()->completeURL(url);
 bool foundSelfReference = false;
 for (Frame* frame = document()->frame(); frame; frame = frame->tree()->parent()) {
 if (equalIgnoringFragmentIdentifier(frame->document()->url(), completeURL)) { |
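Review bot: The new early return in `allowedToLoadFrameURL` has no comment, and the condition alone does not say why a `javascript:` URL is singled out while the older self-reference check below it is explained. I would add above the `if`: `// A javascript: URL runs in the document already loaded in the content frame, so refuse it unless this document may script that one.` The condition also dereferences `contentDocument()` after testing only `contentFrame()`; if a content frame can exist without a document (not visible in this hunk), `contentDocument()` should be null-checked before `->securityOrigin()` is called on it. The commit changes only this file, so a regression test for the cross-origin case would be worth landing with it. The function's body begins and ends outside the hunk.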