[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

jschuh at chromium.org jschuh at chromium.org
Wed Dec 22 11:28:33 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit f18c093452a61d26e955f561ff3944c725c45bfe
Author: jschuh at chromium.org <jschuh at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jul 26 21:36:47 2010 +0000

    2010-07-26  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Darin Fisher.
    
            Check history state against origin before setting
            https://bugs.webkit.org/show_bug.cgi?id=42858
    
            Tests: fast/loader/stateobjects/replacestate-base-illegal.html
                   fast/loader/stateobjects/replacestate-base-legal.html
    
            * page/History.cpp:
            (WebCore::History::urlForState):
            (WebCore::History::stateObjectAdded):
    2010-07-26  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Darin Fisher.
    
            Check history state when base URL is changed
            https://bugs.webkit.org/show_bug.cgi?id=42858
    
            * fast/loader/stateobjects/replacestate-base-illegal-expected.txt: Added.
            * fast/loader/stateobjects/replacestate-base-illegal.html: Added.
            * fast/loader/stateobjects/replacestate-base-legal-expected.txt: Added.
            * fast/loader/stateobjects/replacestate-base-legal.html: Added.
            * fast/loader/stateobjects/resources/replacestate-base-pass.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64077 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index bb8d7c8..9532068 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-07-26  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        Check history state when base URL is changed
+        https://bugs.webkit.org/show_bug.cgi?id=42858
+
+        * fast/loader/stateobjects/replacestate-base-illegal-expected.txt: Added.
+        * fast/loader/stateobjects/replacestate-base-illegal.html: Added.
+        * fast/loader/stateobjects/replacestate-base-legal-expected.txt: Added.
+        * fast/loader/stateobjects/replacestate-base-legal.html: Added.
+        * fast/loader/stateobjects/resources/replacestate-base-pass.html: Added.
+
 2010-07-26  Mark Rowe  <mrowe at apple.com>
 
         Disable a test that was added to verify the vendor prefix change that I rolled out in r64071.
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal-expected.txt b/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal-expected.txt
new file mode 100644
index 0000000..75d04db
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal-expected.txt
@@ -0,0 +1,3 @@
+This page should trigger an error on attempting to set the URL bar to https://www.test.com/
+
+PASS: Security exception thrown.
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal.html b/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal.html
new file mode 100644
index 0000000..a7523bf
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/replacestate-base-illegal.html
@@ -0,0 +1,26 @@
+<html>
+<head>
+<base href="https://www.test.com/">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window.onload = function(){
+    var msg;
+    try {
+        window.history.replaceState({}, {}, 'https://www.test.com/');
+        msg = document.createTextNode("FAIL: URL bar was changed.");
+    } catch (e) {
+        if (e.code == 18)
+            msg = document.createTextNode("PASS: Security exception thrown.");
+        else
+            msg = document.createTextNode("FAIL: Unknown exception thrown.");
+    }
+    document.body.appendChild(msg);
+};
+</script>
+</head>
+<body>
+<p>This page should trigger an error on attempting to set the URL bar to https://www.test.com/</p>
+</body>
+</html>
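Review bot: The catch block compares `e.code == 18`, a bare number; `e.code == DOMException.SECURITY_ERR` would state which error the test expects. The test also covers only one rejected case, a `<base href>` that differs from the page in both scheme and host, and only through `replaceState`. Because the new check in History.cpp is on scheme, host and port, sibling cases for a port-only difference and for `pushState` would pin the behaviour more tightly, assuming `pushState` reaches the same `stateObjectAdded` path.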
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-base-legal-expected.txt b/LayoutTests/fast/loader/stateobjects/replacestate-base-legal-expected.txt
new file mode 100644
index 0000000..deb24d4
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/replacestate-base-legal-expected.txt
@@ -0,0 +1 @@
+PASS: Navigation relative to base element.
diff --git a/LayoutTests/fast/loader/stateobjects/replacestate-base-legal.html b/LayoutTests/fast/loader/stateobjects/replacestate-base-legal.html
new file mode 100644
index 0000000..f808baf
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/replacestate-base-legal.html
@@ -0,0 +1,21 @@
+<html>
+<head>
+<base id="base">
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+var url = window.location.href;
+url = url.slice(0, url.lastIndexOf('/') + 1) + "resources/";
+document.getElementById("base").href = url;
+
+window.onload = function() {
+    window.history.replaceState({}, {}, "replacestate-base-pass.html");
+    window.history.go(0);
+}
+
+</script>
+</head>
+</html>
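Review bot: This test has no failure path: if `replaceState` throws inside the `onload` handler, nothing prints a result and `notifyDone()` is never called, so a regression shows up as a timeout rather than a FAIL line. Wrapping the two `window.history` calls in a `try`/`catch` that writes a "FAIL: exception thrown" text node and calls `layoutTestController.notifyDone()` when the controller exists would make the failure explicit. The pass case depends entirely on the resource page loading and printing its own PASS text.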
diff --git a/LayoutTests/fast/loader/stateobjects/resources/replacestate-base-pass.html b/LayoutTests/fast/loader/stateobjects/resources/replacestate-base-pass.html
new file mode 100644
index 0000000..cd9b117
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/resources/replacestate-base-pass.html
@@ -0,0 +1,13 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    window.onload = function() {layoutTestController.notifyDone();};
+}
+</script>
+</head>
+<body>
+PASS: Navigation relative to base element.
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 434bb8e..61f50c8 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-07-26  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Darin Fisher.
+
+        Check history state against origin before setting
+        https://bugs.webkit.org/show_bug.cgi?id=42858
+
+        Tests: fast/loader/stateobjects/replacestate-base-illegal.html
+               fast/loader/stateobjects/replacestate-base-legal.html
+
+        * page/History.cpp:
+        (WebCore::History::urlForState):
+        (WebCore::History::stateObjectAdded):
+
 2010-07-26  Martin Robinson  <mrobinson at igalia.com>
 
         Reviewed by Xan Lopez.
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index 78e8ea6..337f5b2 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -86,14 +86,7 @@ KURL History::urlForState(const String& urlString)
     if (urlString.isEmpty())
         return baseURL;
         
-    KURL absoluteURL(baseURL, urlString);
-    if (!absoluteURL.isValid())
-        return KURL();
-    
-    if (absoluteURL.string().left(absoluteURL.pathStart()) != baseURL.string().left(baseURL.pathStart()))
-        return KURL();
-    
-    return absoluteURL;
+    return KURL(baseURL, urlString);
 }
 
 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
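Review bot: After this hunk `urlForState` returns `KURL(baseURL, urlString)` with no validity or origin check, so its result can be invalid or cross-origin and every caller must validate it. Only `stateObjectAdded` is visible doing so in this diff; any other caller of `urlForState` should be checked. A comment above the return would record the contract, for example `// Result is unchecked: callers must test isValid() and compare against the document's security origin.` The start of `urlForState`, including where `baseURL` is obtained, is outside the hunk.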
@@ -102,7 +95,8 @@ void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const Str
         return;
     
     KURL fullURL = urlForState(urlString);
-    if (!fullURL.isValid()) {
+    RefPtr<SecurityOrigin> origin = SecurityOrigin::create(fullURL);
+    if (!fullURL.isValid() || !m_frame->document()->securityOrigin()->isSameSchemeHostPort(origin.get())) {
         ec = SECURITY_ERR;
         return;
     }
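Review bot: `SecurityOrigin::create(fullURL)` runs before `fullURL.isValid()` is tested, so an origin object is built from a URL that may be invalid. Testing validity first and returning `SECURITY_ERR` early, then creating the origin, would keep the comparison on well-formed input and read more clearly. The reason for comparing against `m_frame->document()->securityOrigin()` rather than the base URL also deserves a comment, for example `// Compare with the document's origin, not the base URL: <base href> is page-controlled and must not widen what the URL bar can show.` `m_frame->document()` is dereferenced with no null check visible here; the guard before the early `return` at the top of the hunk is outside the diff, so confirm it covers this.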

-- 
WebKit Debian packaging


