<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[128208] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/128208">128208</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2012-09-11 11:12:47 -0700 (Tue, 11 Sep 2012)</dd>
</dl>

<h3>Log Message</h3>
<pre>Improve console error messages when 'document.domain' blocks cross-origin script access.
https://bugs.webkit.org/show_bug.cgi?id=96247

Patch by Mike West &lt;mkwst@chromium.org&gt; on 2012-09-11
Reviewed by Adam Barth.

Source/WebCore:

Setting 'document.domain' can produce counterintuitive &quot;cross-origin&quot;
error messages for script access in cases where the property isn't set
to the same value in both the accessor and accessee. This patch adds a
bit more context to the error message to make it clear that both sides
must set the property, and that the values must match.

This shouldn't change any externally visible behavior other than the
error warnings. It's covered by changes to existing tests.

* page/DOMWindow.cpp:
(WebCore::DOMWindow::crossDomainAccessErrorMessage):
    Adding checks for 'document.domain'-related errors, and adding an
    ASSERT that crossDomainAccessErrorMessage is called in cases where
    the accessing frame is actually denied access to the frame being
    accessed.

LayoutTests:

* http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt:
* http/tests/security/cross-frame-access-child-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt:
* http/tests/security/cross-frame-access-protocol-expected.txt:
* http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* http/tests/security/view-source-no-javascript-url-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
* platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
* platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
* platform/chromium/http/tests/security/window-named-proto-expected.txt:
    Updating error message.</pre>
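The rule the log message describes, as an added example that is not code from this changeset or from WebKit: a small model of which explanation applies when one frame scripts another. The function names, field names and reason codes are hypothetical, and the order of the checks is inferred from the expected console messages in the diff below; the last two scenarios use constructed hosts.

```javascript
// Constructed model of a frame's security origin. `domain` is non-null only
// when the page assigned document.domain (all field names are hypothetical).
function makeOrigin(url, domain = null) {
  const u = new URL(url);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  return {
    protocol: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || '',
    domainWasSet: domain !== null,
    domain: domain === null ? u.hostname : domain,
  };
}

// Returns null when script access is allowed, otherwise a reason code that
// corresponds to one of the explanations in the new console messages.
function denialReason(accessor, accessee) {
  // Protocol is compared first, whatever document.domain was set to.
  if (accessor.protocol !== accessee.protocol) return 'protocol-mismatch';
  // Setting document.domain on one side only denies access, even when the
  // URLs are otherwise same-origin.
  if (accessor.domainWasSet !== accessee.domainWasSet) {
    return accessor.domainWasSet ? 'only-accessor-set-domain' : 'only-accessee-set-domain';
  }
  if (accessor.domainWasSet) {
    // Both sides opted in: only the document.domain values are compared,
    // so host and port differences no longer block access.
    return accessor.domain === accessee.domain ? null : 'domain-values-differ';
  }
  // Neither side set document.domain: plain same-origin comparison.
  if (accessor.host !== accessee.host) return 'host-mismatch';
  if (accessor.port !== accessee.port) return 'port-mismatch';
  return null;
}

// The first three scenarios use the frame URLs from the layout tests in the diff.
function scenarios() {
  const base = 'http://127.0.0.1:8000/security/';
  const secure = 'https://127.0.0.1:8443/security/';
  return {
    parentSetDomain: denialReason(
      makeOrigin(base + 'cross-frame-access-parent-explicit-domain.html', '127.0.0.1'),
      makeOrigin(base + 'resources/cross-frame-iframe.html')),
    childSetDomain: denialReason(
      makeOrigin(base + 'cross-frame-access-child-explicit-domain.html'),
      makeOrigin(base + 'resources/cross-frame-iframe-with-explicit-domain-set.html', '127.0.0.1')),
    protocolDiffers: denialReason(
      makeOrigin(base + 'cross-frame-access-protocol-explicit-domain.html'),
      makeOrigin(secure + 'resources/cross-frame-iframe-with-explicit-domain-set.html', '127.0.0.1')),
    // Constructed: both frames set the same value, so differing host and port are ignored.
    bothSetSameValue: denialReason(
      makeOrigin('http://a.example.test:8000/', 'example.test'),
      makeOrigin('http://b.example.test:9000/', 'example.test')),
    // Constructed: both frames set document.domain, but to different values.
    bothSetDifferentValues: denialReason(
      makeOrigin('http://a.example.test:8000/', 'example.test'),
      makeOrigin('http://a.example.test:8000/', 'a.example.test')),
  };
}

console.log(scenarios());
```

The bothSetSameValue case is the one to keep in mind when auditing a site: once two frames opt in with the same value, the port stops being part of the comparison.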

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesscallbackexplicitdomainDENYexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccesschildexplicitdomainexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessparentexplicitdomainexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessprotocolexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycrossframeaccessprotocolexplicitdomainexpectedtxt">trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainsubframeexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainwindowopenexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlsubframe2levelexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlsubframeexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromjavascripturlwindowopenexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframeexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframelocationchangeexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainwindowopenexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframe2levelexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframeexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframeuppercaseexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlwindowopenexpectedtxt">trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityviewsourcenojavascripturlexpectedtxt">trunk/LayoutTests/http/tests/security/view-source-no-javascript-url-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainsubframeexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainwindowopenexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlsubframe2levelexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlsubframeexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromjavascripturlwindowopenexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframeexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframelocationchangeexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainwindowopenexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframe2levelexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframeexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframeuppercaseexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlwindowopenexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecurityinactivedocumentwithemptysecurityoriginexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformchromiumhttptestssecuritywindownamedprotoexpectedtxt">trunk/LayoutTests/platform/chromium/http/tests/security/window-named-proto-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepageDOMWindowcpp">trunk/Source/WebCore/page/DOMWindow.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/ChangeLog        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2012-09-11  Mike West  &lt;mkwst@chromium.org&gt;
+
+        Improve console error messages when 'document.domain' blocks cross-origin script access.
+        https://bugs.webkit.org/show_bug.cgi?id=96247
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt:
+        * http/tests/security/cross-frame-access-child-explicit-domain-expected.txt:
+        * http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt:
+        * http/tests/security/cross-frame-access-protocol-expected.txt:
+        * http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
+        * http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
+        * http/tests/security/view-source-no-javascript-url-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt:
+        * platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt:
+        * platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt:
+        * platform/chromium/http/tests/security/window-named-proto-expected.txt:
+            Updating error message.
+
</ins><span class="cx"> 2012-09-11  Sergio Villar Senin  &lt;svillar@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [GTK] WebKitGtk+ crashes with non-UTF8 HTTP header names
</span></span></pre></div>
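Review bot: The added ChangeLog entry closes with a single "Updating error message." for every listed file, but the expectations in this changeset now carry at least two different messages (a 'document.domain' explanation and a protocol explanation). Consider grouping the files by the message they now expect, so a later reader can tell which tests exercise the 'document.domain' branch without opening each expected.txt.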
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesscallbackexplicitdomainDENYexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-callback-explicit-domain-DENY-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/cross-frame-access-callback-explicit-domain-DENY.html from frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/cross-frame-access-callback-explicit-domain-DENY.html from frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-callback-explicit-domain-DENY.html. The frame requesting access set 'document.domain' to '127.0.0.1', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
</ins><span class="cx"> 
</span><span class="cx"> Test that a child frame can't define a function and the use it to access parent properties after document.domain write blocks the access.  
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccesschildexplicitdomainexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-with-explicit-domain-set.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-child-explicit-domain.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe-with-explicit-domain-set.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-child-explicit-domain.html. The frame being accessed set 'document.domain' to '127.0.0.1', but the frame requesting access did not. Both must set 'document.domain' to the same value to allow access.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> PASS: Cross frame access to frame explicitly setting document.domain was denied.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessparentexplicitdomainexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-parent-explicit-domain.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-parent-explicit-domain.html. The frame requesting access set 'document.domain' to '127.0.0.1', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> PASS: Cross frame access from frame explicitly setting document.domain was denied.
</span></span></pre></div>
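Review bot: The explicit-domain expectations up to and including this hunk cover only the one-sided cases (one frame set 'document.domain', the other did not), while the log message says the new text should also make clear that the values must match. Unless a test elsewhere in the changeset covers it, add an expectation where both frames set 'document.domain' to different values, so that path through crossDomainAccessErrorMessage has a pinned message too.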
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessprotocolexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of 'https'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> PASS: Cross frame access to https from http was denied!
</span></span></pre></div>
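Review bot: In the added CONSOLE MESSAGE line the two URLs differ in port (8000 and 8443) as well as in protocol, yet the message now ends with "Protocols must match." and drops the old reminder about ports. A developer who fixes only the scheme could still be denied; consider reporting the port difference as well, or keeping a trailing hint that domains and ports must also match.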
<a id="trunkLayoutTestshttptestssecuritycrossframeaccessprotocolexplicitdomainexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe-with-explicit-domain-set.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol-explicit-domain.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL https://127.0.0.1:8443/security/resources/cross-frame-iframe-with-explicit-domain-set.html from frame with URL http://127.0.0.1:8000/security/cross-frame-access-protocol-explicit-domain.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of 'https'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This test currently fails because we check the port and protocol even if document.domain is explicitly set (rdar://problem/5366437).
</span><span class="cx"> 
</span></span></pre></div>
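Review bot: The frame being accessed here is cross-frame-iframe-with-explicit-domain-set.html, but the added message reports only the protocol difference and says nothing about 'document.domain'. Since the unchanged description below still states that port and protocol are checked even when document.domain is explicitly set, it is worth a comment in crossDomainAccessErrorMessage that the protocol explanation deliberately takes precedence over the 'document.domain' one.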
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS: Exception thrown successfully.
</span><span class="cx"> The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document.
</span></span></pre></div>
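Review bot: The added line reports "a protocol of ''" for the requesting frame, which is the data: URL frame. An empty string gives the developer nothing to act on and hides the fact that the requester is a data: URL document; special-case an empty protocol in the message builder and say that explicitly instead of printing ''.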
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS: Exception thrown successfully.
</span><span class="cx"> Opener Frame
</span></span></pre></div>
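Review bot: in the added CONSOLE MESSAGE line the requesting frame's URL starts with data:text/html, yet the new text reports its protocol as '' (empty). A developer reading the console gets an empty pair of quotes with no hint of what it stands for. Consider special-casing an empty protocol when the message is built, so that it says the requesting frame is a data: URL document instead of printing ''.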
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlsubframe2levelexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {top.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Cross frame access from a data: URL inside another data: URL was allowed.&quot;;} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {top.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Cross frame access from a data: URL inside another data: URL was allowed.&quot;;} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that a data: URL loaded in an iframe inside another data: URL loaded iframe doesn't have access to the main frame.
</span><span class="cx"> 
</span></span></pre></div>
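Review bot: the new explanation is appended after the complete data: URL, so in the added line the reason for the denial only appears after several hundred characters of inlined script source. Consider truncating the data: URL in the message, or placing the protocol comparison ahead of the two URLs, so that the part this change adds is what a reader of the console sees first.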
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromdataurlsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test()&quot;&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test()&quot;&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that a data: URL loaded in an iframe doesn't have access to its parent's frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDfromjavascripturlwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {opener.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Access from a window opened with a data: URL was allowed!&quot;;} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Opened Frame.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {opener.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Access from a window opened with a data: URL was allowed!&quot;;} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Opened Frame.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener Frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that this main document does not have access to that data: URL loaded iframe.
</span><span class="cx"> 
</span></span></pre></div>
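Review bot: the closing sentence "Protocols must match." in the added line reads as a remedy the page author can apply, but the context line of this same expectation says the main document must not have access to the data: URL loaded iframe. When the accessed frame's protocol is reported as '', the message should state that access to this frame is denied and leave out the "must match" sentence, otherwise it points the developer at a fix that the test itself expects to fail.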
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframelocationchangeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Access from the main frame was denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Access from the main frame was denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> PASS: Cross frame access to a data: URL embed in a frame window.open'ed on foreign domain denied!
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframe2levelexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p id=&quot;accessMe&quot;&gt;PASS: Cross frame access to a data: URL 2 levels deep was denied.&lt;/p&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p id=&quot;accessMe&quot;&gt;PASS: Cross frame access to a data: URL 2 levels deep was denied.&lt;/p&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame doesn't have access to a data: URL loaded in an iframe inside another data: URL loaded iframe.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlsubframeuppercaseexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page using the uppercased variant DATA:
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritydataURLxssDENIEDtodataurlwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p&gt;Opened Frame&lt;/p&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from an opener frame was denied&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p&gt;Opened Frame&lt;/p&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from an opener frame was denied&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener Frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityviewsourcenojavascripturlexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/view-source-no-javascript-url-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/view-source-no-javascript-url-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/http/tests/security/view-source-no-javascript-url-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/view-source-no-javascript-url.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/view-source-no-javascript-url.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This test passes if it does not alert FAIL.
</span><span class="cx"> 
</span></span></pre></div>
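Review bot: the added line contradicts itself. The frame being accessed is printed with the URL http://127.0.0.1:8000/security/resources/innocent-victim.html, yet the message says it "has a protocol of ''", and both URLs in the line share the same scheme, host and port. The old wording did not expose this. Either the message should explain why the accessed frame's protocol is empty even though its URL is http (the test name suggests view-source is involved), or the protocol comparison should be skipped when one side is empty and a dedicated sentence used instead.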
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {top.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS: Exception thrown successfully.
</span><span class="cx"> The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that the data: URL loaded iframe does not have access to the main frame using top.document.
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlinforeigndomainwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;window.onload = function(){try {parent.opener.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL on a different domain was allowed';alert('FAIL: No exception thrown.');} catch (e) {alert('PASS: Exception thrown successfully.');}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame attempting to access the main frame.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> ALERT: PASS: Exception thrown successfully.
</span><span class="cx"> Opener Frame
</span></span></pre></div>
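Review bot: the removed, added and context lines of this platform/chromium hunk are the same as those of the hunk for trunk/LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt, so every change to the console wording has to be made in two places. If the two expectation files are identical in full, the chromium copy can be removed so the generic result applies; if they differ outside this hunk, a short note in the ChangeLog on what differs would help the next person who rebaselines.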
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlsubframe2levelexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {top.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Cross frame access from a data: URL inside another data: URL was allowed.&quot;;} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame-2-level.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {top.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Cross frame access from a data: URL inside another data: URL was allowed.&quot;;} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that a data: URL loaded in an iframe inside another data: URL loaded iframe doesn't have access to the main frame.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromdataurlsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test()&quot;&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-data-url-sub-frame.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {parent.document.getElementById('accessMe').innerHTML = 'FAIL: Cross frame access from a data: URL was allowed.';} catch (e) {}if (window.testRunner)testRunner.notifyDone();}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test()&quot;&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that a data: URL loaded in an iframe doesn't have access to its parent's frame
</span><span class="cx"> 
</span></span></pre></div>
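Review bot: The new expected line reports "a protocol of ''" for the requesting frame even though its URL, printed earlier in the same message, is a data: URL. The baseline therefore locks in an empty quoted protocol followed by "Protocols must match", which does not tell the developer why the data: frame is denied. Consider emitting a dedicated message for origins whose protocol() is empty before the protocol comparison in crossDomainAccessErrorMessage, and regenerating this expectation from that wording.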
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDfromjavascripturlwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-from-javascript-url-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {opener.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Access from a window opened with a data: URL was allowed!&quot;;} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Opened Frame.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-from-javascript-url-window-open.html from frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function test() {try {opener.document.getElementById(&quot;accessMe&quot;).innerHTML = &quot;FAIL: Access from a window opened with a data: URL was allowed!&quot;;} catch (e) {}if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;test();&quot;&gt;&lt;p&gt;Opened Frame.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener Frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> The scenario for this test is that you have an iframe with content from a foreign domain. In that foreign content is an iframe which loads a data: URL. This tests that this main document does not have access to that data: URL loaded iframe.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainsubframelocationchangeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from a frame on a foreign domain denied!&lt;/p&gt;&lt;p&gt;Inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-subframe-location-change.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlinforeigndomainwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Access from the main frame was denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function loaded() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload='loaded();'&gt;&lt;p id='accessMe'&gt;PASS: Access from the main frame was denied!&lt;/p&gt;&lt;p&gt;Inner-inner iframe. This iframe (which is data: URL and whose parent is on a foreign domain) is the frame that the main frame is trying to access.  It should not have access to it.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-in-foreign-domain-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> PASS: Cross frame access to a data: URL embed in a frame window.open'ed on foreign domain denied!
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframe2levelexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p id=&quot;accessMe&quot;&gt;PASS: Cross frame access to a data: URL 2 levels deep was denied.&lt;/p&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p id=&quot;accessMe&quot;&gt;PASS: Cross frame access to a data: URL 2 levels deep was denied.&lt;/p&gt;&lt;p&gt;Inner-inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-2-level.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame doesn't have access to a data: URL loaded in an iframe inside another data: URL loaded iframe.
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlsubframeuppercaseexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;script&gt;onload = function() { parent.postMessage('LOADED', '*'); } &lt;/script&gt;&lt;body&gt;&lt;p id='accessMe'&gt;&lt;/p&gt;&lt;p&gt;Inner iframe.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-sub-frame-uppercase.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This tests that the main frame can't access the contents of an iframe that contains a data: URL loaded page using the uppercased variant DATA:
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritydataURLxssDENIEDtodataurlwindowopenexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/dataURL/xss-DENIED-to-data-url-window-open-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p&gt;Opened Frame&lt;/p&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from an opener frame was denied&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL data:text/html,&lt;html&gt;&lt;head&gt;&lt;script&gt;function fireSentinel() {if (window.testRunner)testRunner.globalFlag = true;}&lt;/script&gt;&lt;/head&gt;&lt;body onload=&quot;fireSentinel();&quot;&gt;&lt;p&gt;Opened Frame&lt;/p&gt;&lt;p id='accessMe'&gt;PASS: Cross frame access from an opener frame was denied&lt;/p&gt;&lt;/body&gt;&lt;/html&gt; from frame with URL http://127.0.0.1:8000/security/dataURL/xss-DENIED-to-data-url-window-open.html. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> Opener Frame
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecurityinactivedocumentwithemptysecurityoriginexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/inactive-document-with-empty-security-origin-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/inactive-document-with-empty-security-origin.html#stop. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://127.0.0.1:8000/security/inactive-document-with-empty-security-origin.html#stop. The frame requesting access has a protocol of 'http', the frame being accessed has a protocol of ''. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> This test passes if it doesn't alert something ugly.
</span></span></pre></div>
<a id="trunkLayoutTestsplatformchromiumhttptestssecuritywindownamedprotoexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/chromium/http/tests/security/window-named-proto-expected.txt (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/chromium/http/tests/security/window-named-proto-expected.txt        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/window-named-proto-expected.txt        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim-with-iframe.html from frame with URL data:text/html,&lt;script&gt;(function () {            setTimeout(function() {                if (window.testRunner)                    testRunner.notifyDone();            }, 0);            window.name = &quot;__proto__&quot;;            parent.__proto__.alert.constructor(&quot;alert(document.body.innerHTML)&quot;)();        })()&lt;/script&gt;. Domains, protocols and ports must match.
</del><ins>+CONSOLE MESSAGE: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim-with-iframe.html from frame with URL data:text/html,&lt;script&gt;(function () {            setTimeout(function() {                if (window.testRunner)                    testRunner.notifyDone();            }, 0);            window.name = &quot;__proto__&quot;;            parent.__proto__.alert.constructor(&quot;alert(document.body.innerHTML)&quot;)();        })()&lt;/script&gt;. The frame requesting access has a protocol of '', the frame being accessed has a protocol of 'http'. Protocols must match.
</ins><span class="cx"> 
</span><span class="cx"> CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'alert' of undefined
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/Source/WebCore/ChangeLog        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2012-09-11  Mike West  &lt;mkwst@chromium.org&gt;
+
+        Improve console error messages when 'document.domain' blocks cross-origin script access.
+        https://bugs.webkit.org/show_bug.cgi?id=96247
+
+        Reviewed by Adam Barth.
+
+        Setting 'document.domain' can produce counterintuitive &quot;cross-origin&quot;
+        error messages for script access in cases where the property isn't set
+        to the same value in both the accessor and accessee. This patch adds a
+        bit more context to the error message to make it clear that both sides
+        must set the property, and that the values must match.
+
+        This shouldn't change any externally visible behavior other than the
+        error warnings. It's covered by changes to existing tests.
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::crossDomainAccessErrorMessage):
+            Adding checks for 'document.domain'-related errors, and adding an
+            ASSERT that crossDomainAccessErrorMessage is called in cases where
+            the accessing frame is actually denied access to the frame being
+            accessed.
+
</ins><span class="cx"> 2012-09-11  Jinwoo Song  &lt;jinwoo7.song@samsung.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Deploy StringBuilder::appendNumber() and StringBuilder::appendLiteral() in more places
</span></span></pre></div>
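Review bot: The entry describes only the 'document.domain' wording, but the listed change to crossDomainAccessErrorMessage also introduces a protocol-mismatch message, and that is the branch every expectation update shown in this part of the changeset exercises ("... has a protocol of ..."). Mention the protocol message in the description, and make "It's covered by changes to existing tests" name the tests that reach the three 'document.domain' branches so a reader can confirm each one has a baseline.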
<a id="trunkSourceWebCorepageDOMWindowcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/DOMWindow.cpp (128207 => 128208)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/DOMWindow.cpp        2012-09-11 18:00:09 UTC (rev 128207)
+++ trunk/Source/WebCore/page/DOMWindow.cpp        2012-09-11 18:12:47 UTC (rev 128208)
</span><span class="lines">@@ -1755,16 +1755,35 @@
</span><span class="cx">     if (activeWindowURL.isNull())
</span><span class="cx">         return String();
</span><span class="cx"> 
</span><ins>+    ASSERT(!activeWindow-&gt;document()-&gt;securityOrigin()-&gt;canAccess(document()-&gt;securityOrigin()));
+
</ins><span class="cx">     // FIXME: This message, and other console messages, have extra newlines. Should remove them.
</span><del>-    String message = makeString(&quot;Unsafe JavaScript attempt to access frame with URL &quot;, document()-&gt;url().string(), &quot; from frame with URL &quot;, activeWindowURL.string(), &quot;.&quot;);
</del><ins>+    String message = &quot;Unsafe JavaScript attempt to access frame with URL &quot; + document()-&gt;url().string() + &quot; from frame with URL &quot; + activeWindowURL.string() + &quot;.&quot;;
+
+    // Sandbox errors.
</ins><span class="cx">     if (document()-&gt;isSandboxed(SandboxOrigin) || activeWindow-&gt;document()-&gt;isSandboxed(SandboxOrigin)) {
</span><span class="cx">         if (document()-&gt;isSandboxed(SandboxOrigin) &amp;&amp; activeWindow-&gt;document()-&gt;isSandboxed(SandboxOrigin))
</span><del>-            return makeString(&quot;Sandbox access violation: &quot;, message, &quot; Both frames are sandboxed into unique origins.\n&quot;);
</del><ins>+            return &quot;Sandbox access violation: &quot; + message + &quot; Both frames are sandboxed into unique origins.\n&quot;;
</ins><span class="cx">         if (document()-&gt;isSandboxed(SandboxOrigin))
</span><del>-            return makeString(&quot;Sandbox access violation: &quot;, message, &quot; The frame being accessed is sandboxed into a unique origin.\n&quot;);
-        return makeString(&quot;Sandbox access violation: &quot;, message, &quot; The frame requesting access is sandboxed into a unique origin.\n&quot;);
</del><ins>+            return &quot;Sandbox access violation: &quot; + message + &quot; The frame being accessed is sandboxed into a unique origin.\n&quot;;
+        return &quot;Sandbox access violation: &quot; + message + &quot; The frame requesting access is sandboxed into a unique origin.\n&quot;;
</ins><span class="cx">     }
</span><del>-    return makeString(message, &quot; Domains, protocols and ports must match.\n&quot;);
</del><ins>+
+    SecurityOrigin* activeOrigin = activeWindow-&gt;document()-&gt;securityOrigin();
+    SecurityOrigin* targetOrigin = document()-&gt;securityOrigin();
+    if (targetOrigin-&gt;protocol() != activeOrigin-&gt;protocol())
+        return message + &quot; The frame requesting access has a protocol of '&quot; + activeOrigin-&gt;protocol() + &quot;', the frame being accessed has a protocol of '&quot; + targetOrigin-&gt;protocol() + &quot;'. Protocols must match.\n&quot;;
+
+    // 'document.domain' errors.
+    if (targetOrigin-&gt;domainWasSetInDOM() &amp;&amp; activeOrigin-&gt;domainWasSetInDOM())
+        return message + &quot; The frame requesting access set 'document.domain' to '&quot; + activeOrigin-&gt;domain() + &quot;', the frame being accessed set it to '&quot; + targetOrigin-&gt;domain() + &quot;'. Both must set 'document.domain' to the same value to allow access.\n&quot;;
+    if (activeOrigin-&gt;domainWasSetInDOM())
+        return message + &quot; The frame requesting access set 'document.domain' to '&quot; + activeOrigin-&gt;domain() + &quot;', but the frame being accessed did not. Both must set 'document.domain' to the same value to allow access.\n&quot;;
+    if (targetOrigin-&gt;domainWasSetInDOM())
+        return message + &quot; The frame being accessed set 'document.domain' to '&quot; + targetOrigin-&gt;domain() + &quot;', but the frame requesting access did not. Both must set 'document.domain' to the same value to allow access.\n&quot;;
+
+    // Default.
+    return message + &quot; Domains, protocols and ports must match.\n&quot;;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool DOMWindow::isInsecureScriptAccess(DOMWindow* activeWindow, const String&amp; urlString)
</span></span></pre>
</div>
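Review bot: In the two single-sided 'document.domain' branches (activeOrigin-&gt;domainWasSetInDOM() alone, then targetOrigin-&gt;domainWasSetInDOM() alone), the advice "Both must set 'document.domain' to the same value to allow access" is returned for every same-protocol denial where one side set the property, including frames on unrelated hosts that cannot share a value. Printing the other frame's domain() in those two messages, as the both-set branch already does, would let the reader see whether a common value is possible at all.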
</div>

</body>
</html>