[webkit-dev] Window::isSafeScript: which URLs to use in the error message

Anyang Ren anyang.ren at gmail.com
Fri Aug 31 14:24:50 PDT 2007


In kjs_window.cpp, Window::isSafeScript(ExecState *exec), we have:

  KURL actURL = activeFrame->loader()->url();
  WebCore::String actDomain = actURL.host();
  ...
  KURL thisURL = frame->loader()->url();
  ...
  WebCore::String thisDomain = thisURL.host();

  if (actDomain == thisDomain && actURL.protocol() ==
thisURL.protocol() && actURL.port() == thisURL.port())
    return true;

  if (Interpreter::shouldPrintExceptions()) {
      printf("Unsafe JavaScript attempt to access frame with URL %s
from frame with URL %s. Domains, protocols and ports must match.\n",
             thisDocument->URL().latin1(), actDocument->URL().latin1());
  }
  String message = String::format("Unsafe JavaScript attempt to access
frame with URL %s from frame with URL %s. Domains, protocols and ports
must match.\n",
                  thisDocument->URL().latin1(), actDocument->URL().latin1());

Since thisURL and actURL are the URLs used in the test, why are
we using thisDocument->URL() and actDocument->URL() in the
error messages?

In fact, actDocument could be NULL.  Earlier in this function, we have:

  WebCore::Document* actDocument = activeFrame->document();

  if (actDocument) {
    if (thisDocument->domainWasSetInDOM() && actDocument->domainWasSetInDOM()) {
      if (thisDocument->domain() == actDocument->domain())
        return true;
    }
  }

The if (actDocument) test suggests that actDocument could
be NULL.

-- 
Anyang Ren
Open source developer



More information about the webkit-dev mailing list