[webkit-dev] Window::isSafeScript: which URLs to use in the error
message
Anyang Ren
anyang.ren at gmail.com
Fri Aug 31 14:24:50 PDT 2007
In kjs_window.cpp, Window::isSafeScript(ExecState *exec), we have:
KURL actURL = activeFrame->loader()->url();
WebCore::String actDomain = actURL.host();
...
KURL thisURL = frame->loader()->url();
...
WebCore::String thisDomain = thisURL.host();
if (actDomain == thisDomain && actURL.protocol() ==
thisURL.protocol() && actURL.port() == thisURL.port())
return true;
if (Interpreter::shouldPrintExceptions()) {
printf("Unsafe JavaScript attempt to access frame with URL %s
from frame with URL %s. Domains, protocols and ports must match.\n",
thisDocument->URL().latin1(), actDocument->URL().latin1());
}
String message = String::format("Unsafe JavaScript attempt to access
frame with URL %s from frame with URL %s. Domains, protocols and ports
must match.\n",
thisDocument->URL().latin1(), actDocument->URL().latin1());
Since thisURL and actURL are the URLs used in the test, why are
we using thisDocument->URL() and actDocument->URL() in the
error messages?
In fact, actDocument could be NULL. Earlier in this function, we have:
WebCore::Document* actDocument = activeFrame->document();
if (actDocument) {
if (thisDocument->domainWasSetInDOM() && actDocument->domainWasSetInDOM()) {
if (thisDocument->domain() == actDocument->domain())
return true;
}
}
The if (actDocument) test suggests that actDocument could
be NULL.
--
Anyang Ren
Open source developer
More information about the webkit-dev
mailing list