[webkit-reviews] review denied: [Bug 15100] XMLHttpRequest::urlMatchesDocumentDomain raises error if port information does not match exactly : [Attachment 16149] Added use of default http/https port for comparison if no port was specified in the url.

bugzilla-daemon at webkit.org
Tue Aug 28 20:55:22 PDT 2007


Maciej Stachowiak <mjs at apple.com> has denied Christian Mittendorf
<christian.mittendorf at freenet.de>'s request for review:
Bug 15100: XMLHttpRequest::urlMatchesDocumentDomain raises error if port
information does not match exactly
http://bugs.webkit.org/show_bug.cgi?id=15100

Attachment 16149: Added use of default http/https port for comparison if no
port was specified in the url.
http://bugs.webkit.org/attachment.cgi?id=16149&action=edit

------- Additional Comments from Maciej Stachowiak <mjs at apple.com>
I think we should match Mozilla and IE on this. Some technicalities about the
current patch:

1) All these steps are done twice:

+    int document_port = documentURL.port();
+    
+    if (document_port == 0) {
+	 if(documentURL.protocol().lower() == "http")
+	     document_port = 80;
+	 if(documentURL.protocol().lower() == "https")
+	     document_port = 443;
+    }
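
Review bot: inside the "if (document_port == 0)" block, the two scheme tests are independent ifs and each one calls documentURL.protocol().lower() again. Lower the scheme once into a local and chain the second test with "else if", since only one of the two can match. Any scheme other than http or https leaves document_port at 0, so the comparison that follows should be checked for how it treats two URLs that both end up with 0. Style: the inner lines are tab-indented while the outer lines use spaces, and "if(" is missing the space used in the outer "if (".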

It would be nice to factor this work out into a common function, especially so
we can reuse it anywhere that an XSS same origin check is needed. Also, I'd
suggest adding the default port for "ftp". And finally, we probably need to
eventually add a way to ask the network layer for the default ports for various
protocols.

r- for these technicalities. I will gladly r+ a version that improves these
things. I also asked Sam Weinig to look at this, to see if we can apply the
same fix to scripting checks.
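
The common helper suggested in the review above could take the following shape. This is an added example, not part of the original message and not WebKit's code: UrlParts, defaultPortForScheme, effectivePort and sameOrigin are hypothetical names, port 0 is assumed to mean "no port in the URL" as in the quoted patch, and the comparison is assumed to cover scheme, host and port.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical stand-in for a parsed URL; port 0 means "no port in the URL",
// the same convention the quoted patch relies on.
struct UrlParts {
    std::string scheme;
    std::string host;
    int port;
};

static std::string lowered(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Default port for the schemes named in the review; 0 for anything else.
int defaultPortForScheme(const std::string& scheme)
{
    const std::string s = lowered(scheme);
    if (s == "http")
        return 80;
    if (s == "https")
        return 443;
    if (s == "ftp")
        return 21;
    return 0;
}

// Port used for comparison: the explicit one if present, else the scheme default.
int effectivePort(const UrlParts& url)
{
    return url.port ? url.port : defaultPortForScheme(url.scheme);
}

// One shared check, so every caller normalizes ports the same way.
bool sameOrigin(const UrlParts& a, const UrlParts& b)
{
    return lowered(a.scheme) == lowered(b.scheme)
        && lowered(a.host) == lowered(b.host)
        && effectivePort(a) == effectivePort(b);
}
```

With a single helper, a URL without a port and the same URL with its default port written out compare equal, while a non-default port or a different scheme still fails the check.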


