[webkit-reviews] review canceled: [Bug 73359] Move postMessage origin check to SecurityOrigin : [Attachment 117065] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Dec 1 14:23:07 PST 2011
Karl Koscher <supersat at chromium.org> has canceled Karl Koscher
<supersat at chromium.org>'s request for review:
Bug 73359: Move postMessage origin check to SecurityOrigin
https://bugs.webkit.org/show_bug.cgi?id=73359
Attachment 117065: Patch
https://bugs.webkit.org/attachment.cgi?id=117065&action=review
------- Additional Comments from Karl Koscher <supersat at chromium.org>
(In reply to comment #5)
> (From update of attachment 117065 [details])
> View in context:
https://bugs.webkit.org/attachment.cgi?id=117065&action=review
>
> > Source/WebCore/page/SecurityOrigin.h:103
> > + bool canReceivePostMessage(const SecurityOrigin* intendedOrigin);
>
> Maybe canReceivePostMessage => canReceiveMessagesFor ? You want to be clear
that it's "for" the intendedOrigin rather than "from" a source origin, even at
the call sites.
Yeah. I was confused a bit myself, but cleaned that all up.
> > Source/WebCore/page/SecurityOrigin.h:113
> > + // Explicitly grant the ability to receive postMessages from any
origin.
> > + void grantReceivePostMessagesFromAnyOrigin();
>
> Can you explain when we'd want to grant this privilege?
I'm working on getting cross-process postMessages to work. The way we're doing
it is by installing a native event listener from the chromium side on a blank,
swapped-out document. However, since this document doesn't have an origin, it
needs to be able to receive messages intended for any origin. We then call
canReceiveMessagesFor from the chromium side right before we dispatch the
message. This prevents a race where the origin could change between the time it
was checked and the time it was dispatched (which is why we can't simply set
the proxy document's origin).
More information about the webkit-reviews
mailing list