Bug 33806 - Would like API to disallow setting of document.domain for pages with certain URL schemes
Summary: Would like API to disallow setting of document.domain for pages with certain ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-01-18 12:40 PST by Adam Roben (:aroben)
Modified: 2010-01-18 14:49 PST (History)
2 users (show)

See Also:

Attachments
Add WebKit SPI to disallow setting document.domain from certain URL schemes (22.84 KB, patch)
2010-01-18 13:02 PST, Adam Roben (:aroben) 		sam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Roben (:aroben) 2010-01-18 12:40:04 PST 
It would be useful to have an API to tell WebKit to disallow setting document.domain on pages with certain URL schemes.
Comment 1 Adam Roben (:aroben) 2010-01-18 12:40:40 PST 
<rdar://problem/7552837>
Comment 2 Adam Roben (:aroben) 2010-01-18 13:02:50 PST 
Created attachment 46839 [details]
Add WebKit SPI to disallow setting document.domain from certain URL schemes
Comment 3 Sam Weinig 2010-01-18 13:09:57 PST 
Comment on attachment 46839 [details]
Add WebKit SPI to disallow setting document.domain from certain URL schemes

r=me
Comment 4 Adam Roben (:aroben) 2010-01-18 13:27:01 PST 
Committed r53423: <http://trac.webkit.org/changeset/53423>
Comment 5 Adam Barth 2010-01-18 14:31:10 PST 
+ if (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) {

That line looks overly convoluted.  Why not just

if (securityOrigin()->canSetDomainFromDOM()) {

?
Comment 6 Adam Roben (:aroben) 2010-01-18 14:39:35 PST 
(In reply to comment #5)
> + if
> (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol()))
> {
> 
> That line looks overly convoluted.  Why not just
> 
> if (securityOrigin()->canSetDomainFromDOM()) {
> 
> ?

That seems OK to me. isDomainRelaxationForbiddenForURLScheme seemed more symmetric with setDomainRelaxationForbiddenForURLScheme, which is why I did it this way. Also, adding canSetDomainFromDOM() seems strange when all the other "can set" checks are in Document::setDomain.

But if you really think it would be better, I'm happy to change it.
Comment 7 Adam Barth 2010-01-18 14:49:34 PST 
That's a good point.  We probably should really move that whole function into SecurityOrigin because it's operating on SecurityOrigin's member variable.  It should return a bool that document can then uses to decide whether to call m_frame->script()->updateSecurityOrigin().  As an added benefit, that would make the code less redundant.