It would be useful to have an API to tell WebKit to disallow setting document.domain on pages with certain URL schemes.
<rdar://problem/7552837>
Created attachment 46839 [details] Add WebKit SPI to disallow setting document.domain from certain URL schemes
Comment on attachment 46839 [details] Add WebKit SPI to disallow setting document.domain from certain URL schemes r=me
Committed r53423: <http://trac.webkit.org/changeset/53423>
+ if (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) { That line looks overly convoluted. Why not just if (securityOrigin()->canSetDomainFromDOM()) { ?
(In reply to comment #5) > + if > (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) > { > > That line looks overly convoluted. Why not just > > if (securityOrigin()->canSetDomainFromDOM()) { > > ? That seems OK to me. isDomainRelaxationForbiddenForURLScheme seemed more symmetric with setDomainRelaxationForbiddenForURLScheme, which is why I did it this way. Also, adding canSetDomainFromDOM() seems strange when all the other "can set" checks are in Document::setDomain. But if you really think it would be better, I'm happy to change it.
That's a good point. We probably should really move that whole function into SecurityOrigin because it's operating on SecurityOrigin's member variable. It should return a bool that document can then uses to decide whether to call m_frame->script()->updateSecurityOrigin(). As an added benefit, that would make the code less redundant.