summaryrefslogtreecommitdiff
path: root/Source/WebCore/loader/DocumentThreadableLoader.cpp
diff options
context:
space:
mode:
authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2015-04-17 17:16:23 +0200
committerAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2015-04-28 19:29:19 +0000
commit9cbcd93cfe0ba6f7531574f7784e8978bd723110 (patch)
tree2f7c926e7f334669b7885ecd219a197bd181de0c /Source/WebCore/loader/DocumentThreadableLoader.cpp
parent8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (diff)
downloadqtwebkit-9cbcd93cfe0ba6f7531574f7784e8978bd723110.tar.gz
Enforce no remote access from local URLs for XHR
Add a specific setting to disable remote access for local URLs and also enforce that on data-URLs loaded owned by local URLs. Change-Id: Ied8ec141eb1c28775644fce184a4759a79e1d177 Task-number: QTBUG-45556 Reviewed-by: Dmitry Shachnev <mitya57@gmail.com> Reviewed-by: Michael BrĂ¼ning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'Source/WebCore/loader/DocumentThreadableLoader.cpp')
-rw-r--r--Source/WebCore/loader/DocumentThreadableLoader.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/Source/WebCore/loader/DocumentThreadableLoader.cpp b/Source/WebCore/loader/DocumentThreadableLoader.cpp
index e8fe0185e..d51751ca5 100644
--- a/Source/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/Source/WebCore/loader/DocumentThreadableLoader.cpp
@@ -127,6 +127,11 @@ void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(const Resource
return;
}
+ if (!securityOrigin()->allowsCrossOriginRequests()) {
+ m_client->didFailAccessControlCheck(ResourceError(errorDomainWebKitInternal, 0, request.url().string(), "Cross origin requests are not allowed from " + securityOrigin()->toString() + "."));
+ return;
+ }
+
loadRequest(request, DoSecurityCheck);
}
View Lorry Controller Status