void FrameLoaderClientAndroid::dispatchDidReceiveIcon() { ASSERT(m_frame); if (m_frame->tree() && m_frame->tree()->parent()) return; WebCore::String url(m_frame->loader()->url().string()); // Try to obtain the icon image. WebCore::Image* icon = WebCore::iconDatabase()->iconForPageURL( url, WebCore::IntSize(16, 16)); // If the request fails, try the original request url. if (!icon) { DocumentLoader* docLoader = m_frame->loader()->activeDocumentLoader(); KURL originalURL = docLoader->originalRequest().url(); icon = WebCore::iconDatabase()->iconForPageURL( originalURL, WebCore::IntSize(16, 16)); } // There is a bug in webkit where cancelling an icon load is treated as a // failure. When this is fixed, we can ASSERT again that we have an icon. if (icon) { LOGV("Received icon (%p) for %s", icon, url.utf8().data()); m_webFrame->didReceiveIcon(icon); } else { LOGV("Icon data for %s unavailable, registering for notification...", url.utf8().data()); registerForIconNotification(); } }
PassRefPtr<HistoryItem> HistoryController::createItem(bool useOriginal) { DocumentLoader* documentLoader = m_frame->loader()->documentLoader(); KURL unreachableURL = documentLoader ? documentLoader->unreachableURL() : KURL(); KURL url; KURL originalURL; if (!unreachableURL.isEmpty()) { url = unreachableURL; originalURL = unreachableURL; } else { originalURL = documentLoader ? documentLoader->originalURL() : KURL(); if (useOriginal) url = originalURL; else if (documentLoader) url = documentLoader->requestURL(); } LOG(History, "WebCoreHistory: Creating item for %s", url.string().ascii().data()); // Frames that have never successfully loaded any content // may have no URL at all. Currently our history code can't // deal with such things, so we nip that in the bud here. // Later we may want to learn to live with nil for URL. // See bug 3368236 and related bugs for more information. if (url.isEmpty()) url = blankURL(); if (originalURL.isEmpty()) originalURL = blankURL(); Frame* parentFrame = m_frame->tree()->parent(); String parent = parentFrame ? parentFrame->tree()->uniqueName() : ""; String title = documentLoader ? documentLoader->title() : ""; RefPtr<HistoryItem> item = HistoryItem::create(url, m_frame->tree()->uniqueName(), parent, title); item->setOriginalURLString(originalURL.string()); if (!unreachableURL.isEmpty() || !documentLoader || documentLoader->response().httpStatusCode() >= 400) item->setLastVisitWasFailure(true); // Save form state if this is a POST if (documentLoader) { if (useOriginal) item->setFormInfoFromRequest(documentLoader->originalRequest()); else item->setFormInfoFromRequest(documentLoader->request()); } // Set the item for which we will save document state m_frameLoadComplete = false; m_previousItem = m_currentItem; m_currentItem = item; return item.release(); }
bool XSSAuditor::findInRequest(Frame* frame, const FindTask& task) const { ASSERT(frame->document()); if (!frame->document()->decoder()) { // Note, JavaScript URLs do not have a charset. return false; } if (task.string.isEmpty()) return false; DocumentLoader *documentLoader = frame->loader()->documentLoader(); if (!documentLoader) return false; FormData* formDataObj = documentLoader->originalRequest().httpBody(); const bool hasFormData = formDataObj && !formDataObj->isEmpty(); String pageURL = frame->document()->url().string(); if (!hasFormData) { // We clear out our form data caches, in case we're holding onto a bunch of memory. m_formDataCache.clear(); m_formDataSuffixTree.clear(); } String canonicalizedString; if (!hasFormData && task.string.length() > 2 * pageURL.length()) { // Q: Why do we bother to do this check at all? // A: Canonicalizing large inline scripts can be expensive. We want to // reduce the size of the string before we call canonicalize below, // since it could result in an unneeded allocation and memcpy. // // Q: Why do we multiply by two here? // A: We attempt to detect reflected XSS even when the server // transforms the attacker's input with addSlashes. The best the // attacker can do get the server to inflate his/her input by a // factor of two by sending " characters, which the server // transforms to \". canonicalizedString = task.string.substring(0, 2 * pageURL.length()); } else canonicalizedString = task.string; if (frame->document()->url().protocolIs("data")) return false; canonicalizedString = canonicalize(canonicalizedString); if (canonicalizedString.isEmpty()) return false; if (!task.context.isEmpty()) canonicalizedString = task.context + canonicalizedString; String decodedPageURL = m_pageURLCache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), task.decodeEntities, task.decodeURLEscapeSequencesTwice); if (task.allowRequestIfNoIllegalURICharacters && !hasFormData && decodedPageURL.find(&isIllegalURICharacter, 0) == -1) return false; // Injection is impossible because the request does not contain any illegal URI characters. if (decodedPageURL.find(canonicalizedString, 0, false) != -1) return true; // We've found the string in the GET data. if (hasFormData) { String decodedFormData = m_formDataCache.canonicalizeURL(formDataObj, frame->document()->decoder()->encoding(), task.decodeEntities, task.decodeURLEscapeSequencesTwice); if (m_generationOfSuffixTree != m_formDataCache.generation()) { m_formDataSuffixTree = new SuffixTree<ASCIICodebook>(decodedFormData, 5); m_generationOfSuffixTree = m_formDataCache.generation(); } // Try a fast-reject via the suffixTree. if (m_formDataSuffixTree && !m_formDataSuffixTree->mightContain(canonicalizedString)) return false; if (decodedFormData.find(canonicalizedString, 0, false) != -1) return true; // We found the string in the POST data. } return false; }