// Check if the current execution context can access a target frame. // First it checks same domain policy using the lexical context // // This is equivalent to KJS::Window::allowsAccessFrom(ExecState*, String&). bool V8Proxy::canAccessPrivate(DOMWindow* targetWindow) { ASSERT(targetWindow); String message; DOMWindow* originWindow = retrieveWindow(currentContext()); if (originWindow == targetWindow) return true; if (!originWindow) return false; const SecurityOrigin* activeSecurityOrigin = originWindow->securityOrigin(); const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin(); // We have seen crashes were the security origin of the target has not been // initialized. Defend against that. if (!targetSecurityOrigin) return false; if (activeSecurityOrigin->canAccess(targetSecurityOrigin)) return true; // Allow access to a "about:blank" page if the dynamic context is a // detached context of the same frame as the blank page. if (targetSecurityOrigin->isEmpty() && originWindow->frame() == targetWindow->frame()) return true; return false; }
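// Returns the security origin of frame's DOM window, serialized with
// SecurityOrigin::toString() and converted to a Latin-1 CString.
//
// A default-constructed CString is returned when the frame, its window or the
// window's security origin is unavailable, so the helper never dereferences a
// null pointer. The result is a display string only; access decisions must be
// made with SecurityOrigin::canAccess(), not by comparing this text.
static CString frameOrigin(Frame* frame)
{
    if (!frame)
        return CString();

    DOMWindow* window = frame->domWindow();
    if (!window)
        return CString();

    // The origin can be null if it has not been initialized yet.
    SecurityOrigin* origin = window->securityOrigin();
    if (!origin)
        return CString();

    return origin->toString().latin1();
}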
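// Schedules a refresh of this Location's frame on behalf of activeWindow.
//
// The reload is refused when:
//  - the Location has no frame or the frame has no document,
//  - either window or either security origin is missing (fail closed, no
//    console message, because the message helper takes the same windows),
//  - activeWindow's origin cannot access the target window's origin (an error
//    message is printed on the target window),
//  - the document's current URL uses the javascript: protocol.
void Location::reload(DOMWindow* activeWindow)
{
    if (!m_frame || !m_frame->document())
        return;

    // FIXME: It's not clear this cross-origin security check is valuable.
    // We allow one page to change the location of another. Why block attempts to reload?
    // Other location operations simply block use of JavaScript URLs cross origin.
    DOMWindow* targetWindow = m_frame->document()->domWindow();

    // Defensive: a null window or an uninitialized security origin would
    // otherwise be dereferenced by the canAccess() call below. Deny the reload
    // instead of continuing with an incomplete origin check.
    if (!activeWindow || !targetWindow)
        return;
    if (!activeWindow->securityOrigin() || !targetWindow->securityOrigin())
        return;

    if (!activeWindow->securityOrigin()->canAccess(targetWindow->securityOrigin())) {
        targetWindow->printErrorMessage(targetWindow->crossDomainAccessErrorMessage(activeWindow));
        return;
    }

    // Never re-run a javascript: URL through a refresh.
    if (protocolIsJavaScript(m_frame->document()->url()))
        return;

    m_frame->navigationScheduler()->scheduleRefresh();
}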