+2011-05-26 James Kozianski <koz@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Implement a whitelist for registerProtocolHandler.
+
+ Described in the thread here
+ http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-April/031220.html
+
+ https://bugs.webkit.org/show_bug.cgi?id=60322
+
+ * fast/dom/register-protocol-handler.html:
+
2011-05-26 Adam Klein <adamk@chromium.org>
Unreviewed. Remove some passing tests from the test expectations.
invalid_urls.forEach(function (url) {
var succeeded = false;
try {
- window.navigator.registerProtocolHandler('myprotocol', url, 'title');
+ window.navigator.registerProtocolHandler('web+myprotocol', url, 'title');
} catch (e) {
succeeded = 'SYNTAX_ERR' == e.name;
}
// Test that the API has default no-op implementation.
var succeeded = true;
try {
- window.navigator.registerProtocolHandler('myprotocol', "%s", "title");
+ window.navigator.registerProtocolHandler('web+myprotocol', "%s", "title");
} catch (e) {
succeeded = false;
}
+2011-05-26 James Kozianski <koz@chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Implement a whitelist for registerProtocolHandler
+ https://bugs.webkit.org/show_bug.cgi?id=60322
+
+ * page/Navigator.cpp:
+ (WebCore::initProtocolHandlerWhitelist):
+ (WebCore::isProtocolWhitelisted):
+ (WebCore::verifyProtocolHandlerScheme):
+
2011-05-26 Annie Sullivan <sullivan@chromium.org>
Reviewed by Ryosuke Niwa.
#include "PluginData.h"
#include "Settings.h"
#include "StorageNamespace.h"
+#include <wtf/HashSet.h>
#include <wtf/StdLibExtras.h>
namespace WebCore {
#endif
#if ENABLE(REGISTER_PROTOCOL_HANDLER)
+static HashSet<String>* protocolWhitelist;
+
+static void initProtocolHandlerWhitelist()
+{
+ protocolWhitelist = new HashSet<String>;
+ static const char* protocols[] = {
+ "mailto",
+ "mms",
+ "nntp",
+ "rtsp",
+ "webcal",
+ };
+ for (size_t i = 0; i < WTF_ARRAY_LENGTH(protocols); ++i)
+ protocolWhitelist->add(protocols[i]);
+}
+
static bool verifyCustomHandlerURL(const String& baseURL, const String& url, ExceptionCode& ec)
{
// The specification requires that it is a SYNTAX_ERR if the "%s" token is
return true;
}
+static bool isProtocolWhitelisted(const String& scheme)
+{
+ if (!protocolWhitelist)
+ initProtocolHandlerWhitelist();
+ return protocolWhitelist->contains(scheme);
+}
+
static bool verifyProtocolHandlerScheme(const String& scheme, ExceptionCode& ec)
{
- // It is a SECURITY_ERR for these schemes to be handled by a custom handler.
- if (equalIgnoringCase(scheme, "http") || equalIgnoringCase(scheme, "https") || equalIgnoringCase(scheme, "file")) {
+ if (scheme.startsWith("web+")) {
+ if (isValidProtocol(scheme))
+ return true;
ec = SECURITY_ERR;
return false;
}
- return true;
+
+ if (isProtocolWhitelisted(scheme))
+ return true;
+ ec = SECURITY_ERR;
+ return false;
}
void Navigator::registerProtocolHandler(const String& scheme, const String& url, const String& title, ExceptionCode& ec)