REGRESSION(r100691): Safari error pages and Growl notifications fail to load stylesheets
https://bugs.webkit.org/show_bug.cgi?id=72836
Reviewed by Sam Weinig.
Source/WebCore:
This patch removes a (minor) security mitigation. Previously, we tried
sequester "directory listings" into unique origins to make it more
difficult for an attacker to crawl the user's local file system.
Unfortunately, this mitigation doesn't really buy us much security
because if the attacker has access to local files, we've probably lost
anyway.
The larger problem, however, is that this condition is overly
complicated and has broken in sublte ways several times in its
(relatively short) lifetime. In the cases reported in this bug, we see
that this check affects error pages in Safari and Growl notifications,
even those have nothing to do with directory listings.
If we have our heart set on this directory listing mitigation, we'll
need a more robust way of triggering the behavior than examining URLs
and guess whether they contain directory listings. For example, if we
implement Allow-From or Access-Control-Deny-Origin, then the embedder
can supply those policies along with the directory listings. Those
seem like much better solutions than the in-engine hack this patch
removes.
* page/SecurityOrigin.cpp:
(WebCore::shouldTreatAsUniqueOrigin):
LayoutTests:
Update test results to show that XMLHttpRequets for directory listings
aren't blocked.
* fast/xmlhttprequest/resources/xmlhttprequest-nonexistent-file-real.html:
* fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@100877 268f45cc-cd09-0410-ab3c-d52691b4dbfc
6 files changed
