diff options
author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-01-22 11:30:24 +0100 |
---|---|---|
committer | Jocelyn Turcotte <jocelyn.turcotte@digia.com> | 2015-01-22 17:55:41 +0100 |
commit | 4c724c022664286191558803632d45cd28749ae4 (patch) | |
tree | 128ac4e844990fa1d85dfca446d54baf62918f7a /src/core/web_contents_delegate_qt.cpp | |
parent | b6c905a0616f3ed22e553171ad4f5667c1250941 (diff) |
Improve geolocation permission security
Ensure we only grant permission to the origin the user replied to,
otherwise we might get a race exploit.
Change-Id: I4f737148f4e41432c160b81c324531e9cde0edc6
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'src/core/web_contents_delegate_qt.cpp')
-rw-r--r-- | src/core/web_contents_delegate_qt.cpp | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/core/web_contents_delegate_qt.cpp b/src/core/web_contents_delegate_qt.cpp index 92b61dcdd..18b61cd2d 100644 --- a/src/core/web_contents_delegate_qt.cpp +++ b/src/core/web_contents_delegate_qt.cpp @@ -314,6 +314,13 @@ void WebContentsDelegateQt::allowCertificateError(const QExplicitlySharedDataPoi void WebContentsDelegateQt::requestGeolocationPermission(const GURL &requestingFrameOrigin, base::Callback<void (bool)> resultCallback) { - m_lastGeolocationRequestCallback = resultCallback; - m_viewClient->runGeolocationPermissionRequest(toQt(requestingFrameOrigin)); + m_lastGeolocationPermissionRequest.url = toQt(requestingFrameOrigin); + m_lastGeolocationPermissionRequest.callback = resultCallback; + m_viewClient->runGeolocationPermissionRequest(m_lastGeolocationPermissionRequest.url); +} + +void WebContentsDelegateQt::geolocationPermissionReply(const QUrl &origin, bool permission) +{ + if (m_lastGeolocationPermissionRequest.url == origin) + m_lastGeolocationPermissionRequest.callback.Run(permission); } |