Improve geolocation permission security

Ensure we only grant permission to the origin the user replied to,
otherwise we might get a race exploit.

Change-Id: I4f737148f4e41432c160b81c324531e9cde0edc6
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/src/core/web_contents_delegate_qt.h b/src/core/web_contents_delegate_qt.h
index 2a541a768..c57a2fc67 100644
--- a/src/core/web_contents_delegate_qt.h
+++ b/src/core/web_contents_delegate_qt.h
@@ -92,11 +92,16 @@ public:
     void overrideWebPreferences(content::WebContents *, content::WebPreferences*);
     void allowCertificateError(const QExplicitlySharedDataPointer<CertificateErrorController> &) ;
     void requestGeolocationPermission(const GURL &requestingFrameOrigin, base::Callback<void (bool)> resultCallback);
+    void geolocationPermissionReply(const QUrl&,  bool permission);
 
-    base::Callback<void (bool)> m_lastGeolocationRequestCallback;
 private:
     WebContentsAdapter *createWindow(content::WebContents *new_contents, WindowOpenDisposition disposition, const gfx::Rect& initial_pos, bool user_gesture);
 
+    struct {
+        QUrl url;
+        base::Callback<void (bool)> callback;
+    } m_lastGeolocationPermissionRequest;
+
     WebContentsAdapterClient *m_viewClient;
     QString m_lastSearchedString;
     int m_lastReceivedFindReply;