Enforce no remote access from local URLs for XHR

Add a specific setting to disable remote access for local URLs and also enforce that on data-URLs loaded owned by local URLs. Change-Id: Ied8ec141eb1c28775644fce184a4759a79e1d177 Task-number: QTBUG-45556 Reviewed-by: Dmitry Shachnev <mitya57@gmail.com> Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
author: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2015-04-17 17:16:23 +0200
committer: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2015-04-28 19:29:19 +0000
commit: 9cbcd93cfe0ba6f7531574f7784e8978bd723110 (patch)
tree: 2f7c926e7f334669b7885ecd219a197bd181de0c /Source/WebCore/page/EventSource.cpp
parent: 8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/Source/WebCore/page/EventSource.cpp b/Source/WebCore/page/EventSource.cpp
index 77a8e6f33..d3e6bbc6b 100644
--- a/Source/WebCore/page/EventSource.cpp
+++ b/Source/WebCore/page/EventSource.cpp
@@ -132,7 +132,7 @@ void EventSource::connect()
     options.sniffContent = DoNotSniffContent;
     options.allowCredentials = (origin->canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
     options.preflightPolicy = PreventPreflight;
-    options.crossOriginRequestPolicy = UseAccessControl;
+    options.crossOriginRequestPolicy = origin->allowsCrossOriginRequests() ? UseAccessControl : DenyCrossOriginRequests;
     options.dataBufferingPolicy = DoNotBufferData;
     options.securityOrigin = origin;
author	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2015-04-17 17:16:23 +0200
committer	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2015-04-28 19:29:19 +0000
commit	9cbcd93cfe0ba6f7531574f7784e8978bd723110 (patch)
tree	2f7c926e7f334669b7885ecd219a197bd181de0c /Source/WebCore/page/EventSource.cpp
parent	8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (diff)