From a950d3dd5f7a7c6650ec056e0460f81bdd37f207 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Sat, 7 Nov 2020 09:51:22 +0000
Subject: [PATCH] LibWeb: Reject iframing file:// URLs if document is not a
 file:// URL

---
 Libraries/LibWeb/HTML/HTMLIFrameElement.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Libraries/LibWeb/HTML/HTMLIFrameElement.cpp b/Libraries/LibWeb/HTML/HTMLIFrameElement.cpp
index 4b10624550..8577f364d3 100644
--- a/Libraries/LibWeb/HTML/HTMLIFrameElement.cpp
+++ b/Libraries/LibWeb/HTML/HTMLIFrameElement.cpp
@@ -74,13 +74,17 @@ void HTMLIFrameElement::document_will_detach_from_frame(Frame&)
 
 void HTMLIFrameElement::load_src(const String& value)
 {
-    dbg() << "Loading iframe document from " << value;
     auto url = document().complete_url(value);
     if (!url.is_valid()) {
-        dbg() << "Actually no I'm not, because the URL is not valid :(";
+        dbg() << "iframe failed to load URL: Invalid URL: " << value;
+        return;
+    }
+    if (url.protocol() == "file" && content_origin().protocol() != "file") {
+        dbg() << "iframe failed to load URL: Security violation: " << document().url() << " may not load " << value;
         return;
     }
 
+    dbg() << "Loading iframe document from " << value;
     m_content_frame->loader().load(url, FrameLoader::Type::IFrame);
 }