JS: Align DOM::locationRef with isDocumentURL

Author: asger-semmle

javascript/ql/src/semmle/javascript/DOM.qll

@@ -326,7 +326,15 @@ module DOM {
 
     private class DefaultRange extends Range {
       DefaultRange() {
-        this = domValueRef().getAPropertyRead("location")
+        exists(string propName | this = documentRef().getAPropertyRead(propName) |
+          propName = "documentURI" or
+          propName = "documentURIObject" or
+          propName = "location" or
+          propName = "referrer" or
+          propName = "URL"
+        )
+        or
+        this = DOM::domValueRef().getAPropertyRead("baseUri")
         or
         this = DataFlow::globalVarRef("location")
       }

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

@@ -38,17 +38,7 @@ predicate isDocument(Expr e) { DOM::documentRef().flowsToExpr(e) }
 
 /** Holds if `e` could refer to the document URL. */
 predicate isDocumentURL(Expr e) {
-  exists(string propName | e = DOM::documentRef().getAPropertyRead(propName).asExpr() |
-    propName = "documentURI" or
-    propName = "documentURIObject" or
-    propName = "location" or
-    propName = "referrer" or
-    propName = "URL"
-  )
-  or
-  e = DOM::domValueRef().getAPropertyRead("baseUri").asExpr()
-  or
-  e.accessesGlobal("location")
+  DOM::locationRef().flowsToExpr(e)
 }
 
 /**

javascript/ql/test/library-tests/DOM/Customizations.expected

@@ -1,5 +1,6 @@
 test_documentRef
 | customization.js:2:13:2:31 | customGetDocument() |
 test_locationRef
+| customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |