Modified: branches/safari-600.8-branch/LayoutTests/ChangeLog (186846 => 186847)
--- branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-15 16:04:47 UTC (rev 186847)
@@ -1,5 +1,28 @@
2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+ Merge r186744. rdar://problem/21716371
+
+ 2015-07-12 David Kilzer <ddkil...@apple.com>
+
+ Merge r184434, and a small part of r173173. rdar://problem/21716506
+
+ * http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt:
+ Update for the branch by removing line numbers from the console
+ message.
+
+ 2015-05-15 Antti Koivisto <an...@apple.com>
+
+ When redirecting to data URL use HTTP response for same origin policy checks
+ https://bugs.webkit.org/show_bug.cgi?id=145054
+ rdar://problem/20299050
+
+ Reviewed by Alexey Proskuryakov.
+
+ * http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt: Added.
+ * http/tests/security/canvas-remote-read-data-url-image-redirect.html: Added.
+
+2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+
Merge r186793. rdar://problem/21707880
2015-07-13 David Kilzer <ddkil...@apple.com>
Added: branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt (0 => 186847)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt 2015-07-15 16:04:47 UTC (rev 186847)
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
+CONSOLE MESSAGE: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
+PASS: Calling getImageData() from a canvas tainted by a redirected data URL image was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling toDataURL() on a canvas tainted by a redirected data URL image was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling getImageData() from a canvas tainted by a redirected data URL image pattern was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling toDataURL() on a canvas tainted by a redirected data URL image pattern was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+
Added: branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html (0 => 186847)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html (rev 0)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html 2015-07-15 16:04:47 UTC (rev 186847)
@@ -0,0 +1,69 @@
+<pre id="console"></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+log = function(msg)
+{
+ document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
+}
+
+testGetImageData = function(context, description)
+{
+ description = "Calling getImageData() from a canvas tainted by a " + description;
+ try {
+ var imageData = context.getImageData(0,0,100,100);
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+testToDataURL = function(canvas, description)
+{
+ description = "Calling toDataURL() on a canvas tainted by a " + description;
+ try {
+ var dataURL = canvas.toDataURL();
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+test = function(canvas, description)
+{
+ testGetImageData(canvas.getContext("2d"), description);
+ testToDataURL(canvas, description);
+}
+
+var image = new Image();
+image._onload_ = function() {
+ var canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+
+ // Test reading from a canvas after drawing a data URL image onto it
+ context.drawImage(image, 0, 0, 100, 100);
+
+ test(canvas, "redirected data URL image");
+
+ // Test reading after using a data URL pattern
+ canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+ var remoteImagePattern = context.createPattern(image, "repeat");
+ context.fillStyle = remoteImagePattern;
+ context.fillRect(0, 0, 100, 100);
+
+ test(canvas, "redirected data URL image pattern");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+image.src = ""
+</script>
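Review bot: The last statement of the hunk, `image.src = ""`, gives the image no URL at all, so as printed the test never requests an HTTP resource that redirects to a data: image, the `onload` handler does not fire on a tainted canvas, and `testRunner.notifyDone()` is never reached. This may be a rendering artifact of the page (the handler name `_onload_` earlier in the hunk looks mangled the same way), so please confirm the checked-in file assigns an HTTP redirect URL here. As a smaller point, `var context` is declared twice inside the handler; the second one could be a plain assignment, `context = canvas.getContext("2d");`.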
Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-15 16:04:47 UTC (rev 186847)
@@ -1,5 +1,53 @@
2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+ Merge r186744. rdar://problem/21716371
+
+ 2015-07-12 David Kilzer <ddkil...@apple.com>
+
+ Merge r184434, and a small part of r173173. rdar://problem/21716506
+
+ 2015-05-15 Antti Koivisto <an...@apple.com>
+
+ When redirecting to data URL use HTTP response for same origin policy checks
+ https://bugs.webkit.org/show_bug.cgi?id=145054
+ rdar://problem/20299050
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: http/tests/security/canvas-remote-read-data-url-image-redirect.html
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::notifyFinished):
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::sanitizeScriptError):
+ * html/canvas/CanvasRenderingContext.cpp:
+ (WebCore::CanvasRenderingContext::wouldTaintOrigin):
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::notifyFinished):
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::responseReceived):
+ * loader/TextTrackLoader.cpp:
+ (WebCore::TextTrackLoader::notifyFinished):
+ * loader/cache/CachedImage.cpp:
+ (WebCore::CachedImage::isOriginClean):
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::passesAccessControlCheck):
+ (WebCore::CachedResource::passesSameOriginPolicyCheck):
+
+ Factor repeatedly used same origin policy test into a function.
+
+ (WebCore::CachedResource::redirectReceived):
+
+ When redirecting to a data URL save the redirect response.
+
+ (WebCore::CachedResource::responseForSameOriginPolicyChecks):
+
+ In case we got redirected to data use that response instead of the final data response for policy checks.
+
+ * loader/cache/CachedResource.h:
+
+2015-07-15 Matthew Hanson <matthew_han...@apple.com>
+
Merge r186793. rdar://problem/21707880
2015-07-13 David Kilzer <ddkil...@apple.com>
Modified: branches/safari-600.8-branch/Source/WebCore/dom/ScriptElement.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/dom/ScriptElement.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/dom/ScriptElement.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -344,10 +344,7 @@
if (!m_cachedScript)
return;
- if (m_requestUsesAccessControl
- && !m_element.document().securityOrigin()->canRequest(m_cachedScript->response().url())
- && !m_cachedScript->passesAccessControlCheck(m_element.document().securityOrigin())) {
-
+ if (m_requestUsesAccessControl && !m_cachedScript->passesSameOriginPolicyCheck(*m_element.document().securityOrigin())) {
dispatchErrorEvent();
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Cross-origin script load denied by Cross-Origin Resource Sharing policy.")));
m_element.document().addConsoleMessage(MessageSource::JS, MessageLevel::Error, consoleMessage);
Modified: branches/safari-600.8-branch/Source/WebCore/dom/ScriptExecutionContext.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/dom/ScriptExecutionContext.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/dom/ScriptExecutionContext.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -340,7 +340,7 @@
bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL, CachedScript* cachedScript)
{
URL targetURL = completeURL(sourceURL);
- if (securityOrigin()->canRequest(targetURL) || (cachedScript && cachedScript->passesAccessControlCheck(securityOrigin())))
+ if (securityOrigin()->canRequest(targetURL) || (cachedScript && cachedScript->passesAccessControlCheck(*securityOrigin())))
return false;
errorMessage = "Script error.";
sourceURL = String();
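Review bot: The changed line in `sanitizeScriptError` still decides same-origin-ness from `securityOrigin()->canRequest(targetURL)`, with `targetURL` derived from the caller-supplied `sourceURL`, so this is the one call site in the commit that does not go through the new redirect-aware `passesSameOriginPolicyCheck`. If that is deliberate, because `sourceURL` here comes from the error event rather than from a response, a short comment would save the next reader the question, e.g. `// sourceURL is reported by the script engine, so the response-based check in passesSameOriginPolicyCheck does not apply here.`; if a script loaded via an HTTP redirect to a data: URL can reach this path with a data: sourceURL, the CORS fallback is the only thing standing between it and an unsanitized error message, which is worth confirming. The function's body continues outside the hunk.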
Modified: branches/safari-600.8-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -64,7 +64,7 @@
if (!cachedImage->image()->hasSingleSecurityOrigin())
return true;
- return wouldTaintOrigin(cachedImage->response().url()) && !cachedImage->passesAccessControlCheck(canvas()->securityOrigin());
+ return wouldTaintOrigin(cachedImage->responseForSameOriginPolicyChecks().url()) && !cachedImage->passesAccessControlCheck(*canvas()->securityOrigin());
}
bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)
Modified: branches/safari-600.8-branch/Source/WebCore/loader/ImageLoader.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/loader/ImageLoader.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/loader/ImageLoader.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -287,10 +287,7 @@
if (!m_hasPendingLoadEvent)
return;
- if (element().fastHasAttribute(HTMLNames::crossoriginAttr)
- && !element().document().securityOrigin()->canRequest(image()->response().url())
- && !resource->passesAccessControlCheck(element().document().securityOrigin())) {
-
+ if (element().fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesSameOriginPolicyCheck(*element().document().securityOrigin())) {
setImageWithoutConsideringPendingLoadEvent(0);
m_hasPendingErrorEvent = true;
Modified: branches/safari-600.8-branch/Source/WebCore/loader/TextTrackLoader.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/loader/TextTrackLoader.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/loader/TextTrackLoader.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -127,12 +127,8 @@
ASSERT(m_resource == resource);
Document* document = toDocument(m_scriptExecutionContext);
- if (!m_crossOriginMode.isNull()
- && !document->securityOrigin()->canRequest(resource->response().url())
- && !resource->passesAccessControlCheck(document->securityOrigin())) {
-
+ if (!m_crossOriginMode.isNull() && !resource->passesSameOriginPolicyCheck(*document->securityOrigin()))
corsPolicyPreventedLoad();
- }
if (m_state != Failed) {
processNewCueData(resource);
Modified: branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedImage.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedImage.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedImage.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -563,9 +563,9 @@
{
if (!image()->hasSingleSecurityOrigin())
return false;
- if (passesAccessControlCheck(securityOrigin))
+ if (passesAccessControlCheck(*securityOrigin))
return true;
- return !securityOrigin->taintsCanvas(response().url());
+ return !securityOrigin->taintsCanvas(responseForSameOriginPolicyChecks().url());
}
bool CachedImage::mustRevalidateDueToCacheHeaders(CachePolicy policy) const
Modified: branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.cpp (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.cpp 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.cpp 2015-07-15 16:04:47 UTC (rev 186847)
@@ -380,12 +380,19 @@
m_status = Cached;
}
-bool CachedResource::passesAccessControlCheck(SecurityOrigin* securityOrigin)
+bool CachedResource::passesAccessControlCheck(SecurityOrigin& securityOrigin)
{
String errorDescription;
- return WebCore::passesAccessControlCheck(m_response, resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, securityOrigin, errorDescription);
+ return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, &securityOrigin, errorDescription);
}
+bool CachedResource::passesSameOriginPolicyCheck(SecurityOrigin& securityOrigin)
+{
+ if (securityOrigin.canRequest(responseForSameOriginPolicyChecks().url()))
+ return true;
+ return passesAccessControlCheck(securityOrigin);
+}
+
bool CachedResource::isExpired() const
{
if (m_response.isNull())
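Review bot: `passesAccessControlCheck` now evaluates `response()` at the changed line, while the new `passesSameOriginPolicyCheck` a few lines below consults `responseForSameOriginPolicyChecks()`, so for a resource that redirected to a data: URL the CORS half of the policy is checked against the data: response, which carries no Access-Control-Allow-Origin header and therefore fails. That is the conservative outcome, the resource is treated as cross-origin, but reading the two functions side by side it is not obvious whether it was intended or whether the HTTP redirect response's CORS headers were meant to apply. A comment on `passesAccessControlCheck` such as `// Deliberately uses the final response: a redirect to a data: URL can never satisfy CORS.` would settle it, or the call should use `responseForSameOriginPolicyChecks()` if the other reading is the intended one. Both functions appear not to modify the resource and could be declared `const`.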
@@ -434,6 +441,22 @@
return 0;
}
+void CachedResource::willSendRequest(ResourceRequest& request, const ResourceResponse& response)
+{
+ m_requestedFromNetworkingLayer = true;
+ if (response.isNull())
+ return;
+
+ // Redirect to data: URL uses the last HTTP response for SOP.
+ if (response.isHTTP() && request.url().protocolIsData())
+ m_redirectResponseForSameOriginPolicyChecks = response;
+}
+
+const ResourceResponse& CachedResource::responseForSameOriginPolicyChecks() const
+{
+ return m_redirectResponseForSameOriginPolicyChecks.isNull() ? m_response : m_redirectResponseForSameOriginPolicyChecks;
+}
+
void CachedResource::responseReceived(const ResourceResponse& response)
{
setResponse(response);
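Review bot: `m_redirectResponseForSameOriginPolicyChecks` is assigned in `willSendRequest` but nothing in this hunk ever clears it, so if a `CachedResource` is reloaded or revalidated and the new load does not redirect to a data: URL, `responseForSameOriginPolicyChecks()` would keep returning the HTTP response recorded by the earlier load. Whether some reload path resets the member is outside the diff; if none does, clearing it where a new request is started (not in `setResponse`, which runs after the redirect has already been recorded) would keep the stored response tied to the current load. A comment on the assignment noting the lifetime, e.g. `// Persists for the lifetime of this load; cleared when the resource is re-requested.`, would make the expectation explicit either way.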
Modified: branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.h (186846 => 186847)
--- branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.h 2015-07-15 16:04:40 UTC (rev 186846)
+++ branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResource.h 2015-07-15 16:04:47 UTC (rev 186847)
@@ -175,7 +175,8 @@
// Updates the expire date on the cache entry file
void finish();
- bool passesAccessControlCheck(SecurityOrigin*);
+ bool passesAccessControlCheck(SecurityOrigin&);
+ bool passesSameOriginPolicyCheck(SecurityOrigin&);
// Called by the cache if the object has been removed from the cache
// while still being referenced. This means the object should delete itself
@@ -190,10 +191,12 @@
ResourceBuffer* resourceBuffer() const { ASSERT(!m_purgeableData); return m_data.get(); }
- virtual void willSendRequest(ResourceRequest&, const ResourceResponse&) { m_requestedFromNetworkingLayer = true; }
+ virtual void willSendRequest(ResourceRequest&, const ResourceResponse&);
virtual void responseReceived(const ResourceResponse&);
void setResponse(const ResourceResponse& response) { m_response = response; }
const ResourceResponse& response() const { return m_response; }
+ // This is the same as response() except after HTTP redirect to data: URL.
+ const ResourceResponse& responseForSameOriginPolicyChecks() const;
bool canDelete() const { return !hasClients() && !m_loader && !m_preloadCount && !m_handleCount && !m_resourceToRevalidate && !m_proxyResource; }
bool hasOneHandle() const { return m_handleCount == 1; }
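Review bot: `willSendRequest` stays `virtual` on the changed line, and its base body now records the redirect response that `responseForSameOriginPolicyChecks()` depends on, so a subclass override that does not call `CachedResource::willSendRequest` would silently fall back to the data: response for same-origin checks, which is the behaviour this commit fixes. Whether any subclass currently overrides it is not visible in this diff, but the contract deserves a comment at the declaration, e.g. `// Overrides must call the base implementation: it records the HTTP response of a redirect to a data: URL for same origin policy checks.`. The new comment on `responseForSameOriginPolicyChecks()` could also say what is returned in that case, e.g. `// Same as response(), except after an HTTP redirect to a data: URL it returns the HTTP redirect response rather than the data: response.`.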
@@ -299,6 +302,7 @@
ResourceLoadPriority m_loadPriority;
ResourceResponse m_response;
+ ResourceResponse m_redirectResponseForSameOriginPolicyChecks;
double m_responseTimestamp;
RefPtr<ResourceBuffer> m_data;