Diff
Modified: trunk/Source/WebCore/ChangeLog (202673 => 202674)
--- trunk/Source/WebCore/ChangeLog 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/ChangeLog 2016-06-30 06:28:58 UTC (rev 202674)
@@ -1,3 +1,47 @@
+2016-06-29 Youenn Fablet <you...@apple.com>
+
+ Pass SecurityOrigin as references in CORS check code
+ https://bugs.webkit.org/show_bug.cgi?id=159263
+
+ Reviewed by Alex Christensen.
+
+ No change of behavior.
+
+ * css/CSSImageSetValue.cpp:
+ (WebCore::CSSImageSetValue::cachedImageSet):
+ * css/CSSImageValue.cpp:
+ (WebCore::CSSImageValue::cachedImage):
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScript):
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::updateRequestForAccessControl):
+ (WebCore::createAccessControlPreflightRequest):
+ (WebCore::passesAccessControlCheck):
+ * loader/CrossOriginAccessControl.h:
+ * loader/CrossOriginPreflightChecker.cpp:
+ (WebCore::CrossOriginPreflightChecker::validatePreflightResponse):
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
+ (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest):
+ (WebCore::DocumentThreadableLoader::preflightSuccess):
+ (WebCore::DocumentThreadableLoader::isAllowedRedirect):
+ (WebCore::DocumentThreadableLoader::securityOrigin):
+ * loader/DocumentThreadableLoader.h:
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::updateFromElement):
+ * loader/LinkLoader.cpp:
+ (WebCore::preloadIfNeeded):
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::requestResource):
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkCrossOriginAccessControl):
+ * loader/TextTrackLoader.cpp:
+ (WebCore::TextTrackLoader::load):
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::passesAccessControlCheck):
+ * loader/cache/CachedResourceRequest.cpp:
+ (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
+
2016-06-29 Adam Bergkvist <adam.bergkv...@ericsson.com>
WebRTC: Implement MediaEndpointPeerConnection::setConfiguration()
Modified: trunk/Source/WebCore/css/CSSImageSetValue.cpp (202673 => 202674)
--- trunk/Source/WebCore/css/CSSImageSetValue.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/css/CSSImageSetValue.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -118,8 +118,10 @@
ImageWithScale image = bestImageForScaleFactor();
CachedResourceRequest request(ResourceRequest(document->completeURL(image.imageURL)), options);
request.setInitiator(cachedResourceRequestInitiators().css);
- if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
- updateRequestForAccessControl(request.mutableResourceRequest(), document->securityOrigin(), options.allowCredentials());
+ if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) {
+ ASSERT(document->securityOrigin());
+ updateRequestForAccessControl(request.mutableResourceRequest(), *document->securityOrigin(), options.allowCredentials());
+ }
if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) {
detachPendingImage();
m_imageSet = StyleCachedImageSet::create(cachedImage.get(), image.scaleFactor, this);
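Review bot: The added `ASSERT(document->securityOrigin());` protects the dereference on the following line only in builds where assertions are compiled in. Assuming ASSERT is the usual debug-only macro, release builds bind a reference to whatever the pointer holds with no check at all. The same pattern is repeated in the CSSImageValue.cpp, ScriptElement.cpp, ImageLoader.cpp, LinkLoader.cpp, MediaResourceLoader.cpp and CachedResourceRequest.cpp hunks. If a document is guaranteed to have an origin at these call sites, say so next to the assertion, e.g. `// securityOrigin() is expected to be non-null here; ASSERT is not checked in release builds.`, or have the document accessor itself return a reference so the invariant lives in one place. The enclosing function starts and ends outside this hunk.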
Modified: trunk/Source/WebCore/css/CSSImageValue.cpp (202673 => 202674)
--- trunk/Source/WebCore/css/CSSImageValue.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/css/CSSImageValue.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -82,9 +82,10 @@
else
request.setInitiator(m_initiatorName);
- if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled)
- updateRequestForAccessControl(request.mutableResourceRequest(), loader.document()->securityOrigin(), options.allowCredentials());
-
+ if (options.requestOriginPolicy() == PotentiallyCrossOriginEnabled) {
+ ASSERT(loader.document()->securityOrigin());
+ updateRequestForAccessControl(request.mutableResourceRequest(), *loader.document()->securityOrigin(), options.allowCredentials());
+ }
if (CachedResourceHandle<CachedImage> cachedImage = loader.requestImage(request)) {
detachPendingImage();
m_image = StyleCachedImage::create(cachedImage.get());
Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (202673 => 202674)
--- trunk/Source/WebCore/dom/ScriptElement.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -271,7 +271,8 @@
if (!crossOriginMode.isNull()) {
m_requestUsesAccessControl = true;
StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- updateRequestForAccessControl(request.mutableResourceRequest(), m_element.document().securityOrigin(), allowCredentials);
+ ASSERT(m_element.document().securityOrigin());
+ updateRequestForAccessControl(request.mutableResourceRequest(), *m_element.document().securityOrigin(), allowCredentials);
}
request.setCharset(scriptCharset());
request.setInitiator(&element());
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -98,14 +98,14 @@
return allowedCrossOriginResponseHeaders.get().contains(name);
}
-void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials)
+void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentials allowCredentials)
{
request.removeCredentials();
request.setAllowCookies(allowCredentials == AllowStoredCredentials);
- request.setHTTPOrigin(securityOrigin->toString());
+ request.setHTTPOrigin(securityOrigin.toString());
}
-ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin& securityOrigin)
{
ResourceRequest preflightRequest(request.url());
updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
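Review bot: The new `SecurityOrigin& securityOrigin` parameters of updateRequestForAccessControl and createAccessControlPreflightRequest could be `const SecurityOrigin&`, since the visible bodies only call `securityOrigin.toString()` or pass the reference on. A non-const reference suggests to callers that the CORS helpers may modify the origin they are checking against, which is the wrong signal for security-check code. This assumes toString() is const-qualified, which is not visible here. The declarations in CrossOriginAccessControl.h and passesAccessControlCheck would change the same way. The body of createAccessControlPreflightRequest continues past the end of the hunk.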
@@ -152,7 +152,7 @@
request.clearHTTPAcceptEncoding();
}
-bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
+bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin& securityOrigin, String& errorDescription)
{
// A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
// even with Access-Control-Allow-Credentials set to true.
@@ -161,11 +161,11 @@
return true;
// FIXME: Access-Control-Allow-Origin can contain a list of origins.
- if (accessControlOriginString != securityOrigin->toString()) {
+ if (accessControlOriginString != securityOrigin.toString()) {
if (accessControlOriginString == "*")
errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
else
- errorDescription = "Origin " + securityOrigin->toString() + " is not allowed by Access-Control-Allow-Origin.";
+ errorDescription = "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin.";
return false;
}
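Review bot: The comparison `accessControlOriginString != securityOrigin.toString()` is an exact string match on the serialized origin, and nothing here documents what that serialization is for a unique origin. SubresourceLoader.cpp in this same commit passes an origin from `SecurityOrigin::createUnique()` into these helpers after a cross-origin redirect, so a maintainer needs to know whether a server-supplied header value can ever equal it. I would add a comment above the comparison such as `// Exact match on the serialized origin; unique origins serialize to a fixed string (presumably "null"), so a response echoing that value passes.` and confirm the wording against SecurityOrigin::toString(). The function starts before this hunk and continues after it.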
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.h (202673 => 202674)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2016-06-30 06:28:58 UTC (rev 202674)
@@ -48,13 +48,13 @@
bool isOnAccessControlSimpleRequestHeaderWhitelist(HTTPHeaderName, const String& value);
bool isOnAccessControlResponseHeaderWhitelist(const String&);
-void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, StoredCredentials);
-ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*);
+void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin&, StoredCredentials);
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin&);
bool isValidCrossOriginRedirectionURL(const URL&);
void cleanRedirectedRequestForAccessControl(ResourceRequest&);
-bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
+bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin&, String& errorDescription);
void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
} // namespace WebCore
Modified: trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -82,7 +82,7 @@
return;
}
- CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin()->toString(), request.url(), WTFMove(result));
+ CrossOriginPreflightResultCache::singleton().appendEntry(loader.securityOrigin().toString(), request.url(), WTFMove(result));
loader.preflightSuccess(WTFMove(request));
}
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -86,7 +86,7 @@
, m_document(document)
, m_options(options)
, m_origin(WTFMove(origin))
- , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
+ , m_sameOriginRequest(securityOrigin().canRequest(request.url()))
, m_simpleRequest(true)
, m_async(blockingBehavior == LoadAsynchronously)
, m_contentSecurityPolicy(WTFMove(contentSecurityPolicy))
@@ -120,7 +120,7 @@
makeSimpleCrossOriginAccessRequest(crossOriginRequest);
else {
m_simpleRequest = false;
- if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin()->toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields()))
+ if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin().toString(), crossOriginRequest.url(), m_options.allowCredentials(), crossOriginRequest.httpMethod(), crossOriginRequest.httpHeaderFields()))
preflightSuccess(WTFMove(crossOriginRequest));
else
makeCrossOriginAccessRequestWithPreflight(WTFMove(crossOriginRequest));
@@ -327,7 +327,7 @@
void DocumentThreadableLoader::preflightSuccess(ResourceRequest&& request)
{
ResourceRequest actualRequest(WTFMove(request));
- actualRequest.setHTTPOrigin(securityOrigin()->toString());
+ actualRequest.setHTTPOrigin(securityOrigin().toString());
m_preflightChecker = Nullopt;
@@ -435,7 +435,7 @@
if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
return true;
- return m_sameOriginRequest && securityOrigin()->canRequest(url);
+ return m_sameOriginRequest && securityOrigin().canRequest(url);
}
bool DocumentThreadableLoader::isXMLHttpRequest() const
@@ -443,9 +443,10 @@
return m_options.initiator == cachedResourceRequestInitiators().xmlhttprequest;
}
-SecurityOrigin* DocumentThreadableLoader::securityOrigin() const
+SecurityOrigin& DocumentThreadableLoader::securityOrigin() const
{
- return m_origin ? m_origin.get() : m_document.securityOrigin();
+ ASSERT(m_document.securityOrigin());
+ return m_origin ? *m_origin : *m_document.securityOrigin();
}
const ContentSecurityPolicy& DocumentThreadableLoader::contentSecurityPolicy() const
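Review bot: `ASSERT(m_document.securityOrigin());` in securityOrigin() is evaluated even when m_origin is set, so it checks a pointer the return statement does not dereference in that case. Asserting exactly what is used reads more precisely: `ASSERT(m_origin || m_document.securityOrigin());`. Separately, the constructor hunk above calls securityOrigin() from the member initializer list for m_sameOriginRequest. That is only well-defined if m_document and m_origin are declared before m_sameOriginRequest in the class, which is not visible here and deserves a comment in the header.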
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (202673 => 202674)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-06-30 06:28:58 UTC (rev 202674)
@@ -97,7 +97,7 @@
bool isXMLHttpRequest() const final;
- SecurityOrigin* securityOrigin() const;
+ SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;
Document& document() { return m_document; }
Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/ImageLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -182,7 +182,8 @@
String crossOriginMode = element().fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- updateRequestForAccessControl(request.mutableResourceRequest(), document.securityOrigin(), allowCredentials);
+ ASSERT(document.securityOrigin());
+ updateRequestForAccessControl(request.mutableResourceRequest(), *document.securityOrigin(), allowCredentials);
}
if (m_loadManually) {
Modified: trunk/Source/WebCore/loader/LinkLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/LinkLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/LinkLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -128,8 +128,9 @@
linkRequest.setInitiator("link");
if (!crossOriginMode.isNull()) {
+ ASSERT(document.securityOrigin());
StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- updateRequestForAccessControl(linkRequest.mutableResourceRequest(), document.securityOrigin(), allowCredentials);
+ updateRequestForAccessControl(linkRequest.mutableResourceRequest(), *document.securityOrigin(), allowCredentials);
}
linkRequest.setForPreload(true);
document.cachedResourceLoader().preload(type.value(), linkRequest, emptyString());
Modified: trunk/Source/WebCore/loader/MediaResourceLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -80,9 +80,10 @@
// is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest cacheRequest(updatedRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, AskClientForAllCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, cachingPolicy));
- if (!m_crossOriginMode.isNull())
- updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document->securityOrigin(), allowCredentials);
-
+ if (!m_crossOriginMode.isNull()) {
+ ASSERT(m_document->securityOrigin());
+ updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), *m_document->securityOrigin(), allowCredentials);
+ }
CachedResourceHandle<CachedRawResource> resource = m_document->cachedResourceLoader().requestMedia(cacheRequest);
if (!resource)
return nullptr;
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -403,7 +403,7 @@
String errorDescription;
bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
- || passesAccessControlCheck(redirectResponse, options().allowCredentials(), m_origin.get(), errorDescription);
+ || passesAccessControlCheck(redirectResponse, options().allowCredentials(), *m_origin, errorDescription);
if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
if (m_frame && m_frame->document()) {
String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
@@ -416,7 +416,7 @@
// If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
m_origin = SecurityOrigin::createUnique();
cleanRedirectedRequestForAccessControl(newRequest);
- updateRequestForAccessControl(newRequest, m_origin.get(), options().allowCredentials());
+ updateRequestForAccessControl(newRequest, *m_origin, options().allowCredentials());
return true;
}
Modified: trunk/Source/WebCore/loader/TextTrackLoader.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/TextTrackLoader.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/TextTrackLoader.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -160,7 +160,7 @@
if (!crossOriginMode.isNull()) {
m_crossOriginMode = crossOriginMode;
StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- updateRequestForAccessControl(cueRequest.mutableResourceRequest(), document->securityOrigin(), allowCredentials);
+ updateRequestForAccessControl(cueRequest.mutableResourceRequest(), *document->securityOrigin(), allowCredentials);
} else {
// Cross-origin resources that are not suitably CORS-enabled may not load.
if (!document->securityOrigin()->canRequest(url)) {
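Review bot: `*document->securityOrigin()` is dereferenced here without the `ASSERT(document->securityOrigin());` that the other call sites in this commit add before the same call. For consistency, add `ASSERT(document->securityOrigin());` as the first statement inside `if (!crossOriginMode.isNull())`. The else branch also calls `document->securityOrigin()->canRequest(url)` unguarded, so the whole function assumes a non-null origin and the assertion could equally sit before the `if`. The function starts and ends outside this hunk.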
Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -352,7 +352,7 @@
bool CachedResource::passesAccessControlCheck(SecurityOrigin& securityOrigin)
{
String errorDescription;
- return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, &securityOrigin, errorDescription);
+ return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, securityOrigin, errorDescription);
}
bool CachedResource::passesSameOriginPolicyCheck(SecurityOrigin& securityOrigin)
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (202673 => 202674)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-06-30 05:57:22 UTC (rev 202673)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-06-30 06:28:58 UTC (rev 202674)
@@ -100,7 +100,8 @@
m_options.setRequestOriginPolicy(PotentiallyCrossOriginEnabled);
m_options.setAllowCredentials(equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials);
- updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.allowCredentials());
+ ASSERT(document.securityOrigin());
+ updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials());
}
} // namespace WebCore