Diff
Modified: trunk/LayoutTests/ChangeLog (205853 => 205854)
--- trunk/LayoutTests/ChangeLog 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/ChangeLog 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,3 +1,43 @@
+2016-09-12 Youenn Fablet <[email protected]>
+
+ ScriptElement should use FetchOptions::mode according its crossOrigin attribute
+ https://bugs.webkit.org/show_bug.cgi?id=161686
+
+ Reviewed by Darin Adler.
+
+ Added new tests.
+ Updated cookie test for robustness as the order of the cookie items when more than one may not be preserved.
+
+ Moved one of the blink test to http/tests as it requires HTTP to run properly.
+ Updated blink test expectation as it is run from file, while it should be run from http.
+
+ Copied a similar test to http/tests/local to ensure that script load fails when served from the filesystem , CORS check failing.
+ The test was previously passing in WebKit as the test file was served from filesystem and was granted universal access.
+ The CORS checks were done through SecurityOrigin::canRequest which was testing that first.
+ With the patch, CORS checks are done at a lower level and do not take in to account universal access.
+ This aligns with Chrome and Firefox behavior.
+
+ * http/tests/local/script-crossorigin-loads-fail-origin-expected.txt: Added.
+ * http/tests/local/script-crossorigin-loads-fail-origin.html: Copied from LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html.
+ * http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html: Sorting the cookie to make the test more resistant.
+ * http/tests/security/cross-origin-cached-images-expected.txt: Added.
+ * http/tests/security/cross-origin-cached-images-parallel-expected.txt: Added.
+ * http/tests/security/cross-origin-cached-images-parallel.html: Renamed from LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html.
+ * http/tests/security/cross-origin-cached-images.html: Renamed from LayoutTests/http/tests/security/cross-origin-cached-resource.html.
+ * http/tests/security/cross-origin-cached-resource-parallel-expected.txt: Removed.
+ * http/tests/security/cross-origin-cached-scripts-expected.txt: Added.
+ * http/tests/security/cross-origin-cached-scripts-parallel-expected.txt: Added.
+ * http/tests/security/cross-origin-cached-scripts-parallel.html: Added.
+ * http/tests/security/cross-origin-cached-scripts.html: Added.
+ * http/tests/security/resources/cors-script.php: Updated according chromium script to activate CORS credentials header if requested.
+ * http/tests/security/resources/cross-origin-cached-resource-iframe.html:
+ * http/tests/security/resources/notify-loaded.js: Added.
+ * http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt: Renamed from LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt.
+ * http/tests/security/script-crossorigin-loads-correctly-credentials.html: Renamed from LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html.
+ * http/tests/security/script-with-dataurl-expected.txt: Added.
+ * http/tests/security/script-with-dataurl.html: Added.
+ * http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt:
+
2016-09-12 Fujii Hironori <[email protected]>
[GTK] Fix lint warnings of LayoutTests/platform/gtk/TestExpectations
Modified: trunk/LayoutTests/http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html (205853 => 205854)
--- trunk/LayoutTests/http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -21,11 +21,18 @@
alert("Unknown message.");
}
+function sortCookie(cookie)
+{
+ var items = cookie.split("; ");
+ items.sort();
+ return items.join("; ");
+}
+
var stage = 1;
function showCookies()
{
- alert("Test stage " + stage++ + " document.cookie is: " + document.cookie);
- parent.window.postMessage("done", "*");
+ alert("Test stage " + stage++ + " document.cookie is: " + sortCookie(document.cookie));
+ parent.window.postMessage("done", "*");
}
function sendXHR(queryCommand)
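Review bot: `sortCookie` is added without a comment saying why the alert no longer prints `document.cookie` verbatim, so a later reader may "simplify" it away and bring back the flakiness. A one-line comment above the function would cover it, for example `// document.cookie does not guarantee item order when several cookies are set; sort so the expected output is stable.` The comment should also say that the split relies on the `"; "` separator `document.cookie` uses between items. The body of `sendXHR` lies outside this hunk.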
Added: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Origin is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+This test fails if the script loads correctly.
+
+PASS
Copied: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html (from rev 205853, trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html) (0 => 205854)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,23 @@
+<body>
+<p>This test fails if the script loads correctly.</p>
+<pre></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function done(msg) {
+ document.querySelector("pre").innerHTML = msg;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script.crossOrigin = "use-credentials";
+// We are serving the test from the filesystem, so it should fail as authorized origin is 127.0.0.1:8000.
+script.src = ""
+script._onload_ = function() { done("FAIL"); }
+script._onerror_ = function() { done("PASS");}
+document.body.appendChild(script);
+</script>
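Review bot: The page prints PASS on any `error` event, so by itself it cannot tell a CORS rejection from any other load failure such as an unreachable server or a missing resource. Only the two `CONSOLE MESSAGE` lines in the -expected.txt file tie the result to the CORS check. A comment next to the handlers would make that dependency explicit, for example `// Any load error prints PASS; the CONSOLE MESSAGE lines in the expected file confirm that the CORS check caused it.` As rendered on this page the `script.src` value is empty and the handlers are spelled `_onload_`/`_onerror_`; this looks like an archive rendering artifact rather than the committed text and is worth checking against the repository copy.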
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-images-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-images-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-images-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,17 @@
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+Tests source origin difference for cached resources.
+
+Trying to load sequentially the same image from different origins.
+Test 1 PASS: Loaded img http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Loaded img http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded img http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8000 (crossOrigin=anonymous)
+Test 4 PASS: Did not load img http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080 (crossOrigin=anonymous)
+Test 5 PASS: Loaded img http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000
+Test 6 PASS: Loaded img http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
+Test 7 PASS: Loaded img http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080
+Test 8 PASS: Did not load img http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080 (crossOrigin=anonymous)
+
+
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,17 @@
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+Tests source origin difference for cached resources.
+
+Trying to load sequentially the same image from different origins.
+Test 1 PASS: Loaded img http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Loaded img http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded img http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200 from localhost:8000 (crossOrigin=anonymous)
+Test 4 PASS: Did not load img http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200 from localhost:8080 (crossOrigin=anonymous)
+Test 5 PASS: Loaded img http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000
+Test 6 PASS: Loaded img http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
+Test 7 PASS: Loaded img http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200 from localhost:8080
+Test 8 PASS: Did not load img http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200 from localhost:8080 (crossOrigin=anonymous)
+
+
Copied: trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel.html (from rev 205853, trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html) (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-images-parallel.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,66 @@
+<html>
+<body>
+<p>Tests source origin difference for cached resources.</p
+<p>Trying to load sequentially the same image from different origins.</p>
+<div id="console"></div>
+<div>
+ <iframe id="iframe1"></iframe>
+ <iframe id="iframe2"></iframe>
+ <iframe id="iframe3"></iframe>
+ <iframe id="iframe4"></iframe>
+</div>
+<div>
+ <iframe id="iframe5"></iframe>
+ <iframe id="iframe6"></iframe>
+ <iframe id="iframe7"></iframe>
+ <iframe id="iframe8"></iframe>
+</div>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+var counter = 0;
+var messages = [];
+window.addEventListener("message", function(event) {
+ messages.push(event.data);
+ if (messages.length == 8) {
+ messages.sort();
+ messages.forEach((message) => {
+ document.getElementById('console').innerHTML += message + "<br/>";
+ })
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+});
+
+var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
+var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
+
+var allowAllImage1 = "http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache";
+var allow8000Image1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200";
+
+var allowAllImage2 = "http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache";
+var allow8000Image2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&delay=200";
+
+document.getElementById('iframe1').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage1, shouldPass:true, crossOrigin: "anonymous", id: 1}));
+document.getElementById('iframe2').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage1, shouldPass: true, crossOrigin: "anonymous", id: 2}));
+document.getElementById('iframe3').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image1, shouldPass: true, crossOrigin: "anonymous", id: 3}));
+document.getElementById('iframe4').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image1, shouldPass: false, crossOrigin: "anonymous", id: 4}));
+
+document.getElementById('iframe5').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage2, shouldPass:true, id: 5}));
+document.getElementById('iframe6').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage2, shouldPass:true, crossOrigin: "anonymous", id: 6}));
+document.getElementById('iframe7').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image2, shouldPass:true, id: 7}));
+document.getElementById('iframe8').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image2, shouldPass:false, crossOrigin: "anonymous", id: 8}));
+</script>
+</body>
+</html>
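Review bot: The `message` listener counts every incoming event toward the eight expected results and appends `event.data` to the console div through `innerHTML`, without looking at `event.origin`. Judging by `iframeURL8000`/`iframeURL8080` and the expected output, only the frames on localhost:8000 and localhost:8080 should report. A guard at the top of the handler, such as `if (event.origin !== "http://localhost:8000" && event.origin !== "http://localhost:8080") return;`, would keep a stray message from being counted or rendered. The same handler pattern appears in cross-origin-cached-images.html, cross-origin-cached-scripts-parallel.html and cross-origin-cached-scripts.html.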
Copied: trunk/LayoutTests/http/tests/security/cross-origin-cached-images.html (from rev 205853, trunk/LayoutTests/http/tests/security/cross-origin-cached-resource.html) (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-images.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-images.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,77 @@
+<html>
+<body>
+<p>Tests source origin difference for cached resources.</p
+<p>Trying to load sequentially the same image from different origins.</p>
+<div id="console"></div>
+<div>
+ <iframe id="iframe1"></iframe>
+ <iframe id="iframe2"></iframe>
+ <iframe id="iframe3"></iframe>
+ <iframe id="iframe4"></iframe>
+</div>
+<div>
+ <iframe id="iframe5"></iframe>
+ <iframe id="iframe6"></iframe>
+ <iframe id="iframe7"></iframe>
+ <iframe id="iframe8"></iframe>
+</div>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function(event) {
+ document.getElementById('console').innerHTML += event.data + "<br/>";
+ loadNextFrame();
+});
+
+var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
+var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
+
+var allowAllImage1 = "http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache";
+var allow8000Image1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
+
+var allowAllImage2 = "http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache";
+var allow8000Image2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
+
+var counter = 0;
+function loadNextFrame()
+{
+ counter++;
+ // Four first tests try to load an image with a given origin and then the same image (in cache) with a different origin.
+ if (counter == 1)
+ document.getElementById('iframe1').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage1, shouldPass:true, crossOrigin: "anonymous", id: 1}));
+ else if (counter == 2)
+ document.getElementById('iframe2').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage1, shouldPass: true, crossOrigin: "anonymous", id: 2}));
+ else if (counter == 3)
+ document.getElementById('iframe3').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image1, shouldPass: true, crossOrigin: "anonymous", id: 3}));
+ // Fourth image load should fail since requesting image from localhost:8080 while only allowed from localhost:8000.
+ else if (counter == 4)
+ document.getElementById('iframe4').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image1, shouldPass: false, crossOrigin: "anonymous", id: 4}));
+
+ // Four next tests try to load a cross-origin image without cors and then with cors.
+ else if (counter == 5)
+ document.getElementById('iframe5').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage2, shouldPass:true, id: 5}));
+ else if (counter == 6)
+ document.getElementById('iframe6').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allowAllImage2, shouldPass:true, crossOrigin: "anonymous", id: 6}));
+ else if (counter == 7)
+ document.getElementById('iframe7').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image2, shouldPass:true, id: 7}));
+ else if (counter == 8)
+ document.getElementById('iframe8').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "img", url: allow8000Image2, shouldPass:false, crossOrigin: "anonymous", id: 8}));
+ else if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+loadNextFrame();
+</script>
+</body>
+</html>
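Review bot: The first paragraph's end tag is written `</p` without the closing `>`, so the markup depends on parser error recovery, and the following `<p>` is likely swallowed into the malformed end tag. The line should read `<p>Tests source origin difference for cached resources.</p>`. Fixing it may change the dumped text layout, so the matching -expected.txt would need a rebaseline. The same truncated tag is carried into cross-origin-cached-images-parallel.html, cross-origin-cached-scripts-parallel.html and cross-origin-cached-scripts.html.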
Deleted: trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel-expected.txt (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel-expected.txt 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,19 +0,0 @@
-CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
-Tests source origin difference for cached resources.
-
-Trying to load sequentially the same image from various origins.
-All images should load.
-
-Test 1 PASS: Loaded image http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
-Test 2 PASS: Loaded image http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache from localhost:8080 (crossOrigin=anonymous)
-Test 3 PASS: Loaded image http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8000 (crossOrigin=anonymous)
-Test 4 PASS: Did not load image http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080 (crossOrigin=anonymous)
-Test 5 PASS: Loaded image http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000
-Test 6 PASS: Loaded image http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache from localhost:8000 (crossOrigin=anonymous)
-Test 7 PASS: Loaded image http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080
-Test 8 PASS: Did not load image http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000 from localhost:8080 (crossOrigin=anonymous)
-
-
Deleted: trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,67 +0,0 @@
-<html>
-<body>
-<p>Tests source origin difference for cached resources.</p
-<p>Trying to load sequentially the same image from various origins.</p>
-<p>All images should load.</p>
-<div id="console"></div>
-<div>
- <iframe id="iframe1"></iframe>
- <iframe id="iframe2"></iframe>
- <iframe id="iframe3"></iframe>
- <iframe id="iframe4"></iframe>
-</div>
-<div>
- <iframe id="iframe5"></iframe>
- <iframe id="iframe6"></iframe>
- <iframe id="iframe7"></iframe>
- <iframe id="iframe8"></iframe>
-</div>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
-
-var counter = 0;
-var messages = [];
-window.addEventListener("message", function(event) {
- messages.push(event.data);
- if (messages.length == 8) {
- messages.sort();
- messages.forEach((message) => {
- document.getElementById('console').innerHTML += message + "<br/>";
- })
- if (window.testRunner)
- testRunner.notifyDone();
- }
-});
-
-var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
-var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
-
-var allowAllImage1 = "http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache";
-var allow8000Image1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
-
-var allowAllImage2 = "http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache";
-var allow8000Image2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
-
-document.getElementById('iframe1').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage1, shouldPass:true, crossOrigin: "anonymous", id: 1}));
-document.getElementById('iframe2').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage1, shouldPass: true, crossOrigin: "anonymous", id: 2}));
-document.getElementById('iframe3').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image1, shouldPass: true, crossOrigin: "anonymous", id: 3}));
-document.getElementById('iframe4').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image1, shouldPass: false, crossOrigin: "anonymous", id: 4}));
-
-document.getElementById('iframe5').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage2, shouldPass:true, id: 5}));
-document.getElementById('iframe6').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage2, shouldPass:true, crossOrigin: "anonymous", id: 6}));
-document.getElementById('iframe7').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image2, shouldPass:true, id: 7}));
-document.getElementById('iframe8').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image2, shouldPass:false, crossOrigin: "anonymous", id: 8}));
-</script>
-</body>
-</html>
Deleted: trunk/LayoutTests/http/tests/security/cross-origin-cached-resource.html (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-resource.html 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-resource.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,78 +0,0 @@
-<html>
-<body>
-<p>Tests source origin difference for cached resources.</p
-<p>Trying to load sequentially the same image from various origins.</p>
-<p>All images should load.</p>
-<div id="console"></div>
-<div>
- <iframe id="iframe1"></iframe>
- <iframe id="iframe2"></iframe>
- <iframe id="iframe3"></iframe>
- <iframe id="iframe4"></iframe>
-</div>
-<div>
- <iframe id="iframe5"></iframe>
- <iframe id="iframe6"></iframe>
- <iframe id="iframe7"></iframe>
- <iframe id="iframe8"></iframe>
-</div>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
-
-window.addEventListener("message", function(event) {
- document.getElementById('console').innerHTML += event.data + "<br/>";
- loadNextFrame();
-});
-
-var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
-var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
-
-var allowAllImage1 = "http://127.0.0.1:8000/security/resources/abe-allow-star.php?allowCache";
-var allow8000Image1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
-
-var allowAllImage2 = "http://127.0.0.1:8080/security/resources/abe-allow-star.php?allowCache";
-var allow8000Image2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000";
-
-var counter = 0;
-function loadNextFrame()
-{
- counter++;
- // Four first tests try to load an image with a given origin and then the same image (in cache) with a different origin.
- if (counter == 1)
- document.getElementById('iframe1').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage1, shouldPass:true, crossOrigin: "anonymous", id: 1}));
- else if (counter == 2)
- document.getElementById('iframe2').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage1, shouldPass: true, crossOrigin: "anonymous", id: 2}));
- else if (counter == 3)
- document.getElementById('iframe3').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image1, shouldPass: true, crossOrigin: "anonymous", id: 3}));
- // Fourth image load should fail since requesting image from localhost:8080 while only allowed from localhost:8000.
- else if (counter == 4)
- document.getElementById('iframe4').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image1, shouldPass: false, crossOrigin: "anonymous", id: 4}));
-
- // Four next tests try to load a cross-origin image without cors and then with cors.
- else if (counter == 5)
- document.getElementById('iframe5').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage2, shouldPass:true, id: 5}));
- else if (counter == 6)
- document.getElementById('iframe6').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allowAllImage2, shouldPass:true, crossOrigin: "anonymous", id: 6}));
- else if (counter == 7)
- document.getElementById('iframe7').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image2, shouldPass:true, id: 7}));
- else if (counter == 8)
- document.getElementById('iframe8').src = "" + "#" +
- encodeURIComponent(JSON.stringify({url: allow8000Image2, shouldPass:false, crossOrigin: "anonymous", id: 8}));
- else if (window.testRunner)
- testRunner.notifyDone();
-}
-
-loadNextFrame();
-</script>
-</body>
-</html>
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+Tests source origin difference for cached resources.
+
+Trying to load sequentially the same script from different origins.
+Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080
+Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)
+
+
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+Tests source origin difference for cached resources.
+
+Trying to load sequentially the same script from various origins.
+Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100 from localhost:8000 (crossOrigin=anonymous)
+Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100 from localhost:8080 (crossOrigin=anonymous)
+Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100 from localhost:8080
+Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100 from localhost:8080 (crossOrigin=anonymous)
+
+
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,51 @@
+<html>
+<body>
+<p>Tests source origin difference for cached resources.</p
+<p>Trying to load sequentially the same script from various origins.</p>
+<div id="console"></div>
+<div>
+ <iframe id="iframe1"></iframe>
+ <iframe id="iframe2"></iframe>
+</div>
+<div>
+ <iframe id="iframe3"></iframe>
+ <iframe id="iframe4"></iframe>
+</div>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+var counter = 0;
+var messages = [];
+window.addEventListener("message", function(event) {
+ messages.push(event.data);
+ if (messages.length == 4) {
+ messages.sort();
+ messages.forEach((message) => {
+ document.getElementById('console').innerHTML += message + "<br/>";
+ })
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+});
+
+var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
+var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
+
+var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100";
+var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=100";
+
+document.getElementById('iframe1').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script1, shouldPass: true, crossOrigin: "anonymous", id: 1}));
+document.getElementById('iframe2').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script1, shouldPass: false, crossOrigin: "anonymous", id: 2}));
+
+document.getElementById('iframe3').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script2, shouldPass:true, id: 3}));
+document.getElementById('iframe4').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script2, shouldPass:false, crossOrigin: "anonymous", id: 4}));
+</script>
+</body>
+</html>
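Review bot: `var counter = 0;` is never read in this parallel variant, and the description still says "Trying to load sequentially" although all four iframes are started at once. I would drop the unused variable and reword the paragraph to `<p>Trying to load in parallel the same script from various origins.</p>`, updating the -expected.txt line to match. The literal `4` in `messages.length == 4` also has to stay in step with the number of iframes, which deserves a short comment such as `// one message per iframe below`. cross-origin-cached-images-parallel.html has the same leftover `counter` and the same "sequentially" wording.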
Added: trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts.html (0 => 205854)
--- trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,58 @@
+<html>
+<body>
+<p>Tests source origin difference for cached resources.</p
+<p>Trying to load sequentially the same script from different origins.</p>
+<div id="console"></div>
+<div>
+ <iframe id="iframe1"></iframe>
+ <iframe id="iframe2"></iframe>
+</div>
+<div>
+ <iframe id="iframe3"></iframe>
+ <iframe id="iframe4"></iframe>
+</div>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function(event) {
+ document.getElementById('console').innerHTML += event.data + "<br/>";
+ loadNextFrame();
+});
+
+var iframeURL8000 = "http://localhost:8000/security/resources/cross-origin-cached-resource-iframe.html";
+var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html";
+
+var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js";
+var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js";
+
+var counter = 0;
+function loadNextFrame()
+{
+ counter++;
+ // Four first tests try to load an image with a given origin and then the same image (in cache) with a different origin.
+ if (counter == 1)
+ document.getElementById('iframe1').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script1, shouldPass: true, crossOrigin: "anonymous", id: 1}));
+ // Fourth image load should fail since requesting image from localhost:8080 while only allowed from localhost:8000.
+ else if (counter == 2)
+ document.getElementById('iframe2').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script1, shouldPass: false, crossOrigin: "anonymous", id: 2}));
+
+ // Four next tests try to load a cross-origin image without cors and then with cors.
+ else if (counter == 3)
+ document.getElementById('iframe3').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script2, shouldPass:true, id: 3}));
+ else if (counter == 4)
+ document.getElementById('iframe4').src = "" + "#" +
+ encodeURIComponent(JSON.stringify({node: "script", url: allow8000Script2, shouldPass:false, crossOrigin: "anonymous", id: 4}));
+ else if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+loadNextFrame();
+</script>
+</body>
+</html>
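Review bot: The comments inside loadNextFrame() still describe the image test this file was derived from: they speak of loading "an image", of "Four first tests" and of the "Fourth image load", while every case here loads a script and the case marked `shouldPass: false` for the cached resource is the second one. Reword them for the script cases, for example `// Load a script in cors mode, then the same (cached) script from a different origin.` and `// The second load should fail: the response only allows localhost:8000.` As shown here, the first paragraph also ends in `</p` without the closing `>`.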
Modified: trunk/LayoutTests/http/tests/security/resources/cors-script.php (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/resources/cors-script.php 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/resources/cors-script.php 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,6 +1,11 @@
<?php
header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
header("Content-Type: application/_javascript_");
+
+if (strtolower($_GET["credentials"]) == "true") {
+ header("Access-Control-Allow-Credentials: true");
+}
+
if (strtolower($_GET["fail"]) == "true")
echo "throw({toString: function(){ return 'SomeError' }});";
else
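Review bot: The added check reads `$_GET["credentials"]` without testing that the parameter is present, so every request that omits it raises an undefined-index notice; if the test server is configured to display notices, that text would land in the script body. Guard it as `if (isset($_GET["credentials"]) && strtolower($_GET["credentials"]) == "true")`. The existing `$_GET["fail"]` check below follows the same pattern, and the script continues outside the hunk.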
Modified: trunk/LayoutTests/http/tests/security/resources/cross-origin-cached-resource-iframe.html (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/resources/cross-origin-cached-resource-iframe.html 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/resources/cross-origin-cached-resource-iframe.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,7 +1,8 @@
<html>
<body>
-<img id="img" _onload_="logStatus(true)" _onerror_="logStatus(false)"/>
+<img id="img" _onload_="logStatus(true)" _onerror_="logStatus(false)"></img>
+<script id="script" _onload_="logStatus(true)" _onerror_="logStatus(false)"></script>
<script>
var test = JSON.parse(decodeURIComponent(location.hash.substring(1)));
@@ -11,7 +12,7 @@
msg += test.shouldPass == status ? " PASS: " : " FAIL: ";
msg += status ? "Loaded" : "Did not load";
- msg += " image " + img.src + " from " + location.host;
+ msg += " " + test.node + " " + node.src + " from " + location.host;
if (test.crossOrigin)
msg += " (crossOrigin=" + test.crossOrigin + ")";
@@ -18,10 +19,10 @@
parent.postMessage(msg, "*");
}
-var image = document.getElementById('img');
+var node = document.getElementById(test.node);
if (test.crossOrigin !== undefined)
- image.crossOrigin = test.crossOrigin;
-image.src = ""
+ node.crossOrigin = test.crossOrigin;
+node.src = ""
</script>
</body>
</html>
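Review bot: `document.getElementById(test.node)` returns null when the hash JSON carries no `node` key, and the following `node.crossOrigin` / `node.src` statements then throw before any message is posted, so the parent test would time out instead of reporting a failure. Callers outside this diff cannot be checked from here; a default keeps older callers working: `var node = document.getElementById(test.node || "img");`. The `logStatus` line changed in the previous hunk prints `test.node` as well and would need the same fallback for its message text.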
Added: trunk/LayoutTests/http/tests/security/resources/notify-loaded.js (0 => 205854)
--- trunk/LayoutTests/http/tests/security/resources/notify-loaded.js (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/notify-loaded.js 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1 @@
+document.body.innerHTML += "LOADED";
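Review bot: `document.body.innerHTML += "LOADED"` serializes and re-parses the whole body, which replaces every existing element, including the `<script id="script">` and `<img id="img">` nodes that cross-origin-cached-resource-iframe.html keeps references to. The tests appear to rely only on the load/error events, so appending a text node would leave the observed elements in place: `document.body.appendChild(document.createTextNode("LOADED"));`.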
Copied: trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt (from rev 205853, trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt) (0 => 205854)
--- trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,4 @@
+ALERT: script ran.
+This test passes if the script loads correctly.
+
+PASS
Copied: trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials.html (from rev 205853, trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html) (0 => 205854)
--- trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/script-crossorigin-loads-correctly-credentials.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,22 @@
+<body>
+<p>This test passes if the script loads correctly.</p>
+<pre></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function done(msg) {
+ document.querySelector("pre").innerHTML = msg;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script.crossOrigin = "use-credentials";
+script.src = ""
+script._onload_ = function() { done("PASS"); }
+script._onerror_ = function() { done("FAIL");}
+document.body.appendChild(script);
+</script>
Added: trunk/LayoutTests/http/tests/security/script-with-dataurl-expected.txt (0 => 205854)
--- trunk/LayoutTests/http/tests/security/script-with-dataurl-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/script-with-dataurl-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: PASS: my data URL in no-cors mode is throwing rich messages
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+Trying to load data URLs scripts. If being loaded, the scripts should throw error messages.
+
+Received error 'Script error.' from '', location 0:0.
+PASS: loaded script in no-cors mode
+PASS: did not load script in cors mode
+DONE
+
Added: trunk/LayoutTests/http/tests/security/script-with-dataurl.html (0 => 205854)
--- trunk/LayoutTests/http/tests/security/script-with-dataurl.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/script-with-dataurl.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -0,0 +1,47 @@
+<body>
+<p>Trying to load data URLs scripts. If being loaded, the scripts should throw error messages.</p>
+<pre></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function done() {
+ log("DONE");
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function log(msg) {
+ document.querySelector("pre").innerHTML += msg + "<br>";
+}
+
+window._onerror_ = function(message, source, lineno, colno, error)
+{
+ log("Received error '" + message + "' from '" + source + "', location " + lineno + ":" + colno + ".");
+}
+
+function test1()
+{
+ var script = document.createElement("script");
+ script.src = "" throw 'PASS: my data URL in no-cors mode is throwing rich messages';";
+ script._onload_ = () => { log("PASS: loaded script in no-cors mode"); test2(); }
+ script._onerror_ = () => { log("FAIL: did not load script in no-cors mode"); test2(); }
+ document.body.appendChild(script);
+}
+
+function test2()
+{
+ var script = document.createElement("script");
+ script.crossOrigin = "";
+ script.src = "" throw 'FAIL: my error is too rich!'";
+ script._onload_ = () => { log("FAIL: loaded script in cors mode"); done(); }
+ script._onerror_ = () => { log("PASS: did not load script in cors mode"); done(); }
+ document.body.appendChild(script);
+}
+
+test1();
+
+</script>
+</body>
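Review bot: test1() and test2() have no comment explaining why their outcomes differ, and the expected output is not obvious from the code. According to the expectation file, in no-cors mode the script runs but `window.onerror` only receives 'Script error.' with location 0:0, while with `crossOrigin = ""` the load is denied by the CORS check. A one-line comment above each function would record that, for example `// no-cors: the script executes, but its error details are hidden from window.onerror.` and `// cors: the data URL fails the CORS check, so the error handler fires and the script never runs.`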
Modified: trunk/LayoutTests/http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt (205853 => 205854)
--- trunk/LayoutTests/http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/http/tests/security/script-with-failed-cors-check-fails-to-load-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
This test passes if the script does not load.
Deleted: trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt (205853 => 205854)
--- trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials-expected.txt 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,4 +0,0 @@
-ALERT: script ran.
-This test passes if the script loads correctly.
-
-PASS
Deleted: trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html (205853 => 205854)
--- trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/LayoutTests/imported/blink/http/tests/security/script-crossorigin-loads-correctly-credentials.html 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,22 +0,0 @@
-<body>
-<p>This test passes if the script loads correctly.</p>
-<pre></pre>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
-
-function done(msg) {
- document.querySelector("pre").innerHTML = msg;
- if (window.testRunner)
- testRunner.notifyDone();
-}
-
-var script = document.createElement("script");
-script.crossOrigin = "use-credentials";
-script.src = ""
-script._onload_ = function() { done("PASS"); }
-script._onerror_ = function() { done("FAIL");}
-document.body.appendChild(script);
-</script>
Modified: trunk/Source/WebCore/ChangeLog (205853 => 205854)
--- trunk/Source/WebCore/ChangeLog 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/ChangeLog 2016-09-13 06:46:15 UTC (rev 205854)
@@ -1,3 +1,43 @@
+2016-09-12 Youenn Fablet <[email protected]>
+
+ ScriptElement should use FetchOptions::mode according its crossOrigin attribute
+ https://bugs.webkit.org/show_bug.cgi?id=161686
+
+ Reviewed by Darin Adler.
+
+ Setting ScriptElement fetch mode according its crossOrigin attribute.
+ Removing LoadableClassicScriptchecking of CORS since this is now done at ResourceLoader/CachedResource level.
+
+ Updating CachedResourceLoader to ensure that a resource that matches an on-going resource load but with different fetch mode/origin,
+ always gets its loading started if the resource state is not Cached.
+
+ Tests: fast/dom/script-crossorigin-loads-fail-origin.html
+ http/tests/security/cross-origin-cached-images-parallel.html
+ http/tests/security/cross-origin-cached-images.html
+ http/tests/security/cross-origin-cached-scripts-parallel.html
+ http/tests/security/cross-origin-cached-scripts.html
+ http/tests/security/script-crossorigin-loads-correctly-credentials.html
+ http/tests/security/script-with-dataurl.html
+
+ * dom/LoadableClassicScript.cpp:
+ (WebCore::LoadableClassicScript::create):
+ (WebCore::LoadableClassicScript::notifyFinished): Checking CORS failures using the resource state.
+ (WebCore::LoadableClassicScript::~LoadableClassicScript): Deleted.
+ (WebCore::LoadableClassicScript::isLoaded): Deleted.
+ * dom/LoadableClassicScript.h:
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestClassicScript):
+ (WebCore::ScriptElement::requestScriptWithCache): Using CachedResourceRequest::setAsPotentiallyCrossOrigin to set fetch mode according crossOrigin attribute.
+ * dom/ScriptElement.h:
+ * loader/cache/CachedImage.cpp:
+ (WebCore::CachedImage::setBodyDataFrom):
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest): Adding support for script resources.
+ (WebCore::CachedResourceLoader::requestResource): Ensuring that 'updated' resources gets actually loaded.
+ * loader/cache/CachedScript.cpp:
+ (WebCore::CachedScript::setBodyDataFrom): Implementing specific data copy from another CachedScript.
+ * loader/cache/CachedScript.h:
+
2016-09-12 Carlos Garcia Campos <[email protected]>
[GTK] Scrollbar too large
Modified: trunk/Source/WebCore/dom/LoadableClassicScript.cpp (205853 => 205854)
--- trunk/Source/WebCore/dom/LoadableClassicScript.cpp 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/dom/LoadableClassicScript.cpp 2016-09-13 06:46:15 UTC (rev 205854)
@@ -33,21 +33,14 @@
namespace WebCore {
-Ref<LoadableClassicScript> LoadableClassicScript::create(CachedResourceHandle<CachedScript>&& cachedScript, const String& crossOriginMode, SecurityOrigin& securityOrigin)
+Ref<LoadableClassicScript> LoadableClassicScript::create(CachedResourceHandle<CachedScript>&& cachedScript)
{
ASSERT(cachedScript);
- auto script = adoptRef(*new LoadableClassicScript(WTFMove(cachedScript), crossOriginMode, securityOrigin));
+ auto script = adoptRef(*new LoadableClassicScript(WTFMove(cachedScript)));
cachedScript->addClient(script.ptr());
return script;
}
-LoadableClassicScript::LoadableClassicScript(CachedResourceHandle<CachedScript>&& cachedScript, const String& crossOriginMode, SecurityOrigin& securityOrigin)
- : m_cachedScript(cachedScript)
- , m_securityOrigin(securityOrigin)
- , m_requestUsesAccessControl(!crossOriginMode.isNull())
-{
-}
-
LoadableClassicScript::~LoadableClassicScript()
{
m_cachedScript->removeClient(this);
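Review bot: In create(), `cachedScript->addClient(script.ptr())` dereferences `cachedScript` after it has been passed through `WTFMove` into the constructor, and the constructor in LoadableClassicScript.h now moves from it too (`m_cachedScript(WTFMove(cachedScript))`), where the removed one copied. This is only safe as long as CachedResourceHandle leaves its source usable after a move, which is not visible in this diff. Registering the client through the member avoids the question: `script->m_cachedScript->addClient(script.ptr());`. The destructor at the end of the hunk continues outside it.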
@@ -74,9 +67,10 @@
return m_cachedScript->wasCanceled();
}
-void LoadableClassicScript::notifyFinished(CachedResource*)
+void LoadableClassicScript::notifyFinished(CachedResource* resource)
{
- if (!m_error && m_requestUsesAccessControl && !m_cachedScript->passesSameOriginPolicyCheck(m_securityOrigin.get())) {
+ ASSERT(resource);
+ if (resource->resourceError().isAccessControl()) {
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Cross-origin script load denied by Cross-Origin Resource Sharing policy."));
m_error = Error {
ErrorType::CrossOriginLoad,
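Review bot: notifyFinished() now decides a CORS failure solely from `resource->resourceError().isAccessControl()`, so the script-level same-origin check that was removed no longer acts as a second line of defence; enforcement rests on the loader marking the error, including for resources reused from the memory cache. A comment should state that dependency, e.g. `// CORS is enforced by the loader; a failed check surfaces here as an access-control error.` `ASSERT(resource)` is compiled out of release builds and nothing ties `resource` to the script this object owns; `ASSERT(resource == m_cachedScript.get());` would pin that. The function body continues outside the hunk.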
Modified: trunk/Source/WebCore/dom/LoadableClassicScript.h (205853 => 205854)
--- trunk/Source/WebCore/dom/LoadableClassicScript.h 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/dom/LoadableClassicScript.h 2016-09-13 06:46:15 UTC (rev 205854)
@@ -42,7 +42,7 @@
public:
~LoadableClassicScript();
- static Ref<LoadableClassicScript> create(CachedResourceHandle<CachedScript>&&, const String& crossOriginMode, SecurityOrigin&);
+ static Ref<LoadableClassicScript> create(CachedResourceHandle<CachedScript>&&);
bool isLoaded() const override;
Optional<Error> wasErrored() const override;
bool wasCanceled() const override;
@@ -53,14 +53,12 @@
void execute(ScriptElement&) override;
private:
- LoadableClassicScript(CachedResourceHandle<CachedScript>&&, const String& crossOriginMode, SecurityOrigin&);
+ LoadableClassicScript(CachedResourceHandle<CachedScript>&& cachedScript) : m_cachedScript(WTFMove(cachedScript)) { }
void notifyFinished(CachedResource*) override;
CachedResourceHandle<CachedScript> m_cachedScript;
- Ref<SecurityOrigin> m_securityOrigin;
Optional<Error> m_error { Nullopt };
- bool m_requestUsesAccessControl;
};
}
Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (205853 => 205854)
--- trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-13 06:46:15 UTC (rev 205854)
@@ -263,10 +263,9 @@
ASSERT(!m_loadableScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceURL).isEmpty()) {
- String crossOriginMode = m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr);
- auto request = requestScriptWithCache(m_element.document().completeURL(sourceURL), m_element.attributeWithoutSynchronization(HTMLNames::nonceAttr), crossOriginMode);
+ auto request = requestScriptWithCache(m_element.document().completeURL(sourceURL), m_element.attributeWithoutSynchronization(HTMLNames::nonceAttr));
if (request) {
- m_loadableScript = LoadableClassicScript::create(WTFMove(request), crossOriginMode, *m_element.document().securityOrigin());
+ m_loadableScript = LoadableClassicScript::create(WTFMove(request));
m_isExternalScript = true;
}
}
@@ -280,7 +279,7 @@
return false;
}
-CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute, const String& crossOriginMode)
+CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute)
{
bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());
ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
@@ -287,15 +286,10 @@
options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
CachedResourceRequest request(ResourceRequest(sourceURL), options);
+ request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), m_element.document());
m_element.document().contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
- if (!crossOriginMode.isNull()) {
- StoredCredentials allowCredentials = equalLettersIgnoringASCIICase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- ASSERT(m_element.document().securityOrigin());
- updateRequestForAccessControl(request.mutableResourceRequest(), *m_element.document().securityOrigin(), allowCredentials);
- }
-
request.setCharset(scriptCharset());
request.setInitiator(&element());
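Review bot: `request.setAsPotentiallyCrossOrigin(...)` is now called before `upgradeInsecureRequestIfNeeded(...)`, whereas the removed `updateRequestForAccessControl` block ran after it. If setAsPotentiallyCrossOrigin derives the fetch mode or Origin header from the request URL (its body is not in this diff), that decision is made on the pre-upgrade URL and may not match the URL that is actually fetched. Unless the order is intentional, move the call below the upgrade line, or add a comment saying why the pre-upgrade URL is the right input. requestScriptWithCache continues outside the hunk.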
Modified: trunk/Source/WebCore/dom/ScriptElement.h (205853 => 205854)
--- trunk/Source/WebCore/dom/ScriptElement.h 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/dom/ScriptElement.h 2016-09-13 06:46:15 UTC (rev 205854)
@@ -89,7 +89,7 @@
bool ignoresLoadRequest() const;
bool isScriptForEventSupported() const;
- CachedResourceHandle<CachedScript> requestScriptWithCache(const URL&, const String& nonceAttribute, const String& crossoriginAttribute);
+ CachedResourceHandle<CachedScript> requestScriptWithCache(const URL&, const String&);
bool requestClassicScript(const String& sourceURL);
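Review bot: The new declaration `requestScriptWithCache(const URL&, const String&)` drops the `nonceAttribute` parameter name, leaving a bare `const String&` whose meaning cannot be read from the type. The definition in ScriptElement.cpp still names it, so keep the name here as well: `CachedResourceHandle<CachedScript> requestScriptWithCache(const URL&, const String& nonceAttribute);`.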
Modified: trunk/Source/WebCore/loader/cache/CachedImage.cpp (205853 => 205854)
--- trunk/Source/WebCore/loader/cache/CachedImage.cpp 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/loader/cache/CachedImage.cpp 2016-09-13 06:46:15 UTC (rev 205854)
@@ -119,7 +119,6 @@
ASSERT(resource.type() == type());
const CachedImage& image = static_cast<const CachedImage&>(resource);
- setLoading(false);
m_image = image.m_image;
if (m_image && is<SVGImage>(*m_image))
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (205853 => 205854)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-13 06:46:15 UTC (rev 205854)
@@ -546,7 +546,7 @@
CachedResource& resource = *resourceHandle;
// FIXME: We should progressively extend this to other reusable resources
- if (resource.type() != CachedResource::Type::ImageResource && resource.type() != CachedResource::Type::TextTrackResource)
+ if (resource.type() != CachedResource::Type::ImageResource && resource.type() != CachedResource::Type::Script && resource.type() != CachedResource::Type::TextTrackResource)
return false;
bool shouldUpdate = resource.options().mode != request.options().mode || request.resourceRequest().httpOrigin() != resource.resourceRequest().httpOrigin();
@@ -647,7 +647,7 @@
logMemoryCacheResourceRequest(frame(), resource ? DiagnosticLoggingKeys::inMemoryCacheKey() : DiagnosticLoggingKeys::notInMemoryCacheKey());
- const RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get());
+ RevalidationPolicy policy = determineRevalidationPolicy(type, request, resource.get());
switch (policy) {
case Reload:
memoryCache.remove(*resource);
@@ -663,7 +663,11 @@
resource = revalidateResource(request, resource.get());
break;
case Use:
- if (!updateCachedResourceWithCurrentRequest(request, resource)) {
+ if (updateCachedResourceWithCurrentRequest(request, resource)) {
+ if (resource->status() != CachedResource::Status::Cached)
+ policy = Load;
+ } else {
+ ASSERT(policy == Use);
if (!shouldContinueAfterNotifyingLoadedFromMemoryCache(request, resource.get()))
return nullptr;
logMemoryCacheResourceRequest(frame(), DiagnosticLoggingKeys::inMemoryCacheKey(), DiagnosticLoggingKeys::usedKey());
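Review bot: Assigning `policy = Load` inside `case Use:` does not re-dispatch the `switch (policy)`, so the `case Load:` body never runs for this path; the assignment can only take effect through code after the switch, which is outside the hunk. That is easy to misread, so a comment is warranted, e.g. `// Not re-dispatched by the switch: policy is read again below to start loading the updated resource.` (wording to be confirmed against that code). `ASSERT(policy == Use)` in the else branch is always true inside `case Use:` and can be dropped.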
Modified: trunk/Source/WebCore/loader/cache/CachedScript.cpp (205853 => 205854)
--- trunk/Source/WebCore/loader/cache/CachedScript.cpp 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/loader/cache/CachedScript.cpp 2016-09-13 06:46:15 UTC (rev 205854)
@@ -123,6 +123,18 @@
setDecodedSize(0);
}
+void CachedScript::setBodyDataFrom(const CachedResource& resource)
+{
+ ASSERT(resource.type() == type());
+ auto& script = static_cast<const CachedScript&>(resource);
+
+ m_data = script.m_data;
+ m_script = script.m_script;
+ m_scriptHash = script.m_scriptHash;
+ m_decodingState = script.m_decodingState;
+ m_decoder = script.m_decoder;
+}
+
#if ENABLE(NOSNIFF)
bool CachedScript::mimeTypeAllowedByNosniff() const
{
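Review bot: setBodyDataFrom() copies `m_script` and `m_data` but does not update the size accounting, while the function just above resets it with `setDecodedSize(0)`. Unless the caller or the base class handles this (not visible here), the copied decoded text is not reflected in the cache's memory accounting; consider `setDecodedSize(script.decodedSize());` after the copies. `m_decoder = script.m_decoder` also appears to make both CachedScript objects share one decoder, which is only safe if neither keeps decoding afterwards, and a comment stating that assumption would help. The `static_cast` is guarded only by a debug `ASSERT`.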
Modified: trunk/Source/WebCore/loader/cache/CachedScript.h (205853 => 205854)
--- trunk/Source/WebCore/loader/cache/CachedScript.h 2016-09-13 06:15:09 UTC (rev 205853)
+++ trunk/Source/WebCore/loader/cache/CachedScript.h 2016-09-13 06:46:15 UTC (rev 205854)
@@ -47,17 +47,19 @@
#endif
private:
- bool mayTryReplaceEncodedData() const override { return true; }
+ bool mayTryReplaceEncodedData() const final { return true; }
- bool shouldIgnoreHTTPStatusCodeErrors() const override;
+ bool shouldIgnoreHTTPStatusCodeErrors() const final;
- void setEncoding(const String&) override;
- String encoding() const override;
- const TextResourceDecoder* textResourceDecoder() const override { return m_decoder.get(); }
- void finishLoading(SharedBuffer*) override;
+ void setEncoding(const String&) final;
+ String encoding() const final;
+ const TextResourceDecoder* textResourceDecoder() const final { return m_decoder.get(); }
+ void finishLoading(SharedBuffer*) final;
- void destroyDecodedData() override;
+ void destroyDecodedData() final;
+ void setBodyDataFrom(const CachedResource&) final;
+
String m_script;
unsigned m_scriptHash { 0 };