Diff
Modified: trunk/Source/WebCore/ChangeLog (206202 => 206203)
--- trunk/Source/WebCore/ChangeLog 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/ChangeLog 2016-09-21 08:43:23 UTC (rev 206203)
@@ -1,3 +1,50 @@
+2016-09-21 Youenn Fablet <you...@apple.com>
+
+ Refactor CachedResourceLoader::canRequest
+ https://bugs.webkit.org/show_bug.cgi?id=162144
+
+ Reviewed by Darin Adler.
+
+ Covered by existing tests.
+
+ Simplifying CachedResourceLoader::canRequest by doing:
+ - CSP checks in another method
+ - Removing Same-Origin type-specific checks by setting FetchOptions::Mode appropriately in resource loader clients
+ - Moving script specific check in ScriptElement
+
+ Note that the last check may affect the loading behavior in the case scripts are enabled when starting the load
+ of a script, but gets disabled before receiving a redirection for the script load.
+
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::checkStyleSheet): Setting XSLT stylesheet fetch mode to SameOrigin.
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScriptWithCache): Returning early if scripts are disabled.
+ * loader/CrossOriginPreflightChecker.cpp:
+ (WebCore::CrossOriginPreflightChecker::startPreflight): Bypassing CSP checks.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::startLoadingMainResource): Bypassing CSP checks as CachedResourceLoader was not
+ checking them for MainResource.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::loadRequest): Ditto.
+ * loader/LinkLoader.cpp:
+ (WebCore::LinkLoader::preloadIfNeeded): Using new CachedResourceRequest constructor to enable moving the ResourceRequest.
+ (WebCore::LinkLoader::loadLink): Skipping CSP checks for link prefetch/subresources as CachedResourceLoader was
+ not checking them for Link Prefetch and Subresource types.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy): Helper routine to check for CSP.
+ (WebCore::CachedResourceLoader::canRequest): Making use of introduced helper routine.
+ Simplified same origin check as all requests should have their options set.
+ * loader/cache/CachedResourceLoader.h:
+ * loader/cache/CachedResourceRequest.cpp:
+ (WebCore::CachedResourceRequest::CachedResourceRequest): More efficient constructor.
+ * loader/cache/CachedResourceRequest.h:
+ * loader/cache/CachedSVGDocumentReference.cpp:
+ (WebCore::CachedSVGDocumentReference::load): Setting fetch mode to SameOrigin.
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::updateExternalDocument): Ditto.
+ * xml/XSLImportRule.cpp:
+ (WebCore::XSLImportRule::loadSheet): Ditto.
+
2016-09-21 Miguel Gomez <mago...@igalia.com>
Build fails with GSTREAMER_GL when both desktop GL and GLES2 are enabled in gst-plugins-bad
Modified: trunk/Source/WebCore/dom/ProcessingInstruction.cpp (206202 => 206203)
--- trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -137,13 +137,15 @@
m_loading = true;
document().authorStyleSheets().addPendingSheet();
- CachedResourceRequest request(ResourceRequest(document().completeURL(href)));
#if ENABLE(XSLT)
- if (m_isXSL)
- m_cachedSheet = document().cachedResourceLoader().requestXSLStyleSheet(WTFMove(request));
- else
+ if (m_isXSL) {
+ auto options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.mode = FetchOptions::Mode::SameOrigin;
+ m_cachedSheet = document().cachedResourceLoader().requestXSLStyleSheet({ResourceRequest(document().completeURL(href)), options});
+ } else
#endif
{
+ CachedResourceRequest request(ResourceRequest(document().completeURL(href)));
String charset = attrs.get("charset");
if (charset.isEmpty())
charset = document().charset();
Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (206202 => 206203)
--- trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -281,19 +281,25 @@
CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute)
{
- bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());
+ Document& document = m_element.document();
+ auto* settings = document.settings();
+ if (settings && !settings->isScriptEnabled())
+ return nullptr;
+
+ ASSERT(document.contentSecurityPolicy());
+ bool hasKnownNonce = document.contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());
ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
CachedResourceRequest request(ResourceRequest(sourceURL), options);
- request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), m_element.document());
+ request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), document);
- m_element.document().contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
+ document.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
request.setCharset(scriptCharset());
request.setInitiator(&element());
- return m_element.document().cachedResourceLoader().requestScript(WTFMove(request));
+ return document.cachedResourceLoader().requestScript(WTFMove(request));
}
void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
Modified: trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -103,6 +103,7 @@
ResourceLoaderOptions options;
options.referrerPolicy = m_loader.options().referrerPolicy;
options.redirect = FetchOptions::Redirect::Manual;
+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
CachedResourceRequest preflightRequest(createAccessControlPreflightRequest(m_request, m_loader.securityOrigin()), options);
if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -1518,7 +1518,7 @@
RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Starting load (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());
- static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, SkipSecurityCheck, FetchOptions::Mode::NoCors, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching);
+ static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, SkipSecurityCheck, FetchOptions::Mode::NoCors, IncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching);
m_mainResource = m_cachedResourceLoader->requestMainResource(CachedResourceRequest(ResourceRequest(request), mainResourceLoadOptions));
#if ENABLE(CONTENT_EXTENSIONS)
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -363,8 +363,9 @@
request.setHTTPReferrer(m_referrer);
if (m_async) {
- ThreadableLoaderOptions options = m_options;
+ ResourceLoaderOptions options = m_options;
options.clientCredentialPolicy = m_sameOriginRequest ? ClientCredentialPolicy::MayAskClientForCredentials : ClientCredentialPolicy::CannotAskClientForCredentials;
+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
CachedResourceRequest newRequest(WTFMove(request), options);
if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
Modified: trunk/Source/WebCore/loader/LinkLoader.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/LinkLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/LinkLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -158,7 +158,7 @@
ResourceRequest resourceRequest(document.completeURL(href));
resourceRequest.setIgnoreForRequestCount(true);
- CachedResourceRequest linkRequest(resourceRequest, CachedResource::defaultPriorityForResourceType(type.value()));
+ CachedResourceRequest linkRequest(WTFMove(resourceRequest), CachedResourceLoader::defaultCachedResourceOptions(), CachedResource::defaultPriorityForResourceType(type.value()));
linkRequest.setInitiator("link");
linkRequest.setAsPotentiallyCrossOrigin(crossOriginMode, document);
@@ -200,7 +200,9 @@
m_cachedLinkResource->removeClient(this);
m_cachedLinkResource = nullptr;
}
- m_cachedLinkResource = document.cachedResourceLoader().requestLinkResource(type, CachedResourceRequest(ResourceRequest(document.completeURL(href)), priority));
+ ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
+ m_cachedLinkResource = document.cachedResourceLoader().requestLinkResource(type, CachedResourceRequest(ResourceRequest(document.completeURL(href)), options, priority));
if (m_cachedLinkResource)
m_cachedLinkResource->addClient(this);
}
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -384,100 +384,73 @@
return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
}
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
+bool CachedResourceLoader::allowedByContentSecurityPolicy(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse)
{
- if (document() && !document()->securityOrigin()->canDisplay(url)) {
- if (!forPreload)
- FrameLoader::reportLocalLoadFailed(frame(), url.stringCenterEllipsizedToLength());
- LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
- return false;
- }
+ if (options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck)
+ return true;
- bool skipContentSecurityPolicyCheck = options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck;
- ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+ ASSERT(m_document);
+ ASSERT(m_document->contentSecurityPolicy());
- // Some types of resources can be loaded only from the same origin. Other types of resources, like Images, Scripts, and CSS, can be loaded from any URL.
- // FIXME: We should remove that check and handle it by setting the correct ResourceLoaderOptions::mode.
- switch (type) {
- case CachedResource::MainResource:
- case CachedResource::ImageResource:
- case CachedResource::CSSStyleSheet:
- case CachedResource::Script:
-#if ENABLE(SVG_FONTS)
- case CachedResource::SVGFontResource:
-#endif
- case CachedResource::MediaResource:
- case CachedResource::FontResource:
- case CachedResource::RawResource:
-#if ENABLE(LINK_PREFETCH)
- case CachedResource::LinkPrefetch:
- case CachedResource::LinkSubresource:
-#endif
-#if ENABLE(VIDEO_TRACK)
- case CachedResource::TextTrackResource:
-#endif
- if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) &&!m_document->securityOrigin()->canRequest(url)) {
- printAccessDeniedMessage(url);
- return false;
- }
- break;
- case CachedResource::SVGDocumentResource:
-#if ENABLE(XSLT)
- case CachedResource::XSLStyleSheet:
- if (!m_document->securityOrigin()->canRequest(url)) {
- printAccessDeniedMessage(url);
- return false;
- }
-#endif
- break;
- }
+ auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
switch (type) {
#if ENABLE(XSLT)
case CachedResource::XSLStyleSheet:
- if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
- return false;
- break;
#endif
case CachedResource::Script:
- if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, false, redirectResponseReceived))
return false;
- if (frame() && !frame()->settings().isScriptEnabled())
- return false;
break;
case CachedResource::CSSStyleSheet:
- if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, false, redirectResponseReceived))
return false;
break;
case CachedResource::SVGDocumentResource:
case CachedResource::ImageResource:
- if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, false, redirectResponseReceived))
return false;
break;
#if ENABLE(SVG_FONTS)
case CachedResource::SVGFontResource:
#endif
- case CachedResource::FontResource: {
- if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
+ case CachedResource::FontResource:
+ if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, false, redirectResponseReceived))
return false;
break;
- }
- case CachedResource::MainResource:
- case CachedResource::RawResource:
-#if ENABLE(LINK_PREFETCH)
- case CachedResource::LinkPrefetch:
- case CachedResource::LinkSubresource:
-#endif
- break;
case CachedResource::MediaResource:
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
#endif
- if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, false, redirectResponseReceived))
return false;
break;
+ case CachedResource::RawResource:
+ return true;
+ default:
+ ASSERT_NOT_REACHED();
}
+ return true;
+}
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
+{
+ if (document() && !document()->securityOrigin()->canDisplay(url)) {
+ if (!forPreload)
+ FrameLoader::reportLocalLoadFailed(frame(), url.stringCenterEllipsizedToLength());
+ LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
+ return false;
+ }
+
+ // FIXME: Remove same-origin data URL flag since it was removed from fetch spec (see https://github.com/whatwg/fetch/issues/381).
+ if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) && !m_document->securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+
+ if (!allowedByContentSecurityPolicy(type, url, options, didReceiveRedirectResponse))
+ return false;
+
// SVG Images have unique security rules that prevent all subresource requests except for data urls.
if (type != CachedResource::MainResource && frame() && frame()->page()) {
if (frame()->page()->chrome().client().isSVGImageChromeClient() && !url.protocolIsData())
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (206202 => 206203)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-09-21 08:43:23 UTC (rev 206203)
@@ -163,6 +163,7 @@
bool shouldContinueAfterNotifyingLoadedFromMemoryCache(const CachedResourceRequest&, CachedResource*);
bool checkInsecureContent(CachedResource::Type, const URL&) const;
+ bool allowedByContentSecurityPolicy(CachedResource::Type, const URL&, const ResourceLoaderOptions&, bool);
void performPostLoadActions();
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -44,17 +44,9 @@
{
}
-CachedResourceRequest::CachedResourceRequest(ResourceRequest&& resourceRequest, const ResourceLoaderOptions& options)
+CachedResourceRequest::CachedResourceRequest(ResourceRequest&& resourceRequest, const ResourceLoaderOptions& options, Optional<ResourceLoadPriority> priority)
: m_resourceRequest(WTFMove(resourceRequest))
, m_options(options)
- , m_forPreload(false)
- , m_defer(NoDefer)
-{
-}
-
-CachedResourceRequest::CachedResourceRequest(const ResourceRequest& resourceRequest, Optional<ResourceLoadPriority> priority)
- : m_resourceRequest(resourceRequest)
- , m_options(CachedResourceLoader::defaultCachedResourceOptions())
, m_priority(priority)
, m_forPreload(false)
, m_defer(NoDefer)
@@ -61,10 +53,6 @@
{
}
-CachedResourceRequest::~CachedResourceRequest()
-{
-}
-
void CachedResourceRequest::setInitiator(PassRefPtr<Element> element)
{
ASSERT(!m_initiatorElement && m_initiatorName.isEmpty());
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.h (206202 => 206203)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-21 08:43:23 UTC (rev 206203)
@@ -42,9 +42,7 @@
enum DeferOption { NoDefer, DeferredByClient };
explicit CachedResourceRequest(const ResourceRequest&, const String& charset = String(), Optional<ResourceLoadPriority> = Nullopt);
- CachedResourceRequest(ResourceRequest&&, const ResourceLoaderOptions&);
- CachedResourceRequest(const ResourceRequest&, Optional<ResourceLoadPriority>);
- ~CachedResourceRequest();
+ CachedResourceRequest(ResourceRequest&&, const ResourceLoaderOptions&, Optional<ResourceLoadPriority> = Nullopt);
ResourceRequest& mutableResourceRequest() { return m_resourceRequest; }
const ResourceRequest& resourceRequest() const { return m_resourceRequest; }
Modified: trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp (206202 => 206203)
--- trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -52,7 +52,9 @@
if (m_loadRequested)
return;
- CachedResourceRequest request(ResourceRequest(loader.document()->completeURL(m_url)), options);
+ auto fetchOptions = options;
+ fetchOptions.mode = FetchOptions::Mode::SameOrigin;
+ CachedResourceRequest request(ResourceRequest(loader.document()->completeURL(m_url)), fetchOptions);
request.setInitiator(cachedResourceRequestInitiators().css);
m_document = loader.requestSVGDocument(WTFMove(request));
if (m_document)
Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (206202 => 206203)
--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -570,7 +570,7 @@
else {
ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
options.contentSecurityPolicyImposition = isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
-
+ options.mode = FetchOptions::Mode::SameOrigin;
CachedResourceRequest request { ResourceRequest { externalDocumentURL }, options };
request.setInitiator(this);
m_externalDocument = document().cachedResourceLoader().requestSVGDocument(WTFMove(request));
Modified: trunk/Source/WebCore/xml/XSLImportRule.cpp (206202 => 206203)
--- trunk/Source/WebCore/xml/XSLImportRule.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/xml/XSLImportRule.cpp 2016-09-21 08:43:23 UTC (rev 206203)
@@ -100,8 +100,11 @@
if (m_cachedSheet)
m_cachedSheet->removeClient(this);
- m_cachedSheet = cachedResourceLoader->requestXSLStyleSheet(CachedResourceRequest(ResourceRequest(cachedResourceLoader->document()->completeURL(absHref))));
+ auto options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.mode = FetchOptions::Mode::SameOrigin;
+ m_cachedSheet = cachedResourceLoader->requestXSLStyleSheet({ResourceRequest(cachedResourceLoader->document()->completeURL(absHref)), options});
+
if (m_cachedSheet) {
m_cachedSheet->addClient(this);