Diff
Modified: trunk/LayoutTests/ChangeLog (216293 => 216294)
--- trunk/LayoutTests/ChangeLog 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/LayoutTests/ChangeLog 2017-05-05 23:49:41 UTC (rev 216294)
@@ -1,3 +1,22 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Add a test that shows safe frames, unsafe frames, and
+ then a safe frame that itself has an unsafe frame, to
+ show that the security requirements are being forwarded
+ down the tree.
+
+ * http/tests/css/filters-on-iframes-expected.html: Added.
+ * http/tests/css/filters-on-iframes.html: Added.
+ * http/tests/css/resources/blank.html: Added.
+ * http/tests/css/resources/references-external.html: Added.
+ * http/tests/css/resources/solid-red.html: Added.
+
2017-05-05 Simon Fraser <simon.fra...@apple.com>
Make it possible to test rotation in iOS WebKitTestRunner
Added: trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html (0 => 216294)
--- trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html (rev 0)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html 2017-05-05 23:49:41 UTC (rev 216294)
@@ -0,0 +1,40 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+iframe {
+ border: none;
+}
+div {
+ display: inline-block;
+}
+</style>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
Property changes on: trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html
___________________________________________________________________
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:keywords
+Date Revision
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Added: trunk/LayoutTests/http/tests/css/filters-on-iframes.html (0 => 216294)
--- trunk/LayoutTests/http/tests/css/filters-on-iframes.html (rev 0)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes.html 2017-05-05 23:49:41 UTC (rev 216294)
@@ -0,0 +1,54 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+iframe {
+ border: none;
+}
+div {
+ display: inline-block;
+}
+.filtered {
+ filter: url(#noop);
+}
+svg {
+ display: none;
+}
+</style>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<svg>
+ <defs>
+ <filter id="noop">
+ <feMorphology operator="dilate" in="SourceGraphic" radius="0"/>
+ </filter>
+ </defs>
+</svg>
Property changes on: trunk/LayoutTests/http/tests/css/filters-on-iframes.html
___________________________________________________________________
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:keywords
+Date Revision
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Added: trunk/LayoutTests/http/tests/css/resources/blank.html (0 => 216294)
--- trunk/LayoutTests/http/tests/css/resources/blank.html (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/blank.html 2017-05-05 23:49:41 UTC (rev 216294)
@@ -0,0 +1,5 @@
+<style>
+ body {
+ background-color: white;
+ }
+</style>
Property changes on: trunk/LayoutTests/http/tests/css/resources/blank.html
___________________________________________________________________
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:keywords
+Date Revision
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Added: trunk/LayoutTests/http/tests/css/resources/references-external.html (0 => 216294)
--- trunk/LayoutTests/http/tests/css/resources/references-external.html (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/references-external.html 2017-05-05 23:49:41 UTC (rev 216294)
@@ -0,0 +1,11 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+
+iframe {
+ border: none;
+}
+</style>
+<iframe src=""
Property changes on: trunk/LayoutTests/http/tests/css/resources/references-external.html
___________________________________________________________________
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:keywords
+Date Revision
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Added: trunk/LayoutTests/http/tests/css/resources/solid-red.html (0 => 216294)
--- trunk/LayoutTests/http/tests/css/resources/solid-red.html (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/solid-red.html 2017-05-05 23:49:41 UTC (rev 216294)
@@ -0,0 +1,5 @@
+<style>
+ body {
+ background-color: red;
+ }
+</style>
Property changes on: trunk/LayoutTests/http/tests/css/resources/solid-red.html
___________________________________________________________________
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:keywords
+Date Revision
\ No newline at end of property
Added: svn:mime-type
+text/html
\ No newline at end of property
Modified: trunk/Source/WebCore/ChangeLog (216293 => 216294)
--- trunk/Source/WebCore/ChangeLog 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/ChangeLog 2017-05-05 23:49:41 UTC (rev 216294)
@@ -1,3 +1,57 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Certain SVG filters should only be allowed to operate
+ on content that is has SecurityOrigin access to. Implement
+ this by including a flag in PaintInfo and LayerPaintingInfo,
+ and have RenderWidget make sure the documents have acceptable
+ SecurityOrigins as it goes to paint.
+
+ This could be used as the first step in a "safe painting"
+ strategy, allowing some content to be rendered into a
+ canvas or via the element() CSS function... but it is only
+ a small first step.
+
+ Test: http/tests/css/filters-on-iframes.html
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::paintContents):
+ * page/FrameView.h:
+ * platform/ScrollView.cpp:
+ (WebCore::ScrollView::paint):
+ * platform/ScrollView.h:
+ * platform/Scrollbar.cpp:
+ (WebCore::Scrollbar::paint):
+ * platform/Scrollbar.h:
+ * platform/Widget.h:
+ * platform/graphics/filters/FilterOperation.h:
+ (WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin):
+ * platform/graphics/filters/FilterOperations.cpp:
+ (WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin):
+ * platform/graphics/filters/FilterOperations.h:
+ * platform/mac/WidgetMac.mm:
+ (WebCore::Widget::paint):
+ * rendering/FilterEffectRenderer.cpp:
+ (WebCore::FilterEffectRenderer::build):
+ * rendering/FilterEffectRenderer.h:
+ * rendering/PaintInfo.h:
+ (WebCore::PaintInfo::PaintInfo):
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::paint):
+ (WebCore::RenderLayer::setupFilters):
+ (WebCore::RenderLayer::paintForegroundForFragmentsWithPhase):
+ * rendering/RenderLayer.h:
+ * rendering/RenderScrollbar.cpp:
+ (WebCore::RenderScrollbar::paint):
+ * rendering/RenderScrollbar.h:
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::paintContents):
+
2017-05-05 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r216273.
Modified: trunk/Source/WebCore/page/FrameView.cpp (216293 => 216294)
--- trunk/Source/WebCore/page/FrameView.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/page/FrameView.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -4419,7 +4419,7 @@
}
}
-void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect)
+void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
{
#ifndef NDEBUG
bool fillWithRed;
@@ -4471,7 +4471,7 @@
while (is<RenderInline>(renderer) && !downcast<RenderInline>(*renderer).firstLineBox())
renderer = renderer->parent();
- rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer);
+ rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer, 0, securityOriginPaintPolicy == SecurityOriginPaintPolicy::AnyOrigin ? RenderLayer::SecurityOriginPaintPolicy::AnyOrigin : RenderLayer::SecurityOriginPaintPolicy::AccessibleOriginOnly);
if (rootLayer->containsDirtyOverlayScrollbars())
rootLayer->paintOverlayScrollbars(context, dirtyRect, m_paintBehavior, renderer);
Modified: trunk/Source/WebCore/page/FrameView.h (216293 => 216294)
--- trunk/Source/WebCore/page/FrameView.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/page/FrameView.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -344,7 +344,7 @@
void addEmbeddedObjectToUpdate(RenderEmbeddedObject&);
void removeEmbeddedObjectToUpdate(RenderEmbeddedObject&);
- WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect) final;
+ WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
struct PaintingState {
PaintBehavior paintBehavior;
Modified: trunk/Source/WebCore/platform/ScrollView.cpp (216293 => 216294)
--- trunk/Source/WebCore/platform/ScrollView.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/ScrollView.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -1166,7 +1166,7 @@
context.drawImage(*panScrollIcon, iconGCPoint);
}
-void ScrollView::paint(GraphicsContext& context, const IntRect& rect)
+void ScrollView::paint(GraphicsContext& context, const IntRect& rect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
{
if (platformWidget()) {
Widget::paint(context, rect);
@@ -1198,7 +1198,7 @@
context.clip(visibleContentRect(LegacyIOSDocumentVisibleRect));
}
- paintContents(context, documentDirtyRect);
+ paintContents(context, documentDirtyRect, securityOriginPaintPolicy);
}
#if ENABLE(RUBBER_BANDING)
Modified: trunk/Source/WebCore/platform/ScrollView.h (216293 => 216294)
--- trunk/Source/WebCore/platform/ScrollView.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/ScrollView.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -344,7 +344,7 @@
}
// Widget override. Handles painting of the contents of the view as well as the scrollbars.
- WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&) final;
+ WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
void paintScrollbars(GraphicsContext&, const IntRect&);
// Widget overrides to ensure that our children's visibility status is kept up to date when we get shown and hidden.
@@ -380,7 +380,7 @@
ScrollView();
virtual void repaintContentRectangle(const IntRect&);
- virtual void paintContents(GraphicsContext&, const IntRect& damageRect) = 0;
+ virtual void paintContents(GraphicsContext&, const IntRect& damageRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) = 0;
virtual void paintOverhangAreas(GraphicsContext&, const IntRect& horizontalOverhangArea, const IntRect& verticalOverhangArea, const IntRect& dirtyRect);
Modified: trunk/Source/WebCore/platform/Scrollbar.cpp (216293 => 216294)
--- trunk/Source/WebCore/platform/Scrollbar.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/Scrollbar.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -157,7 +157,7 @@
updateThumb();
}
-void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
{
if (context.updatingControlTints() && theme().supportsControlTints()) {
invalidate();
Modified: trunk/Source/WebCore/platform/Scrollbar.h (216293 => 216294)
--- trunk/Source/WebCore/platform/Scrollbar.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/Scrollbar.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -85,7 +85,7 @@
WEBCORE_EXPORT void setProportion(int visibleSize, int totalSize);
void setPressedPos(int p) { m_pressedPos = p; }
- void paint(GraphicsContext&, const IntRect& damageRect) override;
+ void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) override;
bool enabled() const { return m_enabled; }
virtual void setEnabled(bool);
Modified: trunk/Source/WebCore/platform/Widget.h (216293 => 216294)
--- trunk/Source/WebCore/platform/Widget.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/Widget.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -114,7 +114,9 @@
void move(int x, int y) { setFrameRect(IntRect(x, y, width(), height())); }
void move(const IntPoint& p) { setFrameRect(IntRect(p, size())); }
- WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&);
+ enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
+ WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
void invalidate() { invalidateRect(boundsRect()); }
virtual void invalidateRect(const IntRect&) = 0;
Modified: trunk/Source/WebCore/platform/graphics/filters/FilterOperation.h (216293 => 216294)
--- trunk/Source/WebCore/platform/graphics/filters/FilterOperation.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/graphics/filters/FilterOperation.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -103,6 +103,8 @@
virtual bool affectsOpacity() const { return false; }
// True if the the value of one pixel can affect the value of another pixel under this operation, such as blur.
virtual bool movesPixels() const { return false; }
+ // True if the filter should not be allowed to work on content that is not available from this security origin.
+ virtual bool shouldBeRestrictedBySecurityOrigin() const { return false; }
// True if the filter needs the size of the box in order to calculate the animations.
virtual bool blendingNeedsRendererSize() const { return false; }
@@ -182,6 +184,9 @@
bool affectsOpacity() const override { return true; }
bool movesPixels() const override { return true; }
+ // FIXME: This only needs to return true for graphs that include ConvolveMatrix, DisplacementMap, Morphology and possibly Lighting.
+ // https://bugs.webkit.org/show_bug.cgi?id=171753
+ bool shouldBeRestrictedBySecurityOrigin() const override { return true; }
const String& url() const { return m_url; }
const String& fragment() const { return m_fragment; }
Modified: trunk/Source/WebCore/platform/graphics/filters/FilterOperations.cpp (216293 => 216294)
--- trunk/Source/WebCore/platform/graphics/filters/FilterOperations.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/graphics/filters/FilterOperations.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -137,6 +137,15 @@
return false;
}
+bool FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin() const
+{
+ for (auto& operation : m_operations) {
+ if (operation->shouldBeRestrictedBySecurityOrigin())
+ return true;
+ }
+ return false;
+}
+
TextStream& operator<<(TextStream& ts, const FilterOperations& filters)
{
for (size_t i = 0; i < filters.size(); ++i) {
Modified: trunk/Source/WebCore/platform/graphics/filters/FilterOperations.h (216293 => 216294)
--- trunk/Source/WebCore/platform/graphics/filters/FilterOperations.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/graphics/filters/FilterOperations.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -56,6 +56,7 @@
bool hasFilterThatAffectsOpacity() const;
bool hasFilterThatMovesPixels() const;
+ bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const;
bool hasReferenceFilter() const;
Modified: trunk/Source/WebCore/platform/mac/WidgetMac.mm (216293 => 216294)
--- trunk/Source/WebCore/platform/mac/WidgetMac.mm 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/platform/mac/WidgetMac.mm 2017-05-05 23:49:41 UTC (rev 216294)
@@ -184,7 +184,7 @@
return view;
}
-void Widget::paint(GraphicsContext& p, const IntRect& r)
+void Widget::paint(GraphicsContext& p, const IntRect& r, SecurityOriginPaintPolicy)
{
if (p.paintingDisabled())
return;
Modified: trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp (216293 => 216294)
--- trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -128,6 +128,7 @@
bool FilterEffectRenderer::build(RenderElement& renderer, const FilterOperations& operations, FilterConsumer consumer)
{
m_hasFilterThatMovesPixels = operations.hasFilterThatMovesPixels();
+ m_hasFilterThatShouldBeRestrictedBySecurityOrigin = operations.hasFilterThatShouldBeRestrictedBySecurityOrigin();
if (m_hasFilterThatMovesPixels)
m_outsets = operations.outsets();
Modified: trunk/Source/WebCore/rendering/FilterEffectRenderer.h (216293 => 216294)
--- trunk/Source/WebCore/rendering/FilterEffectRenderer.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/FilterEffectRenderer.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -84,6 +84,7 @@
void apply();
bool hasFilterThatMovesPixels() const { return m_hasFilterThatMovesPixels; }
+ bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const { return m_hasFilterThatShouldBeRestrictedBySecurityOrigin; }
private:
FilterEffectRenderer();
@@ -115,6 +116,7 @@
bool m_graphicsBufferAttached { false };
bool m_hasFilterThatMovesPixels { false };
+ bool m_hasFilterThatShouldBeRestrictedBySecurityOrigin { false };
};
inline FilterEffectRendererHelper::FilterEffectRendererHelper(bool haveFilterEffect, GraphicsContext& targetContext)
Modified: trunk/Source/WebCore/rendering/PaintInfo.h (216293 => 216294)
--- trunk/Source/WebCore/rendering/PaintInfo.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/PaintInfo.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -50,7 +50,8 @@
struct PaintInfo {
PaintInfo(GraphicsContext& newContext, const LayoutRect& newRect, PaintPhase newPhase, PaintBehavior newPaintBehavior,
RenderObject* newSubtreePaintRoot = nullptr, ListHashSet<RenderInline*>* newOutlineObjects = nullptr,
- OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr)
+ OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr,
+ bool newRequireSecurityOriginAccessForWidgets = false)
: rect(newRect)
, phase(newPhase)
, paintBehavior(newPaintBehavior)
@@ -58,6 +59,7 @@
, outlineObjects(newOutlineObjects)
, overlapTestRequests(overlapTestRequests)
, paintContainer(newPaintContainer)
+ , requireSecurityOriginAccessForWidgets(newRequireSecurityOriginAccessForWidgets)
, m_context(&newContext)
{
}
@@ -120,6 +122,7 @@
ListHashSet<RenderInline*>* outlineObjects; // used to list outlines that should be painted by a block with inline children
OverlapTestRequestMap* overlapTestRequests;
const RenderLayerModelObject* paintContainer; // the layer object that originates the current painting
+ bool requireSecurityOriginAccessForWidgets { false };
private:
GraphicsContext* m_context;
Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (216293 => 216294)
--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -3843,11 +3843,11 @@
return ScrollableArea::scroll(direction, granularity, multiplier);
}
-void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags)
+void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags, SecurityOriginPaintPolicy paintPolicy)
{
OverlapTestRequestMap overlapTestRequests;
- LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests);
+ LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests, paintPolicy == SecurityOriginPaintPolicy::AccessibleOriginOnly);
paintLayer(context, paintingInfo, paintFlags);
for (auto& widget : overlapTestRequests.keys())
@@ -4242,6 +4242,8 @@
// Note that we will still apply the clipping on the final rendering of the filter.
paintingInfo.clipToDirtyRect = !filterInfo.renderer()->hasFilterThatMovesPixels();
+ paintingInfo.requireSecurityOriginAccessForWidgets = filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin();
+
return WTFMove(painter.second);
}
@@ -4809,7 +4811,7 @@
if (shouldClip)
clipToRect(context, localPaintingInfo, fragment.foregroundRect);
- PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer());
+ PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer(), localPaintingInfo.requireSecurityOriginAccessForWidgets);
if (phase == PaintPhaseForeground)
paintInfo.overlapTestRequests = localPaintingInfo.overlapTestRequests;
renderer().paint(paintInfo, toLayoutPoint(fragment.layerBounds.location() - renderBoxLocation() + localPaintingInfo.subpixelOffset));
Modified: trunk/Source/WebCore/rendering/RenderLayer.h (216293 => 216294)
--- trunk/Source/WebCore/rendering/RenderLayer.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/RenderLayer.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -496,12 +496,14 @@
typedef unsigned PaintLayerFlags;
+ enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
// The two main functions that use the layer system. The paint method
// paints the layers that intersect the damage rect from back to
// front. The hitTest method looks for mouse events by walking
// layers that intersect the point from front to back.
void paint(GraphicsContext&, const LayoutRect& damageRect, const LayoutSize& subpixelOffset = LayoutSize(), PaintBehavior = PaintBehaviorNormal,
- RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0);
+ RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
bool hitTest(const HitTestRequest&, HitTestResult&);
bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&);
void paintOverlayScrollbars(GraphicsContext&, const LayoutRect& damageRect, PaintBehavior, RenderObject* subtreePaintRoot = nullptr);
@@ -718,7 +720,7 @@
enum CollectLayersBehavior { StopAtStackingContexts, StopAtStackingContainers };
struct LayerPaintingInfo {
- LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr)
+ LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false)
: rootLayer(inRootLayer)
, subtreePaintRoot(inSubtreePaintRoot)
, paintDirtyRect(inDirtyRect)
@@ -725,7 +727,7 @@
, subpixelOffset(inSupixelOffset)
, overlapTestRequests(inOverlapTestRequests)
, paintBehavior(inPaintBehavior)
- , clipToDirtyRect(true)
+ , requireSecurityOriginAccessForWidgets(inRequireSecurityOriginAccessForWidgets)
{ }
RenderLayer* rootLayer;
RenderObject* subtreePaintRoot; // only paint descendants of this object
@@ -733,7 +735,8 @@
LayoutSize subpixelOffset;
OverlapTestRequestMap* overlapTestRequests; // May be null.
PaintBehavior paintBehavior;
- bool clipToDirtyRect;
+ bool requireSecurityOriginAccessForWidgets;
+ bool clipToDirtyRect { true };
};
// Compute, cache and return clip rects computed with the given layer as the root.
Modified: trunk/Source/WebCore/rendering/RenderScrollbar.cpp (216293 => 216294)
--- trunk/Source/WebCore/rendering/RenderScrollbar.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/RenderScrollbar.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -102,7 +102,7 @@
updateScrollbarParts();
}
-void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
{
if (context.updatingControlTints()) {
updateScrollbarParts();
Modified: trunk/Source/WebCore/rendering/RenderScrollbar.h (216293 => 216294)
--- trunk/Source/WebCore/rendering/RenderScrollbar.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/RenderScrollbar.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -66,7 +66,7 @@
void setParent(ScrollView*) override;
void setEnabled(bool) override;
- void paint(GraphicsContext&, const IntRect& damageRect) override;
+ void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) override;
void setHoveredPart(ScrollbarPart) override;
void setPressedPart(ScrollbarPart) override;
Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (216293 => 216294)
--- trunk/Source/WebCore/rendering/RenderWidget.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -31,6 +31,7 @@
#include "RenderLayer.h"
#include "RenderLayerBacking.h"
#include "RenderView.h"
+#include "SecurityOrigin.h"
#include <wtf/StackStats.h>
#include <wtf/Ref.h>
@@ -216,6 +217,13 @@
void RenderWidget::paintContents(PaintInfo& paintInfo, const LayoutPoint& paintOffset)
{
+ if (paintInfo.requireSecurityOriginAccessForWidgets) {
+ if (auto contentDocument = frameOwnerElement().contentDocument()) {
+ if (!document().securityOrigin().canAccess(contentDocument->securityOrigin()))
+ return;
+ }
+ }
+
IntPoint contentPaintOffset = roundedIntPoint(paintOffset + location() + contentBoxRect().location());
// Tell the widget to paint now. This is the only time the widget is allowed
// to paint itself. That way it will composite properly with z-indexed layers.
@@ -229,8 +237,8 @@
paintInfo.context().translate(widgetPaintOffset);
paintRect.move(-widgetPaintOffset);
}
- // FIXME: Remove repaintrect encolsing/integral snapping when RenderWidget becomes device pixel snapped.
- m_widget->paint(paintInfo.context(), snappedIntRect(paintRect));
+ // FIXME: Remove repaintrect enclosing/integral snapping when RenderWidget becomes device pixel snapped.
+ m_widget->paint(paintInfo.context(), snappedIntRect(paintRect), paintInfo.requireSecurityOriginAccessForWidgets ? Widget::SecurityOriginPaintPolicy::AccessibleOriginOnly : Widget::SecurityOriginPaintPolicy::AnyOrigin);
if (!widgetPaintOffset.isZero())
paintInfo.context().translate(-widgetPaintOffset);
Modified: trunk/Source/WebKit2/ChangeLog (216293 => 216294)
--- trunk/Source/WebKit2/ChangeLog 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebKit2/ChangeLog 2017-05-05 23:49:41 UTC (rev 216294)
@@ -1,3 +1,17 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Update parameter lists.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::paint):
+ * WebProcess/Plugins/PluginView.h:
+
2017-05-05 Beth Dakin <bda...@apple.com>
Ensure NSColorPickerTouchBarItem only uses sRGB colors
Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (216293 => 216294)
--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2017-05-05 23:49:41 UTC (rev 216294)
@@ -782,7 +782,7 @@
viewGeometryDidChange();
}
-void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/)
+void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/, Widget::SecurityOriginPaintPolicy)
{
if (!m_plugin || !m_isInitialized || m_pluginElement->displayState() < HTMLPlugInElement::Restarting)
return;
Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h (216293 => 216294)
--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h 2017-05-05 23:46:45 UTC (rev 216293)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h 2017-05-05 23:49:41 UTC (rev 216294)
@@ -171,7 +171,7 @@
// WebCore::Widget
void setFrameRect(const WebCore::IntRect&) override;
- void paint(WebCore::GraphicsContext&, const WebCore::IntRect&) override;
+ void paint(WebCore::GraphicsContext&, const WebCore::IntRect&, WebCore::Widget::SecurityOriginPaintPolicy) override;
void invalidateRect(const WebCore::IntRect&) override;
void setFocus(bool) override;
void frameRectsChanged() override;
