Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-05-08 14:24:57 UTC (rev 216417)
@@ -1,3 +1,22 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Add a test that shows safe frames, unsafe frames, and
+ then a safe frame that itself has an unsafe frame, to
+ show that the security requirements are being forwarded
+ down the tree.
+
+ * http/tests/css/filters-on-iframes-expected.html: Added.
+ * http/tests/css/filters-on-iframes.html: Added.
+ * http/tests/css/resources/blank.html: Added.
+ * http/tests/css/resources/references-external.html: Added.
+ * http/tests/css/resources/solid-red.html: Added.
+
2017-05-04 Antti Koivisto <an...@apple.com>
REGRESSION (Safari 10.1): When 'transition' contains -ms-transform, transform-origin is also transitioned
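Review bot: the new test only exercises `filter: url(#noop)`, while the restriction added in FilterOperation.h keys off ReferenceFilterOperation alone; a cross-origin frame under a shorthand filter that is visually an identity (for example `filter: brightness(1)`) would confirm that non-reference filters still paint cross-origin content, which is the behaviour this patch intends to preserve and which nothing here checks.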
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes-expected.html (0 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes-expected.html 2017-05-08 14:24:57 UTC (rev 216417)
@@ -0,0 +1,40 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+iframe {
+ border: none;
+}
+div {
+ display: inline-block;
+}
+</style>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes.html (0 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/filters-on-iframes.html 2017-05-08 14:24:57 UTC (rev 216417)
@@ -0,0 +1,54 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+iframe {
+ border: none;
+}
+div {
+ display: inline-block;
+}
+.filtered {
+ filter: url(#noop);
+}
+svg {
+ display: none;
+}
+</style>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<br>
+
+<div>
+ <iframe src=""
+</div>
+
+<div class="filtered">
+ <iframe src=""
+</div>
+
+<svg>
+ <defs>
+ <filter id="noop">
+ <feMorphology operator="dilate" in="SourceGraphic" radius="0"/>
+ </filter>
+ </defs>
+</svg>
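Review bot: the test's only filter primitive, `<feMorphology operator="dilate" in="SourceGraphic" radius="0"/>`, is relied upon as a no-op and the reference expects filtered same-origin frames to match unfiltered ones pixel for pixel. That holds under the Filter Effects Module Level 1 wording (zero radius passes the input through) but SVG 1.1 defined a zero radius as disabling the primitive and yielding transparent black, so a comment stating that pass-through is the intended semantics would save anyone debugging a failure on another port from chasing the wrong thing.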
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/blank.html (0 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/blank.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/blank.html 2017-05-08 14:24:57 UTC (rev 216417)
@@ -0,0 +1,5 @@
+<style>
+ body {
+ background-color: white;
+ }
+</style>
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/references-external.html (0 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/references-external.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/references-external.html 2017-05-08 14:24:57 UTC (rev 216417)
@@ -0,0 +1,11 @@
+<style>
+body {
+ margin: 0;
+ padding: 0;
+}
+
+iframe {
+ border: none;
+}
+</style>
+<iframe src=""
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/solid-red.html (0 => 216417)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/solid-red.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/css/resources/solid-red.html 2017-05-08 14:24:57 UTC (rev 216417)
@@ -0,0 +1,5 @@
+<style>
+ body {
+ background-color: red;
+ }
+</style>
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-05-08 14:24:57 UTC (rev 216417)
@@ -1,3 +1,66 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ ...and now the GTK and Windows builds.
+
+ * platform/gtk/WidgetGtk.cpp:
+ (WebCore::Widget::paint):
+ * platform/win/WidgetWin.cpp:
+ (WebCore::Widget::paint):
+
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Certain SVG filters should only be allowed to operate
+ on content that is has SecurityOrigin access to. Implement
+ this by including a flag in PaintInfo and LayerPaintingInfo,
+ and have RenderWidget make sure the documents have acceptable
+ SecurityOrigins as it goes to paint.
+
+ This could be used as the first step in a "safe painting"
+ strategy, allowing some content to be rendered into a
+ canvas or via the element() CSS function... but it is only
+ a small first step.
+
+ Test: http/tests/css/filters-on-iframes.html
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::paintContents):
+ * page/FrameView.h:
+ * platform/ScrollView.cpp:
+ (WebCore::ScrollView::paint):
+ * platform/ScrollView.h:
+ * platform/Scrollbar.cpp:
+ (WebCore::Scrollbar::paint):
+ * platform/Scrollbar.h:
+ * platform/Widget.h:
+ * platform/graphics/filters/FilterOperation.h:
+ (WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin):
+ * platform/graphics/filters/FilterOperations.cpp:
+ (WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin):
+ * platform/graphics/filters/FilterOperations.h:
+ * platform/mac/WidgetMac.mm:
+ (WebCore::Widget::paint):
+ * rendering/FilterEffectRenderer.cpp:
+ (WebCore::FilterEffectRenderer::build):
+ * rendering/FilterEffectRenderer.h:
+ * rendering/PaintInfo.h:
+ (WebCore::PaintInfo::PaintInfo):
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::paint):
+ (WebCore::RenderLayer::setupFilters):
+ (WebCore::RenderLayer::paintForegroundForFragmentsWithPhase):
+ * rendering/RenderLayer.h:
+ * rendering/RenderScrollbar.cpp:
+ (WebCore::RenderScrollbar::paint):
+ * rendering/RenderScrollbar.h:
+ * rendering/RenderWidget.cpp:
+ (WebCore::RenderWidget::paintContents):
+
2017-05-05 Antti Koivisto <an...@apple.com>
ASSERTION FAILED: !frame().document()->inRenderTreeUpdate() in WebCore::FrameView::layout(bool)
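Review bot: "Certain SVG filters should only be allowed to operate on content..." understates what lands here: ReferenceFilterOperation::shouldBeRestrictedBySecurityOrigin() returns true unconditionally (with a FIXME pointing at bug 171753), so every `url()` reference filter, including one built only from e.g. feColorMatrix, now causes cross-origin frames beneath it to be skipped entirely rather than painted. The ChangeLog should say that all reference filters are restricted for now and name the follow-up bug. Also, "content that is has SecurityOrigin access to" is missing a word.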
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -4407,7 +4407,7 @@
}
}
-void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect)
+void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
{
#ifndef NDEBUG
bool fillWithRed;
@@ -4461,7 +4461,7 @@
while (is<RenderInline>(renderer) && !downcast<RenderInline>(*renderer).firstLineBox())
renderer = renderer->parent();
- rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer);
+ rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer, 0, securityOriginPaintPolicy == SecurityOriginPaintPolicy::AnyOrigin ? RenderLayer::SecurityOriginPaintPolicy::AnyOrigin : RenderLayer::SecurityOriginPaintPolicy::AccessibleOriginOnly);
if (rootLayer->containsDirtyOverlayScrollbars())
rootLayer->paintOverlayScrollbars(context, dirtyRect, m_paintBehavior, renderer);
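Review bot: this line converts Widget::SecurityOriginPaintPolicy into an identically shaped RenderLayer::SecurityOriginPaintPolicy with a ternary; the two enums (declared in Widget.h and RenderLayer.h) carry the same two values and this mapping has to be kept in step whenever either changes. Define the enum once in a header both can include and pass it straight through. Leaving `paintOverlayScrollbars` without the policy is fine, since scrollbars never host a document.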
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -344,7 +344,7 @@
void addEmbeddedObjectToUpdate(RenderEmbeddedObject&);
void removeEmbeddedObjectToUpdate(RenderEmbeddedObject&);
- WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect) final;
+ WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
struct PaintingState {
PaintBehavior paintBehavior;
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -1166,7 +1166,7 @@
context.drawImage(*panScrollIcon, iconGCPoint);
}
-void ScrollView::paint(GraphicsContext& context, const IntRect& rect)
+void ScrollView::paint(GraphicsContext& context, const IntRect& rect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
{
if (platformWidget()) {
Widget::paint(context, rect);
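Review bot: on the `platformWidget()` branch the policy is dropped: `Widget::paint(context, rect);` still calls the two-argument form and therefore paints with the default AnyOrigin. The Gtk and Win Widget::paint bodies are empty and the Mac one ignores the parameter today, but pass `securityOriginPaintPolicy` through here so the intent survives if a port's Widget::paint ever honours it.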
@@ -1198,7 +1198,7 @@
context.clip(visibleContentRect(LegacyIOSDocumentVisibleRect));
}
- paintContents(context, documentDirtyRect);
+ paintContents(context, documentDirtyRect, securityOriginPaintPolicy);
}
#if ENABLE(RUBBER_BANDING)
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/ScrollView.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -344,7 +344,7 @@
}
// Widget override. Handles painting of the contents of the view as well as the scrollbars.
- WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&) final;
+ WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
void paintScrollbars(GraphicsContext&, const IntRect&);
// Widget overrides to ensure that our children's visibility status is kept up to date when we get shown and hidden.
@@ -380,7 +380,7 @@
ScrollView();
virtual void repaintContentRectangle(const IntRect&);
- virtual void paintContents(GraphicsContext&, const IntRect& damageRect) = 0;
+ virtual void paintContents(GraphicsContext&, const IntRect& damageRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) = 0;
virtual void paintOverhangAreas(GraphicsContext&, const IntRect& horizontalOverhangArea, const IntRect& verticalOverhangArea, const IntRect& dirtyRect);
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -157,7 +157,7 @@
updateThumb();
}
-void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
{
if (context.updatingControlTints() && theme().supportsControlTints()) {
invalidate();
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Scrollbar.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -85,7 +85,7 @@
WEBCORE_EXPORT void setProportion(int visibleSize, int totalSize);
void setPressedPos(int p) { m_pressedPos = p; }
- void paint(GraphicsContext&, const IntRect& damageRect) override;
+ void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) override;
bool enabled() const { return m_enabled; }
virtual void setEnabled(bool);
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Widget.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Widget.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/Widget.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -114,7 +114,9 @@
void move(int x, int y) { setFrameRect(IntRect(x, y, width(), height())); }
void move(const IntPoint& p) { setFrameRect(IntRect(p, size())); }
- WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&);
+ enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
+ WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
void invalidate() { invalidateRect(boundsRect()); }
virtual void invalidateRect(const IntRect&) = 0;
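Review bot: the new parameter carries a default (`= SecurityOriginPaintPolicy::AnyOrigin`) on this base virtual and again on some overrides (ScrollView::paint, Scrollbar::paint, FrameView::paintContents) but not on others (RenderScrollbar::paint, PluginView::paint). Default arguments on virtual functions are bound by the static type at the call site, so a base/override divergence would be silent; either keep the default only on this base declaration or remove it everywhere and have callers state the policy explicitly.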
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperation.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperation.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperation.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -103,6 +103,8 @@
virtual bool affectsOpacity() const { return false; }
// True if the the value of one pixel can affect the value of another pixel under this operation, such as blur.
virtual bool movesPixels() const { return false; }
+ // True if the filter should not be allowed to work on content that is not available from this security origin.
+ virtual bool shouldBeRestrictedBySecurityOrigin() const { return false; }
// True if the filter needs the size of the box in order to calculate the animations.
virtual bool blendingNeedsRendererSize() const { return false; }
@@ -182,6 +184,9 @@
bool affectsOpacity() const override { return true; }
bool movesPixels() const override { return true; }
+ // FIXME: This only needs to return true for graphs that include ConvolveMatrix, DisplacementMap, Morphology and possibly Lighting.
+ // https://bugs.webkit.org/show_bug.cgi?id=171753
+ bool shouldBeRestrictedBySecurityOrigin() const override { return true; }
const String& url() const { return m_url; }
const String& fragment() const { return m_fragment; }
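Review bot: the FIXME lists the primitives that should eventually trigger the restriction (ConvolveMatrix, DisplacementMap, Morphology, possibly Lighting) but not the property that makes them a concern; stating the criterion next to the list (is it that their cost or output depends on the input pixel values?) would let bug 171753 apply a rule rather than maintain a whitelist. It should also record that, until then, returning true here blanks cross-origin frames under every reference filter, so the user-visible cost of the interim behaviour is documented where the decision lives.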
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -137,6 +137,15 @@
return false;
}
+bool FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin() const
+{
+ for (auto& operation : m_operations) {
+ if (operation->shouldBeRestrictedBySecurityOrigin())
+ return true;
+ }
+ return false;
+}
+
TextStream& operator<<(TextStream& ts, const FilterOperations& filters)
{
for (size_t i = 0; i < filters.size(); ++i) {
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/filters/FilterOperations.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -56,6 +56,7 @@
bool hasFilterThatAffectsOpacity() const;
bool hasFilterThatMovesPixels() const;
+ bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const;
bool hasReferenceFilter() const;
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/WidgetGtk.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/WidgetGtk.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/WidgetGtk.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -80,7 +80,7 @@
gtk_widget_hide(platformWidget());
}
-void Widget::paint(GraphicsContext&, const IntRect&)
+void Widget::paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy)
{
}
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/mac/WidgetMac.mm (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/mac/WidgetMac.mm 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/mac/WidgetMac.mm 2017-05-08 14:24:57 UTC (rev 216417)
@@ -184,7 +184,7 @@
return view;
}
-void Widget::paint(GraphicsContext& p, const IntRect& r)
+void Widget::paint(GraphicsContext& p, const IntRect& r, SecurityOriginPaintPolicy)
{
if (p.paintingDisabled())
return;
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/win/WidgetWin.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/win/WidgetWin.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/win/WidgetWin.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -75,7 +75,7 @@
view->hostWindow()->setCursor(cursor);
}
-void Widget::paint(GraphicsContext&, const IntRect&)
+void Widget::paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy)
{
}
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -128,6 +128,7 @@
bool FilterEffectRenderer::build(RenderElement& renderer, const FilterOperations& operations, FilterConsumer consumer)
{
m_hasFilterThatMovesPixels = operations.hasFilterThatMovesPixels();
+ m_hasFilterThatShouldBeRestrictedBySecurityOrigin = operations.hasFilterThatShouldBeRestrictedBySecurityOrigin();
if (m_hasFilterThatMovesPixels)
m_outsets = operations.outsets();
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/FilterEffectRenderer.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -84,6 +84,7 @@
void apply();
bool hasFilterThatMovesPixels() const { return m_hasFilterThatMovesPixels; }
+ bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const { return m_hasFilterThatShouldBeRestrictedBySecurityOrigin; }
private:
FilterEffectRenderer();
@@ -115,6 +116,7 @@
bool m_graphicsBufferAttached { false };
bool m_hasFilterThatMovesPixels { false };
+ bool m_hasFilterThatShouldBeRestrictedBySecurityOrigin { false };
};
inline FilterEffectRendererHelper::FilterEffectRendererHelper(bool haveFilterEffect, GraphicsContext& targetContext)
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/PaintInfo.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/PaintInfo.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/PaintInfo.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -50,7 +50,8 @@
struct PaintInfo {
PaintInfo(GraphicsContext& newContext, const LayoutRect& newRect, PaintPhase newPhase, PaintBehavior newPaintBehavior,
RenderObject* newSubtreePaintRoot = nullptr, ListHashSet<RenderInline*>* newOutlineObjects = nullptr,
- OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr)
+ OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr,
+ bool newRequireSecurityOriginAccessForWidgets = false)
: rect(newRect)
, phase(newPhase)
, paintBehavior(newPaintBehavior)
@@ -58,6 +59,7 @@
, outlineObjects(newOutlineObjects)
, overlapTestRequests(overlapTestRequests)
, paintContainer(newPaintContainer)
+ , requireSecurityOriginAccessForWidgets(newRequireSecurityOriginAccessForWidgets)
, m_context(&newContext)
{
}
@@ -120,6 +122,7 @@
ListHashSet<RenderInline*>* outlineObjects; // used to list outlines that should be painted by a block with inline children
OverlapTestRequestMap* overlapTestRequests;
const RenderLayerModelObject* paintContainer; // the layer object that originates the current painting
+ bool requireSecurityOriginAccessForWidgets { false };
private:
GraphicsContext* m_context;
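Review bot: PaintInfo's constructor now takes nine positional parameters, and the one call site this patch updates (RenderLayer::paintForegroundForFragmentsWithPhase) has to spell out `nullptr, nullptr, &localPaintingInfo.rootLayer->renderer(), ...` to reach the new one. `requireSecurityOriginAccessForWidgets` is a public member with a `{ false }` initializer, so assigning it after construction, as that same function already does for `paintInfo.overlapTestRequests`, would avoid growing the signature; as written, the `{ false }` default member initializer is also redundant with the mem-initializer.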
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -3837,11 +3837,11 @@
return ScrollableArea::scroll(direction, granularity, multiplier);
}
-void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags)
+void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags, SecurityOriginPaintPolicy paintPolicy)
{
OverlapTestRequestMap overlapTestRequests;
- LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests);
+ LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests, paintPolicy == SecurityOriginPaintPolicy::AccessibleOriginOnly);
paintLayer(context, paintingInfo, paintFlags);
for (auto& widget : overlapTestRequests.keys())
@@ -4239,6 +4239,8 @@
// Note that we will still apply the clipping on the final rendering of the filter.
paintingInfo.clipToDirtyRect = !filterInfo.renderer()->hasFilterThatMovesPixels();
+ paintingInfo.requireSecurityOriginAccessForWidgets = filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin();
+
return WTFMove(painter.second);
}
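Review bot: in setupFilters the flag is assigned rather than OR-ed in (`paintingInfo.requireSecurityOriginAccessForWidgets = filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin();`), so if the incoming LayerPaintingInfo already carries the restriction, set by FrameView::paintContents for AccessibleOriginOnly or inherited from an ancestor layer whose filter is restricted, a descendant layer whose own filter is not restricted (for example `blur()`) turns it back off for its subtree, and a cross-origin iframe inside a blurred element under a `url()` filter would again be painted into the outer filter's input. Unless paintingInfo here can never arrive with the flag set, write `paintingInfo.requireSecurityOriginAccessForWidgets = paintingInfo.requireSecurityOriginAccessForWidgets || ...` so the restriction only ever tightens down the tree.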
@@ -4800,7 +4802,7 @@
if (shouldClip)
clipToRect(context, localPaintingInfo, fragment.foregroundRect);
- PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer());
+ PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer(), localPaintingInfo.requireSecurityOriginAccessForWidgets);
if (phase == PaintPhaseForeground)
paintInfo.overlapTestRequests = localPaintingInfo.overlapTestRequests;
renderer().paint(paintInfo, toLayoutPoint(fragment.layerBounds.location() - renderBoxLocation() + localPaintingInfo.subpixelOffset));
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayer.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -462,12 +462,14 @@
typedef unsigned PaintLayerFlags;
+ enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
// The two main functions that use the layer system. The paint method
// paints the layers that intersect the damage rect from back to
// front. The hitTest method looks for mouse events by walking
// layers that intersect the point from front to back.
void paint(GraphicsContext&, const LayoutRect& damageRect, const LayoutSize& subpixelOffset = LayoutSize(), PaintBehavior = PaintBehaviorNormal,
- RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0);
+ RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
bool hitTest(const HitTestRequest&, HitTestResult&);
bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&);
void paintOverlayScrollbars(GraphicsContext&, const LayoutRect& damageRect, PaintBehavior, RenderObject* subtreePaintRoot = nullptr);
@@ -678,7 +680,7 @@
enum CollectLayersBehavior { StopAtStackingContexts, StopAtStackingContainers };
struct LayerPaintingInfo {
- LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr)
+ LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false)
: rootLayer(inRootLayer)
, subtreePaintRoot(inSubtreePaintRoot)
, paintDirtyRect(inDirtyRect)
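Review bot: giving `inRequireSecurityOriginAccessForWidgets` a default of `false` means any other construction of LayerPaintingInfo (only the one in RenderLayer::paint is updated in this patch) silently opts out of the restriction. Please audit the remaining constructions, in particular any on paint paths that do not go through RenderLayer::paint, and either thread the flag through or note why they can never sit under a restricted filter; a constructor without the default would have made the compiler find them.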
@@ -685,7 +687,7 @@
, subpixelOffset(inSupixelOffset)
, overlapTestRequests(inOverlapTestRequests)
, paintBehavior(inPaintBehavior)
- , clipToDirtyRect(true)
+ , requireSecurityOriginAccessForWidgets(inRequireSecurityOriginAccessForWidgets)
{ }
RenderLayer* rootLayer;
RenderObject* subtreePaintRoot; // only paint descendants of this object
@@ -693,7 +695,8 @@
LayoutSize subpixelOffset;
OverlapTestRequestMap* overlapTestRequests; // May be null.
PaintBehavior paintBehavior;
- bool clipToDirtyRect;
+ bool requireSecurityOriginAccessForWidgets;
+ bool clipToDirtyRect { true };
};
// Compute, cache and return clip rects computed with the given layer as the root.
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -102,7 +102,7 @@
updateScrollbarParts();
}
-void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
{
if (context.updatingControlTints()) {
updateScrollbarParts();
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderScrollbar.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -66,7 +66,7 @@
void setParent(ScrollView*) override;
void setEnabled(bool) override;
- void paint(GraphicsContext&, const IntRect& damageRect) override;
+ void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) override;
void setHoveredPart(ScrollbarPart) override;
void setPressedPart(ScrollbarPart) override;
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderWidget.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderWidget.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderWidget.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -31,6 +31,7 @@
#include "RenderLayer.h"
#include "RenderLayerBacking.h"
#include "RenderView.h"
+#include "SecurityOrigin.h"
#include <wtf/StackStats.h>
#include <wtf/Ref.h>
@@ -216,6 +217,13 @@
void RenderWidget::paintContents(PaintInfo& paintInfo, const LayoutPoint& paintOffset)
{
+ if (paintInfo.requireSecurityOriginAccessForWidgets) {
+ if (auto contentDocument = frameOwnerElement().contentDocument()) {
+ if (!document().securityOrigin().canAccess(contentDocument->securityOrigin()))
+ return;
+ }
+ }
+
IntPoint contentPaintOffset = roundedIntPoint(paintOffset + location() + contentBoxRect().location());
// Tell the widget to paint now. This is the only time the widget is allowed
// to paint itself. That way it will composite properly with z-indexed layers.
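Review bot: the early return only happens inside `if (auto contentDocument = frameOwnerElement().contentDocument())`, so when the owner has no content document (a plugin-backed object/embed, or a frame whose document does not exist yet) the check is skipped and the widget paints under the restricted filter. If excluding those cases is deliberate, say so in a comment; otherwise failing closed when the origin cannot be established (`return` whenever `requireSecurityOriginAccessForWidgets` is set and there is no accessible content document) is the safer default. Using `canAccess` rather than a plain same-origin comparison is reasonable here since it tracks what the two documents can already read from each other via script.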
@@ -229,8 +237,8 @@
paintInfo.context().translate(widgetPaintOffset);
paintRect.move(-widgetPaintOffset);
}
- // FIXME: Remove repaintrect encolsing/integral snapping when RenderWidget becomes device pixel snapped.
- m_widget->paint(paintInfo.context(), snappedIntRect(paintRect));
+ // FIXME: Remove repaintrect enclosing/integral snapping when RenderWidget becomes device pixel snapped.
+ m_widget->paint(paintInfo.context(), snappedIntRect(paintRect), paintInfo.requireSecurityOriginAccessForWidgets ? Widget::SecurityOriginPaintPolicy::AccessibleOriginOnly : Widget::SecurityOriginPaintPolicy::AnyOrigin);
if (!widgetPaintOffset.isZero())
paintInfo.context().translate(-widgetPaintOffset);
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-05-08 14:24:57 UTC (rev 216417)
@@ -1,3 +1,17 @@
+2017-05-05 Dean Jackson <d...@apple.com>
+
+ Restrict SVG filters to accessible security origins
+ https://bugs.webkit.org/show_bug.cgi?id=118689
+ <rdar://problem/27362159>
+
+ Reviewed by Brent Fulgham.
+
+ Update parameter lists.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::paint):
+ * WebProcess/Plugins/PluginView.h:
+
2017-05-04 Konstantin Tokarev <annu...@yandex.ru>
Fix compilation with ICU 59.1
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2017-05-08 14:24:57 UTC (rev 216417)
@@ -775,7 +775,7 @@
viewGeometryDidChange();
}
-void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/)
+void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/, Widget::SecurityOriginPaintPolicy)
{
if (!m_plugin || !m_isInitialized || m_pluginElement->displayState() < HTMLPlugInElement::Restarting)
return;
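Review bot: PluginView::paint accepts the new policy and ignores it, and RenderWidget::paintContents only performs its origin check when `frameOwnerElement().contentDocument()` is non-null, which a plugin-backed element will not have, so plugin content continues to paint under restricted filters. If that is intended (plugin pixels are not a cross-origin Document), a one-line comment here would stop the unused parameter from looking forgotten; if not, this override should return early for `AccessibleOriginOnly`.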
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.h (216416 => 216417)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.h 2017-05-08 14:06:29 UTC (rev 216416)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.h 2017-05-08 14:24:57 UTC (rev 216417)
@@ -170,7 +170,7 @@
// WebCore::Widget
void setFrameRect(const WebCore::IntRect&) override;
- void paint(WebCore::GraphicsContext&, const WebCore::IntRect&) override;
+ void paint(WebCore::GraphicsContext&, const WebCore::IntRect&, WebCore::Widget::SecurityOriginPaintPolicy) override;
void invalidateRect(const WebCore::IntRect&) override;
void setFocus(bool) override;
void frameRectsChanged() override;