Title: [293311] trunk
Revision: 293311
Author: you...@apple.com
Date: 2022-04-24 23:02:41 -0700 (Sun, 24 Apr 2022)

Log Message

TextTrackLoader should use SameOrigin mode by default
https://bugs.webkit.org/show_bug.cgi?id=239381

Reviewed by Eric Carlson.

LayoutTests/imported/w3c:

* web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
* web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
* web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:

Source/WebCore:

Covered by updated test.

* loader/TextTrackLoader.cpp:

LayoutTests:

* http/tests/security/contentSecurityPolicy/resources/track.vtt.py: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
* http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
* http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
* http/tests/security/text-track-crossorigin-expected.txt:
* http/tests/security/text-track-crossorigin.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (293310 => 293311)


--- trunk/LayoutTests/ChangeLog	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/ChangeLog	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,3 +1,18 @@
+2022-04-24  Youenn Fablet  <you...@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        * http/tests/security/contentSecurityPolicy/resources/track.vtt.py: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
+        * http/tests/security/text-track-crossorigin-expected.txt:
+        * http/tests/security/text-track-crossorigin.html:
+
 2022-04-23  Andres Gonzalez  <andresg...@apple.com>
 
         AX ITM: Table row objects should return a non-null unignored parent even when a table object is not found in its ancestry.

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt.py (0 => 293311)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt.py	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt.py	2022-04-25 06:02:41 UTC (rev 293311)
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+import sys
+import os
+
+sys.stdout.write(
+    'Content-Type: text/vtt\r\n'
+    'Cache-Control: no-cache, no-store, must-revalidate\r\n'
+    'Pragma: no-cache\r\n'
+    'Access-Control-Allow-Origin: *\r\n\r\n'
+)
+
+sys.stdout.write(
+     'WEBVTT\r\n'
+     '\r\n'
+     '1\r\n'
+     '00:00:00.000 --> 00:00:01.000\r\n'
+     'Sample'
+)
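
Review bot: `import os` at the top of track.vtt.py is never used and can be dropped, and the second sys.stdout.write() block is indented five spaces where the first uses four. The response also hard-codes `Access-Control-Allow-Origin: *`, which only satisfies crossorigin="anonymous" loads; a short comment saying the script is meant for anonymous-mode tests would stop someone reusing it for a use-credentials case, where a wildcard is rejected.
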
Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt.py
___________________________________________________________________

Added: svn:executable

+* \ No newline at end of property

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html	2022-04-25 06:02:41 UTC (rev 293311)
@@ -6,8 +6,8 @@
 <meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.py http://localhost:8000">
 </head>
 <body>
-<video>
-    <track src="" kind="captions" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
+<video crossOrigin="anonymous">
+    <track src="" kind="captions" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
 </video>
 <script>
 document.querySelector("track").track.mode = "hidden"; // Load the track
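
Review bot: The attribute is spelled crossOrigin in the markup here but 'crossorigin' in the setAttribute calls in text-track-crossorigin.html. HTML attribute names are case-insensitive so both work, but lowercase crossorigin would keep the tests consistent. The same applies to track-redirect-allowed2.html and track-redirect-blocked.html.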

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html	2022-04-25 06:02:41 UTC (rev 293311)
@@ -6,8 +6,8 @@
 <meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.py http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request">
 </head>
 <body>
-<video>
-    <track src="" kind="captions" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
+<video crossOrigin="anonymous">
+    <track src="" kind="captions" _onload_="alertAndDone('PASS')" _onerror_="alertAndDone('FAIL')">
 </video>
 <script>
 document.querySelector("track").track.mode = "hidden"; // Load the track

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
- blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt.py because it does not appear in the media-src directive of the Content Security Policy.
+ blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html	2022-04-25 06:02:41 UTC (rev 293311)
@@ -13,8 +13,8 @@
         window.testRunner.notifyDone();
     });
 </script>
-<video>
-<track src="" kind="captions">
+<video crossOrigin="anonymous">
+<track src="" kind="captions">
 </video>
 <script>
 document.querySelector("track").track.mode = "hidden"; // Load the track
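
Review bot: Nothing in the test says why crossOrigin="anonymous" is now on <video>, and it matters here: the expected output shows the redirect going from 127.0.0.1:8000 to localhost:8000, so without the attribute the load would fail under the new same-origin mode whatever the media-src directive says. A one-line HTML comment above <video> stating that CORS mode is needed for the CSP check to be the thing under test would keep that from regressing.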

Modified: trunk/LayoutTests/http/tests/security/text-track-crossorigin-expected.txt (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/text-track-crossorigin-expected.txt	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/text-track-crossorigin-expected.txt	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/captions-with-access-control-headers.py from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
 CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. Status code: 200
 CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
 Tests loading cross-domain <track>.
@@ -4,10 +6,10 @@
 
 
 Loading without Access-Control-Allow-Origin header, no "crossorigin" attribute on <video>
-EVENT(load)
-PASS: shouldLoad should be 'true' and is.
+EVENT(error)
+PASS: shouldLoad should be 'false' and is.
 PASS: event.target should be '[object HTMLTrackElement]' and is.
-PASS: trackElement.readyState should be '2' and is.
+PASS: trackElement.readyState should be '3' and is.
 
 
 Loading without Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"

Modified: trunk/LayoutTests/http/tests/security/text-track-crossorigin.html (293310 => 293311)


--- trunk/LayoutTests/http/tests/security/text-track-crossorigin.html	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/http/tests/security/text-track-crossorigin.html	2022-04-25 06:02:41 UTC (rev 293311)
@@ -29,21 +29,13 @@
 
                 log('<br>');
                 switch(counter) {
-                case 0:
-                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
-                    url = "" + counter;
-                    videoElement.setAttribute('crossorigin', 'anonymous');
-                    trackElement.removeAttribute('src');
-                    trackElement.setAttribute('src', url);
-                    shouldLoad = false;
-                    ++counter;
-                    break;
-
                 case 2:
                     log('Loading <b>with</b> Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers, setting video.crossorigin to "use-credentials"');
-                    url = ""
-                    trackElement.setAttribute('crossorigin', 'use-credentials');
+                    url = ""
+                    videoElement.setAttribute('crossorigin', 'use-credentials');
+                    trackElement.removeAttribute('src');
                     trackElement.setAttribute('src', url);
+                    shouldLoad = true;
                     ++counter;
                     break;
 
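
Review bot: The ChangeLog should say that case 2 was previously setting crossorigin on the wrong element. The old line `trackElement.setAttribute('crossorigin', 'use-credentials');` becomes `videoElement.setAttribute(...)`, and TextTrackLoader reads the mode through element.mediaElementCrossOriginAttribute(), so before this patch the use-credentials case was not testing what its log message claims. That is a test fix independent of the loader change and deserves its own line under text-track-crossorigin.html.
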
@@ -51,6 +43,7 @@
                     log("END OF TEST");
                     if (window.testRunner)
                         testRunner.notifyDone();
+
                 defaut:
                     if (window.testRunner)
                         testRunner.notifyDone();
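
Review bot: `defaut:` in the context lines is a typo for `default:`, so it is an ordinary statement label rather than the switch's default clause, and this hunk edits the line directly above it without fixing it. As written, an unexpected counter value matches no clause, and the "END OF TEST" branch has no break, so it falls through the label and calls testRunner.notifyDone() a second time. Suggest renaming the label to default: and adding break; after the first notifyDone() call.
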
@@ -69,13 +62,25 @@
 
                 log('<br>');
                 switch(counter) {
+                case 0:
+                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
+                    url = "" + counter;
+                    videoElement.setAttribute('crossorigin', 'anonymous');
+                    trackElement.removeAttribute('src');
+                    trackElement.setAttribute('src', url);
+                    shouldLoad = false;
+                    ++counter;
+                    break;
+
                 case 1:
                     log('Loading <b>with</b> Access-Control-Allow-Origin header, leaving video.crossorigin as "anonymous"');
                     url = ""
+                    trackElement.removeAttribute('src');
                     trackElement.setAttribute('src', url);
                     shouldLoad = true;
                     ++counter;
                     break;
+
                 defaut:
                     if (window.testRunner)
                         testRunner.notifyDone();
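
Review bot: The removeAttribute('src') then setAttribute('src', url) pair now appears in three cases with no explanation of why src is cleared first. If the intent is to force a fresh load after the crossorigin attribute changes, say so in a comment, or move the pair into one small helper so the reason is stated once. The `defaut:` label typo is present in this switch as well.
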
@@ -89,6 +94,7 @@
                 log('Loading <b>without</b> Access-Control-Allow-Origin header, no "crossorigin" attribute on &lt;video&gt;');
                 var url = ""
                 trackElement.setAttribute('src', url);
+                shouldLoad = false;
             }
 
         </script>
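
Review bot: With shouldLoad = false here, the only case that leaves crossorigin unset uses a response without Access-Control-Allow-Origin, so the test cannot tell same-origin mode apart from a loader that wrongly applies a CORS check. Add a case that leaves crossorigin unset and serves the Access-Control-Allow-Origin header, expecting an error event, so the test shows the load is rejected regardless of what the server allows.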

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (293310 => 293311)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,3 +1,14 @@
+2022-04-24  Youenn Fablet  <you...@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
+        * web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:
+
 2022-04-22  Cathie Chen  <cathiec...@igalia.com>
 
         The layout is not updated when style.contain is changed from "size"/"inline-size" to empty string

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt (293310 => 293311)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,4 +1,8 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL _javascript_:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
 
+CONSOLE MESSAGE: Unsafe attempt to load URL _javascript_:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
+
+
 PASS track element cloneNode, not loaded
 PASS track element cloneNode, loading
 PASS track element cloneNode, loaded

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt (293310 => 293311)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,9 +1,5 @@
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin. Status code: 200
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin. Status code: 200
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
 
 FAIL track element data: URL No CORS null is not an object (evaluating 't.track.cues.length')
-FAIL track element data: URL anonymous assert_unreached: got error event Reached unreachable code
-FAIL track element data: URL use-credentials assert_unreached: got error event Reached unreachable code
+FAIL track element data: URL anonymous null is not an object (evaluating 't.track.cues.length')
+FAIL track element data: URL use-credentials null is not an object (evaluating 't.track.cues.length')
 
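
Review bot: All three data: URL subtests are still FAIL in the new baseline, and the anonymous and use-credentials ones now fail with the same "null is not an object (evaluating 't.track.cues.length')" as the No CORS one instead of an error event. That reads as the load no longer erroring while cues are still unavailable. The ChangeLog should note the remaining failures and reference a follow-up bug so this baseline is not mistaken for the intended end state.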

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt (293310 => 293311)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,12 +1,12 @@
 
 PASS initialize global state
 PASS same-origin text track should load
-FAIL cross-origin text track with no-cors request should not load assert_equals: expected "error event" but got "load event"
+PASS cross-origin text track with no-cors request should not load
 PASS cross-origin text track with rejected cors request should not load
-FAIL cross-origin text track with approved cors request should not load assert_equals: expected "error event" but got "load event"
+PASS cross-origin text track with approved cors request should not load
 PASS same-origin text track that redirects same-origin should load
-FAIL same-origin text track that redirects cross-origin should not load assert_equals: expected "error event" but got "load event"
+PASS same-origin text track that redirects cross-origin should not load
 PASS same-origin text track that redirects to a cross-origin text track with rejected cors should not load
-FAIL same-origin text track that redirects to a cross-origin text track with approved cors should not load assert_equals: expected "error event" but got "load event"
+PASS same-origin text track that redirects to a cross-origin text track with approved cors should not load
 PASS restore global state
 

Modified: trunk/Source/WebCore/ChangeLog (293310 => 293311)


--- trunk/Source/WebCore/ChangeLog	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/Source/WebCore/ChangeLog	2022-04-25 06:02:41 UTC (rev 293311)
@@ -1,3 +1,14 @@
+2022-04-24  Youenn Fablet  <you...@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        Covered by updated test.
+
+        * loader/TextTrackLoader.cpp:
+
 2022-04-24  Diego Pino Garcia  <dp...@igalia.com>
 
         Unreviewed, non-unified build fixes after r293285
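
Review bot: The WebCore entry lists `* loader/TextTrackLoader.cpp:` with no function name or description, and "Covered by updated test." does not say what changed. This is a web-visible change (the updated baselines show a cross-origin track without a crossorigin attribute going from EVENT(load) to EVENT(error)), so the entry should state that and name the function touched.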

Modified: trunk/Source/WebCore/loader/TextTrackLoader.cpp (293310 => 293311)


--- trunk/Source/WebCore/loader/TextTrackLoader.cpp	2022-04-25 05:56:51 UTC (rev 293310)
+++ trunk/Source/WebCore/loader/TextTrackLoader.cpp	2022-04-25 06:02:41 UTC (rev 293311)
@@ -147,6 +147,7 @@
 
     ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
     options.contentSecurityPolicyImposition = element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
     // FIXME: Do we really need to call completeURL here?
     ResourceRequest resourceRequest(m_document.completeURL(url.string()));
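
Review bot: `options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;` needs a comment explaining why it is set. I assume it is there so data: URL tracks are treated as same-origin and are not rejected once the request is created with SameOriginFlag::Yes in the next hunk. If so, say that next to the line, since the two changes sit in different hunks and are easy to separate in a later refactor.
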
@@ -154,7 +155,7 @@
     if (auto mediaElement = element.mediaElement())
         resourceRequest.setInspectorInitiatorNodeIdentifier(InspectorInstrumentation::identifierForNode(*mediaElement));
 
-    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), m_document, element.mediaElementCrossOriginAttribute());
+    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), m_document, element.mediaElementCrossOriginAttribute(), SameOriginFlag::Yes);
     m_resource = m_document.cachedResourceLoader().requestTextTrack(WTFMove(cueRequest)).value_or(nullptr);
     if (!m_resource)
         return false;
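
Review bot: SameOriginFlag::Yes is passed unconditionally, so it also applies to tracks whose element is in a user-agent shadow tree, which the contentSecurityPolicyImposition line in the previous hunk exempts from the CSP check. Please confirm that is intended and say so in the ChangeLog. A short comment pointing at the HTML track processing model, which creates the request with the same-origin fallback flag set, would also explain the bare trailing argument.
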
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
