Title: [201930] trunk
Revision
201930
Author
[email protected]
Date
2016-06-10 11:17:11 -0700 (Fri, 10 Jun 2016)

Log Message

Origin header is not included in CORS requests for preloaded cross-origin resources
https://bugs.webkit.org/show_bug.cgi?id=155761
<rdar://problem/25351850>

Reviewed by Alex Christensen.

Source/WebCore:

Making HTML preloader fully aware of crossorigin attribute value.
Introducing CachedResourceRequest::setAsPotentiallyCrossOrigin as a helper routine to activate CORS mode.
Making HTMLLinkElement and HTMLResourcePreloader use that routine.
Making TokenPreloadScanner store the crossorigin attribute value in preload requests.
Making TokenPreloadScanner store the crossorigin attribute value for link elements.

Test: http/tests/security/cross-origin-css-9.html

* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process):
* html/parser/HTMLPreloadScanner.cpp:
(WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
(WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
* html/parser/HTMLResourcePreloader.cpp:
(WebCore::crossOriginModeAllowsCookies):
(WebCore::PreloadRequest::resourceRequest):
* html/parser/HTMLResourcePreloader.h:
(WebCore::PreloadRequest::setCrossOriginMode):
(WebCore::PreloadRequest::PreloadRequest): Deleted.
(WebCore::PreloadRequest::resourceType): Deleted.
* loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
* loader/cache/CachedResourceRequest.h:

LayoutTests:

* http/tests/security/cross-origin-css-9-expected.txt: Added.
* http/tests/security/cross-origin-css-9.html: Added.
* http/tests/security/resources/get-css-if-origin-header.php: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (201929 => 201930)


--- trunk/LayoutTests/ChangeLog	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/LayoutTests/ChangeLog	2016-06-10 18:17:11 UTC (rev 201930)
@@ -1,3 +1,15 @@
+2016-06-10  Youenn Fablet  <[email protected]>
+
+        Origin header is not included in CORS requests for preloaded cross-origin resources
+        https://bugs.webkit.org/show_bug.cgi?id=155761
+        <rdar://problem/25351850>
+
+        Reviewed by Alex Christensen.
+
+        * http/tests/security/cross-origin-css-9-expected.txt: Added.
+        * http/tests/security/cross-origin-css-9.html: Added.
+        * http/tests/security/resources/get-css-if-origin-header.php: Added.
+
 2016-06-10  Ryan Haddad  <[email protected]>
 
         Marking fast/hidpi/hidpi-3x-device-pixel-ratio.html as failing on ios-simulator

Added: trunk/LayoutTests/http/tests/security/cross-origin-css-9-expected.txt (0 => 201930)


--- trunk/LayoutTests/http/tests/security/cross-origin-css-9-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-css-9-expected.txt	2016-06-10 18:17:11 UTC (rev 201930)
@@ -0,0 +1,9 @@
+
+PASS  Testing that link element to load stylesheets correctly handle crossorigin mode. 
+PASS Same-origin URL link without crossorigin attribute should be loaded without an Origin header 
+PASS Cross-origin URL link without crossorigin attribute should be loaded without an Origin header 
+PASS Same-origin URL link with crossorigin="" attribute should be loaded with an Origin header 
+PASS Cross-origin URL link with crossorigin="" should be loaded with an Origin header 
+PASS Cross-origin URL link with crossorigin="anonymous" should be loaded with an Origin header 
+PASS Cross-origin URL link with crossorigin="credentials" should be loaded with an Origin header 
+

Added: trunk/LayoutTests/http/tests/security/cross-origin-css-9.html (0 => 201930)


--- trunk/LayoutTests/http/tests/security/cross-origin-css-9.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-css-9.html	2016-06-10 18:17:11 UTC (rev 201930)
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Cross-origin CSS: Origin header should be set when fetching stylesheet in cors mode</title>
+
+<script src=""
+<script src=""
+
+<link id="link-id0" rel="stylesheet" type="text/css" href=""
+<link id="link-id1" rel="stylesheet" type="text/css" href=""
+<link id="link-id2" rel="stylesheet" type="text/css" href="" crossorigin=""></link>
+<link id="link-id3" rel="stylesheet" type="text/css" href="" crossorigin=""></link>
+<link id="link-id4" rel="stylesheet" type="text/css" href="" crossorigin="anonymous"></link>
+<link id="link-id5" rel="stylesheet" type="text/css" href="" crossorigin="credentials"></link>
+<script>
+function getBackgroundColorForId(id) {
+    return window.getComputedStyle(document.getElementById(id), null).getPropertyValue('background-color')
+}
+
+function checkCSSLoading(id, expectToIncludeOrigin, expectVisibility)
+{
+    expectedColor = expectToIncludeOrigin ? "rgb(255, 255, 0)" : "rgb(0, 0, 255)";
+    assert_equals(getBackgroundColorForId(id), expectedColor);
+    // FIXME: cssRules should be made visible according resource tainted status, not only based on the resource URL being cross origin.
+    // assert_equals(document.getElementById("link-" + id).sheet.cssRules !== null, expectVisibility);
+}
+
+var _onloadTest_ = async_test(" Testing that link element to load stylesheets correctly handle crossorigin mode.");
+
+window._onload_ = function () {
+    test(function () {
+        checkCSSLoading('id0', false, true);
+    }, 'Same-origin URL link without crossorigin attribute should be loaded without an Origin header');
+    test(function () {
+        checkCSSLoading('id1', false, false);
+    }, 'Cross-origin URL link without crossorigin attribute should be loaded without an Origin header');
+    test(function () {
+        checkCSSLoading('id2', true, true);
+    }, 'Same-origin URL link with crossorigin="" attribute should be loaded with an Origin header');
+    test(function () {
+        checkCSSLoading('id3', true, true);
+    }, 'Cross-origin URL link with crossorigin="" should be loaded with an Origin header');
+    test(function () {
+        checkCSSLoading('id4', true, true);
+    }, 'Cross-origin URL link with crossorigin="anonymous" should be loaded with an Origin header');
+    test(function () {
+        checkCSSLoading('id5', true, true);
+    }, 'Cross-origin URL link with crossorigin="credentials" should be loaded with an Origin header');
+
+    onloadTest.done();
+};
+</script>
+</head>
+<body>
+    <div id="id0" class="id0"></div>
+    <div id="id1" class="id1"></div>
+    <div id="id2" class="id2"></div>
+    <div id="id3" class="id3"></div>
+    <div id="id4" class="id4"></div>
+    <div id="id5" class="id5"></div>
+</body>
+</html>
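Review bot: The last stylesheet link (`link-id5`) uses `crossorigin="credentials"`, which is not the keyword the new C++ code compares against (`"use-credentials"` in `setAsPotentiallyCrossOrigin`), so this case takes the same no-stored-credentials branch as `anonymous` and the credentialed branch is never exercised. A further case with `crossorigin="use-credentials"` would cover it; the PHP resource as committed sends no `Access-Control-Allow-Credentials` header, so that case would presumably need the fixture extended too. Separately, `checkCSSLoading` never reads `expectVisibility` because the `cssRules` assertion is commented out, so the test checks only that an Origin header was sent, not whether the page can read the sheet.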

Added: trunk/LayoutTests/http/tests/security/resources/get-css-if-origin-header.php (0 => 201930)


--- trunk/LayoutTests/http/tests/security/resources/get-css-if-origin-header.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/get-css-if-origin-header.php	2016-06-10 18:17:11 UTC (rev 201930)
@@ -0,0 +1,14 @@
+<?php
+header("Cache-Control: no-store");
+header("Content-Type: text/css");
+
+$id = isset($_GET['id']) ? $_GET['id'] : "id";
+$originHeader = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
+if ($originHeader) {
+    header("Access-Control-Allow-Origin: $originHeader");
+    echo "." . $id . " { background-color: yellow; }";
+} else {
+    echo "." . $id . " { background-color: blue; }";
+}
+
+?>
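Review bot: `$id` is taken from the query string and concatenated into the CSS body unchecked, and the request's `Origin` value is echoed straight into `Access-Control-Allow-Origin`. Both are tolerable only because this is a layout-test resource; a comment saying so, e.g. `// Test-only: reflects any Origin; do not reuse as a CORS example.`, would keep the pattern from being copied into a served endpoint. Constraining the selector is cheap: `if (!preg_match('/^[A-Za-z0-9_-]+$/', $id)) $id = "id";`.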

Modified: trunk/Source/WebCore/ChangeLog (201929 => 201930)


--- trunk/Source/WebCore/ChangeLog	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/ChangeLog	2016-06-10 18:17:11 UTC (rev 201930)
@@ -1,3 +1,35 @@
+2016-06-10  Youenn Fablet  <[email protected]>
+
+        Origin header is not included in CORS requests for preloaded cross-origin resources
+        https://bugs.webkit.org/show_bug.cgi?id=155761
+        <rdar://problem/25351850>
+
+        Reviewed by Alex Christensen.
+
+        Making HTML preloader fully aware of crossorigin attribute value.
+        Introducing CachedResourceRequest::setAsPotentiallyCrossOrigin as a helper routine to activate CORS mode.
+        Making HTMLLinkElement and HTMLResourcePreloader use that routine.
+        Making TokenPreloadScanner store the crossorigin attribute value in preload requests.
+        Making TokenPreloadScanner store the crossorigin attribute value for link elements.
+
+        Test: http/tests/security/cross-origin-css-9.html
+
+        * html/HTMLLinkElement.cpp:
+        (WebCore::HTMLLinkElement::process):
+        * html/parser/HTMLPreloadScanner.cpp:
+        (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
+        (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
+        * html/parser/HTMLResourcePreloader.cpp:
+        (WebCore::crossOriginModeAllowsCookies):
+        (WebCore::PreloadRequest::resourceRequest):
+        * html/parser/HTMLResourcePreloader.h:
+        (WebCore::PreloadRequest::setCrossOriginMode):
+        (WebCore::PreloadRequest::PreloadRequest): Deleted.
+        (WebCore::PreloadRequest::resourceType): Deleted.
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
+        * loader/cache/CachedResourceRequest.h:
+
 2016-06-10  Chris Dumez  <[email protected]>
 
         ErrorEvent / ProgressEvent should be exposed to workers

Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (201929 => 201930)


--- trunk/Source/WebCore/html/HTMLLinkElement.cpp	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp	2016-06-10 18:17:11 UTC (rev 201930)
@@ -261,9 +261,10 @@
             options.setContentSecurityPolicyImposition(ContentSecurityPolicyImposition::SkipPolicyCheck);
             request.setOptions(options);
         }
+        request.setAsPotentiallyCrossOrigin(crossOrigin(), document());
 
         m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(request);
-        
+
         if (m_cachedSheet)
             m_cachedSheet->addClient(this);
         else {
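Review bot: The added `setAsPotentiallyCrossOrigin` call depends on coming after `request.setOptions(options)` in the block just above it. The helper edits the request's options in place (`m_options.setRequestOriginPolicy(...)` in CachedResourceRequest.cpp), so a `setOptions` call placed later would presumably overwrite the CORS mode and credentials policy. A comment on the added line would protect the ordering, e.g. `// Keep after setOptions(): this updates the request's options in place.` The enclosing `HTMLLinkElement::process` starts and ends outside the hunk, so whether `crossOrigin()` returns the raw or a normalised attribute value cannot be confirmed from here.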

Modified: trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp (201929 => 201930)


--- trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp	2016-06-10 18:17:11 UTC (rev 201930)
@@ -22,7 +22,7 @@
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
@@ -143,8 +143,7 @@
             return nullptr;
 
         auto request = std::make_unique<PreloadRequest>(initiatorFor(m_tagId), m_urlToLoad, predictedBaseURL, resourceType(), m_mediaAttribute);
-
-        request->setCrossOriginModeAllowsCookies(crossOriginModeAllowsCookies());
+        request->setCrossOriginMode(m_crossOriginMode);
         request->setCharset(charset());
         return request;
     }
@@ -160,7 +159,7 @@
     {
         if (match(attributeName, srcAttr))
             setUrlToLoad(attributeValue);
-        else if (match(attributeName, crossoriginAttr) && !attributeValue.isNull())
+        else if (match(attributeName, crossoriginAttr))
             m_crossOriginMode = stripLeadingAndTrailingHTMLSpaces(attributeValue);
         else if (match(attributeName, charsetAttr))
             m_charset = attributeValue;
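Review bot: With the `!attributeValue.isNull()` guard removed, a null versus empty `m_crossOriginMode` is now the only thing separating "no crossorigin attribute" from `crossorigin=""`, since `setAsPotentiallyCrossOrigin` returns early only on `mode.isNull()`. That relies on `stripLeadingAndTrailingHTMLSpaces` keeping a null string null, which is not visible in this diff. If that is not guaranteed, the guard should stay; either way a comment on the assignment would document the contract, e.g. `// Null means the attribute is absent (no CORS); empty or unknown values mean anonymous CORS.` The same assignment is added for the link case in the `@@ -215,6 +214,8 @@` hunk, and `processAttribute` starts outside this hunk.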
@@ -215,6 +214,8 @@
                 m_mediaAttribute = attributeValue;
             else if (match(attributeName, charsetAttr))
                 m_charset = attributeValue;
+            else if (match(attributeName, crossoriginAttr))
+                m_crossOriginMode = stripLeadingAndTrailingHTMLSpaces(attributeValue);
             break;
         case TagId::Input:
             if (match(attributeName, srcAttr))
@@ -302,11 +303,6 @@
         return true;
     }
 
-    bool crossOriginModeAllowsCookies()
-    {
-        return m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials");
-    }
-
     TagId m_tagId;
     String m_urlToLoad;
     String m_srcSetAttribute;

Modified: trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp (201929 => 201930)


--- trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp	2016-06-10 18:17:11 UTC (rev 201930)
@@ -20,7 +20,7 @@
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
@@ -45,10 +45,7 @@
     ASSERT(isMainThread());
     CachedResourceRequest request(ResourceRequest(completeURL(document)));
     request.setInitiator(m_initiator);
-
-    // FIXME: It's possible CORS should work for other request types?
-    if (m_resourceType == CachedResource::Script)
-        request.mutableResourceRequest().setAllowCookies(m_crossOriginModeAllowsCookies);
+    request.setAsPotentiallyCrossOrigin(m_crossOriginMode, document);
     return request;
 }
 

Modified: trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h (201929 => 201930)


--- trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h	2016-06-10 18:17:11 UTC (rev 201930)
@@ -20,7 +20,7 @@
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef HTMLResourcePreloader_h
@@ -40,7 +40,6 @@
         , m_baseURL(baseURL.isolatedCopy())
         , m_resourceType(resourceType)
         , m_mediaAttribute(mediaAttribute)
-        , m_crossOriginModeAllowsCookies(false)
     {
     }
 
@@ -49,7 +48,7 @@
     const String& charset() const { return m_charset; }
     const String& media() const { return m_mediaAttribute; }
     void setCharset(const String& charset) { m_charset = charset.isolatedCopy(); }
-    void setCrossOriginModeAllowsCookies(bool allowsCookies) { m_crossOriginModeAllowsCookies = allowsCookies; }
+    void setCrossOriginMode(const String& mode) { m_crossOriginMode = mode; }
     CachedResource::Type resourceType() const { return m_resourceType; }
 
 private:
@@ -61,7 +60,7 @@
     String m_charset;
     CachedResource::Type m_resourceType;
     String m_mediaAttribute;
-    bool m_crossOriginModeAllowsCookies;
+    String m_crossOriginMode;
 };
 
 typedef Vector<std::unique_ptr<PreloadRequest>> PreloadRequestStream;

Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (201929 => 201930)


--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp	2016-06-10 18:17:11 UTC (rev 201930)
@@ -27,6 +27,7 @@
 #include "CachedResourceRequest.h"
 
 #include "CachedResourceLoader.h"
+#include "CrossOriginAccessControl.h"
 #include "Document.h"
 #include "Element.h"
 #include <wtf/NeverDestroyed.h>
@@ -92,4 +93,14 @@
     return defaultName;
 }
 
+void CachedResourceRequest::setAsPotentiallyCrossOrigin(const String& mode, Document& document)
+{
+    if (mode.isNull())
+        return;
+    m_options.setRequestOriginPolicy(PotentiallyCrossOriginEnabled);
+    m_options.setAllowCredentials(equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials);
+
+    updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.allowCredentials());
+}
+
 } // namespace WebCore
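Review bot: `setAsPotentiallyCrossOrigin` compares the raw `mode` string against `"use-credentials"`, so it depends on every caller normalising the attribute the same way. The preload scanner trims HTML spaces before storing the mode, but the `HTMLLinkElement` call passes `crossOrigin()`, whose normalisation is not shown. If the two differ, the preload and the real request could carry different credentials policies for the same element. Documenting the contract above the function (a null mode leaves the request untouched; any other value enables CORS, and only `use-credentials` allows stored credentials) and doing the normalisation once here would remove that dependency.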

Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.h (201929 => 201930)


--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.h	2016-06-10 18:01:54 UTC (rev 201929)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.h	2016-06-10 18:17:11 UTC (rev 201930)
@@ -65,6 +65,8 @@
     void setInitiator(DocumentLoader&);
     DocumentLoader* initiatingDocumentLoader() const { return m_initiatingDocumentLoader.get(); }
 
+    void setAsPotentiallyCrossOrigin(const String&, Document&);
+
 private:
     ResourceRequest m_resourceRequest;
     String m_charset;
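Review bot: The declaration `void setAsPotentiallyCrossOrigin(const String&, Document&);` gives no hint of what the string is, even though a null value is meaningful to the implementation. Naming the parameter and adding a one-line comment would make the header self-explanatory: `void setAsPotentiallyCrossOrigin(const String& crossOriginMode, Document&);` with `// A null mode leaves the request unchanged.` above it.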