Title: [98215] trunk
Revision: 98215
Author: [email protected]
Date: 2011-10-23 21:36:38 -0700 (Sun, 23 Oct 2011)

Log Message

<img crossorigin> should fail to load when CORS check fails
https://bugs.webkit.org/show_bug.cgi?id=69732

Reviewed by Darin Adler.

Source/WebCore:

When loading an image with the crossorigin attribute, the spec says
that we're not supposed to load the image if the CORS check fails.
This "fails fast" behavior is intended to help developers understand
whether they've configured CORS correctly (instead of only catching the
error later when trying to read back the canvas).

Our new behavior matches the spec and Firefox.

Test: http/tests/security/img-with-failed-cors-check-fails-to-load.html

* loader/ImageLoader.cpp:
(WebCore::ImageLoader::notifyFinished):

LayoutTests:

Test that images loaded with the crossorigin attribute fail to load if
the CORS access check doesn't pass.

* http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt: Added.
* http/tests/security/img-with-failed-cors-check-fails-to-load.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (98214 => 98215)


--- trunk/LayoutTests/ChangeLog	2011-10-24 03:58:03 UTC (rev 98214)
+++ trunk/LayoutTests/ChangeLog	2011-10-24 04:36:38 UTC (rev 98215)
@@ -1,3 +1,16 @@
+2011-10-23  Adam Barth  <[email protected]>
+
+        <img crossorigin> should fail to load when CORS check fails
+        https://bugs.webkit.org/show_bug.cgi?id=69732
+
+        Reviewed by Darin Adler.
+
+        Test that images loaded with the crossorigin attribute fail to load if
+        the CORS access check doesn't pass.
+
+        * http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt: Added.
+        * http/tests/security/img-with-failed-cors-check-fails-to-load.html: Added.
+
 2011-10-23  Filip Pizlo  <[email protected]>
 
         DFG should inline constructors

Added: trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt (0 => 98215)


--- trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt	2011-10-24 04:36:38 UTC (rev 98215)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+This test passes if the image below does not load. 

Added: trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load.html (0 => 98215)


--- trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load.html	2011-10-24 04:36:38 UTC (rev 98215)
@@ -0,0 +1,16 @@
+<body>
+This test passes if the image below does not load.
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var img = new Image();
+
+img.addEventListener('load', function(event) {
+    alert('FAIL: The image loaded.');
+}, false);
+
+img.crossOrigin = "";
+img.src = ""
+document.body.appendChild(img);
+</script>
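Review bot: The only in-page signal in this test is the absence of the 'FAIL' alert from the 'load' listener; the refusal itself is checked solely through the console line in the expected file. Consider adding an 'error' listener that prints a PASS line, so the expected output records positively how the denied load is surfaced to the page. Also, on the visible line `img.src = ""` the source is the empty string and the statement has no terminating semicolon; the test needs a URL on another origin whose response carries no CORS headers for the access check to run at all.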

Modified: trunk/Source/WebCore/ChangeLog (98214 => 98215)


--- trunk/Source/WebCore/ChangeLog	2011-10-24 03:58:03 UTC (rev 98214)
+++ trunk/Source/WebCore/ChangeLog	2011-10-24 04:36:38 UTC (rev 98215)
@@ -1,3 +1,23 @@
+2011-10-23  Adam Barth  <[email protected]>
+
+        <img crossorigin> should fail to load when CORS check fails
+        https://bugs.webkit.org/show_bug.cgi?id=69732
+
+        Reviewed by Darin Adler.
+
+        When loading an image with the crossorigin attribute, the spec says
+        that we're not supposed to load the image if the CORS check fails.
+        This "fails fast" behavior is intended to help developers understand
+        whether they've configured CORS correctly (instead of only catching the
+        error later when trying to read back the canvas).
+
+        Our new behavior matches the spec and Firefox.
+
+        Test: http/tests/security/img-with-failed-cors-check-fails-to-load.html
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::notifyFinished):
+
 2011-10-23  Noel Gordon  <[email protected]>
 
         [chromium] Remove GeolocationServiceGtk.{h,cpp} from the gyp projects

Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (98214 => 98215)


--- trunk/Source/WebCore/loader/ImageLoader.cpp	2011-10-24 03:58:03 UTC (rev 98214)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp	2011-10-24 04:36:38 UTC (rev 98215)
@@ -32,6 +32,7 @@
 #include "HTMLObjectElement.h"
 #include "HTMLParserIdioms.h"
 #include "RenderImage.h"
+#include "ScriptCallStack.h"
 
 #if ENABLE(SVG)
 #include "RenderSVGImage.h"
@@ -239,6 +240,16 @@
     if (m_firedLoad)
         return;
 
+    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+        setImage(0);
+
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin image load denied by Cross-Origin Resource Sharing policy."));
+        m_element->document()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String(), 0);
+
+        ASSERT(m_firedLoad);
+        return;
+    }
+
     if (resource->wasCanceled()) {
         m_firedLoad = true;
         return;
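Review bot: In the new crossorigin branch of notifyFinished, the denial is reported only as a fixed console string with a hard-coded line number of 1 and an empty source URL (`String()`), so a page with several <img crossorigin> elements cannot tell which load was refused. Since the stated goal is helping developers diagnose their CORS configuration, consider including the requested image URL in the message. Separately, the branch returns after `setImage(0)` guarded only by `ASSERT(m_firedLoad)`, which is compiled out of release builds, and nothing visible in the branch dispatches an error event to the element; a short comment stating that setImage(0) is expected to set m_firedLoad, and whether an error event is meant to fire on this path, would make the control flow easier to audit.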