Title: [205265] trunk
Revision: 205265
Author: [email protected]
Date: 2016-08-31 13:18:44 -0700 (Wed, 31 Aug 2016)

Log Message

[Fetch API] Fetch API should be able to load data URL in Same Origin mode
https://bugs.webkit.org/show_bug.cgi?id=161434

Patch by Youenn Fablet <[email protected]> on 2016-08-31
Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

* web-platform-tests/fetch/api/basic/scheme-data-expected.txt:
* web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt:
* web-platform-tests/fetch/api/basic/scheme-data.js:
(checkFetchResponse):
* web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt: Added.
* web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt: Added.
* web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html: Added.
* web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html: Added.
* web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js: Added.
(redirectDataURL):

Source/WebCore:

Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html
       imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html
Covered also by added sub-test.

Moving SameDataURLOrigin option from ThreadableLoaderOptions to ResourceLoaderOptions.
This allows doing some of the checks in CachedResourceLoader/CachedResource.
This also allows setting this option in CachedResourceLoader clients, ImageLoader in that case.

* Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start): Setting sameOriginDataURL as ResourceLoader option.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::updateFromElement): Setting sameOriginDataURL as specified in
https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element.
* loader/ResourceLoaderOptions.h: Adding sameOriginDataURL as ResourceLoader option.
* loader/ThreadableLoader.cpp:
(WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Removing sameOriginDataURL option.
* loader/ThreadableLoader.h:
* loader/WorkerThreadableLoader.cpp: Setting sameOriginDataURL as ResourceLoader option.
(WebCore::LoaderTaskOptions::LoaderTaskOptions):
* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::load): If resource URL is a data url, we previously marked the resource as same origin.
We only do that now if the sameOriginDataURL flag is set as per fetch specification.
See https://fetch.spec.whatwg.org/#main-fetch.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::isSameOriginDataURL): Helper function.
(WebCore::CachedResourceLoader::canRequest): Allowing same origin loads of data URLs if flag is set and no redirection happens.
See https://fetch.spec.whatwg.org/#http-redirect-fetch for why we check redirection.

Diff

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (205264 => 205265)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2016-08-31 20:18:44 UTC (rev 205265)
@@ -1,5 +1,23 @@
 2016-08-31  Youenn Fablet  <[email protected]>
 
+        [Fetch API] Fetch API should be able to load data URL in Same Origin mode
+        https://bugs.webkit.org/show_bug.cgi?id=161434
+
+        Reviewed by Sam Weinig.
+
+        * web-platform-tests/fetch/api/basic/scheme-data-expected.txt:
+        * web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt:
+        * web-platform-tests/fetch/api/basic/scheme-data.js:
+        (checkFetchResponse):
+        * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html: Added.
+        * web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js: Added.
+        (redirectDataURL):
+
+2016-08-31  Youenn Fablet  <[email protected]>
+
         [Fetch API] Request construction failure should not set "bodyUsed"
         https://bugs.webkit.org/show_bug.cgi?id=161432
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-expected.txt (205264 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-expected.txt	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-expected.txt	2016-08-31 20:18:44 UTC (rev 205265)
@@ -1,5 +1,7 @@
 
 PASS Fetching data:,response%27s%20body is OK 
+PASS Fetching data:,response%27s%20body is OK (same-origin) 
+PASS Fetching data:,response%27s%20body is OK (cors) 
 PASS Fetching data:text/plain;base64,cmVzcG9uc2UncyBib[...] is OK 
 PASS Fetching [...] is OK 
 FAIL Fetching [GET] data:notAdataUrl.com is KO assert_unreached: Should have rejected. Reached unreachable code

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt (205264 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt	2016-08-31 20:18:44 UTC (rev 205265)
@@ -1,5 +1,7 @@
 
 PASS Fetching data:,response%27s%20body is OK 
+PASS Fetching data:,response%27s%20body is OK (same-origin) 
+PASS Fetching data:,response%27s%20body is OK (cors) 
 PASS Fetching data:text/plain;base64,cmVzcG9uc2UncyBib[...] is OK 
 PASS Fetching [...] is OK 
 FAIL Fetching [GET] data:notAdataUrl.com is KO assert_unreached: Should have rejected. Reached unreachable code

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data.js (205264 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data.js	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data.js	2016-08-31 20:18:44 UTC (rev 205265)
@@ -3,11 +3,16 @@
   importScripts("../resources/utils.js");
 }
 
-function checkFetchResponse(url, data, mime) {
+function checkFetchResponse(url, data, mime, fetchMode) {
   var cut = (url.length >= 40) ? "[...]" : "";
-  desc = "Fetching " + url.substring(0, 40) + cut + " is OK"
+  desc = "Fetching " + url.substring(0, 40) + cut + " is OK";
+  var init = { };
+  if (fetchMode) {
+    init.mode = fetchMode;
+    desc += " (" + fetchMode + ")";
+  }
   promise_test(function(test) {
-    return fetch(url).then(function(resp) {
+    return fetch(url, init).then(function(resp) {
       assert_equals(resp.status, 200, "HTTP status is 200");
       assert_equals(resp.statusText, "OK", "HTTP statusText is OK");
       assert_equals(resp.type, "basic", "response type is basic");
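Review bot: `desc` in checkFetchResponse is still assigned without `var`, so it is an implicit global, while the new `init` just below it is declared properly. Since this line is being touched anyway, make it `var desc = ...`; three calls now share the same URL and differ only by mode, so a per-call local keeps each description tied to its own test.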
@@ -20,6 +25,8 @@
 }
 
 checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII");
+checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII", "same-origin");
+checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII", "cors");
 checkFetchResponse("data:text/plain;base64,cmVzcG9uc2UncyBib2R5", "response's body", "text/plain");
 checkFetchResponse("",
                    "response's body",
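Review bot: the mode variants are added only for the plain `data:,` URL, and only for "same-origin" and "cors". Since the change under test is the loader's same-origin decision for data URLs, run the base64 URL on the following line through the same two modes as well, and either add a "no-cors" call or say why it is left out.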

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt (0 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt	2016-08-31 20:18:44 UTC (rev 205265)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+
+PASS Testing data URL loading after same-origin redirection (cors mode) 
+PASS Testing data URL loading after same-origin redirection (no-cors mode) 
+PASS Testing data URL loading after same-origin redirection (same-origin mode) 
+PASS Testing data URL loading after cross-origin redirection (cors mode) 
+PASS Testing data URL loading after cross-origin redirection (no-cors mode) 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt (0 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt	2016-08-31 20:18:44 UTC (rev 205265)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl-worker.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+
+PASS Testing data URL loading after same-origin redirection (cors mode) 
+PASS Testing data URL loading after same-origin redirection (no-cors mode) 
+PASS Testing data URL loading after same-origin redirection (same-origin mode) 
+PASS Testing data URL loading after cross-origin redirection (cors mode) 
+PASS Testing data URL loading after cross-origin redirection (no-cors mode) 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html (0 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html	2016-08-31 20:18:44 UTC (rev 205265)
@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Fetch in worker: data URL loading after redirections</title>
+    <script src=""
+    <script src=""
+  </head>
+  <body>
+    <script>
+      fetch_tests_from_worker(new Worker("redirect-to-dataurl.js"));
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html (0 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html	2016-08-31 20:18:44 UTC (rev 205265)
@@ -0,0 +1,13 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Fetch: data URL loading after redirections</title>
+    <script src=""
+    <script src=""
+  </head>
+  <body>
+    <script src=""
+    <script src=""
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js (0 => 205265)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js	2016-08-31 20:18:44 UTC (rev 205265)
@@ -0,0 +1,35 @@
+if (this.document === undefined) {
+  importScripts("/common/get-host-info.sub.js")
+  importScripts("/resources/testharness.js");
+}
+
+var dataURL = "data:text/plain;base64,cmVzcG9uc2UncyBib2R5";
+var body = "response's body";
+var contentType = "text/plain";
+
+function redirectDataURL(desc, redirectUrl, mode, isOK) {
+    var url = "" +  "?cors&location=" + encodeURIComponent(dataURL);
+
+    var requestInit = {"mode": mode};
+
+    promise_test(function(test) {
+        var promise = fetch(url, requestInit).then(function(response) {
+            assert_equals(response.type, "opaque", "Response's type should be opaque");
+            assert_equals(response.url, "", "Response URL is empty");
+            assert_equals(response.status, 0, "Response's status should be 0");
+        });
+        return isOK ? promise : promise_rejects(test, new TypeError(), promise);
+    }, desc);
+}
+
+var redirUrl = get_host_info().HTTP_ORIGIN + "/fetch/api/resources/redirect.py";
+var corsRedirUrl = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/api/resources/redirect.py";
+
+redirectDataURL("Testing data URL loading after same-origin redirection (cors mode)", redirUrl, "cors", false);
+redirectDataURL("Testing data URL loading after same-origin redirection (no-cors mode)", redirUrl, "no-cors", true);
+redirectDataURL("Testing data URL loading after same-origin redirection (same-origin mode)", redirUrl, "same-origin", false);
+
+redirectDataURL("Testing data URL loading after cross-origin redirection (cors mode)", corsRedirUrl, "cors", false);
+redirectDataURL("Testing data URL loading after cross-origin redirection (no-cors mode)", corsRedirUrl, "no-cors", true);
+
+done();
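Review bot: `body` and `contentType` are declared at the top of redirect-to-dataurl.js but never read; the only success path asserts an opaque response, so neither can be checked, and they should be dropped. The first `importScripts(...)` line is also missing its semicolon. There is no case for cross-origin redirection in "same-origin" mode; add one with isOK false or note in a comment why it is omitted.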

Modified: trunk/Source/WebCore/ChangeLog (205264 => 205265)


--- trunk/Source/WebCore/ChangeLog	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/ChangeLog	2016-08-31 20:18:44 UTC (rev 205265)
@@ -1,3 +1,38 @@
+2016-08-31  Youenn Fablet  <[email protected]>
+
+        [Fetch API] Fetch API should be able to load data URL in Same Origin mode
+        https://bugs.webkit.org/show_bug.cgi?id=161434
+
+        Reviewed by Sam Weinig.
+
+        Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html
+               imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html
+        Covered also by added sub-test.
+
+        Moving SameDataURLOrigin option from ThreadableLoaderOptions to ResourceLoaderOptions.
+        This allows doing some of the checks in CachedResourceLoader/CachedResource.
+        This also allows setting this options in CachedResourceLoader clients, ImageLoader in that case.
+
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start): Setting sameOriginDataURL as ResourceLoader option.
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::updateFromElement): Setting sameOriginDataURL as specificied in
+        https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element.
+        * loader/ResourceLoaderOptions.h: Adding sameOriginDataURL as ResourceLoader option.
+        * loader/ThreadableLoader.cpp:
+        (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Removing sameOriginDataURL option.
+        * loader/ThreadableLoader.h:
+        * loader/WorkerThreadableLoader.cpp: Setting sameOriginDataURL as ResourceLoader option.
+        (WebCore::LoaderTaskOptions::LoaderTaskOptions):
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::load): If resource URL is a data url, we previously marked the resource as same origin.
+        We only do that now if the sameOriginDataURL flag is set as per fetch specification.
+        See https://fetch.spec.whatwg.org/#main-fetch.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::isSameOriginDataURL): Helper function.
+        (WebCore::CachedResourceLoader::canRequest): Allowing same origin loads of data URLs if flag is set and no redirection happens.
+        See https://fetch.spec.whatwg.org/#http-redirect-fetch for why we check redirection.
+
 2016-08-31  Ryosuke Niwa  <[email protected]>
 
         HTML constructor must throw when newTarget is itself
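Review bot: the entry says "Moving SameDataURLOrigin option", but the type and member in this patch are SameOriginDataURLFlag and sameOriginDataURLFlag; use the real name so the ChangeLog can be searched against the code. Also, "specificied" should be "specified" and "setting this options" should be "setting this option".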

Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (205264 => 205265)


--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -77,10 +77,10 @@
     ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight,
         context.shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective,
         String(cachedResourceRequestInitiators().fetch),
-        OpaqueResponseBodyPolicy::DoNotReceive,
-        SameOriginDataURLFlag::Set);
+        OpaqueResponseBodyPolicy::DoNotReceive);
     options.sendLoadCallbacks = SendCallbacks;
     options.dataBufferingPolicy = DoNotBufferData;
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
     ResourceRequest fetchRequest = request.internalRequest();
 

Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (205264 => 205265)


--- trunk/Source/WebCore/loader/ImageLoader.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -175,6 +175,7 @@
     if (!attr.isNull() && !stripLeadingAndTrailingHTMLSpaces(attr).isEmpty()) {
         ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
         options.contentSecurityPolicyImposition = element().isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
+        options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
         CachedResourceRequest request(ResourceRequest(document.completeURL(sourceURI(attr))), options);
         request.setInitiator(&element());
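Review bot: nothing at this call site explains why image loads now treat data URLs as same-origin. Add a one-line comment on the new `options.sameOriginDataURLFlag` assignment pointing at the img element section of the HTML spec that the ChangeLog cites. This is a behaviour change for image loading, yet both tests listed in the ChangeLog are fetch redirect tests; please name the test that covers the ImageLoader path.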

Modified: trunk/Source/WebCore/loader/ResourceLoaderOptions.h (205264 => 205265)


--- trunk/Source/WebCore/loader/ResourceLoaderOptions.h	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/ResourceLoaderOptions.h	2016-08-31 20:18:44 UTC (rev 205265)
@@ -80,6 +80,11 @@
     MayAskClientForCredentials
 };
 
+enum class SameOriginDataURLFlag {
+    Set,
+    Unset
+};
+
 struct ResourceLoaderOptions : public FetchOptions {
     ResourceLoaderOptions() { }
 
@@ -110,6 +115,7 @@
     ContentSecurityPolicyImposition contentSecurityPolicyImposition { ContentSecurityPolicyImposition::DoPolicyCheck };
     DefersLoadingPolicy defersLoadingPolicy { DefersLoadingPolicy::AllowDefersLoading };
     CachingPolicy cachingPolicy { CachingPolicy::AllowCaching };
+    SameOriginDataURLFlag sameOriginDataURLFlag { SameOriginDataURLFlag::Unset };
 
     ClientCredentialPolicy clientCredentialPolicy { ClientCredentialPolicy::CannotAskClientForCredentials };
 };
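Review bot: the new `sameOriginDataURLFlag` member defaults to Unset with no comment on what it governs, and the enum added above is equally bare. Because this default decides whether a data URL is treated as same-origin for every ResourceLoaderOptions user, add a short comment here or on the enum that references https://fetch.spec.whatwg.org/#main-fetch, as the ChangeLog does.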

Modified: trunk/Source/WebCore/loader/ThreadableLoader.cpp (205264 => 205265)


--- trunk/Source/WebCore/loader/ThreadableLoader.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/ThreadableLoader.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -50,13 +50,12 @@
 {
 }
 
-ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy opaqueResponse, SameOriginDataURLFlag sameOriginDataURLFlag)
+ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy opaqueResponse)
     : ResourceLoaderOptions(baseOptions)
     , preflightPolicy(preflightPolicy)
     , contentSecurityPolicyEnforcement(contentSecurityPolicyEnforcement)
     , initiator(WTFMove(initiator))
     , opaqueResponse(opaqueResponse)
-    , sameOriginDataURLFlag(sameOriginDataURLFlag)
 {
 }
 

Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (205264 => 205265)


--- trunk/Source/WebCore/loader/ThreadableLoader.h	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h	2016-08-31 20:18:44 UTC (rev 205265)
@@ -63,14 +63,9 @@
         DoNotReceive
     };
 
-    enum class SameOriginDataURLFlag {
-        Set,
-        Unset
-    };
-
     struct ThreadableLoaderOptions : ResourceLoaderOptions {
         ThreadableLoaderOptions();
-        ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, ContentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy, SameOriginDataURLFlag);
+        ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, ContentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy);
         ~ThreadableLoaderOptions();
 
         PreflightPolicy preflightPolicy { ConsiderPreflight };
@@ -77,7 +72,6 @@
         ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement { ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective };
         String initiator; // This cannot be an AtomicString, as isolatedCopy() wouldn't create an object that's safe for passing to another thread.
         OpaqueResponseBodyPolicy opaqueResponse { OpaqueResponseBodyPolicy::Receive };
-        SameOriginDataURLFlag sameOriginDataURLFlag { SameOriginDataURLFlag::Unset };
     };
 
     // Useful for doing loader operations from any thread (not threadsafe,

Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp (205264 => 205265)


--- trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -92,7 +92,7 @@
 };
 
 LoaderTaskOptions::LoaderTaskOptions(const ThreadableLoaderOptions& options, const String& referrer, const SecurityOrigin& origin)
-    : options(options, options.preflightPolicy, options.contentSecurityPolicyEnforcement, options.initiator.isolatedCopy(), options.opaqueResponse, options.sameOriginDataURLFlag)
+    : options(options, options.preflightPolicy, options.contentSecurityPolicyEnforcement, options.initiator.isolatedCopy(), options.opaqueResponse)
     , referrer(referrer.isolatedCopy())
     , origin(origin.isolatedCopy())
 {

Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (205264 => 205265)


--- trunk/Source/WebCore/loader/cache/CachedResource.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -309,7 +309,7 @@
             m_origin = cachedResourceLoader.document()->securityOrigin();
         ASSERT(m_origin);
 
-        if (!m_resourceRequest.url().protocolIsData() && m_origin && !m_origin->canRequest(m_resourceRequest.url()))
+        if (!(m_resourceRequest.url().protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set)  && m_origin && !m_origin->canRequest(m_resourceRequest.url()))
             setCrossOrigin();
 
         addAdditionalRequestHeaders(cachedResourceLoader);
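Review bot: with this condition, a data URL request whose options leave sameOriginDataURLFlag at its default now falls through to `m_origin->canRequest(...)` and can end up in `setCrossOrigin()`, where before every data URL skipped the check. The only call sites that set the flag in this patch are FetchLoader and ImageLoader, so please confirm that the other CachedResourceLoader clients are meant to change behaviour. The line also has a double space before the second `&&` and repeats the test that isSameOriginDataURL encodes in CachedResourceLoader.cpp; sharing one helper would keep the two from drifting apart.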

Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (205264 => 205265)


--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2016-08-31 19:54:12 UTC (rev 205264)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2016-08-31 20:18:44 UTC (rev 205265)
@@ -382,6 +382,11 @@
     return true;
 }
 
+static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse)
+{
+    return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
+}
+
 bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
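Review bot: isSameOriginDataURL returns false as soon as `didReceiveRedirectResponse` is true, but the reason is only given in the ChangeLog. Put a short comment on the helper that references https://fetch.spec.whatwg.org/#http-redirect-fetch, so the redirect exclusion is not removed later as if it were an oversight.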
@@ -394,9 +399,8 @@
     bool skipContentSecurityPolicyCheck = options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck;
     ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
 
-    // Some types of resources can be loaded only from the same origin.  Other
-    // types of resources, like Images, Scripts, and CSS, can be loaded from
-    // any URL.
+    // Some types of resources can be loaded only from the same origin. Other types of resources, like Images, Scripts, and CSS, can be loaded from any URL.
+    // FIXME: We should remove that check and handle it by setting the correct ResourceLoaderOptions::mode.
     switch (type) {
     case CachedResource::MainResource:
     case CachedResource::ImageResource:
@@ -416,7 +420,7 @@
 #if ENABLE(VIDEO_TRACK)
     case CachedResource::TextTrackResource:
 #endif
-        if (options.mode == FetchOptions::Mode::SameOrigin && !m_document->securityOrigin()->canRequest(url)) {
+        if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) &&!m_document->securityOrigin()->canRequest(url)) {
             printAccessDeniedMessage(url);
             return false;
         }
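Review bot: `&&!m_document->securityOrigin()` is missing a space after `&&`. The condition now chains three terms on one line; hoisting the data URL exemption into a named local would make the same-origin rule easier to read. This branch also dereferences `m_document` directly, while the top of canRequest guards `document()` against null; worth checking that the two are consistent.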