Skip to site navigation (Press enter)

[webkit-changes] [99298] trunk

abarth Fri, 04 Nov 2011 11:09:42 -0700

Title: [99298] trunk

Revision: 99298
Author: [email protected]
Date: 2011-11-04 11:09:36 -0700 (Fri, 04 Nov 2011)

Log Message

Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
https://bugs.webkit.org/show_bug.cgi?id=71053


Reviewed by Darin Adler.

Source/WebCore:

The crossorigin attribute should behave like XMLHttpRequest:
same-origin images pass without and CORS headers, but CORS checks are
performed for cross-origin loads.  This patch better aligns our
behavior with Firefox, as discussed in the bug.

Test: http/tests/security/img-crossorigin-loads-same-origin.html

* loader/ImageLoader.cpp:
(WebCore::ImageLoader::notifyFinished):

LayoutTests:

Test that we succeed in loading a same-origin image without the help of
CORS even if the image has the crossorigin attribute.

* http/tests/security/img-crossorigin-loads-same-origin-expected.txt: Added.
* http/tests/security/img-crossorigin-loads-same-origin.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/ImageLoader.cpp

Added Paths

trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin-expected.txt
trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin.html

Diff

Modified: trunk/LayoutTests/ChangeLog (99297 => 99298)


--- trunk/LayoutTests/ChangeLog	2011-11-04 17:55:14 UTC (rev 99297)
+++ trunk/LayoutTests/ChangeLog	2011-11-04 18:09:36 UTC (rev 99298)
@@ -1,3 +1,16 @@
+2011-11-04  Adam Barth  <[email protected]>
+
+        Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=71053
+
+        Reviewed by Darin Adler.
+
+        Test that we succeed in loading a same-origin image without the help of
+        CORS even if the image has the crossorigin attribute.
+
+        * http/tests/security/img-crossorigin-loads-same-origin-expected.txt: Added.
+        * http/tests/security/img-crossorigin-loads-same-origin.html: Added.
+
 2011-11-04  Gaurav Shah  <[email protected]>
 
         HTMLKeygenElement: Fix "keytype" handling in appendFormData.

Added: trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin-expected.txt (0 => 99298)


--- trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin-expected.txt	2011-11-04 18:09:36 UTC (rev 99298)
@@ -0,0 +1,3 @@
+ALERT: PASS
+This image should load:
+

Added: trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin.html (0 => 99298)


--- trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/img-crossorigin-loads-same-origin.html	2011-11-04 18:09:36 UTC (rev 99298)
@@ -0,0 +1,15 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function loaded() {
+    var image = document.body.getElementsByTagName('img')[0];
+    alert(image.width > 0 ? 'PASS' : 'FAIL');
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+This image should load:<br>
+<img crossorigin="anonymous" src="" _onload_="loaded()">

Modified: trunk/Source/WebCore/ChangeLog (99297 => 99298)


--- trunk/Source/WebCore/ChangeLog	2011-11-04 17:55:14 UTC (rev 99297)
+++ trunk/Source/WebCore/ChangeLog	2011-11-04 18:09:36 UTC (rev 99298)
@@ -1,3 +1,20 @@
+2011-11-04  Adam Barth  <[email protected]>
+
+        Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=71053
+
+        Reviewed by Darin Adler.
+
+        The crossorigin attribute should behave like XMLHttpRequest:
+        same-origin images pass without and CORS headers, but CORS checks are
+        performed for cross-origin loads.  This patch better aligns our
+        behavior with Firefox, as discussed in the bug.
+
+        Test: http/tests/security/img-crossorigin-loads-same-origin.html
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::notifyFinished):
+
 2011-11-04  Gaurav Shah  <[email protected]>
 
         HTMLKeygenElement: Fix "keytype" handling in appendFormData.

Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (99297 => 99298)


--- trunk/Source/WebCore/loader/ImageLoader.cpp	2011-11-04 17:55:14 UTC (rev 99297)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp	2011-11-04 18:09:36 UTC (rev 99298)
@@ -33,6 +33,7 @@
 #include "HTMLParserIdioms.h"
 #include "RenderImage.h"
 #include "ScriptCallStack.h"
+#include "SecurityOrigin.h"
 
 #if ENABLE(SVG)
 #include "RenderSVGImage.h"
@@ -240,7 +241,10 @@
     if (m_firedLoad)
         return;
 
-    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr)
+        && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
+        && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+
         setImage(0);
 
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin image load denied by Cross-Origin Resource Sharing policy."));

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes