Title: [218300] trunk
Revision: 218300
Author: [email protected]
Date: 2017-06-14 18:01:08 -0700 (Wed, 14 Jun 2017)

Log Message

Restrict filtered painting across cross-origin boundaries with transforms
https://bugs.webkit.org/show_bug.cgi?id=173388
<rdar://problem/27362159>

Reviewed by Simon Fraser.

Source/WebCore:

Make sure all cases of LayerPaintingInfo maintain the security
flag. In this case there was only one new place, and since
everything is scalar, there was no need for a real copy constructor.

Test: http/tests/css/filters-on-iframes-transform.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paintLayerByApplyingTransform): Make sure the cross
origin flag is used in the call to paint the layer children.
* rendering/RenderLayer.h: Fix some typos.

LayoutTests:

New test that checks painting across an origin boundary when in
a transformed container. Also clean up the existing test
to make it smfr-compliant (green is good, red is bad).

* http/tests/css/filters-on-iframes-expected.html:
* http/tests/css/filters-on-iframes-transform-expected.html: Added.
* http/tests/css/filters-on-iframes-transform.html: Added.
* http/tests/css/filters-on-iframes.html:
* http/tests/css/resources/references-external-green.html: Copied from LayoutTests/http/tests/css/resources/references-external.html.
* http/tests/css/resources/references-external-red.html: Renamed from LayoutTests/http/tests/css/resources/references-external.html.
* http/tests/css/resources/solid-green.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (218299 => 218300)


--- trunk/LayoutTests/ChangeLog	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/LayoutTests/ChangeLog	2017-06-15 01:01:08 UTC (rev 218300)
@@ -1,3 +1,23 @@
+2017-06-14  Dean Jackson  <[email protected]>
+
+        Restrict filtered painting across cross-origin boundaries with transforms
+        https://bugs.webkit.org/show_bug.cgi?id=173388
+        <rdar://problem/27362159>
+
+        Reviewed by Simon Fraser.
+
+        New test that checks painting across a origin boundary when in
+        a transformed container. Also clean up the existing test
+        to make it smfr-compliant (green is good, red is bad).
+
+        * http/tests/css/filters-on-iframes-expected.html:
+        * http/tests/css/filters-on-iframes-transform-expected.html: Added.
+        * http/tests/css/filters-on-iframes-transform.html: Added.
+        * http/tests/css/filters-on-iframes.html:
+        * http/tests/css/resources/references-external-green.html: Copied from LayoutTests/http/tests/css/resources/references-external.html.
+        * http/tests/css/resources/references-external-red.html: Renamed from LayoutTests/http/tests/css/resources/references-external.html.
+        * http/tests/css/resources/solid-green.html: Added.
+
 2017-06-14  Matt Lewis  <[email protected]>
 
         Unreviewed, rolling out r218161.
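
Review bot: In the new entry, "across a origin boundary" should read "across an origin boundary". "smfr-compliant" is in-group shorthand; the parenthetical already states the convention, so the entry could simply say the existing test now follows the green-is-good, red-is-bad convention.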

Modified: trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html (218299 => 218300)


--- trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes-expected.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -5,36 +5,60 @@
 }
 iframe {
     border: none;
+    background-color: red;
 }
 div {
     display: inline-block;
 }
+.filtered {
+    filter: url(#noop);
+}
+.wrapper {
+    width: 300px;
+    height: 150px;
+    overflow: hidden;
+}
+.scroll {
+    width: 50px;
+    height: 50px;
+    overflow: hidden;
+    transform: scale(20);
+}
+svg {
+    display: none;
+}
 </style>
+<p>Seeing green is ok. Seeing any red is bad.</p>
 
+<p>Same origin</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <br>
 
+<p>Cross origin (must have http server running)</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe style="background-color: white" src=""
 </div>
 
 <br>
 
+<p>Same origin that then references cross origin (must have http server running)</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe style="background-color: white" src=""
 </div>
+
+<br>
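
Review bot: The `.wrapper` and `.scroll` rules added to the style block are not used by any element in this file's markup, which only has plain `div` and `div class="filtered"` containers, and the matching hunks for filters-on-iframes.html do not add them. They look carried over from the transform test; drop them so the reference contains only what it renders.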

Added: trunk/LayoutTests/http/tests/css/filters-on-iframes-transform-expected.html (0 => 218300)


--- trunk/LayoutTests/http/tests/css/filters-on-iframes-transform-expected.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes-transform-expected.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -0,0 +1,42 @@
+<style>
+body {
+    margin: 0;
+    padding: 0;
+}
+iframe {
+    border: none;
+    background-color: red;
+}
+div {
+    display: inline-block;
+}
+.filtered {
+    filter: url(#noop);
+}
+.wrapper {
+    width: 300px;
+    height: 150px;
+    overflow: hidden;
+}
+.scroll {
+    width: 50px;
+    height: 50px;
+    overflow: hidden;
+    transform: scale(20);
+}
+svg {
+    display: none;
+}
+</style>
+<p>Cross origin with transform (must have http server running)</p>
+<div class="wrapper">
+    <div class="scroll">
+        <iframe src=""
+    </div>
+</div>
+
+<div class="wrapper filtered">
+    <div class="scroll">
+        <iframe style="background-color: white" src=""
+    </div>
+</div>
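
Review bot: The reference applies `class="wrapper filtered"` and declares `.filtered { filter: url(#noop); }`, but this 42-line file ends at the closing `</div>` and never defines a `<filter id="noop">`, so the expected rendering depends on how an unresolved filter reference is treated. Either define the filter here as the test page does, or remove the `filtered` class and the `svg { display: none; }` rule so the reference does not involve filters at all.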
Property changes on: trunk/LayoutTests/http/tests/css/filters-on-iframes-transform-expected.html
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Date Revision \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Added: trunk/LayoutTests/http/tests/css/filters-on-iframes-transform.html (0 => 218300)


--- trunk/LayoutTests/http/tests/css/filters-on-iframes-transform.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes-transform.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -0,0 +1,51 @@
+<style>
+body {
+    margin: 0;
+    padding: 0;
+}
+iframe {
+    border: none;
+    background-color: red;
+}
+div {
+    display: inline-block;
+}
+.filtered {
+    filter: url(#noop);
+}
+.wrapper {
+    width: 300px;
+    height: 150px;
+    overflow: hidden;
+}
+.scroll {
+    width: 50px;
+    height: 50px;
+    overflow: hidden;
+    transform: scale(20);
+}
+svg {
+    display: none;
+}
+</style>
+
+<p>Cross origin with transform (must have http server running)</p>
+<div class="wrapper">
+    <div class="scroll">
+        <iframe src=""
+    </div>
+</div>
+
+<div class="wrapper filtered">
+    <div class="scroll">
+        <iframe style="background-color: white" src=""
+    </div>
+</div>
+
+<svg>
+    <defs>
+        <filter id="noop">
+            <feMorphology operator="dilate" in="SourceGraphic" radius="0"/>
+        </filter>
+    </defs>
+</svg>
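
Review bot: Missing pass criteria and rationale in the new test: filters-on-iframes.html gains "Seeing green is ok. Seeing any red is bad." in this same change, but this page has only the "Cross origin with transform" caption, and nothing says why the filtered frame is expected to show its inline white background. Add the instruction line (to the -expected file as well) and a short comment that the `transform: scale(20)` on `.scroll` is what makes this the transformed-container case the fix targets. `.scroll` is also a misleading name for a box that is `overflow: hidden`.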
Property changes on: trunk/LayoutTests/http/tests/css/filters-on-iframes-transform.html
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Date Revision \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/LayoutTests/http/tests/css/filters-on-iframes.html (218299 => 218300)


--- trunk/LayoutTests/http/tests/css/filters-on-iframes.html	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/LayoutTests/http/tests/css/filters-on-iframes.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -5,6 +5,7 @@
 }
 iframe {
     border: none;
+    background-color: red;
 }
 div {
     display: inline-block;
@@ -16,35 +17,41 @@
     display: none;
 }
 </style>
+<p>Seeing green is ok. Seeing any red is bad.</p>
 
+<p>Same origin</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <br>
 
+<p>Cross origin (must have http server running)</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe style="background-color: white" src=""
 </div>
 
 <br>
 
+<p>Same origin that then references cross origin (must have http server running)</p>
 <div>
-    <iframe src=""
+    <iframe src=""
 </div>
 
 <div class="filtered">
-    <iframe src=""
+    <iframe style="background-color: white" src=""
 </div>
 
+<br>
+
 <svg>
     <defs>
         <filter id="noop">
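
Review bot: The two filtered cross-origin frames override the failure colour with an inline `style="background-color: white"`, so the passing result for them is white, which the new "Seeing green is ok. Seeing any red is bad." line does not cover. State in the captions that the filtered cross-origin frame is expected to be blank, and consider a named class in the style block instead of the repeated inline style.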

Copied: trunk/LayoutTests/http/tests/css/resources/references-external-green.html (from rev 218299, trunk/LayoutTests/http/tests/css/resources/references-external.html) (0 => 218300)


--- trunk/LayoutTests/http/tests/css/resources/references-external-green.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/references-external-green.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -0,0 +1,11 @@
+<style>
+body {
+    margin: 0;
+    padding: 0;
+}
+
+iframe {
+    border: none;
+}
+</style>
+<iframe src=""

Copied: trunk/LayoutTests/http/tests/css/resources/references-external-red.html (from rev 218299, trunk/LayoutTests/http/tests/css/resources/references-external.html) (0 => 218300)


--- trunk/LayoutTests/http/tests/css/resources/references-external-red.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/references-external-red.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -0,0 +1,11 @@
+<style>
+body {
+    margin: 0;
+    padding: 0;
+}
+
+iframe {
+    border: none;
+}
+</style>
+<iframe src=""

Deleted: trunk/LayoutTests/http/tests/css/resources/references-external.html (218299 => 218300)


--- trunk/LayoutTests/http/tests/css/resources/references-external.html	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/LayoutTests/http/tests/css/resources/references-external.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -1,11 +0,0 @@
-<style>
-body {
-    margin: 0;
-    padding: 0;
-}
-
-iframe {
-    border: none;
-}
-</style>
-<iframe src=""

Added: trunk/LayoutTests/http/tests/css/resources/solid-green.html (0 => 218300)


--- trunk/LayoutTests/http/tests/css/resources/solid-green.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/css/resources/solid-green.html	2017-06-15 01:01:08 UTC (rev 218300)
@@ -0,0 +1,5 @@
+<style>
+    body {
+        background-color: green;
+    }
+</style>
Property changes on: trunk/LayoutTests/http/tests/css/resources/solid-green.html
___________________________________________________________________

Added: svn:eol-style

+native \ No newline at end of property

Added: svn:keywords

+Date Revision \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (218299 => 218300)


--- trunk/Source/WebCore/ChangeLog	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/Source/WebCore/ChangeLog	2017-06-15 01:01:08 UTC (rev 218300)
@@ -1,3 +1,22 @@
+2017-06-14  Dean Jackson  <[email protected]>
+
+        Restrict filtered painting across cross-origin boundaries with transforms
+        https://bugs.webkit.org/show_bug.cgi?id=173388
+        <rdar://problem/27362159>
+
+        Reviewed by Simon Fraser.
+
+        Make sure all cases of LayerPaintingInfo maintain the security
+        flag. In this case there was only one new place, and since
+        everything is scalar, there was no need for a real copy constructor.
+
+        Test: http/tests/css/filters-on-iframes-transform.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::paintLayerByApplyingTransform): Make sure the cross
+        origin flag is used in the call to paint the layer children.
+        * rendering/RenderLayer.h: Fix some typos.
+
 2017-06-14  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r218285.
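
Review bot: "the security flag" in the entry is ambiguous; name `requireSecurityOriginAccessForWidgets` explicitly so a later reader can find the field, and say that the transformed paint path was constructing its LayerPaintingInfo without it. "there was no need for a real copy constructor" would also read more clearly if it said the implicit copy is what is now used.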

Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (218299 => 218300)


--- trunk/Source/WebCore/rendering/RenderLayer.cpp	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp	2017-06-15 01:01:08 UTC (rev 218300)
@@ -4517,8 +4517,10 @@
 
     // Now do a paint with the root layer shifted to be us.
     LayoutSize adjustedSubpixelOffset = offsetForThisLayer - LayoutSize(devicePixelSnappedOffsetForThisLayer);
-    LayerPaintingInfo transformedPaintingInfo(this, LayoutRect(encloseRectToDevicePixels(transform.inverse().value_or(AffineTransform()).mapRect(paintingInfo.paintDirtyRect), deviceScaleFactor)),
-        paintingInfo.paintBehavior, adjustedSubpixelOffset, paintingInfo.subtreePaintRoot, paintingInfo.overlapTestRequests);
+    LayerPaintingInfo transformedPaintingInfo(paintingInfo);
+    transformedPaintingInfo.rootLayer = this;
+    transformedPaintingInfo.paintDirtyRect = LayoutRect(encloseRectToDevicePixels(transform.inverse().value_or(AffineTransform()).mapRect(paintingInfo.paintDirtyRect), deviceScaleFactor));
+    transformedPaintingInfo.subpixelOffset = adjustedSubpixelOffset;
     paintLayerContentsAndReflection(context, transformedPaintingInfo, paintFlags);
     context.setCTM(oldTransfrom);
 }
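
Review bot: Nothing at the `LayerPaintingInfo transformedPaintingInfo(paintingInfo);` line says that the copy is what carries `requireSecurityOriginAccessForWidgets` into the child paint, so a later refactor back to the explicit constructor would silently reset it to its default. Add a one-line comment there stating that the copy is deliberate and that only `rootLayer`, `paintDirtyRect` and `subpixelOffset` differ for the transformed pass. The unchanged `context.setCTM(oldTransfrom);` line still has a misspelled variable name, which could be fixed along with the header typos.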

Modified: trunk/Source/WebCore/rendering/RenderLayer.h (218299 => 218300)


--- trunk/Source/WebCore/rendering/RenderLayer.h	2017-06-15 00:39:21 UTC (rev 218299)
+++ trunk/Source/WebCore/rendering/RenderLayer.h	2017-06-15 01:01:08 UTC (rev 218300)
@@ -721,18 +721,19 @@
     enum CollectLayersBehavior { StopAtStackingContexts, StopAtStackingContainers };
 
     struct LayerPaintingInfo {
-        LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false)
+        LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSubpixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false)
             : rootLayer(inRootLayer)
             , subtreePaintRoot(inSubtreePaintRoot)
             , paintDirtyRect(inDirtyRect)
-            , subpixelOffset(inSupixelOffset)
+            , subpixelOffset(inSubpixelOffset)
             , overlapTestRequests(inOverlapTestRequests)
             , paintBehavior(inPaintBehavior)
             , requireSecurityOriginAccessForWidgets(inRequireSecurityOriginAccessForWidgets)
         { }
+
         RenderLayer* rootLayer;
-        RenderObject* subtreePaintRoot; // only paint descendants of this object
-        LayoutRect paintDirtyRect; // relative to rootLayer;
+        RenderObject* subtreePaintRoot; // Only paint descendants of this object.
+        LayoutRect paintDirtyRect; // Relative to rootLayer;
         LayoutSize subpixelOffset;
         OverlapTestRequestMap* overlapTestRequests; // May be null.
         PaintBehavior paintBehavior;
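
Review bot: The constructor still declares `bool inRequireSecurityOriginAccessForWidgets = false` as a defaulted trailing parameter, which is what allowed a call site to omit the flag without a compile error. Consider removing the default so that every construction has to state the value. In the member comments, `// Relative to rootLayer;` still ends with a semicolon where the line above now ends with a period.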
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
