Diff
Modified: trunk/LayoutTests/ChangeLog (270295 => 270296)
--- trunk/LayoutTests/ChangeLog 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/ChangeLog 2020-12-01 14:58:10 UTC (rev 270296)
@@ -1,5 +1,18 @@
2020-12-01 Youenn Fablet <[email protected]>
+ CSSStyleSheet.cssRules and rules should throw in case of opaque stylesheets
+ https://bugs.webkit.org/show_bug.cgi?id=219203
+
+ Reviewed by Alex Christensen.
+
+ Rebased tests and update test to expect throwing.
+
+ * http/tests/security/cannot-read-cssrules-expected.txt:
+ * http/tests/security/cannot-read-cssrules-redirect-expected.txt:
+ * http/tests/security/cross-origin-css-9.html:
+
+2020-12-01 Youenn Fablet <[email protected]>
+
Allow RTCRtpScriptTransformer to request key frames
https://bugs.webkit.org/show_bug.cgi?id=219199
Modified: trunk/LayoutTests/http/tests/security/cannot-read-cssrules-expected.txt (270295 => 270296)
--- trunk/LayoutTests/http/tests/security/cannot-read-cssrules-expected.txt 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/http/tests/security/cannot-read-cssrules-expected.txt 2020-12-01 14:58:10 UTC (rev 270296)
@@ -3,8 +3,8 @@
Test begins.
== Cross-Origin resource, no-cors mode ==
-cssRules: null
-rules: null
+exception thrown for cssRules: SecurityError: Not allowed to access cross-origin stylesheet
+exception thrown for rules: SecurityError: Not allowed to access cross-origin stylesheet
== Same-Origin resource, no-cors mode ==
cssRules: [object CSSRuleList]
cssRules length: 1
@@ -11,8 +11,8 @@
rules: [object CSSRuleList]
rules length: 1
== Cross-Origin resource, cors mode, failing cors check ==
-cssRules: null
-rules: null
+exception thrown for cssRules: SecurityError: Not allowed to access cross-origin stylesheet
+exception thrown for rules: SecurityError: Not allowed to access cross-origin stylesheet
== Cross-Origin resource, cors mode, successful cors check ==
cssRules: [object CSSRuleList]
cssRules length: 1
Modified: trunk/LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt (270295 => 270296)
--- trunk/LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/http/tests/security/cannot-read-cssrules-redirect-expected.txt 2020-12-01 14:58:10 UTC (rev 270296)
@@ -3,8 +3,8 @@
Test begins.
== Same-Origin to Cross-Origin, no-cors mode ==
-cssRules: null
-rules: null
+exception thrown for cssRules: SecurityError: Not allowed to access cross-origin stylesheet
+exception thrown for rules: SecurityError: Not allowed to access cross-origin stylesheet
== Cross-Origin to Same-Origin, no-cors mode ==
cssRules: [object CSSRuleList]
cssRules length: 1
@@ -21,6 +21,6 @@
rules: [object CSSRuleList]
rules length: 1
== Cross-Origin to Same-Origin, cors mode, failing cors check ==
-cssRules: null
-rules: null
+exception thrown for cssRules: SecurityError: Not allowed to access cross-origin stylesheet
+exception thrown for rules: SecurityError: Not allowed to access cross-origin stylesheet
Test ends.
Modified: trunk/LayoutTests/http/tests/security/cross-origin-css-9.html (270295 => 270296)
--- trunk/LayoutTests/http/tests/security/cross-origin-css-9.html 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/http/tests/security/cross-origin-css-9.html 2020-12-01 14:58:10 UTC (rev 270296)
@@ -21,7 +21,13 @@
{
expectedColor = expectToIncludeOrigin ? "rgb(255, 255, 0)" : "rgb(0, 0, 255)";
assert_equals(getBackgroundColorForId(id), expectedColor);
- assert_equals(document.getElementById("link-" + id).sheet.cssRules !== null, expectVisibility);
+ let visibility = true;
+ try {
+ document.getElementById("link-" + id).sheet.cssRules
+ } catch (e) {
+ visibility = false;
+ }
+ assert_equals(visibility, expectVisibility);
}
var _onloadTest_ = async_test(" Testing that link element to load stylesheets correctly handle crossorigin mode.");
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (270295 => 270296)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2020-12-01 14:58:10 UTC (rev 270296)
@@ -1,3 +1,15 @@
+2020-12-01 Youenn Fablet <[email protected]>
+
+ CSSStyleSheet.cssRules and rules should throw in case of opaque stylesheets
+ https://bugs.webkit.org/show_bug.cgi?id=219203
+
+ Reviewed by Alex Christensen.
+
+ Rebased tests.
+
+ * web-platform-tests/css/cssom/stylesheet-same-origin.sub-expected.txt:
+ * web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt:
+
2020-12-01 Sergio Villar Senin <[email protected]>
[css-flexbox] WebKit doesn't preserve aspect ratio when computing cross size of flexed images in auto-height flex container
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/css/cssom/stylesheet-same-origin.sub-expected.txt (270295 => 270296)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/css/cssom/stylesheet-same-origin.sub-expected.txt 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/css/cssom/stylesheet-same-origin.sub-expected.txt 2020-12-01 14:58:10 UTC (rev 270296)
@@ -17,5 +17,5 @@
sheet.cssRules;
}" did not throw
PASS Origin-clean check in same-origin CSSOM Stylesheets
-FAIL Origin-clean check in data:css CSSOM Stylesheets null is not an object (evaluating 'sheet.cssRules.length')
+FAIL Origin-clean check in data:css CSSOM Stylesheets Not allowed to access cross-origin stylesheet
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt (270295 => 270296)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-css-cross-origin.https-expected.txt 2020-12-01 14:58:10 UTC (rev 270296)
@@ -3,6 +3,6 @@
PASS MIME checking of CSS resources fetched via service worker when Content-Type is not set.
FAIL Same-origin policy for access to CSS resources fetched via service worker assert_throws_dom: function "() => {
f.contentDocument.styleSheets[0].cssRules[0].cssText;
- }" threw object "TypeError: null is not an object (evaluating 'f.contentDocument.styleSheets[0].cssRules[0]')" that is not a DOMException SecurityError: property "code" is equal to undefined, expected 18
+ }" threw an exception from the wrong global
PASS cleanup global state
Modified: trunk/Source/WebCore/ChangeLog (270295 => 270296)
--- trunk/Source/WebCore/ChangeLog 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/Source/WebCore/ChangeLog 2020-12-01 14:58:10 UTC (rev 270296)
@@ -1,5 +1,20 @@
2020-12-01 Youenn Fablet <[email protected]>
+ CSSStyleSheet.cssRules and rules should throw in case of opaque stylesheets
+ https://bugs.webkit.org/show_bug.cgi?id=219203
+
+ Reviewed by Alex Christensen.
+
+ In case of opaque stylesheet, throw a SecurityError as done by Chrome and Firefox.
+ Covered by updated and rebased tests.
+
+ * css/CSSStyleSheet.cpp:
+ (WebCore::CSSStyleSheet::cssRulesFromJS):
+ (WebCore::CSSStyleSheet::rulesFromJS):
+ * css/CSSStyleSheet.idl:
+
+2020-12-01 Youenn Fablet <[email protected]>
+
Allow RTCRtpScriptTransformer to request key frames
https://bugs.webkit.org/show_bug.cgi?id=219199
<rdar://problem/71763010>
Modified: trunk/Source/WebCore/css/CSSStyleSheet.cpp (270295 => 270296)
--- trunk/Source/WebCore/css/CSSStyleSheet.cpp 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/Source/WebCore/css/CSSStyleSheet.cpp 2020-12-01 14:58:10 UTC (rev 270296)
@@ -254,6 +254,14 @@
return document->securityOrigin().canRequest(baseURL);
}
+ExceptionOr<Ref<CSSRuleList>> CSSStyleSheet::rulesForBindings()
+{
+ auto rules = this->rules();
+ if (!rules)
+ return Exception { SecurityError, "Not allowed to access cross-origin stylesheet"_s };
+ return rules.releaseNonNull();
+}
+
RefPtr<CSSRuleList> CSSStyleSheet::rules()
{
if (!canAccessRules())
@@ -324,6 +332,14 @@
return -1;
}
+ExceptionOr<Ref<CSSRuleList>> CSSStyleSheet::cssRulesForBindings()
+{
+ auto cssRules = this->cssRules();
+ if (!cssRules)
+ return Exception { SecurityError, "Not allowed to access cross-origin stylesheet"_s };
+ return cssRules.releaseNonNull();
+}
+
RefPtr<CSSRuleList> CSSStyleSheet::cssRules()
{
if (!canAccessRules())
Modified: trunk/Source/WebCore/css/CSSStyleSheet.h (270295 => 270296)
--- trunk/Source/WebCore/css/CSSStyleSheet.h 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/Source/WebCore/css/CSSStyleSheet.h 2020-12-01 14:58:10 UTC (rev 270296)
@@ -61,7 +61,10 @@
String title() const final { return m_title; }
bool disabled() const final { return m_isDisabled; }
void setDisabled(bool) final;
-
+
+ ExceptionOr<Ref<CSSRuleList>> cssRulesForBindings();
+ ExceptionOr<Ref<CSSRuleList>> rulesForBindings();
+
WEBCORE_EXPORT RefPtr<CSSRuleList> cssRules();
WEBCORE_EXPORT ExceptionOr<unsigned> insertRule(const String& rule, unsigned index);
WEBCORE_EXPORT ExceptionOr<void> deleteRule(unsigned index);
Modified: trunk/Source/WebCore/css/CSSStyleSheet.idl (270295 => 270296)
--- trunk/Source/WebCore/css/CSSStyleSheet.idl 2020-12-01 14:43:15 UTC (rev 270295)
+++ trunk/Source/WebCore/css/CSSStyleSheet.idl 2020-12-01 14:58:10 UTC (rev 270296)
@@ -22,11 +22,11 @@
Exposed=Window
] interface CSSStyleSheet : StyleSheet {
readonly attribute CSSRule ownerRule;
- readonly attribute CSSRuleList cssRules;
+ [MayThrowException, ImplementedAs=cssRulesForBindings] readonly attribute CSSRuleList cssRules;
[MayThrowException] unsigned long insertRule(DOMString rule, optional unsigned long index = 0);
[MayThrowException] undefined deleteRule(unsigned long index);
- readonly attribute CSSRuleList rules;
+ [MayThrowException, ImplementedAs=rulesForBindings] readonly attribute CSSRuleList rules;
[MayThrowException] long addRule(optional DOMString selector = "undefined", optional DOMString style = "undefined", optional unsigned long index);
[MayThrowException] undefined removeRule(optional unsigned long index = 0);
};
