Diff
Modified: trunk/LayoutTests/ChangeLog (147290 => 147291)
--- trunk/LayoutTests/ChangeLog 2013-03-31 23:25:33 UTC (rev 147290)
+++ trunk/LayoutTests/ChangeLog 2013-03-31 23:27:34 UTC (rev 147291)
@@ -1,3 +1,15 @@
+2013-03-31 Rafael Weinstein <[email protected]>
+
+ HTMLLinkElement should resolve resource URLs when resources will be fetched
+ https://bugs.webkit.org/show_bug.cgi?id=113630
+
+ Reviewed by Eric Seidel.
+
+ * fast/dom/HTMLLinkElement/resolve-url-on-insertion-expected.txt: Added.
+ * fast/dom/HTMLLinkElement/resolve-url-on-insertion.html: Added.
+ * fast/dom/HTMLLinkElement/resources/stylesheet2.css: Added.
+ (#test2):
+
2013-03-30 Tom Sepez <[email protected]>
Cross-Origin copy&paste / drag&drop allowing XSS via srcdoc attribute.
Added: trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion-expected.txt (0 => 147291)
--- trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion-expected.txt 2013-03-31 23:27:34 UTC (rev 147291)
@@ -0,0 +1,7 @@
+This tests that links resouce URLs are resolved dynamically when inserted into the document, and honor the base URL of the document at the time of insertion.
+
+I should be blue...and I am!!!
+
+I should be red...and I am!!!
+
+
Added: trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion.html (0 => 147291)
--- trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLLinkElement/resolve-url-on-insertion.html 2013-03-31 23:27:34 UTC (rev 147291)
@@ -0,0 +1,38 @@
+<html>
+<body>
+<script>
+var base = document.createElement('base');
+base.href = '';
+
+var link1 = document.createElement('link');
+link1.setAttribute('rel', 'stylesheet');
+link1.setAttribute('href', 'stylesheet.css');
+
+var foreignDocument = document.implementation.createHTMLDocument('');
+var link2 = foreignDocument.createElement('link');
+link2.setAttribute('rel', 'stylesheet');
+link2.setAttribute('href', 'stylesheet2.css');
+
+document.body.appendChild(base);
+document.body.appendChild(link1);
+document.body.appendChild(link2);
+
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>This tests that links resouce URLs are resolved dynamically when inserted into
+ the document, and honor the base URL of the document at the time of insertion.</p>
+
+<h1 id=test>I should be blue</h1>
+<h1 id=test2>I should be red</h1>
+
+<script>
+var test = document.getElementById('test');
+var testColor = window.getComputedStyle(document.getElementById('test'), null).color;
+var test2 = document.getElementById('test2');
+var test2Color = window.getComputedStyle(document.getElementById('test2'), null).color;
+test.innerHTML += testColor === 'rgb(0, 0, 255)' ? '...and I am!!!' : '...but I am not =-(';
+test2.innerHTML += test2Color === 'rgb(255, 0, 0)' ? '...and I am!!!' : '...but I am not =-(';
+</script>
+</body></html>
+
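Review bot: The colour checks in the second inline script read computed style immediately, so the test passes only if both dynamically inserted stylesheets have already loaded and applied by then. It presumably relies on pending stylesheets blocking inline script execution. If that timing ever changes, the test fails for a reason unrelated to URL resolution. Running the checks from the window `load` event, bracketed by `testRunner.waitUntilDone()` and `testRunner.notifyDone()`, would make the dependency explicit. Separately, "resouce" in the description paragraph is a typo and would have to be fixed in the -expected.txt file as well.

```html
<script>
// … unchanged: base, link1 and link2 creation and insertion …
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}
</script>
<!-- … unchanged: description paragraph and the two h1 elements … -->
<script>
window.addEventListener('load', function() {
    // … unchanged: computed-colour checks on #test and #test2 …
    if (window.testRunner)
        testRunner.notifyDone();
});
</script>
```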
Added: trunk/LayoutTests/fast/dom/HTMLLinkElement/resources/stylesheet2.css (0 => 147291)
--- trunk/LayoutTests/fast/dom/HTMLLinkElement/resources/stylesheet2.css (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLLinkElement/resources/stylesheet2.css 2013-03-31 23:27:34 UTC (rev 147291)
@@ -0,0 +1 @@
+#test2 { color: red !important; }
Modified: trunk/Source/WebCore/ChangeLog (147290 => 147291)
--- trunk/Source/WebCore/ChangeLog 2013-03-31 23:25:33 UTC (rev 147290)
+++ trunk/Source/WebCore/ChangeLog 2013-03-31 23:27:34 UTC (rev 147291)
@@ -1,3 +1,25 @@
+2013-03-31 Rafael Weinstein <[email protected]>
+
+ HTMLLinkElement should resolve resource URLs when resources will be fetched
+ https://bugs.webkit.org/show_bug.cgi?id=113630
+
+ HTMLLinkElement was resolving its URL when the href attribute was processed and caching it without ever
+ invalidating the cached URL. This patch removes the cached URL and adds getURL() which resolve the
+ URL dynamically.
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/HTMLLinkElement/resolve-url-on-insertion.html
+
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::getURL):
+ (WebCore):
+ (WebCore::HTMLLinkElement::parseAttribute):
+ (WebCore::HTMLLinkElement::shouldLoadLink):
+ (WebCore::HTMLLinkElement::process):
+ * html/HTMLLinkElement.h:
+ (HTMLLinkElement):
+
2013-03-31 Brady Eidson <[email protected]>
NetworkProcess crashes in WebCoreResourceHandleAsOperationQueueDelegate callbacks.
Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (147290 => 147291)
--- trunk/Source/WebCore/html/HTMLLinkElement.cpp 2013-03-31 23:25:33 UTC (rev 147290)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp 2013-03-31 23:27:34 UTC (rev 147291)
@@ -137,8 +137,6 @@
m_relAttribute = LinkRelAttribute(value);
process();
} else if (name == hrefAttr) {
- String url = ""
- m_url = url.isEmpty() ? KURL() : document()->completeURL(url);
process();
} else if (name == typeAttr) {
m_type = value;
@@ -163,7 +161,7 @@
bool HTMLLinkElement::shouldLoadLink()
{
RefPtr<Document> originalDocument = document();
- if (!dispatchBeforeLoadEvent(m_url))
+ if (!dispatchBeforeLoadEvent(getNonEmptyURLAttribute(hrefAttr)))
return false;
// A beforeload handler might have removed us from the document or changed the document.
if (!inDocument() || document() != originalDocument)
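Review bot: shouldLoadLink() now re-derives the URL from the href attribute for the beforeload event, while process() resolves its own `url` separately in the next hunk. Nothing ties the URL shown to beforeload handlers to the URL that is later requested. Handlers use that argument to decide whether to cancel the load, so the two values should come from a single resolution. Consider passing the resolved URL in, e.g. `bool HTMLLinkElement::shouldLoadLink(const KURL& url)` with `if (!dispatchBeforeLoadEvent(url))`, and updating the call in process() and the declaration in HTMLLinkElement.h to match. The call site and the rest of shouldLoadLink() lie outside this hunk, so confirm that no script can run between the two resolutions today.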
@@ -179,14 +177,15 @@
}
String type = m_type.lower();
+ KURL url = ""
- if (!m_linkLoader.loadLink(m_relAttribute, type, m_sizes->toString(), m_url, document()))
+ if (!m_linkLoader.loadLink(m_relAttribute, type, m_sizes->toString(), url, document()))
return;
bool acceptIfTypeContainsTextCSS = document()->page() && document()->page()->settings() && document()->page()->settings()->treatsAnyTextCSSLinkAsStylesheet();
if (m_disabledState != Disabled && (m_relAttribute.m_isStyleSheet || (acceptIfTypeContainsTextCSS && type.contains("text/css")))
- && document()->frame() && m_url.isValid()) {
+ && document()->frame() && url.isValid()) {
String charset = getAttribute(charsetAttr);
if (charset.isEmpty() && document()->frame())
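Review bot: The WebCore ChangeLog entry for this commit lists `WebCore::HTMLLinkElement::getURL` and describes adding getURL(), but no visible hunk defines or calls it. The new code in shouldLoadLink() calls `getNonEmptyURLAttribute(hrefAttr)` instead, so the ChangeLog should be brought in line with what landed. The new `KURL url` local in process() also deserves a why-comment, since the caching it replaces looked like an optimisation: `// Resolve href on every process() call so the document's current base URL is honoured; the element may have been created in another document or before a <base> was inserted.` process() begins and ends outside this hunk.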
@@ -218,7 +217,7 @@
// Load stylesheets that are not needed for the rendering immediately with low priority.
ResourceLoadPriority priority = blocking ? ResourceLoadPriorityUnresolved : ResourceLoadPriorityVeryLow;
- CachedResourceRequest request(ResourceRequest(document()->completeURL(m_url)), charset, priority);
+ CachedResourceRequest request(ResourceRequest(document()->completeURL(url)), charset, priority);
request.setInitiator(this);
m_cachedSheet = document()->cachedResourceLoader()->requestCSSStyleSheet(request);
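Review bot: `document()->completeURL(url)` re-resolves a value that is already a `KURL`. Assuming `url` holds the fully resolved URL, as its type and the `url.isValid()` check in the previous hunk suggest, the call only converts it to a string and parses it again against the base. `CachedResourceRequest request(ResourceRequest(url), charset, priority);` would be simpler and would guarantee that the requested URL is exactly the one validated earlier. The old code had the same redundancy with `m_url`, so this is a clean-up rather than a regression. The initializer of `url` is not legible on this page, so confirm it before dropping the call.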
Modified: trunk/Source/WebCore/html/HTMLLinkElement.h (147290 => 147291)
--- trunk/Source/WebCore/html/HTMLLinkElement.h 2013-03-31 23:25:33 UTC (rev 147290)
+++ trunk/Source/WebCore/html/HTMLLinkElement.h 2013-03-31 23:27:34 UTC (rev 147291)
@@ -136,7 +136,6 @@
Disabled
};
- KURL m_url;
String m_type;
String m_media;
RefPtr<DOMSettableTokenList> m_sizes;