Diff
Modified: branches/safari-600.1.4.13-branch/LayoutTests/ChangeLog (177064 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/ChangeLog 2014-12-10 16:57:45 UTC (rev 177064)
+++ branches/safari-600.1.4.13-branch/LayoutTests/ChangeLog 2014-12-10 16:59:53 UTC (rev 177065)
@@ -1,5 +1,56 @@
2014-12-10 Babak Shafiei <[email protected]>
+ Merge r175074.
+
+ 2014-10-22 Said Abou-Hallawa <[email protected]>
+
+ SVG loaded through html <img> can't request to load any external resources.
+ https://bugs.webkit.org/show_bug.cgi?id=137762.
+
+ Reviewed by Daniel Bates.
+
+ Ensure that SVG images, which are loaded through the <img> tag or through the
+ CSS background image, cannot load any external sub-resource except for data-
+ URL resources (though this doesn't work at the time of writing, see bug #137941).
+ Also ensure the same rule is enforced on cached resources.
+
+ The tests are ported but modified a little from the chromium fix:
+ http://src.chromium.org/viewvc/blink?view=rev&rev=176084
+
+ Set the circle background to orange
+ * http/tests/security/resources/image-with-css-cross-domain-circle.css: Added.
+ (circle):
+
+ Set the circle stroke-width = 2 and the circle stroke = red
+ * http/tests/security/resources/image-with-css-cross-domain-circle2.css: Added.
+ (circle):
+
+ This svg references the two css files: one is relative path and the other is absolute path
+ * http/tests/security/resources/image-with-css-cross-domain.svg: Added.
+
+ This svg references an external image.
+ * http/tests/security/resources/image-with-remote-image.svg: Added.
+
+ A helper css which sets the formatting style for some html tags
+ * http/tests/security/svg-image-with-css-cross-domain.css: Added.
+ (span):
+ (span.circle-css-cross-domain):
+ (embed):
+ (iframe):
+
+ Test the svg which is referenced as a cached image by an <object> tag, does not load
+ external sub-resource.
+ * http/tests/security/svg-image-with-cached-remote-image-expected.html: Added.
+ * http/tests/security/svg-image-with-cached-remote-image.html: Added.
+
+ Test loading sub-resources for an svg which is included in the html by different ways
+ and which references external css files.
+ Ensure the image object does not load any external sub-resources.
+ * http/tests/security/svg-image-with-css-cross-domain-expected.html: Added.
+ * http/tests/security/svg-image-with-css-cross-domain.html: Added.
+
+2014-12-10 Babak Shafiei <[email protected]>
+
Merge r174946.
2014-10-21 Manuel Rego Casasnovas <[email protected]>
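Review bot: The entry names data-URL sub-resources as the one permitted exception but also says this "doesn't work at the time of writing" (bug #137941), and none of the tests listed in the entry exercises a data: sub-resource inside an <img>-loaded SVG. That allowed path is the part most likely to change when bug #137941 is fixed, so either add a test for it with the current expectation recorded, or state in the entry that data-URL coverage is deferred to that bug.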
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle.css (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle.css) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle.css (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle.css 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,3 @@
+circle {
+ fill: orange;
+}
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle2.css (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle2.css) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle2.css (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain-circle2.css 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,4 @@
+circle {
+ stroke: red;
+ stroke-width: 2;
+}
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain.svg (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain.svg) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain.svg (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-css-cross-domain.svg 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?xml-stylesheet type="text/css" href=""
+<?xml-stylesheet type="text/css" href=""
+<svg xmlns="http://www.w3.org/2000/svg" width="68" height="68" viewBox="-34 -34 68 68" >
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8"/>
+</svg>
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-remote-image.svg (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/resources/image-with-remote-image.svg) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-remote-image.svg (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/resources/image-with-remote-image.svg 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+ <rect width="100%" height="100%" fill="#0f0"/>
+ <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+ <image xlink:href="" x="20%" y="20%" width="60%" height="60%" _onload_="window.parent.notifyDidLoadSVG()"/>
+</svg>
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+<p>SVG loaded in <img> (should not see head of Abe Lincoln)</p>
+<svg width="100" height="100">
+ <rect width="100%" height="100%" fill="#0f0"/>
+ <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+</svg>
+<br>
+<p>SVG loaded in <object> (should see head of Abe Lincoln)</p>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+ <rect width="100%" height="100%" fill="#0f0"/>
+ <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+ <image xlink:href="" x="20%" y="20%" width="60%" height="60%"/>
+</svg>
+</body>
+</html>
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script>
+ if (window.testRunner)
+ testRunner.waitUntilDone();
+
+ // Called from resources/image-with-remote-image.svg when loaded inside <object>.
+ function notifyDidLoadSVG()
+ {
+ function done()
+ {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+ var image = document.getElementById("non-interactive-SVG");
+ image._onload_ = done;
+ image.src = ""
+ }
+</script>
+</head>
+<body>
+ <p>SVG loaded in <img> (should not see head of Abe Lincoln)</p>
+ <img id="non-interactive-SVG" src="" width="100" height="100">
+ <br>
+ <p>SVG loaded in <object> (should see head of Abe Lincoln)</p>
+ <object id="interactive-SVG" data="" width="100" height="100"></object>
+</body>
+</html>
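Review bot: In notifyDidLoadSVG() the only route to testRunner.notifyDone() is the load handler assigned to the <img>, so if the re-assigned src fails to load, or the <object> SVG never calls notifyDidLoadSVG(), the test ends as a timeout rather than a clear failure. Attaching done() to the error event as well would make those cases distinguishable. The "image.src" assignment in the same function is also missing its terminating semicolon.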
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain-expected.html (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain-expected.html) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain-expected.html (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain-expected.html 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <link rel="stylesheet" type="text/css" href=""
+ </head>
+ <body>
+ <h1>WebKit bug</h1>
+ <h3>SVG circle with same-origin and different-origin CSS</h3>
+ <p>Expected: 2 gray circles, 4 orange circles with red borders, 2 gray circle.</p>
+ <p>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" stroke="red" stroke-width="2" fill="orange" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" stroke="red" stroke-width="2" fill="orange" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" stroke="red" stroke-width="2" fill="orange" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" stroke="red" stroke-width="2" fill="orange" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8" />
+ </svg>
+ </span>
+ <span class="image">
+ <svg height="68" width="68" viewBox="-34 -34 68 68">
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8" />
+ </svg>
+ </span>
+ </p>
+ </body>
+</html>
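Review bot: The "Expected:" paragraph ends with "2 gray circle."; it should read "2 gray circles". The same sentence appears in svg-image-with-css-cross-domain.html, and because the two pages are compared as rendered, the wording has to be corrected in both files together.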
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.css (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.css) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.css (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.css 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,17 @@
+span {
+ display: inline-block;
+ height: 68px;
+ width: 68px;
+}
+
+span.circle-css-cross-domain {
+ background-image: url('resources/image-with-css-cross-domain.svg');
+}
+
+embed {
+ display: inline-block;
+}
+
+iframe {
+ border-width: 0px;
+}
Copied: branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.html (from rev 175523, branches/safari-600.3-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.html) (0 => 177065)
--- branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.html (rev 0)
+++ branches/safari-600.1.4.13-branch/LayoutTests/http/tests/security/svg-image-with-css-cross-domain.html 2014-12-10 16:59:53 UTC (rev 177065)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <link rel="stylesheet" type="text/css" href=""
+ </head>
+ <body>
+ <h1>WebKit bug</h1>
+ <h3>SVG circle with same-origin and different-origin CSS</h3>
+ <p>Expected: 2 gray circles, 4 orange circles with red borders, 2 gray circle.</p>
+ <p>
+ <span class="image"><img src="" alt="circle" width="68" height="68"/></span>
+ <span class="image circle-css-cross-domain"></span>
+ <object data="" type="image/svg+xml" width="68" height="68"></object>
+ <embed src="" type="image/svg+xml" width="68" height="68"></embed>
+ <iframe src="" width="68" height="68"></iframe>
+ <iframe src="" width="68" height="68" sandbox=""></iframe>
+ <span class="image"><img width="68" height="68" alt="circle" src=""
+ <span class="image">
+ <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+ <?xml-stylesheet type="text/css" href=""
+ <?xml-stylesheet type="text/css" href=""
+ <svg xmlns="http://www.w3.org/2000/svg" width="68" height="68" viewBox="-34 -34 68 68" version="1.1">
+ <circle cx="0" cy="0" r="24" fill="#c8c8c8"/>
+ </svg>
+ </span>
+ </p>
+ </body>
+</html>
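Review bot: This page has no script, so the <img> and background-image cases are checked only by comparing the rendering against gray circles; a cross-domain stylesheet request that was issued but whose result was not applied would still pass. If the intent is that no request leaves the SVG image at all, a companion test that observes whether the load was attempted would cover that. Separately, the spans use class "image", which the helper svg-image-with-css-cross-domain.css does not define (it styles span and span.circle-css-cross-domain only).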
Modified: branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog (177064 => 177065)
--- branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog 2014-12-10 16:57:45 UTC (rev 177064)
+++ branches/safari-600.1.4.13-branch/Source/WebCore/ChangeLog 2014-12-10 16:59:53 UTC (rev 177065)
@@ -1,5 +1,30 @@
2014-12-10 Babak Shafiei <[email protected]>
+ Merge r175074.
+
+ 2014-10-22 Said Abou-Hallawa <[email protected]>
+
+ SVG loaded through html <img> can't request to load any external resources.
+ https://bugs.webkit.org/show_bug.cgi?id=137762.
+
+ Reviewed by Daniel Bates.
+
+ SVG images have unique security rules that prevent them from loading any external
+ resources. This patch enforces these rules in CachedResourceLoader::canRequest for
+ all non-data-uri resources.
+
+ The fix and the tests are ported but modified a little from the chromium fix:
+ http://src.chromium.org/viewvc/blink?view=rev&rev=176084
+
+ Test: http/tests/security/svg-image-with-cached-remote-image.html
+ http/tests/security/svg-image-with-css-cross-domain.html
+
+ For the SVG image, prevent loading any external sub-resource except for data urls.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest):
+
+2014-12-10 Babak Shafiei <[email protected]>
+
Merge r174946.
2014-10-21 Manuel Rego Casasnovas <[email protected]>
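Review bot: "The fix and the tests are ported but modified a little from the chromium fix" does not say what was modified. List the differences from the Blink revision in the entry so a later merger can tell which behaviour is intentional, and carry over the data-URL limitation noted in the LayoutTests ChangeLog (bug #137941), which the "all non-data-uri resources" wording here leaves out.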
Modified: branches/safari-600.1.4.13-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (177064 => 177065)
--- branches/safari-600.1.4.13-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2014-12-10 16:57:45 UTC (rev 177064)
+++ branches/safari-600.1.4.13-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2014-12-10 16:59:53 UTC (rev 177065)
@@ -36,6 +36,8 @@
#include "CachedResourceRequest.h"
#include "CachedScript.h"
#include "CachedXSLStyleSheet.h"
+#include "Chrome.h"
+#include "ChromeClient.h"
#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Document.h"
@@ -381,6 +383,12 @@
#endif
}
+ // SVG Images have unique security rules that prevent all subresource requests except for data urls.
+ if (type != CachedResource::MainResource && frame() && frame()->page()) {
+ if (frame()->page()->chrome().client().isSVGImageChromeClient() && !url.protocolIsData())
+ return false;
+ }
+
// Last of all, check for insecure content. We do this last so that when
// folks block insecure content with a CSP policy, they don't get a warning.
// They'll still get a warning in the console about CSP blocking the load.
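Review bot: The new check in canRequest() applies only when both frame() and frame()->page() are non-null; when either is null the code falls through to the checks that follow, so the SVG-image rule is not enforced on that path. Either add a comment explaining why an SVG image document always has a frame and page at this point, or make the fall-through an explicit decision. The two nested ifs can be a single condition, and the bare "return false;" emits no console message, unlike the CSP case described in the comment that follows, which makes a blocked sub-resource hard to diagnose.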