<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[161812] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/161812">161812</a></dd>
<dt>Author</dt> <dd>andersca@apple.com</dd>
<dt>Date</dt> <dd>2014-01-12 09:33:38 -0800 (Sun, 12 Jan 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Remove unsafe uses of AtomicallyInitializedStatic
https://bugs.webkit.org/show_bug.cgi?id=126838
Reviewed by Andreas Kling.
AtomicStrings are per thread so any static initialization of them is potentially dangerous
unless it's certain that they're only ever used from the same thread.
This goes against using them with AtomicallyInitializedStatic, so just create AtomicStrings where needed.
(This is highly unlikely to have any real negative performance impact since these two functions
aren't called very frequently).
* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck):
* page/PerformanceResourceTiming.cpp:
(WebCore::passesTimingAllowCheck):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderCrossOriginAccessControlcpp">trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp</a></li>
<li><a href="#trunkSourceWebCorepagePerformanceResourceTimingcpp">trunk/Source/WebCore/page/PerformanceResourceTiming.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (161811 => 161812)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2014-01-12 17:29:54 UTC (rev 161811)
+++ trunk/Source/WebCore/ChangeLog 2014-01-12 17:33:38 UTC (rev 161812)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2014-01-11 Anders Carlsson <andersca@apple.com>
+
+ Remove unsafe uses of AtomicallyInitializedStatic
+ https://bugs.webkit.org/show_bug.cgi?id=126838
+
+ Reviewed by Andreas Kling.
+
+ AtomicStrings are per thread so any static initialization of them is potentially dangerous
+ unless it's certain that they're only ever used from the same thread.
+
+ This goes against using them with AtomicallyInitializedStatic, so just create AtomicStrings where needed.
+ (This is highly unlikely to have any real negative performance impact since these two functions
+ aren't called very frequently).
+
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::passesAccessControlCheck):
+ * page/PerformanceResourceTiming.cpp:
+ (WebCore::passesTimingAllowCheck):
+
</ins><span class="cx"> 2014-01-12 David Kilzer <ddkilzer@apple.com>
</span><span class="cx">
</span><span class="cx"> [iOS] Fix link errors for iOS: Part 2
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderCrossOriginAccessControlcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (161811 => 161812)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2014-01-12 17:29:54 UTC (rev 161811)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2014-01-12 17:33:38 UTC (rev 161812)
</span><span class="lines">@@ -133,12 +133,9 @@
</span><span class="cx">
</span><span class="cx"> bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
</span><span class="cx"> {
</span><del>- AtomicallyInitializedStatic(AtomicString&, accessControlAllowOrigin = *new AtomicString("access-control-allow-origin", AtomicString::ConstructFromLiteral));
- AtomicallyInitializedStatic(AtomicString&, accessControlAllowCredentials = *new AtomicString("access-control-allow-credentials", AtomicString::ConstructFromLiteral));
-
</del><span class="cx"> // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
</span><span class="cx"> // even with Access-Control-Allow-Credentials set to true.
</span><del>- const String& accessControlOriginString = response.httpHeaderField(accessControlAllowOrigin);
</del><ins>+ const String& accessControlOriginString = response.httpHeaderField("access-control-allow-origin");
</ins><span class="cx"> if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
</span><span class="cx"> return true;
</span><span class="cx">
</span><span class="lines">@@ -157,7 +154,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (includeCredentials == AllowStoredCredentials) {
</span><del>- const String& accessControlCredentialsString = response.httpHeaderField(accessControlAllowCredentials);
</del><ins>+ const String& accessControlCredentialsString = response.httpHeaderField("access-control-allow-credentials");
</ins><span class="cx"> if (accessControlCredentialsString != "true") {
</span><span class="cx"> errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
</span><span class="cx"> return false;
</span></span></pre></div>
<a id="trunkSourceWebCorepagePerformanceResourceTimingcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/PerformanceResourceTiming.cpp (161811 => 161812)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/PerformanceResourceTiming.cpp 2014-01-12 17:29:54 UTC (rev 161811)
+++ trunk/Source/WebCore/page/PerformanceResourceTiming.cpp 2014-01-12 17:33:38 UTC (rev 161812)
</span><span class="lines">@@ -53,13 +53,11 @@
</span><span class="cx">
</span><span class="cx"> static bool passesTimingAllowCheck(const ResourceResponse& response, Document* requestingDocument)
</span><span class="cx"> {
</span><del>- AtomicallyInitializedStatic(AtomicString&, timingAllowOrigin = *new AtomicString("timing-allow-origin"));
-
</del><span class="cx"> RefPtr<SecurityOrigin> resourceOrigin = SecurityOrigin::create(response.url());
</span><span class="cx"> if (resourceOrigin->isSameSchemeHostPort(requestingDocument->securityOrigin()))
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- const String& timingAllowOriginString = response.httpHeaderField(timingAllowOrigin);
</del><ins>+ const String& timingAllowOriginString = response.httpHeaderField("timing-allow-origin");
</ins><span class="cx"> if (timingAllowOriginString.isEmpty() || equalIgnoringCase(timingAllowOriginString, "null"))
</span><span class="cx"> return false;
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>