<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184434] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184434">184434</a></dd>
<dt>Author</dt> <dd>antti@apple.com</dd>
<dt>Date</dt> <dd>2015-05-16 06:53:21 -0700 (Sat, 16 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>When redirecting to data URL use HTTP response for same origin policy checks
https://bugs.webkit.org/show_bug.cgi?id=145054
rdar://problem/20299050
Reviewed by Alexey Proskuryakov.
Source/WebCore:
Test: http/tests/security/canvas-remote-read-data-url-image-redirect.html
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::notifyFinished):
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::sanitizeScriptError):
* html/canvas/CanvasRenderingContext.cpp:
(WebCore::CanvasRenderingContext::wouldTaintOrigin):
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::notifyFinished):
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::responseReceived):
* loader/TextTrackLoader.cpp:
(WebCore::TextTrackLoader::notifyFinished):
* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::isOriginClean):
* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::passesAccessControlCheck):
(WebCore::CachedResource::passesSameOriginPolicyCheck):
Factor repeatedly used same origin policy test into a function.
(WebCore::CachedResource::redirectReceived):
When redirecting to a data URL save the redirect response.
(WebCore::CachedResource::responseForSameOriginPolicyChecks):
In case we got redirected to data use that response instead of the final data response for policy checks.
* loader/cache/CachedResource.h:
LayoutTests:
* http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt: Added.
* http/tests/security/canvas-remote-read-data-url-image-redirect.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCoredomScriptExecutionContextcpp">trunk/Source/WebCore/dom/ScriptExecutionContext.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlcanvasCanvasRenderingContextcpp">trunk/Source/WebCore/html/canvas/CanvasRenderingContext.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderImageLoadercpp">trunk/Source/WebCore/loader/ImageLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderMediaResourceLoadercpp">trunk/Source/WebCore/loader/MediaResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderTextTrackLoadercpp">trunk/Source/WebCore/loader/TextTrackLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedImagecpp">trunk/Source/WebCore/loader/cache/CachedImage.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourcecpp">trunk/Source/WebCore/loader/cache/CachedResource.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceh">trunk/Source/WebCore/loader/cache/CachedResource.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycanvasremotereaddataurlimageredirectexpectedtxt">trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycanvasremotereaddataurlimageredirecthtml">trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/LayoutTests/ChangeLog 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2015-05-15 Antti Koivisto <antti@apple.com>
+
+ When redirecting to data URL use HTTP response for same origin policy checks
+ https://bugs.webkit.org/show_bug.cgi?id=145054
+ rdar://problem/20299050
+
+ Reviewed by Alexey Proskuryakov.
+
+ * http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt: Added.
+ * http/tests/security/canvas-remote-read-data-url-image-redirect.html: Added.
+
</ins><span class="cx"> 2015-05-15 Simon Fraser <simon.fraser@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r183300): Background missing on top links on apple.com
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycanvasremotereaddataurlimageredirectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt (0 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: line 17: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
+CONSOLE MESSAGE: line 17: Unable to get image data from canvas because the canvas has been tainted by cross-origin data.
+PASS: Calling getImageData() from a canvas tainted by a redirected data URL image was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling toDataURL() on a canvas tainted by a redirected data URL image was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling getImageData() from a canvas tainted by a redirected data URL image pattern was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+PASS: Calling toDataURL() on a canvas tainted by a redirected data URL image pattern was not allowed - Threw error: Error: SecurityError: DOM Exception 18.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycanvasremotereaddataurlimageredirecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html (0 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/canvas-remote-read-data-url-image-redirect.html 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -0,0 +1,69 @@
</span><ins>+<pre id="console"></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+log = function(msg)
+{
+ document.getElementById('console').appendChild(document.createTextNode(msg + "\n"));
+}
+
+testGetImageData = function(context, description)
+{
+ description = "Calling getImageData() from a canvas tainted by a " + description;
+ try {
+ var imageData = context.getImageData(0,0,100,100);
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+testToDataURL = function(canvas, description)
+{
+ description = "Calling toDataURL() on a canvas tainted by a " + description;
+ try {
+ var dataURL = canvas.toDataURL();
+ log("FAIL: " + description + " was allowed.");
+ } catch (e) {
+ log("PASS: " + description + " was not allowed - Threw error: " + e + ".");
+ }
+}
+
+test = function(canvas, description)
+{
+ testGetImageData(canvas.getContext("2d"), description);
+ testToDataURL(canvas, description);
+}
+
+var image = new Image();
+image.onload = function() {
+ var canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+
+ // Test reading from a canvas after drawing a data URL image onto it
+ context.drawImage(image, 0, 0, 100, 100);
+
+ test(canvas, "redirected data URL image");
+
+ // Test reading after using a data URL pattern
+ canvas = document.createElement("canvas");
+ canvas.width = 100;
+ canvas.height = 100;
+ var context = canvas.getContext("2d");
+ var remoteImagePattern = context.createPattern(image, "repeat");
+ context.fillStyle = remoteImagePattern;
+ context.fillRect(0, 0, 100, 100);
+
+ test(canvas, "redirected data URL image pattern");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+image.src = "http://localhost:8000/resources/redirect.php?url=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVR42mP4%2F58BAAT%2FAf9jgNErAAAAAElFTkSuQmCC";
+</script>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/ChangeLog 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -1,3 +1,43 @@
</span><ins>+2015-05-15 Antti Koivisto <antti@apple.com>
+
+ When redirecting to data URL use HTTP response for same origin policy checks
+ https://bugs.webkit.org/show_bug.cgi?id=145054
+ rdar://problem/20299050
+
+ Reviewed by Alexey Proskuryakov.
+
+ Test: http/tests/security/canvas-remote-read-data-url-image-redirect.html
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::notifyFinished):
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::sanitizeScriptError):
+ * html/canvas/CanvasRenderingContext.cpp:
+ (WebCore::CanvasRenderingContext::wouldTaintOrigin):
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::notifyFinished):
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::responseReceived):
+ * loader/TextTrackLoader.cpp:
+ (WebCore::TextTrackLoader::notifyFinished):
+ * loader/cache/CachedImage.cpp:
+ (WebCore::CachedImage::isOriginClean):
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::passesAccessControlCheck):
+ (WebCore::CachedResource::passesSameOriginPolicyCheck):
+
+ Factor repeatedly used same origin policy test into a function.
+
+ (WebCore::CachedResource::redirectReceived):
+
+ When redirecting to a data URL save the redirect response.
+
+ (WebCore::CachedResource::responseForSameOriginPolicyChecks):
+
+ In case we got redirected to data use that response instead of the final data response for policy checks.
+
+ * loader/cache/CachedResource.h:
+
</ins><span class="cx"> 2015-05-16 Jon Lee <jonlee@apple.com>
</span><span class="cx">
</span><span class="cx"> [iOS] wireless playback picker button is drawn incorrectly
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -336,10 +336,7 @@
</span><span class="cx"> if (!m_cachedScript)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (m_requestUsesAccessControl
- && !m_element.document().securityOrigin()->canRequest(m_cachedScript->response().url())
- && !m_cachedScript->passesAccessControlCheck(m_element.document().securityOrigin())) {
-
</del><ins>+ if (m_requestUsesAccessControl && !m_cachedScript->passesSameOriginPolicyCheck(*m_element.document().securityOrigin())) {
</ins><span class="cx"> dispatchErrorEvent();
</span><span class="cx"> DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Cross-origin script load denied by Cross-Origin Resource Sharing policy.")));
</span><span class="cx"> m_element.document().addConsoleMessage(MessageSource::JS, MessageLevel::Error, consoleMessage);
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptExecutionContextcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptExecutionContext.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -347,7 +347,7 @@
</span><span class="cx"> bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& lineNumber, int& columnNumber, String& sourceURL, CachedScript* cachedScript)
</span><span class="cx"> {
</span><span class="cx"> URL targetURL = completeURL(sourceURL);
</span><del>- if (securityOrigin()->canRequest(targetURL) || (cachedScript && cachedScript->passesAccessControlCheck(securityOrigin())))
</del><ins>+ if (securityOrigin()->canRequest(targetURL) || (cachedScript && cachedScript->passesAccessControlCheck(*securityOrigin())))
</ins><span class="cx"> return false;
</span><span class="cx"> errorMessage = "Script error.";
</span><span class="cx"> sourceURL = String();
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlcanvasCanvasRenderingContextcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/canvas/CanvasRenderingContext.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/html/canvas/CanvasRenderingContext.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -64,7 +64,7 @@
</span><span class="cx"> if (!cachedImage->image()->hasSingleSecurityOrigin())
</span><span class="cx"> return true;
</span><span class="cx">
</span><del>- return wouldTaintOrigin(cachedImage->response().url()) && !cachedImage->passesAccessControlCheck(canvas()->securityOrigin());
</del><ins>+ return wouldTaintOrigin(cachedImage->responseForSameOriginPolicyChecks().url()) && !cachedImage->passesAccessControlCheck(*canvas()->securityOrigin());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool CanvasRenderingContext::wouldTaintOrigin(const HTMLVideoElement* video)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderImageLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ImageLoader.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ImageLoader.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/ImageLoader.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -285,10 +285,7 @@
</span><span class="cx"> if (!m_hasPendingLoadEvent)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (element().fastHasAttribute(HTMLNames::crossoriginAttr)
- && !element().document().securityOrigin()->canRequest(image()->response().url())
- && !resource->passesAccessControlCheck(element().document().securityOrigin())) {
-
</del><ins>+ if (element().fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesSameOriginPolicyCheck(*element().document().securityOrigin())) {
</ins><span class="cx"> clearImageWithoutConsideringPendingLoadEvent();
</span><span class="cx">
</span><span class="cx"> m_hasPendingErrorEvent = true;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderMediaResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/MediaResourceLoader.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -94,9 +94,7 @@
</span><span class="cx"> ASSERT_UNUSED(resource, resource == m_resource);
</span><span class="cx">
</span><span class="cx"> RefPtr<MediaResourceLoader> protect(this);
</span><del>- if (!m_crossOriginMode.isNull()
- && !m_document.securityOrigin()->canRequest(resource->response().url())
- && !resource->passesAccessControlCheck(m_document.securityOrigin())) {
</del><ins>+ if (!m_crossOriginMode.isNull() && !resource->passesSameOriginPolicyCheck(*m_document.securityOrigin())) {
</ins><span class="cx"> static NeverDestroyed<const String> consoleMessage("Cross-origin media resource load denied by Cross-Origin Resource Sharing policy.");
</span><span class="cx"> m_document.addConsoleMessage(MessageSource::Security, MessageLevel::Error, consoleMessage.get());
</span><span class="cx"> m_didPassAccessControlCheck = false;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderTextTrackLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/TextTrackLoader.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/TextTrackLoader.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/TextTrackLoader.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -125,12 +125,8 @@
</span><span class="cx"> ASSERT(m_resource == resource);
</span><span class="cx">
</span><span class="cx"> Document* document = downcast<Document>(m_scriptExecutionContext);
</span><del>- if (!m_crossOriginMode.isNull()
- && !document->securityOrigin()->canRequest(resource->response().url())
- && !resource->passesAccessControlCheck(document->securityOrigin())) {
-
</del><ins>+ if (!m_crossOriginMode.isNull() && !resource->passesSameOriginPolicyCheck(*document->securityOrigin()))
</ins><span class="cx"> corsPolicyPreventedLoad();
</span><del>- }
</del><span class="cx">
</span><span class="cx"> if (m_state != Failed) {
</span><span class="cx"> processNewCueData(resource);
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedImagecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedImage.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedImage.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/cache/CachedImage.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -510,9 +510,9 @@
</span><span class="cx"> {
</span><span class="cx"> if (!image()->hasSingleSecurityOrigin())
</span><span class="cx"> return false;
</span><del>- if (passesAccessControlCheck(securityOrigin))
</del><ins>+ if (passesAccessControlCheck(*securityOrigin))
</ins><span class="cx"> return true;
</span><del>- return !securityOrigin->taintsCanvas(response().url());
</del><ins>+ return !securityOrigin->taintsCanvas(responseForSameOriginPolicyChecks().url());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> CachedResource::RevalidationDecision CachedImage::makeRevalidationDecision(CachePolicy cachePolicy) const
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -333,12 +333,19 @@
</span><span class="cx"> m_status = Cached;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool CachedResource::passesAccessControlCheck(SecurityOrigin* securityOrigin)
</del><ins>+bool CachedResource::passesAccessControlCheck(SecurityOrigin& securityOrigin)
</ins><span class="cx"> {
</span><span class="cx"> String errorDescription;
</span><del>- return WebCore::passesAccessControlCheck(m_response, resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, securityOrigin, errorDescription);
</del><ins>+ return WebCore::passesAccessControlCheck(response(), resourceRequest().allowCookies() ? AllowStoredCredentials : DoNotAllowStoredCredentials, &securityOrigin, errorDescription);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+bool CachedResource::passesSameOriginPolicyCheck(SecurityOrigin& securityOrigin)
+{
+ if (securityOrigin.canRequest(responseForSameOriginPolicyChecks().url()))
+ return true;
+ return passesAccessControlCheck(securityOrigin);
+}
+
</ins><span class="cx"> bool CachedResource::isExpired() const
</span><span class="cx"> {
</span><span class="cx"> if (m_response.isNull())
</span><span class="lines">@@ -362,14 +369,24 @@
</span><span class="cx"> return computeFreshnessLifetimeForHTTPFamily(response, m_responseTimestamp);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void CachedResource::redirectReceived(ResourceRequest&, const ResourceResponse& response)
</del><ins>+void CachedResource::redirectReceived(ResourceRequest& request, const ResourceResponse& response)
</ins><span class="cx"> {
</span><span class="cx"> m_requestedFromNetworkingLayer = true;
</span><span class="cx"> if (response.isNull())
</span><span class="cx"> return;
</span><ins>+
+ // Redirect to data: URL uses the last HTTP response for SOP.
+ if (response.isHTTP() && request.url().protocolIsData())
+ m_redirectResponseForSameOriginPolicyChecks = response;
+
</ins><span class="cx"> updateRedirectChainStatus(m_redirectChainCacheStatus, response);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+const ResourceResponse& CachedResource::responseForSameOriginPolicyChecks() const
+{
+ return m_redirectResponseForSameOriginPolicyChecks.isNull() ? m_response : m_redirectResponseForSameOriginPolicyChecks;
+}
+
</ins><span class="cx"> void CachedResource::responseReceived(const ResourceResponse& response)
</span><span class="cx"> {
</span><span class="cx"> setResponse(response);
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResource.h (184433 => 184434)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResource.h 2015-05-16 07:52:22 UTC (rev 184433)
+++ trunk/Source/WebCore/loader/cache/CachedResource.h 2015-05-16 13:53:21 UTC (rev 184434)
</span><span class="lines">@@ -180,7 +180,8 @@
</span><span class="cx"> // Updates the expire date on the cache entry file
</span><span class="cx"> void finish();
</span><span class="cx">
</span><del>- bool passesAccessControlCheck(SecurityOrigin*);
</del><ins>+ bool passesAccessControlCheck(SecurityOrigin&);
+ bool passesSameOriginPolicyCheck(SecurityOrigin&);
</ins><span class="cx">
</span><span class="cx"> // Called by the cache if the object has been removed from the cache
</span><span class="cx"> // while still being referenced. This means the object should delete itself
</span><span class="lines">@@ -197,6 +198,8 @@
</span><span class="cx"> virtual void responseReceived(const ResourceResponse&);
</span><span class="cx"> void setResponse(const ResourceResponse& response) { m_response = response; }
</span><span class="cx"> const ResourceResponse& response() const { return m_response; }
</span><ins>+ // This is the same as response() except after HTTP redirect to data: URL.
+ const ResourceResponse& responseForSameOriginPolicyChecks() const;
</ins><span class="cx">
</span><span class="cx"> bool canDelete() const { return !hasClients() && !m_loader && !m_preloadCount && !m_handleCount && !m_resourceToRevalidate && !m_proxyResource; }
</span><span class="cx"> bool hasOneHandle() const { return m_handleCount == 1; }
</span><span class="lines">@@ -268,6 +271,7 @@
</span><span class="cx"> RefPtr<SubresourceLoader> m_loader;
</span><span class="cx"> ResourceLoaderOptions m_options;
</span><span class="cx"> ResourceResponse m_response;
</span><ins>+ ResourceResponse m_redirectResponseForSameOriginPolicyChecks;
</ins><span class="cx"> RefPtr<SharedBuffer> m_data;
</span><span class="cx"> DeferrableOneShotTimer m_decodedDataDeletionTimer;
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>