<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199418] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199418">199418</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-04-13 00:30:08 -0700 (Wed, 13 Apr 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/198395">r198395</a> - crossorigin element resource loading should check HTTP redirection
https://bugs.webkit.org/show_bug.cgi?id=130578
Reviewed by Daniel Bates and Brent Fulgham.
Source/WebCore:
Moved part of DocumentThreadableLoader redirection cross origin control code
into functions in CrossOriginAccessControl.cpp. Added cross origin control for
redirections in SubResourceLoader when policy is set to PotentiallyCrossOriginEnabled
using CrossOriginAccessControl.cpp new functions. Added a new test that checks that
cross-origin redirections are checked against CORS.
Test: http/tests/security/shape-image-cors-redirect.html
* loader/CrossOriginAccessControl.cpp:
(WebCore::isValidCrossOriginRedirectionURL): Returns true if the redirected URL is a valid URL for cross-origin requests.
(WebCore::cleanRedirectedRequestForAccessControl): Removes all headers added by the network backend that may cause the response CORS validation to fail.
* loader/CrossOriginAccessControl.h: Added above function prototypes.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Used new CORS redirection methods of CrossOriginAccessControl.cpp.
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::init): Initialize the SecurityOrigin to be used for loading the resource.
(WebCore::SubresourceLoader::willSendRequest): Added cross-origin redirection response check.
(WebCore::SubresourceLoader::checkCrossOriginAccessControl): Checks CORS and update request if needed. Returns true if control checks passed.
* loader/SubresourceLoader.h: Added checkCrossOriginAccessControl declaration and m_origin declaration.
LayoutTests:
shape-image-cors-redirect.html checks that cross-origin redirections are checked against CORS.
It also checks that same-origin redirections are not checked against CORS.
* http/tests/security/resources/redirect-allow-star.php: Added.
* http/tests/security/shape-image-cors-redirect-expected.html: Added.
* http/tests/security/shape-image-cors-redirect.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsTestExpectations">releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreloaderCrossOriginAccessControlcpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreloaderCrossOriginAccessControlh">releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreloaderDocumentThreadableLoadercpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreloaderSubresourceLoadercpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreloaderSubresourceLoaderh">releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityresourcesredirectallowstarphp">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/resources/redirect-allow-star.php</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging1expectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging1html">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging2expectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging2html">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging3expectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging3html">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging4expectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging4html">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirectexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecthtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -1,5 +1,19 @@
</span><span class="cx"> 2016-03-18 Youenn Fablet <youenn.fablet@crf.canon.fr>
</span><span class="cx">
</span><ins>+ crossorigin element resource loading should check HTTP redirection
+ https://bugs.webkit.org/show_bug.cgi?id=130578
+
+ Reviewed by Daniel Bates and Brent Fulgham.
+
+ shape-image-cors-redirect.html checks that cross-origin redirections are checked against CORS.
+ It also checks that same-origin redirections are not checked against CORS.
+
+ * http/tests/security/resources/redirect-allow-star.php: Added.
+ * http/tests/security/shape-image-cors-redirect-expected.html: Added.
+ * http/tests/security/shape-image-cors-redirect.html: Added.
+
+2016-03-18 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
</ins><span class="cx"> Move IndexedDB regular test to web-platform-tests
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=155581
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -800,6 +800,11 @@
</span><span class="cx">
</span><span class="cx"> webkit.org/b/52185 fast/css/vertical-align-baseline-rowspan-010.html [ ImageOnlyFailure ]
</span><span class="cx">
</span><ins>+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-1.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-2.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-3.html [ Pass Failure ]
+webkit.org/b/155634 http/tests/security/shape-image-cors-redirect-error-message-logging-4.html [ Pass Failure ]
+
</ins><span class="cx"> # Content Security Policy failures
</span><span class="cx"> webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityresourcesredirectallowstarphp"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/resources/redirect-allow-star.php (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/resources/redirect-allow-star.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/resources/redirect-allow-star.php 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<?php
+ $url = $_GET["url"];
+
+ $code = isset($_GET["code"]) ? $_GET["code"] : 302;
+
+ header("HTTP/1.1 $code");
+ header("Location: $url");
+ header("Access-Control-Allow-Origin: *");
+
+ # Workaround for https://bugs.webkit.org/show_bug.cgi?id=77538
+ # Caching redirects results in flakiness in tests that dump loader delegates.
+ header("Cache-Control: no-store");
+?>
</ins><span class="cx">Property changes on: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/resources/redirect-allow-star.php
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging1expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8000/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse.
+Verify the error message in console in case of CORS failing checks.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging1html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<title>Triggering message logging in case of failing CORS check</title>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ /* Not OK Tests: image resource loading should fail */
+ /* Cross-origin request is not OK because the HTTP header "Access-Control-Allow-Origin:" header is not returned for the final resource when the redirection was initiated from the same origin as the page. */
+ #notok-shape-outside-same-origin-redirection-disallow-url {
+ float: left;
+ width: 200px;
+ height: 20px;
+ -webkit-shape-outside: url("/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse");
+ }
+</style>
+</head>
+<body>
+ <p>Verify the error message in console in case of CORS failing checks.</p>
+ <div id="notok-shape-outside-same-origin-redirection-disallow-url"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging2expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8080/security/resources/redirect-allow-star.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse.
+Verify the error message in console in case of CORS failing checks.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging2html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<title>Triggering message logging in case of failing CORS check</title>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ /* Cross-origin request is not OK because a "Access-Control-Allow-Origin:" header is not returned for the final resource. */
+ #notok-shape-outside-allow-redirection-disallow-url {
+ float: left;
+ width: 200px;
+ height: 20px;
+ -webkit-shape-outside: url("http://localhost:8080/security/resources/redirect-allow-star.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse");
+ }
+</style>
+</head>
+<body>
+ <p>Verify the error message in console in case of CORS failing checks.</p>
+ <div id="notok-shape-outside-allow-redirection-disallow-url"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging3expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+Verify the error message in console in case of CORS failing checks.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging3html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<title>Triggering message logging in case of failing CORS check</title>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ /* Cross-origin request is not OK because the "Access-Control-Allow-Origin: *" is not returned for the redirection */
+ #notok-shape-outside-disallow-redirection-allow-url {
+ float: left;
+ width: 200px;
+ height: 20px;
+ -webkit-shape-outside: url("http://localhost:8080/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dtrue");
+ }
+
+</style>
+</head>
+<body>
+ <p>Verify the error message in console in case of CORS failing checks.</p>
+ <div id="notok-shape-outside-disallow-redirection-allow-url"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging4expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Cross-origin redirection denied by Cross-Origin Resource Sharing policy: Redirected to either a non-HTTP URL or a URL that contains credentials.
+Verify the error message in console in case of CORS failing checks.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecterrormessagelogging4html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<title>Triggering message logging in case of failing CORS check</title>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+ /* Cross-origin request is not OK because redirection URL is not a http URL */
+ #notok-shape-outside-disallow-redirection-not-http-url {
+ float: left;
+ width: 200px;
+ height: 20px;
+ -webkit-shape-outside: url("http://localhost:8080/security/resources/redirect-allow-star.php?url=mailto%3A%2F%2Fuser%40example.com");
+ }
+</style>
+</head>
+<body>
+ <p>Verify the error message in console in case of CORS failing checks.</p>
+ <div id="notok-shape-outside-disallow-redirection-not-http-url"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirectexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,52 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+ #clear-left {
+ clear: left;
+ font: 20px/1 Ahem, sans-serif;
+ color: green;
+ }
+
+ #clear-left > div {
+ float: left;
+ height: 20px;
+ }
+
+ /* OK Tests: image resource loading should succeed */
+ #ok-shape-outside-allow-url {
+ width: 100px;
+ }
+
+ #ok-shape-outside-same-origin-redirection-allow-url {
+ width: 100px;
+ }
+
+ #ok-shape-outside-allow-redirection-allow-url {
+ width: 100px;
+ }
+
+ /* Not OK Tests: image resource loading should fail */
+ #notok-shape-outside-same-origin-redirection-disallow-url {
+ width: 200px;
+ }
+
+ #notok-shape-outside-allow-redirection-disallow-url {
+ width: 200px;
+ }
+
+ #notok-shape-outside-disallow-redirection-allow-url {
+ width: 200px;
+ }
+</style>
+</head>
+<body>
+ <p>Verify that images not allowed by CORS don't affect the layout and that images (and any redirection) with a "Access-Control-Allow-Origin: *" header do define the layout.</p>
+ <div id="clear-left"><div id="ok-shape-outside-allow-url"></div>X</div>
+ <div id="clear-left"><div id="ok-shape-outside-same-origin-redirection-allow-url"></div>X</div>
+ <div id="clear-left"><div id="ok-shape-outside-allow-redirection-allow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-same-origin-redirection-disallow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-allow-redirection-disallow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-disallow-redirection-allow-url"></div>X</div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecurityshapeimagecorsredirecthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect.html (0 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/shape-image-cors-redirect.html 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -0,0 +1,59 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+ #clear-left {
+ clear: left;
+ font: 20px/1 Ahem, sans-serif;
+ color: green;
+ }
+
+ #clear-left > div {
+ float: left;
+ width: 200px;
+ height: 20px;
+ }
+
+ /* OK Tests: image resource loading should succeed */
+ /* Cross-origin request is OK because the "Access-Control-Allow-Origin: *" is returned for the resource (no redirection). */
+ #ok-shape-outside-allow-url {
+ -webkit-shape-outside: url("http://localhost:8080/security/resources/image-access-control.php?file=../../resources/square100.png&allow=true");
+ }
+
+ /* Cross-origin request is OK because the "Access-Control-Allow-Origin: *" is returned for the final resource and the redirection is same origin. */
+ #ok-shape-outside-same-origin-redirection-allow-url {
+ -webkit-shape-outside: url("/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dtrue");
+ }
+
+ /* Cross-origin request is OK because the "Access-Control-Allow-Origin: *" is returned for both redirection and final resource. */
+ #ok-shape-outside-allow-redirection-allow-url {
+ -webkit-shape-outside: url("http://localhost:8080/security/resources/redirect-allow-star.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dtrue");
+ }
+
+ /* Not OK Tests: image resource loading should fail */
+ /* Cross-origin request is not OK because the HTTP header "Access-Control-Allow-Origin:" header is not returned for the final resource when the redirection was initiated from the same origin as the page. */
+ #notok-shape-outside-same-origin-redirection-disallow-url {
+ -webkit-shape-outside: url("/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse");
+ }
+
+ /* Cross-origin request is not OK because a "Access-Control-Allow-Origin:" header is not returned for the final resource. */
+ #notok-shape-outside-allow-redirection-disallow-url {
+ -webkit-shape-outside: url("http://localhost:8080/security/resources/redirect-allow-star.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dfalse");
+ }
+
+ /* Cross-origin request is not OK because the "Access-Control-Allow-Origin: *" is not returned for the redirection */
+ #notok-shape-outside-disallow-redirection-allow-url {
+ -webkit-shape-outside: url("http://localhost:8080/resources/redirect.php?url=http%3A%2F%2Flocalhost%3A8080%2Fsecurity%2Fresources%2Fimage-access-control.php%3Ffile%3D..%2F..%2Fresources%2Fsquare100.png%26allow%3Dtrue");
+ }
+</style>
+</head>
+<body>
+ <p>Verify that images not allowed by CORS don't affect the layout and that images (and any redirection) with a "Access-Control-Allow-Origin: *" header do define the layout.</p>
+ <div id="clear-left"><div id="ok-shape-outside-allow-url"></div>X</div>
+ <div id="clear-left"><div id="ok-shape-outside-same-origin-redirection-allow-url"></div>X</div>
+ <div id="clear-left"><div id="ok-shape-outside-allow-redirection-allow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-same-origin-redirection-disallow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-allow-redirection-disallow-url"></div>X</div>
+ <div id="clear-left"><div id="notok-shape-outside-disallow-redirection-allow-url"></div>X</div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -1,3 +1,30 @@
</span><ins>+2016-03-18 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ crossorigin element resource loading should check HTTP redirection
+ https://bugs.webkit.org/show_bug.cgi?id=130578
+
+ Reviewed by Daniel Bates and Brent Fulgham.
+
+ Moved part of DocumentThreadableLoader redirection cross origin control code
+ into functions in CrossOriginAccessControl.cpp. Added cross origin control for
+ redirections in SubResourceLoader when policy is set to PotentiallyCrossOriginEnabled
+ using CrossOriginAccessControl.cpp new functions. Added a new test that checks that
+ cross-origin redirections are checked against CORS.
+
+ Test: http/tests/security/shape-image-cors-redirect.html
+
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::isValidCrossOriginRedirectionURL): Returns true if the redirected URL is a valid URL for cross-origin requests.
+ (WebCore::cleanRedirectedRequestForAccessControl): Removes all headers added by the network backend that may cause the response CORS validation to fail.
+ * loader/CrossOriginAccessControl.h: Added above function prototypes.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived): Used new CORS redirection methods of CrossOriginAccessControl.cpp.
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::init): Initialize the SecurityOrigin to be used for loading the resource.
+ (WebCore::SubresourceLoader::willSendRequest): Added cross-origin redirection response check.
+ (WebCore::SubresourceLoader::checkCrossOriginAccessControl): Checks CORS and update request if needed. Returns true if control checks passed.
+ * loader/SubresourceLoader.h: Added checkCrossOriginAccessControl declaration and m_origin declaration.
+
</ins><span class="cx"> 2016-03-17 Antti Koivisto <antti@apple.com>
</span><span class="cx">
</span><span class="cx"> Data URL DecodeTask may get deleted outside main thread
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreloaderCrossOriginAccessControlcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.cpp (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include "HTTPParsers.h"
</span><span class="cx"> #include "ResourceRequest.h"
</span><span class="cx"> #include "ResourceResponse.h"
</span><ins>+#include "SchemeRegistry.h"
</ins><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include <mutex>
</span><span class="cx"> #include <wtf/NeverDestroyed.h>
</span><span class="lines">@@ -133,6 +134,24 @@
</span><span class="cx"> return preflightRequest;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool isValidCrossOriginRedirectionURL(const URL& redirectURL)
+{
+ return SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(redirectURL.protocol())
+ && redirectURL.user().isEmpty()
+ && redirectURL.pass().isEmpty();
+}
+
+void cleanRedirectedRequestForAccessControl(ResourceRequest& request)
+{
+ // Remove headers that may have been added by the network layer that cause access control to fail.
+ request.clearHTTPContentType();
+ request.clearHTTPReferrer();
+ request.clearHTTPOrigin();
+ request.clearHTTPUserAgent();
+ request.clearHTTPAccept();
+ request.clearHTTPAcceptEncoding();
+}
+
</ins><span class="cx"> bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentials includeCredentials, SecurityOrigin* securityOrigin, String& errorDescription)
</span><span class="cx"> {
</span><span class="cx"> // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreloaderCrossOriginAccessControlh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.h (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.h 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/CrossOriginAccessControl.h 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> class ResourceRequest;
</span><span class="cx"> class ResourceResponse;
</span><span class="cx"> class SecurityOrigin;
</span><ins>+class URL;
</ins><span class="cx">
</span><span class="cx"> bool isSimpleCrossOriginAccessRequest(const String& method, const HTTPHeaderMap&);
</span><span class="cx"> bool isOnAccessControlSimpleRequestMethodWhitelist(const String&);
</span><span class="lines">@@ -50,6 +51,9 @@
</span><span class="cx"> void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, StoredCredentials);
</span><span class="cx"> ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*);
</span><span class="cx">
</span><ins>+bool isValidCrossOriginRedirectionURL(const URL&);
+void cleanRedirectedRequestForAccessControl(ResourceRequest&);
+
</ins><span class="cx"> bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
</span><span class="cx"> void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/DocumentThreadableLoader.cpp (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -208,9 +208,7 @@
</span><span class="cx"> bool allowRedirect = false;
</span><span class="cx"> if (m_simpleRequest) {
</span><span class="cx"> String accessControlErrorDescription;
</span><del>- allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
- && request.url().user().isEmpty()
- && request.url().pass().isEmpty()
</del><ins>+ allowRedirect = isValidCrossOriginRedirectionURL(request.url())
</ins><span class="cx"> && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription));
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -233,13 +231,8 @@
</span><span class="cx"> if (m_options.credentialRequest() == ClientDidNotRequestCredentials)
</span><span class="cx"> m_options.setAllowCredentials(DoNotAllowStoredCredentials);
</span><span class="cx">
</span><del>- // Remove any headers that may have been added by the network layer that cause access control to fail.
- request.clearHTTPContentType();
- request.clearHTTPReferrer();
- request.clearHTTPOrigin();
- request.clearHTTPUserAgent();
- request.clearHTTPAccept();
- request.clearHTTPAcceptEncoding();
</del><ins>+ cleanRedirectedRequestForAccessControl(request);
+
</ins><span class="cx"> makeCrossOriginAccessRequest(request);
</span><span class="cx"> return;
</span><span class="cx"> }
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreloaderSubresourceLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.cpp (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.cpp 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.cpp 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> #include "SubresourceLoader.h"
</span><span class="cx">
</span><span class="cx"> #include "CachedResourceLoader.h"
</span><ins>+#include "CrossOriginAccessControl.h"
</ins><span class="cx"> #include "DiagnosticLoggingClient.h"
</span><span class="cx"> #include "DiagnosticLoggingKeys.h"
</span><span class="cx"> #include "Document.h"
</span><span class="lines">@@ -146,6 +147,13 @@
</span><span class="cx"> ASSERT(!reachedTerminalState());
</span><span class="cx"> m_state = Initialized;
</span><span class="cx"> m_documentLoader->addSubresourceLoader(this);
</span><ins>+
+ // FIXME: https://bugs.webkit.org/show_bug.cgi?id=155633.
+ // SubresourceLoader could use the document origin as a default and set PotentiallyCrossOriginEnabled requests accordingly.
+ // This would simplify resource loader users as they would only need to set the policy to PotentiallyCrossOriginEnabled.
+ if (options().requestOriginPolicy() == PotentiallyCrossOriginEnabled)
+ m_origin = SecurityOrigin::createFromString(request.httpOrigin());
+
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -182,6 +190,12 @@
</span><span class="cx"> cancel();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+
+ if (options().requestOriginPolicy() == PotentiallyCrossOriginEnabled && !checkCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
+ cancel();
+ return;
+ }
+
</ins><span class="cx"> if (m_resource->isImage() && m_documentLoader->cachedResourceLoader().shouldDeferImageLoad(newRequest.url())) {
</span><span class="cx"> cancel();
</span><span class="cx"> return;
</span><span class="lines">@@ -370,6 +384,31 @@
</span><span class="cx"> frame->mainFrame().diagnosticLoggingClient().logDiagnosticMessageWithValue(DiagnosticLoggingKeys::resourceKey(), DiagnosticLoggingKeys::loadedKey(), resourceType, ShouldSample::Yes);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool SubresourceLoader::checkCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
+{
+ if (m_origin->canRequest(newRequest.url()))
+ return true;
+
+ String errorDescription;
+ bool responsePassesCORS = m_origin->canRequest(previousRequest.url())
+ || passesAccessControlCheck(redirectResponse, options().allowCredentials(), m_origin.get(), errorDescription);
+ if (!responsePassesCORS || !isValidCrossOriginRedirectionURL(newRequest.url())) {
+ if (m_frame && m_frame->document()) {
+ String errorMessage = "Cross-origin redirection denied by Cross-Origin Resource Sharing policy: " +
+ (!responsePassesCORS ? errorDescription : "Redirected to either a non-HTTP URL or a URL that contains credentials.");
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
+ }
+ return false;
+ }
+
+ // If the request URL origin is not the same as the original origin, the request origin should be set to a globally unique identifier.
+ m_origin = SecurityOrigin::createUnique();
+ cleanRedirectedRequestForAccessControl(newRequest);
+ updateRequestForAccessControl(newRequest, m_origin.get(), options().allowCredentials());
+
+ return true;
+}
+
</ins><span class="cx"> void SubresourceLoader::didFinishLoading(double finishTime)
</span><span class="cx"> {
</span><span class="cx"> if (m_state != Initialized)
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreloaderSubresourceLoaderh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.h (199417 => 199418)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.h 2016-04-13 07:25:27 UTC (rev 199417)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/SubresourceLoader.h 2016-04-13 07:30:08 UTC (rev 199418)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx"> class CachedResourceLoader;
</span><span class="cx"> class Document;
</span><span class="cx"> class ResourceRequest;
</span><ins>+class SecurityOrigin;
</ins><span class="cx">
</span><span class="cx"> class SubresourceLoader final : public ResourceLoader {
</span><span class="cx"> public:
</span><span class="lines">@@ -91,6 +92,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> bool checkForHTTPStatusCodeError();
</span><ins>+ bool checkCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
</ins><span class="cx">
</span><span class="cx"> void didReceiveDataOrBuffer(const char*, int, PassRefPtr<SharedBuffer>, long long encodedDataLength, DataPayloadType);
</span><span class="cx">
</span><span class="lines">@@ -124,6 +126,7 @@
</span><span class="cx"> bool m_loadingMultipartContent;
</span><span class="cx"> SubresourceLoaderState m_state;
</span><span class="cx"> std::unique_ptr<RequestCountTracker> m_requestCountTracker;
</span><ins>+ RefPtr<SecurityOrigin> m_origin;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>