<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[206203] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/206203">206203</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-09-21 01:43:23 -0700 (Wed, 21 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Refactor CachedResourceLoader::canRequest
https://bugs.webkit.org/show_bug.cgi?id=162144
Patch by Youenn Fablet <youenn@apple.com> on 2016-09-21
Reviewed by Darin Adler.
Covered by existing tests.
Simplifying CachedResourceLoader::canRequest by doing:
- CSP checks in another method
- Removing Same-Origin type-specific checks by setting FetchOptions::Mode appropriately in resource loader clients
- Moving script specific check in ScriptElement
Note that the last check may affect the loading behavior in the case scripts are enabled when starting the load
of a script, but gets disabled before receiving a redirection for the script load.
* dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::checkStyleSheet): Setting XSLT stylesheet fetch mode to SameOrigin.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScriptWithCache): Returning early if scripts are disabled.
* loader/CrossOriginPreflightChecker.cpp:
(WebCore::CrossOriginPreflightChecker::startPreflight): Bypassing CSP checks.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Bypassing CSP checks as CachedResourceLoader was not
checking them for MainResource.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest): Ditto.
* loader/LinkLoader.cpp:
(WebCore::LinkLoader::preloadIfNeeded): Using new CachedResourceRequest constructor to enable moving the ResourceRequest.
(WebCore::LinkLoader::loadLink): Skipping CSP checks for link prefetch/subresources as CachedResourceLoader was
not checking them for Link Prefetch and Subresource types.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::allowedByContentSecurityPolicy): Helper routine to check for CSP.
(WebCore::CachedResourceLoader::canRequest): Making use of introduced helper routine.
Simplified same origin check as all requests should have their options set.
* loader/cache/CachedResourceLoader.h:
* loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::CachedResourceRequest): More efficient constructor.
* loader/cache/CachedResourceRequest.h:
* loader/cache/CachedSVGDocumentReference.cpp:
(WebCore::CachedSVGDocumentReference::load): Setting fetch mode to SameOrigin.
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::updateExternalDocument): Ditto.
* xml/XSLImportRule.cpp:
(WebCore::XSLImportRule::loadSheet): Ditto.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomProcessingInstructioncpp">trunk/Source/WebCore/dom/ProcessingInstruction.cpp</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderCrossOriginPreflightCheckercpp">trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderLinkLoadercpp">trunk/Source/WebCore/loader/LinkLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoaderh">trunk/Source/WebCore/loader/cache/CachedResourceLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceRequestcpp">trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceRequesth">trunk/Source/WebCore/loader/cache/CachedResourceRequest.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedSVGDocumentReferencecpp">trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp</a></li>
<li><a href="#trunkSourceWebCoresvgSVGUseElementcpp">trunk/Source/WebCore/svg/SVGUseElement.cpp</a></li>
<li><a href="#trunkSourceWebCorexmlXSLImportRulecpp">trunk/Source/WebCore/xml/XSLImportRule.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/ChangeLog 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -1,3 +1,50 @@
</span><ins>+2016-09-21 Youenn Fablet <youenn@apple.com>
+
+ Refactor CachedResourceLoader::canRequest
+ https://bugs.webkit.org/show_bug.cgi?id=162144
+
+ Reviewed by Darin Adler.
+
+ Covered by existing tests.
+
+ Simplifying CachedResourceLoader::canRequest by doing:
+ - CSP checks in another method
+ - Removing Same-Origin type-specific checks by setting FetchOptions::Mode appropriately in resource loader clients
+ - Moving script specific check in ScriptElement
+
+ Note that the last check may affect the loading behavior in the case scripts are enabled when starting the load
+ of a script, but gets disabled before receiving a redirection for the script load.
+
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::checkStyleSheet): Setting XSLT stylesheet fetch mode to SameOrigin.
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestScriptWithCache): Returning early if scripts are disabled.
+ * loader/CrossOriginPreflightChecker.cpp:
+ (WebCore::CrossOriginPreflightChecker::startPreflight): Bypassing CSP checks.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::startLoadingMainResource): Bypassing CSP checks as CachedResourceLoader was not
+ checking them for MainResource.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::loadRequest): Ditto.
+ * loader/LinkLoader.cpp:
+ (WebCore::LinkLoader::preloadIfNeeded): Using new CachedResourceRequest constructor to enable moving the ResourceRequest.
+ (WebCore::LinkLoader::loadLink): Skipping CSP checks for link prefetch/subresources as CachedResourceLoader was
+ not checking them for Link Prefetch and Subresource types.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy): Helper routine to check for CSP.
+ (WebCore::CachedResourceLoader::canRequest): Making use of introduced helper routine.
+ Simplified same origin check as all requests should have their options set.
+ * loader/cache/CachedResourceLoader.h:
+ * loader/cache/CachedResourceRequest.cpp:
+ (WebCore::CachedResourceRequest::CachedResourceRequest): More efficient constructor.
+ * loader/cache/CachedResourceRequest.h:
+ * loader/cache/CachedSVGDocumentReference.cpp:
+ (WebCore::CachedSVGDocumentReference::load): Setting fetch mode to SameOrigin.
+ * svg/SVGUseElement.cpp:
+ (WebCore::SVGUseElement::updateExternalDocument): Ditto.
+ * xml/XSLImportRule.cpp:
+ (WebCore::XSLImportRule::loadSheet): Ditto.
+
</ins><span class="cx"> 2016-09-21 Miguel Gomez <magomez@igalia.com>
</span><span class="cx">
</span><span class="cx"> Build fails with GSTREAMER_GL when both desktop GL and GLES2 are enabled in gst-plugins-bad
</span></span></pre></div>
<a id="trunkSourceWebCoredomProcessingInstructioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ProcessingInstruction.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/dom/ProcessingInstruction.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -137,13 +137,15 @@
</span><span class="cx"> m_loading = true;
</span><span class="cx"> document().authorStyleSheets().addPendingSheet();
</span><span class="cx">
</span><del>- CachedResourceRequest request(ResourceRequest(document().completeURL(href)));
</del><span class="cx"> #if ENABLE(XSLT)
</span><del>- if (m_isXSL)
- m_cachedSheet = document().cachedResourceLoader().requestXSLStyleSheet(WTFMove(request));
- else
</del><ins>+ if (m_isXSL) {
+ auto options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.mode = FetchOptions::Mode::SameOrigin;
+ m_cachedSheet = document().cachedResourceLoader().requestXSLStyleSheet({ResourceRequest(document().completeURL(href)), options});
+ } else
</ins><span class="cx"> #endif
</span><span class="cx"> {
</span><ins>+ CachedResourceRequest request(ResourceRequest(document().completeURL(href)));
</ins><span class="cx"> String charset = attrs.get("charset");
</span><span class="cx"> if (charset.isEmpty())
</span><span class="cx"> charset = document().charset();
</span></span></pre></div>
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -281,19 +281,25 @@
</span><span class="cx">
</span><span class="cx"> CachedResourceHandle<CachedScript> ScriptElement::requestScriptWithCache(const URL& sourceURL, const String& nonceAttribute)
</span><span class="cx"> {
</span><del>- bool hasKnownNonce = m_element.document().contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());
</del><ins>+ Document& document = m_element.document();
+ auto* settings = document.settings();
+ if (settings && !settings->isScriptEnabled())
+ return nullptr;
+
+ ASSERT(document.contentSecurityPolicy());
+ bool hasKnownNonce = document.contentSecurityPolicy()->allowScriptWithNonce(nonceAttribute, m_element.isInUserAgentShadowTree());
</ins><span class="cx"> ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
</span><span class="cx"> options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
</span><span class="cx">
</span><span class="cx"> CachedResourceRequest request(ResourceRequest(sourceURL), options);
</span><del>- request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), m_element.document());
</del><ins>+ request.setAsPotentiallyCrossOrigin(m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr), document);
</ins><span class="cx">
</span><del>- m_element.document().contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
</del><ins>+ document.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
</ins><span class="cx">
</span><span class="cx"> request.setCharset(scriptCharset());
</span><span class="cx"> request.setInitiator(&element());
</span><span class="cx">
</span><del>- return m_element.document().cachedResourceLoader().requestScript(WTFMove(request));
</del><ins>+ return document.cachedResourceLoader().requestScript(WTFMove(request));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderCrossOriginPreflightCheckercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -103,6 +103,7 @@
</span><span class="cx"> ResourceLoaderOptions options;
</span><span class="cx"> options.referrerPolicy = m_loader.options().referrerPolicy;
</span><span class="cx"> options.redirect = FetchOptions::Redirect::Manual;
</span><ins>+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
</ins><span class="cx">
</span><span class="cx"> CachedResourceRequest preflightRequest(createAccessControlPreflightRequest(m_request, m_loader.securityOrigin()), options);
</span><span class="cx"> if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -1518,7 +1518,7 @@
</span><span class="cx">
</span><span class="cx"> RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Starting load (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());
</span><span class="cx">
</span><del>- static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, SkipSecurityCheck, FetchOptions::Mode::NoCors, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching);
</del><ins>+ static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, SkipSecurityCheck, FetchOptions::Mode::NoCors, IncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching);
</ins><span class="cx"> m_mainResource = m_cachedResourceLoader->requestMainResource(CachedResourceRequest(ResourceRequest(request), mainResourceLoadOptions));
</span><span class="cx">
</span><span class="cx"> #if ENABLE(CONTENT_EXTENSIONS)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -363,8 +363,9 @@
</span><span class="cx"> request.setHTTPReferrer(m_referrer);
</span><span class="cx">
</span><span class="cx"> if (m_async) {
</span><del>- ThreadableLoaderOptions options = m_options;
</del><ins>+ ResourceLoaderOptions options = m_options;
</ins><span class="cx"> options.clientCredentialPolicy = m_sameOriginRequest ? ClientCredentialPolicy::MayAskClientForCredentials : ClientCredentialPolicy::CannotAskClientForCredentials;
</span><ins>+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
</ins><span class="cx">
</span><span class="cx"> CachedResourceRequest newRequest(WTFMove(request), options);
</span><span class="cx"> if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderLinkLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/LinkLoader.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/LinkLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/LinkLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -158,7 +158,7 @@
</span><span class="cx">
</span><span class="cx"> ResourceRequest resourceRequest(document.completeURL(href));
</span><span class="cx"> resourceRequest.setIgnoreForRequestCount(true);
</span><del>- CachedResourceRequest linkRequest(resourceRequest, CachedResource::defaultPriorityForResourceType(type.value()));
</del><ins>+ CachedResourceRequest linkRequest(WTFMove(resourceRequest), CachedResourceLoader::defaultCachedResourceOptions(), CachedResource::defaultPriorityForResourceType(type.value()));
</ins><span class="cx"> linkRequest.setInitiator("link");
</span><span class="cx">
</span><span class="cx"> linkRequest.setAsPotentiallyCrossOrigin(crossOriginMode, document);
</span><span class="lines">@@ -200,7 +200,9 @@
</span><span class="cx"> m_cachedLinkResource->removeClient(this);
</span><span class="cx"> m_cachedLinkResource = nullptr;
</span><span class="cx"> }
</span><del>- m_cachedLinkResource = document.cachedResourceLoader().requestLinkResource(type, CachedResourceRequest(ResourceRequest(document.completeURL(href)), priority));
</del><ins>+ ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
+ m_cachedLinkResource = document.cachedResourceLoader().requestLinkResource(type, CachedResourceRequest(ResourceRequest(document.completeURL(href)), options, priority));
</ins><span class="cx"> if (m_cachedLinkResource)
</span><span class="cx"> m_cachedLinkResource->addClient(this);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -384,100 +384,73 @@
</span><span class="cx"> return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
</del><ins>+bool CachedResourceLoader::allowedByContentSecurityPolicy(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse)
</ins><span class="cx"> {
</span><del>- if (document() && !document()->securityOrigin()->canDisplay(url)) {
- if (!forPreload)
- FrameLoader::reportLocalLoadFailed(frame(), url.stringCenterEllipsizedToLength());
- LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
- return false;
- }
</del><ins>+ if (options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck)
+ return true;
</ins><span class="cx">
</span><del>- bool skipContentSecurityPolicyCheck = options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck;
- ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
</del><ins>+ ASSERT(m_document);
+ ASSERT(m_document->contentSecurityPolicy());
</ins><span class="cx">
</span><del>- // Some types of resources can be loaded only from the same origin. Other types of resources, like Images, Scripts, and CSS, can be loaded from any URL.
- // FIXME: We should remove that check and handle it by setting the correct ResourceLoaderOptions::mode.
- switch (type) {
- case CachedResource::MainResource:
- case CachedResource::ImageResource:
- case CachedResource::CSSStyleSheet:
- case CachedResource::Script:
-#if ENABLE(SVG_FONTS)
- case CachedResource::SVGFontResource:
-#endif
- case CachedResource::MediaResource:
- case CachedResource::FontResource:
- case CachedResource::RawResource:
-#if ENABLE(LINK_PREFETCH)
- case CachedResource::LinkPrefetch:
- case CachedResource::LinkSubresource:
-#endif
-#if ENABLE(VIDEO_TRACK)
- case CachedResource::TextTrackResource:
-#endif
- if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) &&!m_document->securityOrigin()->canRequest(url)) {
- printAccessDeniedMessage(url);
- return false;
- }
- break;
- case CachedResource::SVGDocumentResource:
-#if ENABLE(XSLT)
- case CachedResource::XSLStyleSheet:
- if (!m_document->securityOrigin()->canRequest(url)) {
- printAccessDeniedMessage(url);
- return false;
- }
-#endif
- break;
- }
</del><ins>+ auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
</ins><span class="cx">
</span><span class="cx"> switch (type) {
</span><span class="cx"> #if ENABLE(XSLT)
</span><span class="cx"> case CachedResource::XSLStyleSheet:
</span><del>- if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
- return false;
- break;
</del><span class="cx"> #endif
</span><span class="cx"> case CachedResource::Script:
</span><del>- if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</del><ins>+ if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, false, redirectResponseReceived))
</ins><span class="cx"> return false;
</span><del>- if (frame() && !frame()->settings().isScriptEnabled())
- return false;
</del><span class="cx"> break;
</span><span class="cx"> case CachedResource::CSSStyleSheet:
</span><del>- if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</del><ins>+ if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, false, redirectResponseReceived))
</ins><span class="cx"> return false;
</span><span class="cx"> break;
</span><span class="cx"> case CachedResource::SVGDocumentResource:
</span><span class="cx"> case CachedResource::ImageResource:
</span><del>- if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</del><ins>+ if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, false, redirectResponseReceived))
</ins><span class="cx"> return false;
</span><span class="cx"> break;
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="cx"> case CachedResource::SVGFontResource:
</span><span class="cx"> #endif
</span><del>- case CachedResource::FontResource: {
- if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</del><ins>+ case CachedResource::FontResource:
+ if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, false, redirectResponseReceived))
</ins><span class="cx"> return false;
</span><span class="cx"> break;
</span><del>- }
- case CachedResource::MainResource:
- case CachedResource::RawResource:
-#if ENABLE(LINK_PREFETCH)
- case CachedResource::LinkPrefetch:
- case CachedResource::LinkSubresource:
-#endif
- break;
</del><span class="cx"> case CachedResource::MediaResource:
</span><span class="cx"> #if ENABLE(VIDEO_TRACK)
</span><span class="cx"> case CachedResource::TextTrackResource:
</span><span class="cx"> #endif
</span><del>- if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</del><ins>+ if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, false, redirectResponseReceived))
</ins><span class="cx"> return false;
</span><span class="cx"> break;
</span><ins>+ case CachedResource::RawResource:
+ return true;
+ default:
+ ASSERT_NOT_REACHED();
</ins><span class="cx"> }
</span><ins>+ return true;
+}
</ins><span class="cx">
</span><ins>+bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
+{
+ if (document() && !document()->securityOrigin()->canDisplay(url)) {
+ if (!forPreload)
+ FrameLoader::reportLocalLoadFailed(frame(), url.stringCenterEllipsizedToLength());
+ LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
+ return false;
+ }
+
+ // FIXME: Remove same-origin data URL flag since it was removed from fetch spec (see https://github.com/whatwg/fetch/issues/381).
+ if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) && !m_document->securityOrigin()->canRequest(url)) {
+ printAccessDeniedMessage(url);
+ return false;
+ }
+
+ if (!allowedByContentSecurityPolicy(type, url, options, didReceiveRedirectResponse))
+ return false;
+
</ins><span class="cx"> // SVG Images have unique security rules that prevent all subresource requests except for data urls.
</span><span class="cx"> if (type != CachedResource::MainResource && frame() && frame()->page()) {
</span><span class="cx"> if (frame()->page()->chrome().client().isSVGImageChromeClient() && !url.protocolIsData())
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -163,6 +163,7 @@
</span><span class="cx">
</span><span class="cx"> bool shouldContinueAfterNotifyingLoadedFromMemoryCache(const CachedResourceRequest&, CachedResource*);
</span><span class="cx"> bool checkInsecureContent(CachedResource::Type, const URL&) const;
</span><ins>+ bool allowedByContentSecurityPolicy(CachedResource::Type, const URL&, const ResourceLoaderOptions&, bool);
</ins><span class="cx">
</span><span class="cx"> void performPostLoadActions();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -44,17 +44,9 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-CachedResourceRequest::CachedResourceRequest(ResourceRequest&& resourceRequest, const ResourceLoaderOptions& options)
</del><ins>+CachedResourceRequest::CachedResourceRequest(ResourceRequest&& resourceRequest, const ResourceLoaderOptions& options, Optional<ResourceLoadPriority> priority)
</ins><span class="cx"> : m_resourceRequest(WTFMove(resourceRequest))
</span><span class="cx"> , m_options(options)
</span><del>- , m_forPreload(false)
- , m_defer(NoDefer)
-{
-}
-
-CachedResourceRequest::CachedResourceRequest(const ResourceRequest& resourceRequest, Optional<ResourceLoadPriority> priority)
- : m_resourceRequest(resourceRequest)
- , m_options(CachedResourceLoader::defaultCachedResourceOptions())
</del><span class="cx"> , m_priority(priority)
</span><span class="cx"> , m_forPreload(false)
</span><span class="cx"> , m_defer(NoDefer)
</span><span class="lines">@@ -61,10 +53,6 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-CachedResourceRequest::~CachedResourceRequest()
-{
-}
-
</del><span class="cx"> void CachedResourceRequest::setInitiator(PassRefPtr<Element> element)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_initiatorElement && m_initiatorName.isEmpty());
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceRequesth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.h (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -42,9 +42,7 @@
</span><span class="cx"> enum DeferOption { NoDefer, DeferredByClient };
</span><span class="cx">
</span><span class="cx"> explicit CachedResourceRequest(const ResourceRequest&, const String& charset = String(), Optional<ResourceLoadPriority> = Nullopt);
</span><del>- CachedResourceRequest(ResourceRequest&&, const ResourceLoaderOptions&);
- CachedResourceRequest(const ResourceRequest&, Optional<ResourceLoadPriority>);
- ~CachedResourceRequest();
</del><ins>+ CachedResourceRequest(ResourceRequest&&, const ResourceLoaderOptions&, Optional<ResourceLoadPriority> = Nullopt);
</ins><span class="cx">
</span><span class="cx"> ResourceRequest& mutableResourceRequest() { return m_resourceRequest; }
</span><span class="cx"> const ResourceRequest& resourceRequest() const { return m_resourceRequest; }
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedSVGDocumentReferencecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/loader/cache/CachedSVGDocumentReference.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -52,7 +52,9 @@
</span><span class="cx"> if (m_loadRequested)
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- CachedResourceRequest request(ResourceRequest(loader.document()->completeURL(m_url)), options);
</del><ins>+ auto fetchOptions = options;
+ fetchOptions.mode = FetchOptions::Mode::SameOrigin;
+ CachedResourceRequest request(ResourceRequest(loader.document()->completeURL(m_url)), fetchOptions);
</ins><span class="cx"> request.setInitiator(cachedResourceRequestInitiators().css);
</span><span class="cx"> m_document = loader.requestSVGDocument(WTFMove(request));
</span><span class="cx"> if (m_document)
</span></span></pre></div>
<a id="trunkSourceWebCoresvgSVGUseElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/svg/SVGUseElement.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -570,7 +570,7 @@
</span><span class="cx"> else {
</span><span class="cx"> ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
</span><span class="cx"> options.contentSecurityPolicyImposition = isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
</span><del>-
</del><ins>+ options.mode = FetchOptions::Mode::SameOrigin;
</ins><span class="cx"> CachedResourceRequest request { ResourceRequest { externalDocumentURL }, options };
</span><span class="cx"> request.setInitiator(this);
</span><span class="cx"> m_externalDocument = document().cachedResourceLoader().requestSVGDocument(WTFMove(request));
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXSLImportRulecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XSLImportRule.cpp (206202 => 206203)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XSLImportRule.cpp 2016-09-21 07:48:32 UTC (rev 206202)
+++ trunk/Source/WebCore/xml/XSLImportRule.cpp 2016-09-21 08:43:23 UTC (rev 206203)
</span><span class="lines">@@ -100,8 +100,11 @@
</span><span class="cx">
</span><span class="cx"> if (m_cachedSheet)
</span><span class="cx"> m_cachedSheet->removeClient(this);
</span><del>- m_cachedSheet = cachedResourceLoader->requestXSLStyleSheet(CachedResourceRequest(ResourceRequest(cachedResourceLoader->document()->completeURL(absHref))));
</del><span class="cx">
</span><ins>+ auto options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.mode = FetchOptions::Mode::SameOrigin;
+ m_cachedSheet = cachedResourceLoader->requestXSLStyleSheet({ResourceRequest(cachedResourceLoader->document()->completeURL(absHref)), options});
+
</ins><span class="cx"> if (m_cachedSheet) {
</span><span class="cx"> m_cachedSheet->addClient(this);
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>