Changeset 285823 in webkit

Timestamp:

Nov 15, 2021 12:21:10 PM (8 months ago)

Author:

Chris Dumez

Message:

Cross-Origin-Embedder-Policy: require-corp prevents loading of data URL images
​https://bugs.webkit.org/show_bug.cgi?id=233131
<rdar://85236459>

Reviewed by Geoffrey Garen.

Source/WebCore:

When doing an initial data URL <img> load, we properly wouldn't perform a cross-origin resource policy check.
This is per the Fetch specification that says to use a scheme fetch [1] when the request URL is a data URL.
When the protocol is data, the scheme fetch algorithm would return a response without performing an HTTP
Fetch. The HTTP check [2] is the algorithm that actually performs a cross-origin resource policy check, at
step 7.

The issue with our implementation was that data URL <img> loads would perform a cross-origin resource policy
check in the case where the image is loaded from our memory cache, due to a check we had in
CachedResourceLoader::requestResource(). As a result, data URL <img> loads would fail when served from the
memory cache, when CORP is enforced. To address the issue and match the specification, we now disable this
CORP check when the request URL is a data URL.

[1] ​https://fetch.spec.whatwg.org/#scheme-fetch
[2] ​https://fetch.spec.whatwg.org/#concept-http-fetch

Test: http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestResource):

LayoutTests:

Add layout test coverage. This test is based on a reduce test case from Cameron McCormack.

• http/wpt/html/cross-origin-embedder-policy/require-corp-data-url-expected.txt: Added.
• http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html: Added.
• http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html.headers: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/html/cross-origin-embedder-policy/require-corp-data-url-expected.txt (added)
• LayoutTests/http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html (added)
• LayoutTests/http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html.headers (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-11-15  Chris Dumez  <cdumez@apple.com>
+
+        `Cross-Origin-Embedder-Policy: require-corp` prevents loading of data URL images
+        https://bugs.webkit.org/show_bug.cgi?id=233131
+        <rdar://85236459>
+
+        Reviewed by Geoffrey Garen.
+
+        Add layout test coverage. This test is based on a reduce test case from Cameron McCormack.
+
+        * http/wpt/html/cross-origin-embedder-policy/require-corp-data-url-expected.txt: Added.
+        * http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html: Added.
+        * http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html.headers: Added.
+
 2021-11-15  Kiet Ho  <tho22@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-11-15  Chris Dumez  <cdumez@apple.com>
+
+        `Cross-Origin-Embedder-Policy: require-corp` prevents loading of data URL images
+        https://bugs.webkit.org/show_bug.cgi?id=233131
+        <rdar://85236459>
+
+        Reviewed by Geoffrey Garen.
+
+        When doing an initial data URL <img> load, we properly wouldn't perform a cross-origin resource policy check.
+        This is per the Fetch specification that says to use a scheme fetch [1] when the request URL is a data URL.
+        When the protocol is data, the scheme fetch algorithm would return a response without performing an HTTP
+        Fetch. The HTTP check [2] is the algorithm that actually performs a cross-origin resource policy check, at
+        step 7.
+
+        The issue with our implementation was that data URL <img> loads would perform a cross-origin resource policy
+        check in the case where the image is loaded from our memory cache, due to a check we had in
+        CachedResourceLoader::requestResource(). As a result, data URL <img> loads would fail when served from the
+        memory cache, when CORP is enforced. To address the issue and match the specification, we now disable this
+        CORP check when the request URL is a data URL.
+
+        [1] https://fetch.spec.whatwg.org/#scheme-fetch
+        [2] https://fetch.spec.whatwg.org/#concept-http-fetch
+
+        Test: http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestResource):
+
 2021-11-15  Kiet Ho  <tho22@apple.com>
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -1015 +1015 @@
             }
         }
-        if (request.options().mode == FetchOptions::Mode::NoCors) {
+        // Per the Fetch specification, the "cross-origin resource policy check" should only occur in the HTTP Fetch case (https://fetch.spec.whatwg.org/#concept-http-fetch).
+        // However, per https://fetch.spec.whatwg.org/#main-fetch, if the request URL's protocol is "data:", then we should perform a scheme fetch which would end up
+        // returning a response WITHOUT performing an HTTP fetch (and thus no CORP check).
+        if (request.options().mode == FetchOptions::Mode::NoCors && !url.protocolIsData()) {
             auto coep = document() ? document()->crossOriginEmbedderPolicy().value : CrossOriginEmbedderPolicyValue::UnsafeNone;
             if (auto error = validateCrossOriginResourcePolicy(coep, *request.origin(), request.resourceRequest().url(), resource->response(), ForNavigation::No))
                 return makeUnexpected(WTFMove(*error));
-
+        }
+        if (request.options().mode == FetchOptions::Mode::NoCors) {
             if (auto error = validateRangeRequestedFlag(request.resourceRequest(), resource->response()))
                 return makeUnexpected(WTFMove(*error));