Changeset 293311 in webkit

Timestamp:

Apr 24, 2022, 11:02:41 PM (3 years ago)

Author:

youenn@apple.com

Message:

TextTrackLoader should use SameOrigin mode by default
​https://bugs.webkit.org/show_bug.cgi?id=239381

Reviewed by Eric Carlson.

LayoutTests/imported/w3c:

• web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
• web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
• web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:

Source/WebCore:

Covered by updated test.

• loader/TextTrackLoader.cpp:

LayoutTests:

• http/tests/security/contentSecurityPolicy/resources/track.vtt.py: Added.
• http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
• http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
• http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
• http/tests/security/text-track-crossorigin-expected.txt:
• http/tests/security/text-track-crossorigin.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt.py (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/text-track-crossorigin-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/text-track-crossorigin.html (modified) (4 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/TextTrackLoader.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-04-24  Youenn Fablet  <youenn@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        * http/tests/security/contentSecurityPolicy/resources/track.vtt.py: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
+        * http/tests/security/text-track-crossorigin-expected.txt:
+        * http/tests/security/text-track-crossorigin.html:
+
 2022-04-23  Andres Gonzalez  <andresg_22@apple.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html

@@ -7 +7 @@
 </head>
 <body>
-<video>
-    <track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+<video crossOrigin="anonymous">
+    <track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt.py" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
 </video>
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html

@@ -7 +7 @@
 </head>
 <body>
-<video>
-    <track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+<video crossOrigin="anonymous">
+    <track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt.py" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
 </video>
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
- blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/security/contentSecurityPolicy/resources/track.vtt
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt.py because it does not appear in the media-src directive of the Content Security Policy.
+ blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/security/contentSecurityPolicy/resources/track.vtt.py
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html

@@ -14 +14 @@
     });
 </script>
-<video>
-<track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions">
+<video crossOrigin="anonymous">
+<track src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/security/contentSecurityPolicy/resources/track.vtt.py" kind="captions">
 </video>
 <script>

trunk/LayoutTests/http/tests/security/text-track-crossorigin-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/captions-with-access-control-headers.py from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
 CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. Status code: 200
 CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
@@ -5 +7 @@
 
 Loading without Access-Control-Allow-Origin header, no "crossorigin" attribute on <video>
-EVENT(load)
-PASS: shouldLoad should be 'true' and is.
+EVENT(error)
+PASS: shouldLoad should be 'false' and is.
 PASS: event.target should be '[object HTMLTrackElement]' and is.
-PASS: trackElement.readyState should be '2' and is.
+PASS: trackElement.readyState should be '3' and is.
 
 

trunk/LayoutTests/http/tests/security/text-track-crossorigin.html

@@ -30 +30 @@
                 log('<br>');
                 switch(counter) {
-                case 0:
-                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
-                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py?count=" + counter;
-                    videoElement.setAttribute('crossorigin', 'anonymous');
+                case 2:
+                    log('Loading <b>with</b> Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers, setting video.crossorigin to "use-credentials"');
+                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py?origin=1&credentials=1";
+                    videoElement.setAttribute('crossorigin', 'use-credentials');
                     trackElement.removeAttribute('src');
                     trackElement.setAttribute('src', url);
-                    shouldLoad = false;
-                    ++counter;
-                    break;
-
-                case 2:
-                    log('Loading <b>with</b> Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers, setting video.crossorigin to "use-credentials"');
-                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py?origin=1;credentials=1";
-                    trackElement.setAttribute('crossorigin', 'use-credentials');
-                    trackElement.setAttribute('src', url);
+                    shouldLoad = true;
                     ++counter;
                     break;
@@ -52 +44 @@
                     if (window.testRunner)
                         testRunner.notifyDone();
+
                 defaut:
                     if (window.testRunner)
@@ -70 +63 @@
                 log('<br>');
                 switch(counter) {
+                case 0:
+                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
+                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py?count=" + counter;
+                    videoElement.setAttribute('crossorigin', 'anonymous');
+                    trackElement.removeAttribute('src');
+                    trackElement.setAttribute('src', url);
+                    shouldLoad = false;
+                    ++counter;
+                    break;
+
                 case 1:
                     log('Loading <b>with</b> Access-Control-Allow-Origin header, leaving video.crossorigin as "anonymous"');
                     url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py?origin=1";
+                    trackElement.removeAttribute('src');
                     trackElement.setAttribute('src', url);
                     shouldLoad = true;
                     ++counter;
                     break;
+
                 defaut:
                     if (window.testRunner)
@@ -90 +95 @@
                 var url = "http://localhost:8000/security/resources/captions-with-access-control-headers.py"
                 trackElement.setAttribute('src', url);
+                shouldLoad = false;
             }
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2022-04-24  Youenn Fablet  <youenn@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
+        * web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:
+
 2022-04-22  Cathie Chen  <cathiechen@igalia.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
+
 
 PASS track element cloneNode, not loaded

trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin. Status code: 200
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin. Status code: 200
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
 
 FAIL track element data: URL No CORS null is not an object (evaluating 't.track.cues.length')
-FAIL track element data: URL anonymous assert_unreached: got error event Reached unreachable code
-FAIL track element data: URL use-credentials assert_unreached: got error event Reached unreachable code
+FAIL track element data: URL anonymous null is not an object (evaluating 't.track.cues.length')
+FAIL track element data: URL use-credentials null is not an object (evaluating 't.track.cues.length')
 

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt

@@ -2 +2 @@
 PASS initialize global state
 PASS same-origin text track should load
-FAIL cross-origin text track with no-cors request should not load assert_equals: expected "error event" but got "load event"
+PASS cross-origin text track with no-cors request should not load
 PASS cross-origin text track with rejected cors request should not load
-FAIL cross-origin text track with approved cors request should not load assert_equals: expected "error event" but got "load event"
+PASS cross-origin text track with approved cors request should not load
 PASS same-origin text track that redirects same-origin should load
-FAIL same-origin text track that redirects cross-origin should not load assert_equals: expected "error event" but got "load event"
+PASS same-origin text track that redirects cross-origin should not load
 PASS same-origin text track that redirects to a cross-origin text track with rejected cors should not load
-FAIL same-origin text track that redirects to a cross-origin text track with approved cors should not load assert_equals: expected "error event" but got "load event"
+PASS same-origin text track that redirects to a cross-origin text track with approved cors should not load
 PASS restore global state
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-04-24  Youenn Fablet  <youenn@apple.com>
+
+        TextTrackLoader should use SameOrigin mode by default
+        https://bugs.webkit.org/show_bug.cgi?id=239381
+
+        Reviewed by Eric Carlson.
+
+        Covered by updated test.
+
+        * loader/TextTrackLoader.cpp:
+
 2022-04-24  Diego Pino Garcia  <dpino@igalia.com>
 

trunk/Source/WebCore/loader/TextTrackLoader.cpp

@@ -148 +148 @@
     ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
     options.contentSecurityPolicyImposition = element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
     // FIXME: Do we really need to call completeURL here?
@@ -155 +156 @@
         resourceRequest.setInspectorInitiatorNodeIdentifier(InspectorInstrumentation::identifierForNode(*mediaElement));
 
-    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), m_document, element.mediaElementCrossOriginAttribute());
+    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), m_document, element.mediaElementCrossOriginAttribute(), SameOriginFlag::Yes);
     m_resource = m_document.cachedResourceLoader().requestTextTrack(WTFMove(cueRequest)).value_or(nullptr);
     if (!m_resource)