Changeset 201930 in webkit


Ignore:
Timestamp:
Jun 10, 2016 11:17:11 AM (8 years ago)
Author:
youenn.fablet@crf.canon.fr
Message:

Origin header is not included in CORS requests for preloaded cross-origin resources
https://bugs.webkit.org/show_bug.cgi?id=155761
<rdar://problem/25351850>

Reviewed by Alex Christensen.

Source/WebCore:

Making HTML preloader fully aware of crossorigin attribute value.
Introducing CachedResourceRequest::setAsPotentiallyCrossOrigin as a helper routine to activate CORS mode.
Making HTMLLinkElement and HTMLResourcePreloader use that routine.
Making TokenPreloadScanner store the crossorigin attribute value in preload requests.
Making TokenPreloadScanner store the crossorigin attribute value for link elements.

Test: http/tests/security/cross-origin-css-9.html

  • html/HTMLLinkElement.cpp:

(WebCore::HTMLLinkElement::process):

  • html/parser/HTMLPreloadScanner.cpp:

(WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
(WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):

  • html/parser/HTMLResourcePreloader.cpp:

(WebCore::crossOriginModeAllowsCookies):
(WebCore::PreloadRequest::resourceRequest):

  • html/parser/HTMLResourcePreloader.h:

(WebCore::PreloadRequest::setCrossOriginMode):
(WebCore::PreloadRequest::PreloadRequest): Deleted.
(WebCore::PreloadRequest::resourceType): Deleted.

  • loader/cache/CachedResourceRequest.cpp:

(WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):

  • loader/cache/CachedResourceRequest.h:

LayoutTests:

  • http/tests/security/cross-origin-css-9-expected.txt: Added.
  • http/tests/security/cross-origin-css-9.html: Added.
  • http/tests/security/resources/get-css-if-origin-header.php: Added.
Location:
trunk
Files:
3 added
8 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r201927 r201930  
     12016-06-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
     2
     3        Origin header is not included in CORS requests for preloaded cross-origin resources
     4        https://bugs.webkit.org/show_bug.cgi?id=155761
     5        <rdar://problem/25351850>
     6
     7        Reviewed by Alex Christensen.
     8
     9        * http/tests/security/cross-origin-css-9-expected.txt: Added.
     10        * http/tests/security/cross-origin-css-9.html: Added.
     11        * http/tests/security/resources/get-css-if-origin-header.php: Added.
     12
    1132016-06-10  Ryan Haddad  <ryanhaddad@apple.com>
    214
  • trunk/Source/WebCore/ChangeLog

    r201926 r201930  
     12016-06-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>
     2
     3        Origin header is not included in CORS requests for preloaded cross-origin resources
     4        https://bugs.webkit.org/show_bug.cgi?id=155761
     5        <rdar://problem/25351850>
     6
     7        Reviewed by Alex Christensen.
     8
     9        Making HTML preloader fully aware of crossorigin attribute value.
     10        Introducing CachedResourceRequest::setAsPotentiallyCrossOrigin as a helper routine to activate CORS mode.
     11        Making HTMLLinkElement and HTMLResourcePreloader use that routine.
     12        Making TokenPreloadScanner store the crossorigin attribute value in preload requests.
     13        Making TokenPreloadScanner store the crossorigin attribute value for link elements.
     14
     15        Test: http/tests/security/cross-origin-css-9.html
     16
     17        * html/HTMLLinkElement.cpp:
     18        (WebCore::HTMLLinkElement::process):
     19        * html/parser/HTMLPreloadScanner.cpp:
     20        (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
     21        (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
     22        * html/parser/HTMLResourcePreloader.cpp:
     23        (WebCore::crossOriginModeAllowsCookies):
     24        (WebCore::PreloadRequest::resourceRequest):
     25        * html/parser/HTMLResourcePreloader.h:
     26        (WebCore::PreloadRequest::setCrossOriginMode):
     27        (WebCore::PreloadRequest::PreloadRequest): Deleted.
     28        (WebCore::PreloadRequest::resourceType): Deleted.
     29        * loader/cache/CachedResourceRequest.cpp:
     30        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
     31        * loader/cache/CachedResourceRequest.h:
     32
    1332016-06-10  Chris Dumez  <cdumez@apple.com>
    234
  • trunk/Source/WebCore/html/HTMLLinkElement.cpp

    r201441 r201930  
    262262            request.setOptions(options);
    263263        }
     264        request.setAsPotentiallyCrossOrigin(crossOrigin(), document());
    264265
    265266        m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(request);
    266        
     267
    267268        if (m_cachedSheet)
    268269            m_cachedSheet->addClient(this);
  • trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp

    r201441 r201930  
    2323 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    2424 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    25  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
     25 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    2626 */
    2727
     
    144144
    145145        auto request = std::make_unique<PreloadRequest>(initiatorFor(m_tagId), m_urlToLoad, predictedBaseURL, resourceType(), m_mediaAttribute);
    146 
    147         request->setCrossOriginModeAllowsCookies(crossOriginModeAllowsCookies());
     146        request->setCrossOriginMode(m_crossOriginMode);
    148147        request->setCharset(charset());
    149148        return request;
     
    161160        if (match(attributeName, srcAttr))
    162161            setUrlToLoad(attributeValue);
    163         else if (match(attributeName, crossoriginAttr) && !attributeValue.isNull())
     162        else if (match(attributeName, crossoriginAttr))
    164163            m_crossOriginMode = stripLeadingAndTrailingHTMLSpaces(attributeValue);
    165164        else if (match(attributeName, charsetAttr))
     
    216215            else if (match(attributeName, charsetAttr))
    217216                m_charset = attributeValue;
     217            else if (match(attributeName, crossoriginAttr))
     218                m_crossOriginMode = stripLeadingAndTrailingHTMLSpaces(attributeValue);
    218219            break;
    219220        case TagId::Input:
     
    303304    }
    304305
    305     bool crossOriginModeAllowsCookies()
    306     {
    307         return m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials");
    308     }
    309 
    310306    TagId m_tagId;
    311307    String m_urlToLoad;
  • trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp

    r201441 r201930  
    2121 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    2222 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
     23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    2424 */
    2525
     
    4646    CachedResourceRequest request(ResourceRequest(completeURL(document)));
    4747    request.setInitiator(m_initiator);
    48 
    49     // FIXME: It's possible CORS should work for other request types?
    50     if (m_resourceType == CachedResource::Script)
    51         request.mutableResourceRequest().setAllowCookies(m_crossOriginModeAllowsCookies);
     48    request.setAsPotentiallyCrossOrigin(m_crossOriginMode, document);
    5249    return request;
    5350}
  • trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h

    r187587 r201930  
    2121 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    2222 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
     23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    2424 */
    2525
     
    4141        , m_resourceType(resourceType)
    4242        , m_mediaAttribute(mediaAttribute)
    43         , m_crossOriginModeAllowsCookies(false)
    4443    {
    4544    }
     
    5049    const String& media() const { return m_mediaAttribute; }
    5150    void setCharset(const String& charset) { m_charset = charset.isolatedCopy(); }
    52     void setCrossOriginModeAllowsCookies(bool allowsCookies) { m_crossOriginModeAllowsCookies = allowsCookies; }
     51    void setCrossOriginMode(const String& mode) { m_crossOriginMode = mode; }
    5352    CachedResource::Type resourceType() const { return m_resourceType; }
    5453
     
    6261    CachedResource::Type m_resourceType;
    6362    String m_mediaAttribute;
    64     bool m_crossOriginModeAllowsCookies;
     63    String m_crossOriginMode;
    6564};
    6665
  • trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp

    r194819 r201930  
    2828
    2929#include "CachedResourceLoader.h"
     30#include "CrossOriginAccessControl.h"
    3031#include "Document.h"
    3132#include "Element.h"
     
    9394}
    9495
     96void CachedResourceRequest::setAsPotentiallyCrossOrigin(const String& mode, Document& document)
     97{
     98    if (mode.isNull())
     99        return;
     100    m_options.setRequestOriginPolicy(PotentiallyCrossOriginEnabled);
     101    m_options.setAllowCredentials(equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials);
     102
     103    updateRequestForAccessControl(m_resourceRequest, document.securityOrigin(), m_options.allowCredentials());
     104}
     105
    95106} // namespace WebCore
  • trunk/Source/WebCore/loader/cache/CachedResourceRequest.h

    r195770 r201930  
    6666    DocumentLoader* initiatingDocumentLoader() const { return m_initiatingDocumentLoader.get(); }
    6767
     68    void setAsPotentiallyCrossOrigin(const String&, Document&);
     69
    6870private:
    6971    ResourceRequest m_resourceRequest;
Note: See TracChangeset for help on using the changeset viewer.