Changeset 205265 in webkit
- Timestamp:
- Aug 31, 2016 1:18:44 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 13 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/imported/w3c/ChangeLog
r205253 r205265 1 2016-08-31 Youenn Fablet <youenn@apple.com> 2 3 [Fetch API] Fetch API should be able to load data URL in Same Origin mode 4 https://bugs.webkit.org/show_bug.cgi?id=161434 5 6 Reviewed by Sam Weinig. 7 8 * web-platform-tests/fetch/api/basic/scheme-data-expected.txt: 9 * web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt: 10 * web-platform-tests/fetch/api/basic/scheme-data.js: 11 (checkFetchResponse): 12 * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt: Added. 13 * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt: Added. 14 * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html: Added. 15 * web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html: Added. 16 * web-platform-tests/fetch/api/redirect/redirect-to-dataurl.js: Added. 17 (redirectDataURL): 18 1 19 2016-08-31 Youenn Fablet <youenn@apple.com> 2 20 -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-expected.txt
r205113 r205265 1 1 2 2 PASS Fetching data:,response%27s%20body is OK 3 PASS Fetching data:,response%27s%20body is OK (same-origin) 4 PASS Fetching data:,response%27s%20body is OK (cors) 3 5 PASS Fetching data:text/plain;base64,cmVzcG9uc2UncyBib[...] is OK 4 6 PASS Fetching data:image/png;base64,cmVzcG9uc2UncyBib2[...] is OK -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data-worker-expected.txt
r205113 r205265 1 1 2 2 PASS Fetching data:,response%27s%20body is OK 3 PASS Fetching data:,response%27s%20body is OK (same-origin) 4 PASS Fetching data:,response%27s%20body is OK (cors) 3 5 PASS Fetching data:text/plain;base64,cmVzcG9uc2UncyBib[...] is OK 4 6 PASS Fetching data:image/png;base64,cmVzcG9uc2UncyBib2[...] is OK -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-data.js
r205113 r205265 4 4 } 5 5 6 function checkFetchResponse(url, data, mime ) {6 function checkFetchResponse(url, data, mime, fetchMode) { 7 7 var cut = (url.length >= 40) ? "[...]" : ""; 8 desc = "Fetching " + url.substring(0, 40) + cut + " is OK" 8 desc = "Fetching " + url.substring(0, 40) + cut + " is OK"; 9 var init = { }; 10 if (fetchMode) { 11 init.mode = fetchMode; 12 desc += " (" + fetchMode + ")"; 13 } 9 14 promise_test(function(test) { 10 return fetch(url ).then(function(resp) {15 return fetch(url, init).then(function(resp) { 11 16 assert_equals(resp.status, 200, "HTTP status is 200"); 12 17 assert_equals(resp.statusText, "OK", "HTTP statusText is OK"); … … 21 26 22 27 checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII"); 28 checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII", "same-origin"); 29 checkFetchResponse("data:,response%27s%20body", "response's body", "text/plain;charset=US-ASCII", "cors"); 23 30 checkFetchResponse("data:text/plain;base64,cmVzcG9uc2UncyBib2R5", "response's body", "text/plain"); 24 31 checkFetchResponse("data:image/png;base64,cmVzcG9uc2UncyBib2R5", -
trunk/Source/WebCore/ChangeLog
r205263 r205265 1 2016-08-31 Youenn Fablet <youenn@apple.com> 2 3 [Fetch API] Fetch API should be able to load data URL in Same Origin mode 4 https://bugs.webkit.org/show_bug.cgi?id=161434 5 6 Reviewed by Sam Weinig. 7 8 Tests: imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker.html 9 imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html 10 Covered also by added sub-test. 11 12 Moving SameDataURLOrigin option from ThreadableLoaderOptions to ResourceLoaderOptions. 13 This allows doing some of the checks in CachedResourceLoader/CachedResource. 14 This also allows setting this options in CachedResourceLoader clients, ImageLoader in that case. 15 16 * Modules/fetch/FetchLoader.cpp: 17 (WebCore::FetchLoader::start): Setting sameOriginDataURL as ResourceLoader option. 18 * loader/ImageLoader.cpp: 19 (WebCore::ImageLoader::updateFromElement): Setting sameOriginDataURL as specificied in 20 https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element. 21 * loader/ResourceLoaderOptions.h: Adding sameOriginDataURL as ResourceLoader option. 22 * loader/ThreadableLoader.cpp: 23 (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Removing sameOriginDataURL option. 24 * loader/ThreadableLoader.h: 25 * loader/WorkerThreadableLoader.cpp: Setting sameOriginDataURL as ResourceLoader option. 26 (WebCore::LoaderTaskOptions::LoaderTaskOptions): 27 * loader/cache/CachedResource.cpp: 28 (WebCore::CachedResource::load): If resource URL is a data url, we previously marked the resource as same origin. 29 We only do that now if the sameOriginDataURL flag is set as per fetch specification. 30 See https://fetch.spec.whatwg.org/#main-fetch. 31 * loader/cache/CachedResourceLoader.cpp: 32 (WebCore::isSameOriginDataURL): Helper function. 33 (WebCore::CachedResourceLoader::canRequest): Allowing same origin loads of data URLs if flag is set and no redirection happens. 34 See https://fetch.spec.whatwg.org/#http-redirect-fetch for why we check redirection. 35 1 36 2016-08-31 Ryosuke Niwa <rniwa@webkit.org> 2 37 -
trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp
r205113 r205265 78 78 context.shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective, 79 79 String(cachedResourceRequestInitiators().fetch), 80 OpaqueResponseBodyPolicy::DoNotReceive, 81 SameOriginDataURLFlag::Set); 80 OpaqueResponseBodyPolicy::DoNotReceive); 82 81 options.sendLoadCallbacks = SendCallbacks; 83 82 options.dataBufferingPolicy = DoNotBufferData; 83 options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set; 84 84 85 85 ResourceRequest fetchRequest = request.internalRequest(); -
trunk/Source/WebCore/loader/ImageLoader.cpp
r205134 r205265 176 176 ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions(); 177 177 options.contentSecurityPolicyImposition = element().isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck; 178 options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set; 178 179 179 180 CachedResourceRequest request(ResourceRequest(document.completeURL(sourceURI(attr))), options); -
trunk/Source/WebCore/loader/ResourceLoaderOptions.h
r204014 r205265 81 81 }; 82 82 83 enum class SameOriginDataURLFlag { 84 Set, 85 Unset 86 }; 87 83 88 struct ResourceLoaderOptions : public FetchOptions { 84 89 ResourceLoaderOptions() { } … … 111 116 DefersLoadingPolicy defersLoadingPolicy { DefersLoadingPolicy::AllowDefersLoading }; 112 117 CachingPolicy cachingPolicy { CachingPolicy::AllowCaching }; 118 SameOriginDataURLFlag sameOriginDataURLFlag { SameOriginDataURLFlag::Unset }; 113 119 114 120 ClientCredentialPolicy clientCredentialPolicy { ClientCredentialPolicy::CannotAskClientForCredentials }; -
trunk/Source/WebCore/loader/ThreadableLoader.cpp
r205113 r205265 51 51 } 52 52 53 ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy opaqueResponse , SameOriginDataURLFlag sameOriginDataURLFlag)53 ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy opaqueResponse) 54 54 : ResourceLoaderOptions(baseOptions) 55 55 , preflightPolicy(preflightPolicy) … … 57 57 , initiator(WTFMove(initiator)) 58 58 , opaqueResponse(opaqueResponse) 59 , sameOriginDataURLFlag(sameOriginDataURLFlag)60 59 { 61 60 } -
trunk/Source/WebCore/loader/ThreadableLoader.h
r205113 r205265 64 64 }; 65 65 66 enum class SameOriginDataURLFlag {67 Set,68 Unset69 };70 71 66 struct ThreadableLoaderOptions : ResourceLoaderOptions { 72 67 ThreadableLoaderOptions(); 73 ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, ContentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy , SameOriginDataURLFlag);68 ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, ContentSecurityPolicyEnforcement, String&& initiator, OpaqueResponseBodyPolicy); 74 69 ~ThreadableLoaderOptions(); 75 70 … … 78 73 String initiator; // This cannot be an AtomicString, as isolatedCopy() wouldn't create an object that's safe for passing to another thread. 79 74 OpaqueResponseBodyPolicy opaqueResponse { OpaqueResponseBodyPolicy::Receive }; 80 SameOriginDataURLFlag sameOriginDataURLFlag { SameOriginDataURLFlag::Unset };81 75 }; 82 76 -
trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp
r205113 r205265 93 93 94 94 LoaderTaskOptions::LoaderTaskOptions(const ThreadableLoaderOptions& options, const String& referrer, const SecurityOrigin& origin) 95 : options(options, options.preflightPolicy, options.contentSecurityPolicyEnforcement, options.initiator.isolatedCopy(), options.opaqueResponse , options.sameOriginDataURLFlag)95 : options(options, options.preflightPolicy, options.contentSecurityPolicyEnforcement, options.initiator.isolatedCopy(), options.opaqueResponse) 96 96 , referrer(referrer.isolatedCopy()) 97 97 , origin(origin.isolatedCopy()) -
trunk/Source/WebCore/loader/cache/CachedResource.cpp
r204019 r205265 310 310 ASSERT(m_origin); 311 311 312 if (! m_resourceRequest.url().protocolIsData()&& m_origin && !m_origin->canRequest(m_resourceRequest.url()))312 if (!(m_resourceRequest.url().protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) && m_origin && !m_origin->canRequest(m_resourceRequest.url())) 313 313 setCrossOrigin(); 314 314 -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r204976 r205265 383 383 } 384 384 385 static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse) 386 { 387 return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set; 388 } 389 385 390 bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse) 386 391 { … … 395 400 ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No; 396 401 397 // Some types of resources can be loaded only from the same origin. Other 398 // types of resources, like Images, Scripts, and CSS, can be loaded from 399 // any URL. 402 // Some types of resources can be loaded only from the same origin. Other types of resources, like Images, Scripts, and CSS, can be loaded from any URL. 403 // FIXME: We should remove that check and handle it by setting the correct ResourceLoaderOptions::mode. 400 404 switch (type) { 401 405 case CachedResource::MainResource: … … 417 421 case CachedResource::TextTrackResource: 418 422 #endif 419 if (options.mode == FetchOptions::Mode::SameOrigin && ! m_document->securityOrigin()->canRequest(url)) {423 if (options.mode == FetchOptions::Mode::SameOrigin && !isSameOriginDataURL(url, options, didReceiveRedirectResponse) &&!m_document->securityOrigin()->canRequest(url)) { 420 424 printAccessDeniedMessage(url); 421 425 return false;
Note: See TracChangeset
for help on using the changeset viewer.