Changeset 207754 in webkit


Ignore:
Timestamp:
Oct 24, 2016 1:04:20 AM (7 years ago)
Author:
commit-queue@webkit.org
Message:

ASSERTION FAILED: canvas()->securityOrigin()->toString() == cachedImage.origin()->toString()
https://bugs.webkit.org/show_bug.cgi?id=163242

Patch by Youenn Fablet <youenn@apple.com> on 2016-10-24
Reviewed by Darin Adler.

Source/WebCore:

Test: http/tests/security/cross-origin-cached-images-canvas.html

We were previously on Origin HTTP header to check whether requests were made from different origins.
This is fine for CORS enabled requests but not for GET no CORS requests since they will not have any Origin header.

Now that CachedResource and CachedResourceRequest own their origin, it is best to use these directly.

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::isRequestMatchingResourceOrigin):
(WebCore::CachedResourceLoader::shouldUpdateCachedResourceWithCurrentRequest):

LayoutTests:

  • http/tests/security/cross-origin-cached-images-canvas-expected.txt: Added.
  • http/tests/security/cross-origin-cached-images-canvas.html: Added.
  • http/tests/security/resources/cross-origin-cached-image-canvas-iframe.html: Added.
Location:
trunk
Files:
3 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r207752 r207754  
     12016-10-24  Youenn Fablet  <youenn@apple.com>
     2
     3        ASSERTION FAILED: canvas()->securityOrigin()->toString() == cachedImage.origin()->toString()
     4        https://bugs.webkit.org/show_bug.cgi?id=163242
     5
     6        Reviewed by Darin Adler.
     7
     8        * http/tests/security/cross-origin-cached-images-canvas-expected.txt: Added.
     9        * http/tests/security/cross-origin-cached-images-canvas.html: Added.
     10        * http/tests/security/resources/cross-origin-cached-image-canvas-iframe.html: Added.
     11
    1122016-10-24  Youenn Fablet  <youenn@apple.com>
    213

  • trunk/Source/WebCore/ChangeLog

    r207753 r207754  
     12016-10-24  Youenn Fablet  <youenn@apple.com>
     2
     3        ASSERTION FAILED: canvas()->securityOrigin()->toString() == cachedImage.origin()->toString()
     4        https://bugs.webkit.org/show_bug.cgi?id=163242
     5
     6        Reviewed by Darin Adler.
     7
     8        Test: http/tests/security/cross-origin-cached-images-canvas.html
     9
     10        We were previously on Origin HTTP header to check whether requests were made from different origins.
     11        This is fine for CORS enabled requests but not for GET no CORS requests since they will not have any Origin header.
     12
     13        Now that CachedResource and CachedResourceRequest own their origin, it is best to use these directly.
     14
     15        * loader/cache/CachedResourceLoader.cpp:
     16        (WebCore::isRequestMatchingResourceOrigin):
     17        (WebCore::CachedResourceLoader::shouldUpdateCachedResourceWithCurrentRequest):
     18
    1192016-10-24  Youenn Fablet  <youenn@apple.com>
    220

  • trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

    r207752 r207754  
    551551}
    552552
     553static inline bool originsMatch(const CachedResourceRequest& request, const CachedResource& resource)
     554{
     555    if (request.origin() == resource.origin())
     556        return true;
     557    if (!request.origin() || !resource.origin())
     558        return false;
     559    // We use string comparison as this is how they are serialized as HTTP Origin header value.
     560    // This is in particular useful for unique origins that are serialized as "null"
     561    return request.origin()->toString() == resource.origin()->toString();
     562}
     563
    553564bool CachedResourceLoader::shouldUpdateCachedResourceWithCurrentRequest(const CachedResource& resource, const CachedResourceRequest& request)
    554565{
     
    584595    }
    585596
    586     if (resource.options().mode != request.options().mode || request.resourceRequest().httpOrigin() != resource.resourceRequest().httpOrigin())
     597    if (resource.options().mode != request.options().mode || !originsMatch(request, resource))
    587598        return true;
    588599
Note: See TracChangeset for help on using the changeset viewer.