Changeset 216294 in webkit
- Timestamp:
- May 5, 2017 4:49:41 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 24 edited
trunk/LayoutTests/ChangeLog
r216291 r216294 1 2017-05-05 Dean Jackson <dino@apple.com> 2 3 Restrict SVG filters to accessible security origins 4 https://bugs.webkit.org/show_bug.cgi?id=118689 5 <rdar://problem/27362159> 6 7 Reviewed by Brent Fulgham. 8 9 Add a test that shows safe frames, unsafe frames, and 10 then a safe frame that itself has an unsafe frame, to 11 show that the security requirements are being forwarded 12 down the tree. 13 14 * http/tests/css/filters-on-iframes-expected.html: Added. 15 * http/tests/css/filters-on-iframes.html: Added. 16 * http/tests/css/resources/blank.html: Added. 17 * http/tests/css/resources/references-external.html: Added. 18 * http/tests/css/resources/solid-red.html: Added. 19 1 20 2017-05-05 Simon Fraser <simon.fraser@apple.com> 2 21 -
trunk/Source/WebCore/ChangeLog
r216293 r216294 1 2017-05-05 Dean Jackson <dino@apple.com> 2 3 Restrict SVG filters to accessible security origins 4 https://bugs.webkit.org/show_bug.cgi?id=118689 5 <rdar://problem/27362159> 6 7 Reviewed by Brent Fulgham. 8 9 Certain SVG filters should only be allowed to operate 10 on content that is has SecurityOrigin access to. Implement 11 this by including a flag in PaintInfo and LayerPaintingInfo, 12 and have RenderWidget make sure the documents have acceptable 13 SecurityOrigins as it goes to paint. 14 15 This could be used as the first step in a "safe painting" 16 strategy, allowing some content to be rendered into a 17 canvas or via the element() CSS function... but it is only 18 a small first step. 19 20 Test: http/tests/css/filters-on-iframes.html 21 22 * page/FrameView.cpp: 23 (WebCore::FrameView::paintContents): 24 * page/FrameView.h: 25 * platform/ScrollView.cpp: 26 (WebCore::ScrollView::paint): 27 * platform/ScrollView.h: 28 * platform/Scrollbar.cpp: 29 (WebCore::Scrollbar::paint): 30 * platform/Scrollbar.h: 31 * platform/Widget.h: 32 * platform/graphics/filters/FilterOperation.h: 33 (WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin): 34 * platform/graphics/filters/FilterOperations.cpp: 35 (WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin): 36 * platform/graphics/filters/FilterOperations.h: 37 * platform/mac/WidgetMac.mm: 38 (WebCore::Widget::paint): 39 * rendering/FilterEffectRenderer.cpp: 40 (WebCore::FilterEffectRenderer::build): 41 * rendering/FilterEffectRenderer.h: 42 * rendering/PaintInfo.h: 43 (WebCore::PaintInfo::PaintInfo): 44 * rendering/RenderLayer.cpp: 45 (WebCore::RenderLayer::paint): 46 (WebCore::RenderLayer::setupFilters): 47 (WebCore::RenderLayer::paintForegroundForFragmentsWithPhase): 48 * rendering/RenderLayer.h: 49 * rendering/RenderScrollbar.cpp: 50 (WebCore::RenderScrollbar::paint): 51 * rendering/RenderScrollbar.h: 52 * rendering/RenderWidget.cpp: 53 (WebCore::RenderWidget::paintContents): 
54 1 55 2017-05-05 Ryan Haddad <ryanhaddad@apple.com> 2 56 -
trunk/Source/WebCore/page/FrameView.cpp
r216196 r216294 4420 4420 } 4421 4421 4422 void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect )4422 void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect, SecurityOriginPaintPolicy securityOriginPaintPolicy) 4423 4423 { 4424 4424 #ifndef NDEBUG … … 4472 4472 renderer = renderer->parent(); 4473 4473 4474 rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer );4474 rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer, 0, securityOriginPaintPolicy == SecurityOriginPaintPolicy::AnyOrigin ? RenderLayer::SecurityOriginPaintPolicy::AnyOrigin : RenderLayer::SecurityOriginPaintPolicy::AccessibleOriginOnly); 4475 4475 if (rootLayer->containsDirtyOverlayScrollbars()) 4476 4476 rootLayer->paintOverlayScrollbars(context, dirtyRect, m_paintBehavior, renderer); -
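Review bot: The ternary on new line 4474 exists only because the commit introduces two identical enums, Widget::SecurityOriginPaintPolicy (Widget.h) and RenderLayer::SecurityOriginPaintPolicy (RenderLayer.h), and the same hand conversion recurs as an `== AccessibleOriginOnly` test in RenderLayer::paint (line 3850) and as another ternary in RenderWidget::paintContents (line 241). A single enum declared once and used by Widget, RenderLayer, PaintInfo and LayerPaintingInfo would let every layer forward the policy unchanged, e.g. `rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer, 0, securityOriginPaintPolicy);`. Each manual mapping is a place where a future enumerator could be translated the wrong way, so collapsing them now, while there are only two values, is cheap. paintContents starts in this hunk but its body continues outside it.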
trunk/Source/WebCore/page/FrameView.h
r216047 r216294 345 345 void removeEmbeddedObjectToUpdate(RenderEmbeddedObject&); 346 346 347 WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect ) final;347 WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final; 348 348 349 349 struct PaintingState { -
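Review bot: The default argument on the `final` override of paintContents on line 347 is one of several defaults placed on virtual functions in this commit (Widget.h, ScrollView.h, Scrollbar.h), while the overrides in RenderScrollbar.h and PluginView.h declare none; default arguments are resolved from the static type the call is made through, so which call forms compile now depends on which declaration the caller sees. Keeping the default only on the base declarations (`Widget::paint`, `ScrollView::paintContents`) and writing every override without one removes that inconsistency, i.e. `WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect, SecurityOriginPaintPolicy) final;`. ScrollView.h line 347 also mixes `Widget::SecurityOriginPaintPolicy` as the parameter type with an unqualified `SecurityOriginPaintPolicy::AnyOrigin` default on the same line; one spelling would read better.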
trunk/Source/WebCore/platform/ScrollView.cpp
r211379 r216294 1167 1167 } 1168 1168 1169 void ScrollView::paint(GraphicsContext& context, const IntRect& rect )1169 void ScrollView::paint(GraphicsContext& context, const IntRect& rect, SecurityOriginPaintPolicy securityOriginPaintPolicy) 1170 1170 { 1171 1171 if (platformWidget()) { … … 1199 1199 } 1200 1200 1201 paintContents(context, documentDirtyRect );1201 paintContents(context, documentDirtyRect, securityOriginPaintPolicy); 1202 1202 } 1203 1203 -
trunk/Source/WebCore/platform/ScrollView.h
r215181 r216294 345 345 346 346 // Widget override. Handles painting of the contents of the view as well as the scrollbars. 347 WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect& ) final;347 WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final; 348 348 void paintScrollbars(GraphicsContext&, const IntRect&); 349 349 … … 381 381 382 382 virtual void repaintContentRectangle(const IntRect&); 383 virtual void paintContents(GraphicsContext&, const IntRect& damageRect ) = 0;383 virtual void paintContents(GraphicsContext&, const IntRect& damageRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) = 0; 384 384 385 385 virtual void paintOverhangAreas(GraphicsContext&, const IntRect& horizontalOverhangArea, const IntRect& verticalOverhangArea, const IntRect& dirtyRect); -
trunk/Source/WebCore/platform/Scrollbar.cpp
r215160 r216294 158 158 } 159 159 160 void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect )160 void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) 161 161 { 162 162 if (context.updatingControlTints() && theme().supportsControlTints()) { -
trunk/Source/WebCore/platform/Scrollbar.h
r215160 r216294 86 86 void setPressedPos(int p) { m_pressedPos = p; } 87 87 88 void paint(GraphicsContext&, const IntRect& damageRect ) override;88 void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) override; 89 89 90 90 bool enabled() const { return m_enabled; } -
trunk/Source/WebCore/platform/Widget.h
r212484 r216294 115 115 void move(const IntPoint& p) { setFrameRect(IntRect(p, size())); } 116 116 117 WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&); 117 enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly }; 118 119 WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin); 118 120 void invalidate() { invalidateRect(boundsRect()); } 119 121 virtual void invalidateRect(const IntRect&) = 0; -
trunk/Source/WebCore/platform/graphics/filters/FilterOperation.h
r206538 r216294 104 104 // True if the the value of one pixel can affect the value of another pixel under this operation, such as blur. 105 105 virtual bool movesPixels() const { return false; } 106 // True if the filter should not be allowed to work on content that is not available from this security origin. 107 virtual bool shouldBeRestrictedBySecurityOrigin() const { return false; } 106 108 // True if the filter needs the size of the box in order to calculate the animations. 107 109 virtual bool blendingNeedsRendererSize() const { return false; } … … 183 185 bool affectsOpacity() const override { return true; } 184 186 bool movesPixels() const override { return true; } 187 // FIXME: This only needs to return true for graphs that include ConvolveMatrix, DisplacementMap, Morphology and possibly Lighting. 188 // https://bugs.webkit.org/show_bug.cgi?id=171753 189 bool shouldBeRestrictedBySecurityOrigin() const override { return true; } 185 190 186 191 const String& url() const { return m_url; } -
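Review bot: The comment on new line 106 describes the flag in terms of what the filter "should not be allowed to" do, but nothing at this layer enforces anything; the effect visible elsewhere in the changeset is that RenderWidget::paintContents skips a widget whose content document the painting document cannot access, and the Widget::paint overrides in this commit are free to ignore the policy. A comment naming that contract helps the next author who adds a filter type, e.g. `// True if content painted under this filter must be limited to what this document's SecurityOrigin can access. Enforced by RenderWidget::paintContents, which skips widgets whose content document is inaccessible.` The FIXME on lines 187-189 that returns true for every reference filter errs on the restrictive side, which is the right default until the filter graph is actually inspected.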
trunk/Source/WebCore/platform/graphics/filters/FilterOperations.cpp
r210758 r216294 138 138 } 139 139 140 bool FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin() const 141 { 142 for (auto& operation : m_operations) { 143 if (operation->shouldBeRestrictedBySecurityOrigin()) 144 return true; 145 } 146 return false; 147 } 148 140 149 TextStream& operator<<(TextStream& ts, const FilterOperations& filters) 141 150 { -
trunk/Source/WebCore/platform/graphics/filters/FilterOperations.h
r210758 r216294 57 57 bool hasFilterThatAffectsOpacity() const; 58 58 bool hasFilterThatMovesPixels() const; 59 bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const; 59 60 60 61 bool hasReferenceFilter() const; -
trunk/Source/WebCore/platform/mac/WidgetMac.mm
r210758 r216294 185 185 } 186 186 187 void Widget::paint(GraphicsContext& p, const IntRect& r )187 void Widget::paint(GraphicsContext& p, const IntRect& r, SecurityOriginPaintPolicy) 188 188 { 189 189 if (p.paintingDisabled()) -
trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp
r210758 r216294 129 129 { 130 130 m_hasFilterThatMovesPixels = operations.hasFilterThatMovesPixels(); 131 m_hasFilterThatShouldBeRestrictedBySecurityOrigin = operations.hasFilterThatShouldBeRestrictedBySecurityOrigin(); 131 132 if (m_hasFilterThatMovesPixels) 132 133 m_outsets = operations.outsets(); -
trunk/Source/WebCore/rendering/FilterEffectRenderer.h
r210469 r216294 85 85 86 86 bool hasFilterThatMovesPixels() const { return m_hasFilterThatMovesPixels; } 87 bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const { return m_hasFilterThatShouldBeRestrictedBySecurityOrigin; } 87 88 88 89 private: … … 116 117 bool m_graphicsBufferAttached { false }; 117 118 bool m_hasFilterThatMovesPixels { false }; 119 bool m_hasFilterThatShouldBeRestrictedBySecurityOrigin { false }; 118 120 }; 119 121 -
trunk/Source/WebCore/rendering/PaintInfo.h
r208985 r216294 51 51 PaintInfo(GraphicsContext& newContext, const LayoutRect& newRect, PaintPhase newPhase, PaintBehavior newPaintBehavior, 52 52 RenderObject* newSubtreePaintRoot = nullptr, ListHashSet<RenderInline*>* newOutlineObjects = nullptr, 53 OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr) 53 OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr, 54 bool newRequireSecurityOriginAccessForWidgets = false) 54 55 : rect(newRect) 55 56 , phase(newPhase) … … 59 60 , overlapTestRequests(overlapTestRequests) 60 61 , paintContainer(newPaintContainer) 62 , requireSecurityOriginAccessForWidgets(newRequireSecurityOriginAccessForWidgets) 61 63 , m_context(&newContext) 62 64 { … … 121 123 OverlapTestRequestMap* overlapTestRequests; 122 124 const RenderLayerModelObject* paintContainer; // the layer object that originates the current painting 125 bool requireSecurityOriginAccessForWidgets { false }; 123 126 124 127 private: -
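Review bot: The new `bool newRequireSecurityOriginAccessForWidgets = false` on line 54 is the ninth positional parameter, and the one call that sets it (RenderLayer.cpp line 4814) passes it after two `nullptr` arguments, so a reader of that call cannot tell which boolean is being switched on. Since the commit already defines a `SecurityOriginPaintPolicy` enum, carrying that enum here (and in LayerPaintingInfo) instead of a bool would make both the constructor call and the test in RenderWidget::paintContents self-describing. The default member initializer on line 125 is also unused by this constructor, which always sets the member on line 62; keeping one of the two avoids the impression that they could disagree.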
trunk/Source/WebCore/rendering/RenderLayer.cpp
r215964 r216294 3844 3844 } 3845 3845 3846 void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags )3846 void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags, SecurityOriginPaintPolicy paintPolicy) 3847 3847 { 3848 3848 OverlapTestRequestMap overlapTestRequests; 3849 3849 3850 LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests );3850 LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests, paintPolicy == SecurityOriginPaintPolicy::AccessibleOriginOnly); 3851 3851 paintLayer(context, paintingInfo, paintFlags); 3852 3852 … … 4242 4242 // Note that we will still apply the clipping on the final rendering of the filter. 4243 4243 paintingInfo.clipToDirtyRect = !filterInfo.renderer()->hasFilterThatMovesPixels(); 4244 4245 paintingInfo.requireSecurityOriginAccessForWidgets = filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin(); 4244 4246 4245 4247 return WTFMove(painter.second); … … 4810 4812 clipToRect(context, localPaintingInfo, fragment.foregroundRect); 4811 4813 4812 PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer() );4814 PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer(), localPaintingInfo.requireSecurityOriginAccessForWidgets); 4813 4815 if (phase == PaintPhaseForeground) 4814 4816 paintInfo.overlapTestRequests = localPaintingInfo.overlapTestRequests; -
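Review bot: The assignment on new line 4245 overwrites the requirement rather than combining it with the value paintingInfo already carries, so if this is the LayerPaintingInfo (or a copy of it) seeded from paintPolicy on line 3850, a layer whose own filter is not restricted resets the flag to false for everything painted beneath it, and a frame painted under a reference filter would stop requiring origin access below any intermediate blurred or otherwise filtered layer. The neighbouring clipToDirtyRect assignment is a per-layer property, but this flag is inherited from the enclosing frame and should only ever become stricter: `paintingInfo.requireSecurityOriginAccessForWidgets |= filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin();`. The added layout test covers a safe frame containing an unsafe frame but not an unrestricted filter sitting between them, which is the case that would show the difference. setupFilters and paintForegroundForFragmentsWithPhase both start and end outside the hunks shown.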
trunk/Source/WebCore/rendering/RenderLayer.h
r215964 r216294 497 497 typedef unsigned PaintLayerFlags; 498 498 499 enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly }; 500 499 501 // The two main functions that use the layer system. The paint method 500 502 // paints the layers that intersect the damage rect from back to … … 502 504 // layers that intersect the point from front to back. 503 505 void paint(GraphicsContext&, const LayoutRect& damageRect, const LayoutSize& subpixelOffset = LayoutSize(), PaintBehavior = PaintBehaviorNormal, 504 RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0 );506 RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin); 505 507 bool hitTest(const HitTestRequest&, HitTestResult&); 506 508 bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&); … … 719 721 720 722 struct LayerPaintingInfo { 721 LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr )723 LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false) 722 724 : rootLayer(inRootLayer) 723 725 , subtreePaintRoot(inSubtreePaintRoot) … … 726 728 , overlapTestRequests(inOverlapTestRequests) 727 729 , paintBehavior(inPaintBehavior) 728 , clipToDirtyRect(true)730 , requireSecurityOriginAccessForWidgets(inRequireSecurityOriginAccessForWidgets) 729 731 { } 730 732 RenderLayer* rootLayer; … … 734 736 OverlapTestRequestMap* overlapTestRequests; // May be null. 
735 737 PaintBehavior paintBehavior; 736 bool clipToDirtyRect; 738 bool requireSecurityOriginAccessForWidgets; 739 bool clipToDirtyRect { true }; 737 740 }; 738 741 -
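Review bot: `bool requireSecurityOriginAccessForWidgets;` on new line 738 has no default member initializer while the neighbouring clipToDirtyRect was just moved to `{ true }` on line 739, so the struct's two flags now follow different conventions and any future constructor that omits the member leaves it indeterminate rather than false. `bool requireSecurityOriginAccessForWidgets { false };` matches both clipToDirtyRect and the PaintInfo member added in the same commit, and fails safe if the mem-initializer is ever dropped. The constructor parameter name `inRequireSecurityOriginAccessForWidgets` on line 723 follows the existing `in` prefix convention, which is fine as is.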
trunk/Source/WebCore/rendering/RenderScrollbar.cpp
r207814 r216294 103 103 } 104 104 105 void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect )105 void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) 106 106 { 107 107 if (context.updatingControlTints()) { -
trunk/Source/WebCore/rendering/RenderScrollbar.h
r208668 r216294 67 67 void setEnabled(bool) override; 68 68 69 void paint(GraphicsContext&, const IntRect& damageRect ) override;69 void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) override; 70 70 71 71 void setHoveredPart(ScrollbarPart) override; -
trunk/Source/WebCore/rendering/RenderWidget.cpp
r210758 r216294 32 32 #include "RenderLayerBacking.h" 33 33 #include "RenderView.h" 34 #include "SecurityOrigin.h" 34 35 #include <wtf/StackStats.h> 35 36 #include <wtf/Ref.h> … … 217 218 void RenderWidget::paintContents(PaintInfo& paintInfo, const LayoutPoint& paintOffset) 218 219 { 220 if (paintInfo.requireSecurityOriginAccessForWidgets) { 221 if (auto contentDocument = frameOwnerElement().contentDocument()) { 222 if (!document().securityOrigin().canAccess(contentDocument->securityOrigin())) 223 return; 224 } 225 } 226 219 227 IntPoint contentPaintOffset = roundedIntPoint(paintOffset + location() + contentBoxRect().location()); 220 228 // Tell the widget to paint now. This is the only time the widget is allowed … … 230 238 paintRect.move(-widgetPaintOffset); 231 239 } 232 // FIXME: Remove repaintrect enc olsing/integral snapping when RenderWidget becomes device pixel snapped.233 m_widget->paint(paintInfo.context(), snappedIntRect(paintRect) );240 // FIXME: Remove repaintrect enclosing/integral snapping when RenderWidget becomes device pixel snapped. 241 m_widget->paint(paintInfo.context(), snappedIntRect(paintRect), paintInfo.requireSecurityOriginAccessForWidgets ? Widget::SecurityOriginPaintPolicy::AccessibleOriginOnly : Widget::SecurityOriginPaintPolicy::AnyOrigin); 234 242 235 243 if (!widgetPaintOffset.isZero()) -
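Review bot: The new guard on lines 220-225 only acts when frameOwnerElement().contentDocument() is non-null, so under a restricted paint a widget without a content document is still painted in full (the PluginView::paint and Widget::paint overrides in this commit accept the policy and ignore it), and nothing records whether that is intended. If plugin or native-widget output can be an input to a restricted filter, the safer shape is to fail closed when there is nothing to check: `auto contentDocument = frameOwnerElement().contentDocument();` followed by `if (!contentDocument || !document().securityOrigin().canAccess(contentDocument->securityOrigin())) return;`; if painting such widgets is deliberate, a comment at the guard saying that only frame contents are gated, and why, would keep the next reader from treating it as an oversight. If canAccess is the document.domain-aware DOM access predicate, it is also worth stating in a comment that the paint restriction intentionally follows the same rules as script access. paintContents continues outside the hunk between lines 228 and 238.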
trunk/Source/WebKit2/ChangeLog
r216290 r216294 1 2017-05-05 Dean Jackson <dino@apple.com> 2 3 Restrict SVG filters to accessible security origins 4 https://bugs.webkit.org/show_bug.cgi?id=118689 5 <rdar://problem/27362159> 6 7 Reviewed by Brent Fulgham. 8 9 Update parameter lists. 10 11 * WebProcess/Plugins/PluginView.cpp: 12 (WebKit::PluginView::paint): 13 * WebProcess/Plugins/PluginView.h: 14 1 15 2017-05-05 Beth Dakin <bdakin@apple.com> 2 16 -
trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp
r215686 r216294 783 783 } 784 784 785 void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/ )785 void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/, Widget::SecurityOriginPaintPolicy) 786 786 { 787 787 if (!m_plugin || !m_isInitialized || m_pluginElement->displayState() < HTMLPlugInElement::Restarting) -
trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h
r215233 r216294 172 172 // WebCore::Widget 173 173 void setFrameRect(const WebCore::IntRect&) override; 174 void paint(WebCore::GraphicsContext&, const WebCore::IntRect& ) override;174 void paint(WebCore::GraphicsContext&, const WebCore::IntRect&, WebCore::Widget::SecurityOriginPaintPolicy) override; 175 175 void invalidateRect(const WebCore::IntRect&) override; 176 176 void setFocus(bool) override;