Changeset 216294 in webkit

Timestamp:

May 5, 2017 4:49:41 PM (7 years ago)

Author:

dino@apple.com

Message:

Restrict SVG filters to accessible security origins
​https://bugs.webkit.org/show_bug.cgi?id=118689
<rdar://problem/27362159>

Reviewed by Brent Fulgham.

Source/WebCore:

Certain SVG filters should only be allowed to operate
on content that is has SecurityOrigin access to. Implement
this by including a flag in PaintInfo and LayerPaintingInfo,
and have RenderWidget make sure the documents have acceptable
SecurityOrigins as it goes to paint.

This could be used as the first step in a "safe painting"
strategy, allowing some content to be rendered into a
canvas or via the element() CSS function... but it is only
a small first step.

Test: http/tests/css/filters-on-iframes.html

• page/FrameView.cpp:

(WebCore::FrameView::paintContents):

• page/FrameView.h:
• platform/ScrollView.cpp:

(WebCore::ScrollView::paint):

• platform/ScrollView.h:
• platform/Scrollbar.cpp:

(WebCore::Scrollbar::paint):

• platform/Scrollbar.h:
• platform/Widget.h:
• platform/graphics/filters/FilterOperation.h:

(WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin):

• platform/graphics/filters/FilterOperations.cpp:

(WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin):

• platform/graphics/filters/FilterOperations.h:
• platform/mac/WidgetMac.mm:

(WebCore::Widget::paint):

• rendering/FilterEffectRenderer.cpp:

(WebCore::FilterEffectRenderer::build):

• rendering/FilterEffectRenderer.h:
• rendering/PaintInfo.h:

(WebCore::PaintInfo::PaintInfo):

• rendering/RenderLayer.cpp:

(WebCore::RenderLayer::paint):
(WebCore::RenderLayer::setupFilters):
(WebCore::RenderLayer::paintForegroundForFragmentsWithPhase):

• rendering/RenderLayer.h:
• rendering/RenderScrollbar.cpp:

(WebCore::RenderScrollbar::paint):

• rendering/RenderScrollbar.h:
• rendering/RenderWidget.cpp:

(WebCore::RenderWidget::paintContents):

Source/WebKit2:

Update parameter lists.

• WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::paint):

• WebProcess/Plugins/PluginView.h:

LayoutTests:

Add a test that shows safe frames, unsafe frames, and
then a safe frame that itself has an unsafe frame, to
show that the security requirements are being forwarded
down the tree.

• http/tests/css/filters-on-iframes-expected.html: Added.
• http/tests/css/filters-on-iframes.html: Added.
• http/tests/css/resources/blank.html: Added.
• http/tests/css/resources/references-external.html: Added.
• http/tests/css/resources/solid-red.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/css/filters-on-iframes-expected.html (added)
• LayoutTests/http/tests/css/filters-on-iframes.html (added)
• LayoutTests/http/tests/css/resources/blank.html (added)
• LayoutTests/http/tests/css/resources/references-external.html (added)
• LayoutTests/http/tests/css/resources/solid-red.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/FrameView.cpp (modified) (2 diffs)
• Source/WebCore/page/FrameView.h (modified) (1 diff)
• Source/WebCore/platform/ScrollView.cpp (modified) (2 diffs)
• Source/WebCore/platform/ScrollView.h (modified) (2 diffs)
• Source/WebCore/platform/Scrollbar.cpp (modified) (1 diff)
• Source/WebCore/platform/Scrollbar.h (modified) (1 diff)
• Source/WebCore/platform/Widget.h (modified) (1 diff)
• Source/WebCore/platform/graphics/filters/FilterOperation.h (modified) (2 diffs)
• Source/WebCore/platform/graphics/filters/FilterOperations.cpp (modified) (1 diff)
• Source/WebCore/platform/graphics/filters/FilterOperations.h (modified) (1 diff)
• Source/WebCore/platform/mac/WidgetMac.mm (modified) (1 diff)
• Source/WebCore/rendering/FilterEffectRenderer.cpp (modified) (1 diff)
• Source/WebCore/rendering/FilterEffectRenderer.h (modified) (2 diffs)
• Source/WebCore/rendering/PaintInfo.h (modified) (3 diffs)
• Source/WebCore/rendering/RenderLayer.cpp (modified) (3 diffs)
• Source/WebCore/rendering/RenderLayer.h (modified) (5 diffs)
• Source/WebCore/rendering/RenderScrollbar.cpp (modified) (1 diff)
• Source/WebCore/rendering/RenderScrollbar.h (modified) (1 diff)
• Source/WebCore/rendering/RenderWidget.cpp (modified) (3 diffs)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/PluginView.cpp (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/PluginView.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-05-05  Dean Jackson  <dino@apple.com>
+
+        Restrict SVG filters to accessible security origins
+        https://bugs.webkit.org/show_bug.cgi?id=118689
+        <rdar://problem/27362159>
+
+        Reviewed by Brent Fulgham.
+
+        Add a test that shows safe frames, unsafe frames, and
+        then a safe frame that itself has an unsafe frame, to
+        show that the security requirements are being forwarded
+        down the tree.
+
+        * http/tests/css/filters-on-iframes-expected.html: Added.
+        * http/tests/css/filters-on-iframes.html: Added.
+        * http/tests/css/resources/blank.html: Added.
+        * http/tests/css/resources/references-external.html: Added.
+        * http/tests/css/resources/solid-red.html: Added.
+
 2017-05-05  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-05-05  Dean Jackson  <dino@apple.com>
+
+        Restrict SVG filters to accessible security origins
+        https://bugs.webkit.org/show_bug.cgi?id=118689
+        <rdar://problem/27362159>
+
+        Reviewed by Brent Fulgham.
+
+        Certain SVG filters should only be allowed to operate
+        on content that is has SecurityOrigin access to. Implement
+        this by including a flag in PaintInfo and LayerPaintingInfo,
+        and have RenderWidget make sure the documents have acceptable
+        SecurityOrigins as it goes to paint.
+
+        This could be used as the first step in a "safe painting"
+        strategy, allowing some content to be rendered into a 
+        canvas or via the element() CSS function... but it is only
+        a small first step.
+
+        Test: http/tests/css/filters-on-iframes.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::paintContents):
+        * page/FrameView.h:
+        * platform/ScrollView.cpp:
+        (WebCore::ScrollView::paint):
+        * platform/ScrollView.h:
+        * platform/Scrollbar.cpp:
+        (WebCore::Scrollbar::paint):
+        * platform/Scrollbar.h:
+        * platform/Widget.h:
+        * platform/graphics/filters/FilterOperation.h:
+        (WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin):
+        * platform/graphics/filters/FilterOperations.cpp:
+        (WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin):
+        * platform/graphics/filters/FilterOperations.h:
+        * platform/mac/WidgetMac.mm:
+        (WebCore::Widget::paint):
+        * rendering/FilterEffectRenderer.cpp:
+        (WebCore::FilterEffectRenderer::build):
+        * rendering/FilterEffectRenderer.h:
+        * rendering/PaintInfo.h:
+        (WebCore::PaintInfo::PaintInfo):
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::paint):
+        (WebCore::RenderLayer::setupFilters):
+        (WebCore::RenderLayer::paintForegroundForFragmentsWithPhase):
+        * rendering/RenderLayer.h:
+        * rendering/RenderScrollbar.cpp:
+        (WebCore::RenderScrollbar::paint):
+        * rendering/RenderScrollbar.h:
+        * rendering/RenderWidget.cpp:
+        (WebCore::RenderWidget::paintContents):
+
 2017-05-05  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/WebCore/page/FrameView.cpp

@@ -4420 +4420 @@
 }
 
-void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect)
+void FrameView::paintContents(GraphicsContext& context, const IntRect& dirtyRect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
 {
 #ifndef NDEBUG
@@ -4472 +4472 @@
         renderer = renderer->parent();
 
-    rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer);
+    rootLayer->paint(context, dirtyRect, LayoutSize(), m_paintBehavior, renderer, 0, securityOriginPaintPolicy == SecurityOriginPaintPolicy::AnyOrigin ? RenderLayer::SecurityOriginPaintPolicy::AnyOrigin : RenderLayer::SecurityOriginPaintPolicy::AccessibleOriginOnly);
     if (rootLayer->containsDirtyOverlayScrollbars())
         rootLayer->paintOverlayScrollbars(context, dirtyRect, m_paintBehavior, renderer);

trunk/Source/WebCore/page/FrameView.h

@@ -345 +345 @@
     void removeEmbeddedObjectToUpdate(RenderEmbeddedObject&);
 
-    WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect) final;
+    WEBCORE_EXPORT void paintContents(GraphicsContext&, const IntRect& dirtyRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
 
     struct PaintingState {

trunk/Source/WebCore/platform/ScrollView.cpp

@@ -1167 +1167 @@
 }
 
-void ScrollView::paint(GraphicsContext& context, const IntRect& rect)
+void ScrollView::paint(GraphicsContext& context, const IntRect& rect, SecurityOriginPaintPolicy securityOriginPaintPolicy)
 {
     if (platformWidget()) {
@@ -1199 +1199 @@
         }
 
-        paintContents(context, documentDirtyRect);
+        paintContents(context, documentDirtyRect, securityOriginPaintPolicy);
     }
 

trunk/Source/WebCore/platform/ScrollView.h

@@ -345 +345 @@
 
     // Widget override. Handles painting of the contents of the view as well as the scrollbars.
-    WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&) final;
+    WEBCORE_EXPORT void paint(GraphicsContext&, const IntRect&, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) final;
     void paintScrollbars(GraphicsContext&, const IntRect&);
 
@@ -381 +381 @@
 
     virtual void repaintContentRectangle(const IntRect&);
-    virtual void paintContents(GraphicsContext&, const IntRect& damageRect) = 0;
+    virtual void paintContents(GraphicsContext&, const IntRect& damageRect, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) = 0;
 
     virtual void paintOverhangAreas(GraphicsContext&, const IntRect& horizontalOverhangArea, const IntRect& verticalOverhangArea, const IntRect& dirtyRect);

trunk/Source/WebCore/platform/Scrollbar.cpp

@@ -158 +158 @@
 }
 
-void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void Scrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
 {
     if (context.updatingControlTints() && theme().supportsControlTints()) {

trunk/Source/WebCore/platform/Scrollbar.h

@@ -86 +86 @@
     void setPressedPos(int p) { m_pressedPos = p; }
 
-    void paint(GraphicsContext&, const IntRect& damageRect) override;
+    void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin) override;
 
     bool enabled() const { return m_enabled; }

trunk/Source/WebCore/platform/Widget.h

@@ -115 +115 @@
     void move(const IntPoint& p) { setFrameRect(IntRect(p, size())); }
 
-    WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&);
+    enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
+    WEBCORE_EXPORT virtual void paint(GraphicsContext&, const IntRect&, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
     void invalidate() { invalidateRect(boundsRect()); }
     virtual void invalidateRect(const IntRect&) = 0;

trunk/Source/WebCore/platform/graphics/filters/FilterOperation.h

@@ -104 +104 @@
     // True if the the value of one pixel can affect the value of another pixel under this operation, such as blur.
     virtual bool movesPixels() const { return false; }
+    // True if the filter should not be allowed to work on content that is not available from this security origin.
+    virtual bool shouldBeRestrictedBySecurityOrigin() const { return false; }
     // True if the filter needs the size of the box in order to calculate the animations.
     virtual bool blendingNeedsRendererSize() const { return false; }
@@ -183 +185 @@
     bool affectsOpacity() const override { return true; }
     bool movesPixels() const override { return true; }
+    // FIXME: This only needs to return true for graphs that include ConvolveMatrix, DisplacementMap, Morphology and possibly Lighting.
+    // https://bugs.webkit.org/show_bug.cgi?id=171753
+    bool shouldBeRestrictedBySecurityOrigin() const override { return true; }
 
     const String& url() const { return m_url; }

trunk/Source/WebCore/platform/graphics/filters/FilterOperations.cpp

@@ -138 +138 @@
 }
 
+bool FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin() const
+{
+    for (auto& operation : m_operations) {
+        if (operation->shouldBeRestrictedBySecurityOrigin())
+            return true;
+    }
+    return false;
+}
+
 TextStream& operator<<(TextStream& ts, const FilterOperations& filters)
 {

trunk/Source/WebCore/platform/graphics/filters/FilterOperations.h

@@ -57 +57 @@
     bool hasFilterThatAffectsOpacity() const;
     bool hasFilterThatMovesPixels() const;
+    bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const;
 
     bool hasReferenceFilter() const;

trunk/Source/WebCore/platform/mac/WidgetMac.mm

@@ -185 +185 @@
 }
 
-void Widget::paint(GraphicsContext& p, const IntRect& r)
+void Widget::paint(GraphicsContext& p, const IntRect& r, SecurityOriginPaintPolicy)
 {
     if (p.paintingDisabled())

trunk/Source/WebCore/rendering/FilterEffectRenderer.cpp

@@ -129 +129 @@
 {
     m_hasFilterThatMovesPixels = operations.hasFilterThatMovesPixels();
+    m_hasFilterThatShouldBeRestrictedBySecurityOrigin = operations.hasFilterThatShouldBeRestrictedBySecurityOrigin();
     if (m_hasFilterThatMovesPixels)
         m_outsets = operations.outsets();

trunk/Source/WebCore/rendering/FilterEffectRenderer.h

@@ -85 +85 @@
 
     bool hasFilterThatMovesPixels() const { return m_hasFilterThatMovesPixels; }
+    bool hasFilterThatShouldBeRestrictedBySecurityOrigin() const { return m_hasFilterThatShouldBeRestrictedBySecurityOrigin; }
 
 private:
@@ -116 +117 @@
     bool m_graphicsBufferAttached { false };
     bool m_hasFilterThatMovesPixels { false };
+    bool m_hasFilterThatShouldBeRestrictedBySecurityOrigin { false };
 };
 

trunk/Source/WebCore/rendering/PaintInfo.h

@@ -51 +51 @@
     PaintInfo(GraphicsContext& newContext, const LayoutRect& newRect, PaintPhase newPhase, PaintBehavior newPaintBehavior,
         RenderObject* newSubtreePaintRoot = nullptr, ListHashSet<RenderInline*>* newOutlineObjects = nullptr,
-        OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr)
+        OverlapTestRequestMap* overlapTestRequests = nullptr, const RenderLayerModelObject* newPaintContainer = nullptr,
+        bool newRequireSecurityOriginAccessForWidgets = false)
             : rect(newRect)
             , phase(newPhase)
@@ -59 +60 @@
             , overlapTestRequests(overlapTestRequests)
             , paintContainer(newPaintContainer)
+            , requireSecurityOriginAccessForWidgets(newRequireSecurityOriginAccessForWidgets)
             , m_context(&newContext)
     {
@@ -121 +123 @@
     OverlapTestRequestMap* overlapTestRequests;
     const RenderLayerModelObject* paintContainer; // the layer object that originates the current painting
+    bool requireSecurityOriginAccessForWidgets { false };
 
 private:

trunk/Source/WebCore/rendering/RenderLayer.cpp

@@ -3844 +3844 @@
 }
 
-void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags)
+void RenderLayer::paint(GraphicsContext& context, const LayoutRect& damageRect, const LayoutSize& subpixelOffset, PaintBehavior paintBehavior, RenderObject* subtreePaintRoot, PaintLayerFlags paintFlags, SecurityOriginPaintPolicy paintPolicy)
 {
     OverlapTestRequestMap overlapTestRequests;
 
-    LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests);
+    LayerPaintingInfo paintingInfo(this, enclosingIntRect(damageRect), paintBehavior, subpixelOffset, subtreePaintRoot, &overlapTestRequests, paintPolicy == SecurityOriginPaintPolicy::AccessibleOriginOnly);
     paintLayer(context, paintingInfo, paintFlags);
 
@@ -4242 +4242 @@
     // Note that we will still apply the clipping on the final rendering of the filter.
     paintingInfo.clipToDirtyRect = !filterInfo.renderer()->hasFilterThatMovesPixels();
+
+    paintingInfo.requireSecurityOriginAccessForWidgets = filterInfo.renderer()->hasFilterThatShouldBeRestrictedBySecurityOrigin();
 
     return WTFMove(painter.second);
@@ -4810 +4812 @@
             clipToRect(context, localPaintingInfo, fragment.foregroundRect);
     
-        PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer());
+        PaintInfo paintInfo(context, fragment.foregroundRect.rect(), phase, paintBehavior, subtreePaintRootForRenderer, nullptr, nullptr, &localPaintingInfo.rootLayer->renderer(), localPaintingInfo.requireSecurityOriginAccessForWidgets);
         if (phase == PaintPhaseForeground)
             paintInfo.overlapTestRequests = localPaintingInfo.overlapTestRequests;

trunk/Source/WebCore/rendering/RenderLayer.h

@@ -497 +497 @@
     typedef unsigned PaintLayerFlags;
 
+    enum class SecurityOriginPaintPolicy { AnyOrigin, AccessibleOriginOnly };
+
     // The two main functions that use the layer system.  The paint method
     // paints the layers that intersect the damage rect from back to
@@ -502 +504 @@
     // layers that intersect the point from front to back.
     void paint(GraphicsContext&, const LayoutRect& damageRect, const LayoutSize& subpixelOffset = LayoutSize(), PaintBehavior = PaintBehaviorNormal,
-        RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0);
+        RenderObject* subtreePaintRoot = nullptr, PaintLayerFlags = 0, SecurityOriginPaintPolicy = SecurityOriginPaintPolicy::AnyOrigin);
     bool hitTest(const HitTestRequest&, HitTestResult&);
     bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&);
@@ -719 +721 @@
 
     struct LayerPaintingInfo {
-        LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr)
+        LayerPaintingInfo(RenderLayer* inRootLayer, const LayoutRect& inDirtyRect, PaintBehavior inPaintBehavior, const LayoutSize& inSupixelOffset, RenderObject* inSubtreePaintRoot = nullptr, OverlapTestRequestMap* inOverlapTestRequests = nullptr, bool inRequireSecurityOriginAccessForWidgets = false)
             : rootLayer(inRootLayer)
             , subtreePaintRoot(inSubtreePaintRoot)
@@ -726 +728 @@
             , overlapTestRequests(inOverlapTestRequests)
             , paintBehavior(inPaintBehavior)
-            , clipToDirtyRect(true)
+            , requireSecurityOriginAccessForWidgets(inRequireSecurityOriginAccessForWidgets)
         { }
         RenderLayer* rootLayer;
@@ -734 +736 @@
         OverlapTestRequestMap* overlapTestRequests; // May be null.
         PaintBehavior paintBehavior;
-        bool clipToDirtyRect;
+        bool requireSecurityOriginAccessForWidgets;
+        bool clipToDirtyRect { true };
     };
 

trunk/Source/WebCore/rendering/RenderScrollbar.cpp

@@ -103 +103 @@
 }
 
-void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect)
+void RenderScrollbar::paint(GraphicsContext& context, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy)
 {
     if (context.updatingControlTints()) {

trunk/Source/WebCore/rendering/RenderScrollbar.h

@@ -67 +67 @@
     void setEnabled(bool) override;
 
-    void paint(GraphicsContext&, const IntRect& damageRect) override;
+    void paint(GraphicsContext&, const IntRect& damageRect, Widget::SecurityOriginPaintPolicy) override;
 
     void setHoveredPart(ScrollbarPart) override;

trunk/Source/WebCore/rendering/RenderWidget.cpp

@@ -32 +32 @@
 #include "RenderLayerBacking.h"
 #include "RenderView.h"
+#include "SecurityOrigin.h"
 #include <wtf/StackStats.h>
 #include <wtf/Ref.h>
@@ -217 +218 @@
 void RenderWidget::paintContents(PaintInfo& paintInfo, const LayoutPoint& paintOffset)
 {
+    if (paintInfo.requireSecurityOriginAccessForWidgets) {
+        if (auto contentDocument = frameOwnerElement().contentDocument()) {
+            if (!document().securityOrigin().canAccess(contentDocument->securityOrigin()))
+                return;
+        }
+    }
+
     IntPoint contentPaintOffset = roundedIntPoint(paintOffset + location() + contentBoxRect().location());
     // Tell the widget to paint now. This is the only time the widget is allowed
@@ -230 +238 @@
         paintRect.move(-widgetPaintOffset);
     }
-    // FIXME: Remove repaintrect encolsing/integral snapping when RenderWidget becomes device pixel snapped.
-    m_widget->paint(paintInfo.context(), snappedIntRect(paintRect));
+    // FIXME: Remove repaintrect enclosing/integral snapping when RenderWidget becomes device pixel snapped.
+    m_widget->paint(paintInfo.context(), snappedIntRect(paintRect), paintInfo.requireSecurityOriginAccessForWidgets ? Widget::SecurityOriginPaintPolicy::AccessibleOriginOnly : Widget::SecurityOriginPaintPolicy::AnyOrigin);
 
     if (!widgetPaintOffset.isZero())

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-05-05  Dean Jackson  <dino@apple.com>
+
+        Restrict SVG filters to accessible security origins
+        https://bugs.webkit.org/show_bug.cgi?id=118689
+        <rdar://problem/27362159>
+
+        Reviewed by Brent Fulgham.
+
+        Update parameter lists.
+
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::paint):
+        * WebProcess/Plugins/PluginView.h:
+
 2017-05-05  Beth Dakin  <bdakin@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp

@@ -783 +783 @@
 }
 
-void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/)
+void PluginView::paint(GraphicsContext& context, const IntRect& /*dirtyRect*/, Widget::SecurityOriginPaintPolicy)
 {
     if (!m_plugin || !m_isInitialized || m_pluginElement->displayState() < HTMLPlugInElement::Restarting)

trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h

@@ -172 +172 @@
     // WebCore::Widget
     void setFrameRect(const WebCore::IntRect&) override;
-    void paint(WebCore::GraphicsContext&, const WebCore::IntRect&) override;
+    void paint(WebCore::GraphicsContext&, const WebCore::IntRect&, WebCore::Widget::SecurityOriginPaintPolicy) override;
     void invalidateRect(const WebCore::IntRect&) override;
     void setFocus(bool) override;