Changeset 260598 in webkit

Timestamp:

Apr 23, 2020 2:08:12 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Allow credentials for same-origin css mask images
​https://bugs.webkit.org/show_bug.cgi?id=210895
<rdar://problem/60093888>

Patch by Alex Christensen <​achristensen@webkit.org> on 2020-04-23
Reviewed by Brent Fulgham.

Source/WebCore:

Test: http/tests/security/css-mask-image-credentials.html

r230006 went a step too far in restricting what is allowed with css mask images.
Basic authentication credentials should be allowed with such requests as they are in Chrome and Firefox.
This can be seen by doing run-webkit-httpd then opening ​http://127.0.0.1:8000/security/css-mask-image-credentials.html
In Chrome and Firefox you'll see it forward to a page that has a blue square.
In Safari before this change you'll see a yellow square and a basic authentication prompt.
In Safari after this change you'll see the same blue square you see in Chrome and Firefox.

• style/StylePendingResources.cpp:

(WebCore::Style::loadPendingImage):

LayoutTests:

• http/tests/security/css-mask-image-credentials-expected.html: Added.
• http/tests/security/css-mask-image-credentials.html: Added.
• http/tests/security/resources/css-mask-image-credentials-2.html: Added.
• http/tests/security/resources/image-credential-check.php: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/css-mask-image-credentials-expected.html (added)
• LayoutTests/http/tests/security/css-mask-image-credentials.html (added)
• LayoutTests/http/tests/security/resources/css-mask-image-credentials-2.html (added)
• LayoutTests/http/tests/security/resources/image-credential-check.php (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/style/StylePendingResources.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-04-23  Alex Christensen  <achristensen@webkit.org>
+
+        Allow credentials for same-origin css mask images
+        https://bugs.webkit.org/show_bug.cgi?id=210895
+        <rdar://problem/60093888>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/css-mask-image-credentials-expected.html: Added.
+        * http/tests/security/css-mask-image-credentials.html: Added.
+        * http/tests/security/resources/css-mask-image-credentials-2.html: Added.
+        * http/tests/security/resources/image-credential-check.php: Added.
+
 2020-04-23  Kenneth Russell  <kbr@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-04-23  Alex Christensen  <achristensen@webkit.org>
+
+        Allow credentials for same-origin css mask images
+        https://bugs.webkit.org/show_bug.cgi?id=210895
+        <rdar://problem/60093888>
+
+        Reviewed by Brent Fulgham.
+
+        Test: http/tests/security/css-mask-image-credentials.html
+
+        r230006 went a step too far in restricting what is allowed with css mask images.
+        Basic authentication credentials should be allowed with such requests as they are in Chrome and Firefox.
+        This can be seen by doing run-webkit-httpd then opening http://127.0.0.1:8000/security/css-mask-image-credentials.html
+        In Chrome and Firefox you'll see it forward to a page that has a blue square.
+        In Safari before this change you'll see a yellow square and a basic authentication prompt.
+        In Safari after this change you'll see the same blue square you see in Chrome and Firefox.
+
+        * style/StylePendingResources.cpp:
+        (WebCore::Style::loadPendingImage):
+
 2020-04-23  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/style/StylePendingResources.cpp

@@ -44 +44 @@
 
 // <https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes>
-enum class LoadPolicy { NoCORS, Anonymous };
+enum class LoadPolicy { CORS, NoCORS, Anonymous };
 static void loadPendingImage(Document& document, const StyleImage* styleImage, const Element* element, LoadPolicy loadPolicy = LoadPolicy::NoCORS)
 {
@@ -54 +54 @@
     options.contentSecurityPolicyImposition = isInUserAgentShadowTree ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
 
-    if (loadPolicy == LoadPolicy::Anonymous && !isInUserAgentShadowTree && document.settings().useAnonymousModeWhenFetchingMaskImages()) {
-        options.mode = FetchOptions::Mode::Cors;
-        options.credentials = FetchOptions::Credentials::SameOrigin;
-        options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
-        options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
+    if (!isInUserAgentShadowTree && document.settings().useAnonymousModeWhenFetchingMaskImages()) {
+        switch (loadPolicy) {
+        case LoadPolicy::Anonymous:
+            options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
+            FALLTHROUGH;
+        case LoadPolicy::CORS:
+            options.mode = FetchOptions::Mode::Cors;
+            options.credentials = FetchOptions::Credentials::SameOrigin;
+            options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
+            break;
+        case LoadPolicy::NoCORS:
+            break;
+        }
     }
 
@@ -92 +100 @@
     // images are retreived in "Anonymous" mode, which uses a potentially CORS-enabled fetch.
     for (auto* maskLayer = &style.maskLayers(); maskLayer; maskLayer = maskLayer->next())
-        loadPendingImage(document, maskLayer->image(), element, LoadPolicy::Anonymous);
+        loadPendingImage(document, maskLayer->image(), element, LoadPolicy::CORS);
 
     if (style.shapeOutside())