Changeset 260598 in webkit
- Timestamp: Apr 23, 2020 2:08:12 PM
- Location: trunk
- Files: 4 added, 3 edited
trunk/LayoutTests/ChangeLog
r260588 r260598 1 2020-04-23 Alex Christensen <achristensen@webkit.org> 2 3 Allow credentials for same-origin css mask images 4 https://bugs.webkit.org/show_bug.cgi?id=210895 5 <rdar://problem/60093888> 6 7 Reviewed by Brent Fulgham. 8 9 * http/tests/security/css-mask-image-credentials-expected.html: Added. 10 * http/tests/security/css-mask-image-credentials.html: Added. 11 * http/tests/security/resources/css-mask-image-credentials-2.html: Added. 12 * http/tests/security/resources/image-credential-check.php: Added. 13 1 14 2020-04-23 Kenneth Russell <kbr@chromium.org> 2 15 -
trunk/Source/WebCore/ChangeLog
r260597 r260598 1 2020-04-23 Alex Christensen <achristensen@webkit.org> 2 3 Allow credentials for same-origin css mask images 4 https://bugs.webkit.org/show_bug.cgi?id=210895 5 <rdar://problem/60093888> 6 7 Reviewed by Brent Fulgham. 8 9 Test: http/tests/security/css-mask-image-credentials.html 10 11 r230006 went a step too far in restricting what is allowed with css mask images. 12 Basic authentication credentials should be allowed with such requests as they are in Chrome and Firefox. 13 This can be seen by doing run-webkit-httpd then opening http://127.0.0.1:8000/security/css-mask-image-credentials.html 14 In Chrome and Firefox you'll see it forward to a page that has a blue square. 15 In Safari before this change you'll see a yellow square and a basic authentication prompt. 16 In Safari after this change you'll see the same blue square you see in Chrome and Firefox. 17 18 * style/StylePendingResources.cpp: 19 (WebCore::Style::loadPendingImage): 20 1 21 2020-04-23 Alex Christensen <achristensen@webkit.org> 2 22 -
trunk/Source/WebCore/style/StylePendingResources.cpp
r244115 r260598 44 44 45 45 // <https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes> 46 enum class LoadPolicy { NoCORS, Anonymous };46 enum class LoadPolicy { CORS, NoCORS, Anonymous }; 47 47 static void loadPendingImage(Document& document, const StyleImage* styleImage, const Element* element, LoadPolicy loadPolicy = LoadPolicy::NoCORS) 48 48 { … … 54 54 options.contentSecurityPolicyImposition = isInUserAgentShadowTree ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck; 55 55 56 if (loadPolicy == LoadPolicy::Anonymous && !isInUserAgentShadowTree && document.settings().useAnonymousModeWhenFetchingMaskImages()) { 57 options.mode = FetchOptions::Mode::Cors; 58 options.credentials = FetchOptions::Credentials::SameOrigin; 59 options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse; 60 options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set; 56 if (!isInUserAgentShadowTree && document.settings().useAnonymousModeWhenFetchingMaskImages()) { 57 switch (loadPolicy) { 58 case LoadPolicy::Anonymous: 59 options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse; 60 FALLTHROUGH; 61 case LoadPolicy::CORS: 62 options.mode = FetchOptions::Mode::Cors; 63 options.credentials = FetchOptions::Credentials::SameOrigin; 64 options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set; 65 break; 66 case LoadPolicy::NoCORS: 67 break; 68 } 61 69 } 62 70 … … 92 100 // images are retreived in "Anonymous" mode, which uses a potentially CORS-enabled fetch. 93 101 for (auto* maskLayer = &style.maskLayers(); maskLayer; maskLayer = maskLayer->next()) 94 loadPendingImage(document, maskLayer->image(), element, LoadPolicy:: Anonymous);102 loadPendingImage(document, maskLayer->image(), element, LoadPolicy::CORS); 95 103 96 104 if (style.shapeOutside())
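Review bot: In the new switch in loadPendingImage, the LoadPolicy::Anonymous case may now be dead code, because the mask-layer call site in the last hunk was its visible user and now passes LoadPolicy::CORS. If no other caller passes Anonymous, drop the enumerator and its FALLTHROUGH case. If it stays, add a one-line comment on the enum saying that Anonymous differs from CORS only in setting storedCredentialsPolicy to DoNotUse. The guard also still reads document.settings().useAnonymousModeWhenFetchingMaskImages(), although the CORS path it now enables permits stored credentials for same-origin requests, so the setting name no longer describes what it gates; a rename or a comment at the guard would avoid misreading it as a credential-free mode.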
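Review bot: The context comment above the maskLayers loop is stale after this change: it still says images are fetched in "Anonymous" mode, while the call below it now passes LoadPolicy::CORS. Update the comment to say that mask images use a CORS-enabled fetch with same-origin credentials allowed, and fix the "retreived" typo in the same line. Since this relaxes a restriction the ChangeLog attributes to r230006, the comment is also a good place to note that cross-origin mask requests remain credential-free under FetchOptions::Credentials::SameOrigin.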