Changeset 61391 in webkit

Timestamp:

Jun 18, 2010 3:28:46 AM (14 years ago)

Author:

eric@webkit.org

Message:

2010-06-18 Adam Barth <​abarth@webkit.org>

Reviewed by Darin Adler.

noAccess url schemes block access to inline stylesheets
​https://bugs.webkit.org/show_bug.cgi?id=32309

Test that data URLs can access their inline style sheets.

• http/tests/security/data-url-inline.css-expected.txt: Added.
• http/tests/security/data-url-inline.css.html: Added.

2010-06-18 Adam Barth <​abarth@webkit.org>

Reviewed by Darin Adler.

noAccess url schemes block access to inline stylesheets
​https://bugs.webkit.org/show_bug.cgi?id=32309

Instead of using baseURL() to grab the security context we should just
use finalURL directly. When I wrote the original patch that added this
security check, finalURL didn't exist yet.

If finalURL is an empty URL, that means we generated the style sheet
from text that didn't have a URL. It would be slightly safer to store
a bit on CSSStyleSheet indicating whether it came from an inline style
sheet, but I think this check is fairly accurate.

Test: http/tests/security/data-url-inline.css.html

• css/CSSStyleSheet.cpp: (WebCore::CSSStyleSheet::cssRules):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/data-url-inline.css-expected.txt (added)
• LayoutTests/http/tests/security/data-url-inline.css.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSStyleSheet.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-06-18  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        noAccess url schemes block access to inline stylesheets
+        https://bugs.webkit.org/show_bug.cgi?id=32309
+
+        Test that data URLs can access their inline style sheets.
+
+        * http/tests/security/data-url-inline.css-expected.txt: Added.
+        * http/tests/security/data-url-inline.css.html: Added.
+
 2010-06-18  Adam Barth  <abarth@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-06-18  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        noAccess url schemes block access to inline stylesheets
+        https://bugs.webkit.org/show_bug.cgi?id=32309
+
+        Instead of using baseURL() to grab the security context we should just
+        use finalURL directly.  When I wrote the original patch that added this
+        security check, finalURL didn't exist yet.
+
+        If finalURL is an empty URL, that means we generated the style sheet
+        from text that didn't have a URL.  It would be slightly safer to store
+        a bit on CSSStyleSheet indicating whether it came from an inline style
+        sheet, but I think this check is fairly accurate.
+
+        Test: http/tests/security/data-url-inline.css.html
+
+        * css/CSSStyleSheet.cpp:
+        (WebCore::CSSStyleSheet::cssRules):
+
 2010-06-18  Adam Barth  <abarth@webkit.org>
 

trunk/WebCore/css/CSSStyleSheet.cpp

@@ -135 +135 @@
 }
 
-
 PassRefPtr<CSSRuleList> CSSStyleSheet::cssRules(bool omitCharsetRules)
 {
-    if (doc() && !doc()->securityOrigin()->canRequest(baseURL()))
+    KURL url = finalURL();
+    if (!url.isEmpty() && doc() && !doc()->securityOrigin()->canRequest(url))
         return 0;
     return CSSRuleList::create(this, omitCharsetRules);