Changeset 98215 in webkit

Timestamp:

Oct 23, 2011 9:36:38 PM (13 years ago)

Author:

abarth@webkit.org

Message:

<img crossorigin> should fail to load when CORS check fails
​https://bugs.webkit.org/show_bug.cgi?id=69732

Reviewed by Darin Adler.

Source/WebCore:

When loading an image with the crossorigin attribute, the spec says
that we're not supposed to load the image if the CORS check fails.
This "fails fast" behavior is intended to help developers understand
whether they've configured CORS correctly (instead of only catching the
error later when trying to read back the canvas).

Our new behavior matches the spec and Firefox.

Test: http/tests/security/img-with-failed-cors-check-fails-to-load.html

• loader/ImageLoader.cpp:

(WebCore::ImageLoader::notifyFinished):

LayoutTests:

Test that images loaded with the crossorigin attribute fail to load if
the CORS access check doesn't pass.

• http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt: Added.
• http/tests/security/img-with-failed-cors-check-fails-to-load.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt (added)
• LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/ImageLoader.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-10-23  Adam Barth  <abarth@webkit.org>
+
+        <img crossorigin> should fail to load when CORS check fails
+        https://bugs.webkit.org/show_bug.cgi?id=69732
+
+        Reviewed by Darin Adler.
+
+        Test that images loaded with the crossorigin attribute fail to load if
+        the CORS access check doesn't pass.
+
+        * http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt: Added.
+        * http/tests/security/img-with-failed-cors-check-fails-to-load.html: Added.
+
 2011-10-23  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-10-23  Adam Barth  <abarth@webkit.org>
+
+        <img crossorigin> should fail to load when CORS check fails
+        https://bugs.webkit.org/show_bug.cgi?id=69732
+
+        Reviewed by Darin Adler.
+
+        When loading an image with the crossorigin attribute, the spec says
+        that we're not supposed to load the image if the CORS check fails.
+        This "fails fast" behavior is intended to help developers understand
+        whether they've configured CORS correctly (instead of only catching the
+        error later when trying to read back the canvas).
+
+        Our new behavior matches the spec and Firefox.
+
+        Test: http/tests/security/img-with-failed-cors-check-fails-to-load.html
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::notifyFinished):
+
 2011-10-23  Noel Gordon  <noel.gordon@gmail.com>
 

trunk/Source/WebCore/loader/ImageLoader.cpp

@@ -33 +33 @@
 #include "HTMLParserIdioms.h"
 #include "RenderImage.h"
+#include "ScriptCallStack.h"
 
 #if ENABLE(SVG)
@@ -240 +241 @@
         return;
 
+    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+        setImage(0);
+
+        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin image load denied by Cross-Origin Resource Sharing policy."));
+        m_element->document()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String(), 0);
+
+        ASSERT(m_firedLoad);
+        return;
+    }
+
     if (resource->wasCanceled()) {
         m_firedLoad = true;