Changeset 99298 in webkit

Timestamp:

Nov 4, 2011 11:09:36 AM (12 years ago)

Author:

abarth@webkit.org

Message:

Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
​https://bugs.webkit.org/show_bug.cgi?id=71053

Reviewed by Darin Adler.

Source/WebCore:

The crossorigin attribute should behave like XMLHttpRequest:
same-origin images pass without and CORS headers, but CORS checks are
performed for cross-origin loads. This patch better aligns our
behavior with Firefox, as discussed in the bug.

Test: http/tests/security/img-crossorigin-loads-same-origin.html

• loader/ImageLoader.cpp:

(WebCore::ImageLoader::notifyFinished):

LayoutTests:

Test that we succeed in loading a same-origin image without the help of
CORS even if the image has the crossorigin attribute.

• http/tests/security/img-crossorigin-loads-same-origin-expected.txt: Added.
• http/tests/security/img-crossorigin-loads-same-origin.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/img-crossorigin-loads-same-origin-expected.txt (added)
• LayoutTests/http/tests/security/img-crossorigin-loads-same-origin.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/ImageLoader.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-04  Adam Barth  <abarth@webkit.org>
+
+        Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=71053
+
+        Reviewed by Darin Adler.
+
+        Test that we succeed in loading a same-origin image without the help of
+        CORS even if the image has the crossorigin attribute.
+
+        * http/tests/security/img-crossorigin-loads-same-origin-expected.txt: Added.
+        * http/tests/security/img-crossorigin-loads-same-origin.html: Added.
+
 2011-11-04  Gaurav Shah  <gauravsh@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-04  Adam Barth  <abarth@webkit.org>
+
+        Anonymous CORS fetch for WebGL texture fails when there is no appropriate server response even for the same origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=71053
+
+        Reviewed by Darin Adler.
+
+        The crossorigin attribute should behave like XMLHttpRequest:
+        same-origin images pass without and CORS headers, but CORS checks are
+        performed for cross-origin loads.  This patch better aligns our
+        behavior with Firefox, as discussed in the bug.
+
+        Test: http/tests/security/img-crossorigin-loads-same-origin.html
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::notifyFinished):
+
 2011-11-04  Gaurav Shah  <gauravsh@chromium.org>
 

trunk/Source/WebCore/loader/ImageLoader.cpp

@@ -34 +34 @@
 #include "RenderImage.h"
 #include "ScriptCallStack.h"
+#include "SecurityOrigin.h"
 
 #if ENABLE(SVG)
@@ -241 +242 @@
         return;
 
-    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+    if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr)
+        && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
+        && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
+
         setImage(0);