hmuller@adobe.com
authored
https://bugs.webkit.org/show_bug.cgi?id=117610

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Restrict the image URL values for shape-inside and shape-outside to the same origin as the document. The alpha channel of image shape values will be thresholded to produce the shape's boundaries (see bug 116643) so normal image access rules aren't secure enough.

Added a RequestOriginPolicy ResourceLoaderOption which is used by StyleResolver::loadPendingShapeImage() to request the additional restriction. The change should have no other effect although it does enable one to apply the same restriction to other resources which can currently be loaded from any origin - see CachedResourceLoader::canRequest().

Test: http/tests/security/shape-inside-image-origin.html

* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::cachedImage): Add an effectively optional ResourceLoaderOptions parameter.
* css/CSSImageValue.h:
(WebCore::CSSImageValue::cachedImage): Ditto.
* css/StyleResolver.cpp:
(WebCore::StyleResolver::loadPendingShapeImage): Load the image with the default CachedResourceLoader options plus RestrictToSameOrigin.
(WebCore::StyleResolver::loadPendingImages): Call loadPendingShapeImage().
* css/StyleResolver.h:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Update the ResourceLoaderOptions static variable.
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Ditto.
* loader/ResourceLoader.h:
(WebCore::ResourceLoader::options):
* loader/ResourceLoaderOptions.h: Add RequestOriginPolicy enum.
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequest): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestImage):
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Update load() ResourceLoaderOptions.
(WebCore::CachedResourceLoader::canRequest): Replaced ContentSecurityPolicyCheck parameter with ResourceLoaderOptions.
(WebCore::CachedResourceLoader::requestResource): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Added UseDefaultOriginRestrictionsForType initializer.
* loader/cache/CachedResourceLoader.h:
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Added UseDefaultOriginRestrictionsForType initializer.

LayoutTests:

Verify that a non same-origin image URL specified for shape-inside or shape-outside will not load and the shape property will be reset to "none".

* http/tests/resources/square100.png: Added.
* http/tests/security/shape-inside-image-origin-expected.txt: Added.
* http/tests/security/shape-inside-image-origin.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@151878 268f45cc-cd09-0410-ab3c-d52691b4dbfc
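
A minimal model of the origin check this commit describes, added here as an illustration; it is not WebKit's code. Only RequestOriginPolicy, UseDefaultOriginRestrictionsForType and RestrictToSameOrigin are names from the commit message; originOf, canRequestImage, resolveShapeImage and the sample URLs used with them are assumptions.

```cpp
#include <string>

// RequestOriginPolicy and its two values are named in the commit message;
// every other name here is hypothetical and models the check, not WebKit code.
enum RequestOriginPolicy { UseDefaultOriginRestrictionsForType, RestrictToSameOrigin };

struct Origin {
    std::string scheme, host;
    int port = 0;
    bool valid = false;
    bool operator==(const Origin& o) const {
        return valid && o.valid && scheme == o.scheme && host == o.host && port == o.port;
    }
};

// Simplified origin parser: absolute http/https URLs only, no userinfo or IPv6
// literals, host compared case-sensitively.
Origin originOf(const std::string& url) {
    Origin o;
    auto sep = url.find("://");
    if (sep == std::string::npos) return o;
    o.scheme = url.substr(0, sep);
    if (o.scheme != "http" && o.scheme != "https") return o;
    auto start = sep + 3;
    auto end = url.find_first_of("/?#", start);
    std::string authority = url.substr(start, end == std::string::npos ? end : end - start);
    auto colon = authority.find(':');
    o.host = authority.substr(0, colon);
    o.port = o.scheme == "https" ? 443 : 80;  // default port when none is given
    if (colon != std::string::npos) {
        try { o.port = std::stoi(authority.substr(colon + 1)); } catch (...) { return o; }
    }
    o.valid = !o.host.empty();
    return o;
}

// Images may normally come from any origin; a caller that exposes pixel data
// through layout (shape-inside / shape-outside) asks for the stricter policy.
bool canRequestImage(const std::string& url, const std::string& documentURL,
                     RequestOriginPolicy policy) {
    Origin target = originOf(url), document = originOf(documentURL);
    if (!target.valid || !document.valid) return false;  // fail closed on unparsable URLs
    return policy == UseDefaultOriginRestrictionsForType || target == document;
}

// A blocked shape image leaves the property at "none", as the layout test expects.
std::string resolveShapeImage(const std::string& url, const std::string& documentURL) {
    if (!canRequestImage(url, documentURL, RestrictToSameOrigin)) return "none";
    return "url(" + url + ")";
}
```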