Support the usage of CORS for WebGL and the 2D canvas #3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Factor CORS request preparation out of DocumentThreadableLoader https://bugs.webkit.org/show_bug.cgi?id=61209 2011-05-20 Adam Barth <[email protected]> Reviewed by Alexey Proskuryakov. Factor CORS request preparation out of DocumentThreadableLoader https://bugs.webkit.org/show_bug.cgi?id=61209 DocumentThreadableLoader has two jobs: 1) Proxy loads between threads. 2) Run the CORS state machine. This patch begins the work of separating those concerns, allowing CORS to be used elsewhere in the loading pipeline. In particular, this patch moves knowledge of how to prepare CORS requests out of DocumentThreadableLoder. * loader/CrossOriginAccessControl.cpp: (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): (WebCore::updateRequestForAccessControl): (WebCore::createAccessControlPreflightRequest): * loader/CrossOriginAccessControl.h: * loader/DocumentThreadableLoader.cpp: (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight): Change-Id: I5a4443a1655f906d833f608f15296dc7926d3326 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@86980 268f45cc-cd09-0410-ab3c-d52691b4dbfc Add rel type prerender to distinguish prerender from prefetch https://bugs.webkit.org/show_bug.cgi?id=61079 2011-05-21 Gavin Peters <[email protected]> Reviewed by Adam Barth. Add rel type prerender to distinguish prerender from prefetch https://bugs.webkit.org/show_bug.cgi?id=61079 Chrome right now uses <link rel=prefetch ...> for one of two things, to warm the cache in the same way as firefox, or to launch a speculative rendering of a web page, for faster "loading" when the user navigates to it. This new rel type will let us distinguish the two cases; the rel type prerender isn't used on the web today, but the Google Web Search example prerendering application is ready to experiment with it. * fast/dom/HTMLLinkElement/prerender-expected.txt: Added. * fast/dom/HTMLLinkElement/prerender.html: Added. * platform/gtk/Skipped: * platform/mac/Skipped: * platform/qt/Skipped: * platform/win/Skipped: 2011-05-21 Gavin Peters <[email protected]> Reviewed by Adam Barth. Add rel type prerender to distinguish prerender from prefetch https://bugs.webkit.org/show_bug.cgi?id=61079 Chrome right now uses <link rel=prefetch ...> for one of two things, to warm the cache in the same way as firefox, or to launch a speculative rendering of a web page, for faster "loading" when the user navigates to it. This new rel type will let us distinguish the two cases; the rel type prerender isn't used on the web today, but the Google Web Search example prerendering application is ready to experiment with it. Test: fast/dom/HTMLLinkElement/prerender.html * html/HTMLLinkElement.cpp: (WebCore::HTMLLinkElement::tokenizeRelAttribute): (WebCore::HTMLLinkElement::process): * html/HTMLLinkElement.h: (WebCore::HTMLLinkElement::RelAttribute::RelAttribute): * loader/cache/CachedResource.cpp: (WebCore::defaultPriorityForResourceType): * loader/cache/CachedResource.h: (WebCore::CachedResource::isLinkResource): * loader/cache/CachedResourceLoader.cpp: (WebCore::createResource): (WebCore::CachedResourceLoader::requestLinkResource): (WebCore::CachedResourceLoader::canRequest): * loader/cache/CachedResourceLoader.h: * loader/cache/CachedResourceRequest.cpp: (WebCore::cachedResourceTypeToTargetType): (WebCore::CachedResourceRequest::load): * platform/network/ResourceRequestBase.h: Change-Id: I66a012e0bc3414cc48a7c497f08fb9b83cd8ab06 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87020 268f45cc-cd09-0410-ab3c-d52691b4dbfc Make CachedResource take a ResourceRequest instead of just a url string. 2011-05-24 Nate Chapin <[email protected]> Reviewed by Adam Barth. Change CachedResources to take a ResourceRequest instead of a url in their constructors and provide a very minimal set of cases for avoiding reusing a CachedResource. The ResourceRequest part of this change requires pushing responsibility for calling Document::completeURL() to the caller, instead of CachedResourceLoader, since ResourceRequest ASSERTs if it is constructed with an invalid url. https://bugs.webkit.org/show_bug.cgi?id=61318 Refactor, no new tests. * css/CSSFontSelector.cpp: (WebCore::CSSFontSelector::addFontFaceRule): * css/CSSImageValue.cpp: (WebCore::CSSImageValue::cachedImage): * css/CSSImportRule.cpp: (WebCore::CSSImportRule::insertedIntoParent): * dom/ProcessingInstruction.cpp: (WebCore::ProcessingInstruction::checkStyleSheet): * dom/ScriptElement.cpp: (WebCore::ScriptElement::requestScript): * html/HTMLLinkElement.cpp: (WebCore::HTMLLinkElement::process): * loader/ImageLoader.cpp: (WebCore::ImageLoader::updateFromElement): * loader/cache/CachedCSSStyleSheet.cpp: (WebCore::CachedCSSStyleSheet::CachedCSSStyleSheet): (WebCore::CachedCSSStyleSheet::didAddClient): (WebCore::CachedCSSStyleSheet::checkNotify): * loader/cache/CachedCSSStyleSheet.h: * loader/cache/CachedFont.cpp: (WebCore::CachedFont::CachedFont): * loader/cache/CachedFont.h: * loader/cache/CachedImage.cpp: (WebCore::CachedImage::CachedImage): (WebCore::CachedImage::checkShouldPaintBrokenImage): * loader/cache/CachedImage.h: * loader/cache/CachedResource.cpp: (WebCore::CachedResource::CachedResource): (WebCore::reuseRequest): (WebCore::CachedResource::allowReuseOfRequest): (WebCore::CachedResource::removeClient): (WebCore::CachedResource::canUseCacheValidator): * loader/cache/CachedResource.h: (WebCore::CachedResource::resourceRequest): (WebCore::CachedResource::url): * loader/cache/CachedResourceLoader.cpp: * loader/cache/CachedResourceLoader.h: * loader/cache/CachedResourceRequest.cpp: (WebCore::CachedResourceRequest::load): * loader/cache/CachedScript.cpp: (WebCore::CachedScript::CachedScript): * loader/cache/CachedScript.h: * loader/cache/CachedXSLStyleSheet.cpp: (WebCore::CachedXSLStyleSheet::CachedXSLStyleSheet): (WebCore::CachedXSLStyleSheet::didAddClient): (WebCore::CachedXSLStyleSheet::checkNotify): * loader/cache/CachedXSLStyleSheet.h: * svg/SVGFEImageElement.cpp: (WebCore::SVGFEImageElement::requestImageResource): * svg/SVGFontFaceUriElement.cpp: (WebCore::SVGFontFaceUriElement::loadFont): * xml/XSLImportRule.cpp: (WebCore::XSLImportRule::loadSheet): Change-Id: I4fb698cf09669661063eb42e310fbc1fd907bf76 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87239 268f45cc-cd09-0410-ab3c-d52691b4dbfc Support cross-origin property for images 2011-05-26 Adam Barth <[email protected]> Reviewed by Eric Seidel. Support cross-origin property for images https://bugs.webkit.org/show_bug.cgi?id=61015 Test various cases involving CORS requests and canvas tainting. * http/tests/security/canvas-remote-read-remote-image-allowed-expected.txt: Added. * http/tests/security/canvas-remote-read-remote-image-allowed-with-credentials-expected.txt: Added. * http/tests/security/canvas-remote-read-remote-image-allowed-with-credentials.html: Added. * http/tests/security/canvas-remote-read-remote-image-allowed.html: Added. * http/tests/security/canvas-remote-read-remote-image-blocked-no-crossorigin-expected.txt: Added. * http/tests/security/canvas-remote-read-remote-image-blocked-no-crossorigin.html: Added. * http/tests/security/resources/abe-allow-credentials.php: Added. * http/tests/security/resources/abe-allow-star.php: Added. 2011-05-26 Adam Barth <[email protected]> Reviewed by Eric Seidel. Support cross-origin property for images https://bugs.webkit.org/show_bug.cgi?id=61015 This patch add support for the crossorigin attribute of images and teaches 2D canvas to respect that flag and not taint a canvas if the image drawn on the canvas is allowed by CORS. While I was editing this code, I couldn't resist a couple touch-up changes. Tests: http/tests/security/canvas-remote-read-remote-image-allowed-with-credentials.html http/tests/security/canvas-remote-read-remote-image-allowed.html http/tests/security/canvas-remote-read-remote-image-blocked-no-crossorigin.html * html/HTMLAttributeNames.in: * html/HTMLCanvasElement.cpp: (WebCore::HTMLCanvasElement::securityOrigin): * html/HTMLCanvasElement.h: * html/HTMLImageElement.idl: * html/canvas/CanvasRenderingContext.cpp: (WebCore::CanvasRenderingContext::checkOrigin): * html/canvas/CanvasRenderingContext2D.cpp: (WebCore::CanvasRenderingContext2D::createPattern): * loader/ImageLoader.cpp: (WebCore::ImageLoader::updateFromElement): * loader/cache/CachedResource.cpp: (WebCore::CachedResource::passesAccessControlCheck): * loader/cache/CachedResource.h: Change-Id: I074a377f0045627e54806dacd5f3eb499a8dd5d0 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87473 268f45cc-cd09-0410-ab3c-d52691b4dbfc HTMLVideoElement::currentSrc() should return a KURL 2011-05-27 Adam Barth <[email protected]> Reviewed by Eric Seidel. HTMLVideoElement::currentSrc() should return a KURL https://bugs.webkit.org/show_bug.cgi?id=61578 I suspect we got into this mess because the author of this code didn't know about the URL attribute in WebKit IDL, which is super useful! Bad news: The line of code in question seems to have another bug, which I've documented in a FIXME. Let the yak shaving continue! * html/HTMLMediaElement.cpp: (WebCore::urlForLogging): (WebCore::HTMLMediaElement::loadResource): (WebCore::HTMLMediaElement::isSafeToLoadURL): (WebCore::HTMLMediaElement::selectNextSourceChild): (WebCore::HTMLMediaElement::getPluginProxyParams): * html/HTMLMediaElement.h: (WebCore::HTMLMediaElement::currentSrc): (WebCore::HTMLMediaElement::currentURL): * html/canvas/CanvasRenderingContext.cpp: (WebCore::CanvasRenderingContext::checkOrigin): * rendering/HitTestResult.cpp: (WebCore::HitTestResult::absoluteMediaURL): - This complete URL call was unnecessary because currentSrc is already absolute. Change-Id: I6fabb90aa5019a02a2434842824647d1484ed506 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87539 268f45cc-cd09-0410-ab3c-d52691b4dbfc Disallow use of cross-domain media (images, video) in WebGL 2011-06-09 Kenneth Russell <[email protected]> Reviewed by Adam Barth. Disallow use of cross-domain media (images, video) in WebGL https://bugs.webkit.org/show_bug.cgi?id=62257 Updated WebGL implementation to track recent spec updates in this area. Tests: http/tests/security/webgl-remote-read-remote-image-allowed-with-credentials.html http/tests/security/webgl-remote-read-remote-image-allowed.html http/tests/security/webgl-remote-read-remote-image-blocked-no-crossorigin.html * html/canvas/CanvasRenderingContext.cpp: (WebCore::CanvasRenderingContext::wouldTaintOrigin): (WebCore::CanvasRenderingContext::checkOrigin): * html/canvas/CanvasRenderingContext.h: (WebCore::CanvasRenderingContext::checkOrigin): * html/canvas/WebGLRenderingContext.cpp: (WebCore::WebGLRenderingContext::readPixels): (WebCore::WebGLRenderingContext::texImage2D): (WebCore::WebGLRenderingContext::videoFrameToImage): (WebCore::WebGLRenderingContext::texSubImage2D): * html/canvas/WebGLRenderingContext.h: 2011-06-09 Kenneth Russell <[email protected]> Reviewed by Adam Barth. Disallow use of cross-domain media (images, video) in WebGL https://bugs.webkit.org/show_bug.cgi?id=62257 Updated origin-clean-conformance.html to track upstream version in Khronos repository. Added new layout tests mirroring those added in bug 61015 which verify that new CORS support for images is working in the context of WebGL. Verified new tests in WebKit and Chromium. Skipped tests on platforms where WebGL is disabled. * http/tests/canvas/webgl/origin-clean-conformance-expected.txt: * http/tests/canvas/webgl/origin-clean-conformance.html: * http/tests/security/webgl-remote-read-remote-image-allowed-expected.txt: Added. * http/tests/security/webgl-remote-read-remote-image-allowed-with-credentials-expected.txt: Added. * http/tests/security/webgl-remote-read-remote-image-allowed-with-credentials.html: Added. * http/tests/security/webgl-remote-read-remote-image-allowed.html: Added. * http/tests/security/webgl-remote-read-remote-image-blocked-no-crossorigin-expected.txt: Added. * http/tests/security/webgl-remote-read-remote-image-blocked-no-crossorigin.html: Added. * platform/gtk/Skipped: * platform/mac-leopard/Skipped: * platform/mac-wk2/Skipped: * platform/qt/Skipped: Change-Id: Id2e32ce41432838be6919002d606185ea60d97b3 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88489 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Factor CORS request preparation out of DocumentThreadableLoader
https://bugs.webkit.org/show_bug.cgi?id=61209
2011-05-20 Adam Barth [email protected]
Change-Id: I5a4443a1655f906d833f608f15296dc7926d3326
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@86980 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Add rel type prerender to distinguish prerender from prefetch
https://bugs.webkit.org/show_bug.cgi?id=61079
2011-05-21 Gavin Peters [email protected]
2011-05-21 Gavin Peters [email protected]
Change-Id: I66a012e0bc3414cc48a7c497f08fb9b83cd8ab06
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87020 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Make CachedResource take a ResourceRequest instead of just a url string.
2011-05-24 Nate Chapin [email protected]
Change-Id: I4fb698cf09669661063eb42e310fbc1fd907bf76
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87239 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Support cross-origin property for images
2011-05-26 Adam Barth [email protected]
2011-05-26 Adam Barth [email protected]
Change-Id: I074a377f0045627e54806dacd5f3eb499a8dd5d0
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87473 268f45cc-cd09-0410-ab3c-d52691b4dbfc
HTMLVideoElement::currentSrc() should return a KURL
2011-05-27 Adam Barth [email protected]
Change-Id: I6fabb90aa5019a02a2434842824647d1484ed506
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87539 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Disallow use of cross-domain media (images, video) in WebGL
2011-06-09 Kenneth Russell [email protected]
2011-06-09 Kenneth Russell [email protected]
Change-Id: Id2e32ce41432838be6919002d606185ea60d97b3
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@88489 268f45cc-cd09-0410-ab3c-d52691b4dbfc