SVG loaded through html <img> can't request to load any external resources.
https://bugs.webkit.org/show_bug.cgi?id=137762.
Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2014-10-22
Reviewed by Daniel Bates.
Source/WebCore:
SVG images have unique security rules that prevent them from loading any external
resources. This patch enforces these rules in CachedResourceLoader::canRequest for
all non-data-uri resources.
The fix and the tests are ported but modified a little from the chromium fix:
http://src.chromium.org/viewvc/blink?view=rev&rev=176084
Test: http/tests/security/svg-image-with-cached-remote-image.html
http/tests/security/svg-image-with-css-cross-domain.html
For the SVG image, prevent loading any external sub-resource except for data urls.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
LayoutTests:
Ensure that SVG images, which are loaded through the <img> tag or through the
CSS background image, cannot load any external sub-resource except for data-
URL resources (though this doesn't work at the time of writing, see bug #137941).
Also ensure the same rule is enforced on cached resources.
The tests are ported but modified a little from the chromium fix:
http://src.chromium.org/viewvc/blink?view=rev&rev=176084
Set the circle background to orange
* http/tests/security/resources/image-with-css-cross-domain-circle.css: Added.
(circle):
Set the circle stroke-width = 2 and the circle stroke = red
* http/tests/security/resources/image-with-css-cross-domain-circle2.css: Added.
(circle):
This svg references the two css files: one is relative path and the other is absolute path
* http/tests/security/resources/image-with-css-cross-domain.svg: Added.
This svg references an external image.
* http/tests/security/resources/image-with-remote-image.svg: Added.
A helper css which sets the formatting style for some html tags
* http/tests/security/svg-image-with-css-cross-domain.css: Added.
(span):
(span.circle-css-cross-domain):
(embed):
(iframe):
Test the svg which is referenced as a cached image by an <object> tag, does not load
external sub-resource.
* http/tests/security/svg-image-with-cached-remote-image-expected.html: Added.
* http/tests/security/svg-image-with-cached-remote-image.html: Added.
Test loading sub-resources for an svg which is included in the html by different ways
and which references external css files.
Ensure the image object does not load any external sub-resources.
* http/tests/security/svg-image-with-css-cross-domain-expected.html: Added.
* http/tests/security/svg-image-with-css-cross-domain.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@175074 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/loader/cache/CachedResourceLoader.cpp b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
index 7cf186e..d160849 100644
--- a/Source/WebCore/loader/cache/CachedResourceLoader.cpp
+++ b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
@@ -35,6 +35,8 @@
#include "CachedResourceRequest.h"
#include "CachedScript.h"
#include "CachedXSLStyleSheet.h"
+#include "Chrome.h"
+#include "ChromeClient.h"
#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Document.h"
@@ -379,6 +381,12 @@
#endif
}
+ // SVG Images have unique security rules that prevent all subresource requests except for data urls.
+ if (type != CachedResource::MainResource && frame() && frame()->page()) {
+ if (frame()->page()->chrome().client().isSVGImageChromeClient() && !url.protocolIsData())
+ return false;
+ }
+
// Last of all, check for insecure content. We do this last so that when
// folks block insecure content with a CSP policy, they don't get a warning.
// They'll still get a warning in the console about CSP blocking the load.
