Don't prematurely initialize a Document for an external SVG resource

Bug: 1107442 Change-Id: Ifc0d515e10bb73a3217dd6164aded10731e126ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2316805 Commit-Queue: Nate Chapin <japhet@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Cr-Commit-Position: refs/heads/master@{#791315}

Don't prematurely initialize a Document for an external SVG resource
Bug: 1107442 Change-Id: Ifc0d515e10bb73a3217dd6164aded10731e126ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2316805 Commit-Queue: Nate Chapin <japhet@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Cr-Commit-Position: refs/heads/master@{#791315}
48275f11 · Nate Chapin · Commit Bot · 78a15290 · 48275f11 · 48275f11
Commit 48275f11 authored Jul 25, 2020 by Nate Chapin Committed by Commit Bot Jul 25, 2020
4 changed files
--- a/third_party/blink/renderer/core/BUILD.gn
+++ b/third_party/blink/renderer/core/BUILD.gn
@@ -1392,6 +1392,7 @@ jumbo_source_set("unit_tests") {
    "svg/animation/smil_time_container_test.cc",
    "svg/animation/svg_smil_element_test.cc",
    "svg/graphics/svg_image_test.cc",
+    "svg/svg_external_document_cache_test.cc",
    "svg/svg_foreign_object_element_test.cc",
    "svg/svg_path_parser_test.cc",
    "svg/svg_path_query_test.cc",

--- a/third_party/blink/renderer/core/svg/svg_external_document_cache.cc
+++ b/third_party/blink/renderer/core/svg/svg_external_document_cache.cc
@@ -66,7 +66,7 @@ void SVGExternalDocumentCache::Entry::NotifyFinished(Resource* resource) {
 Document* SVGExternalDocumentCache::Entry::GetDocument() {
  const TextResource* resource = To<TextResource>(GetResource());
-  if (!document_ && resource->HasData() &&
+  if (!document_ && resource->IsLoaded() && resource->HasData() &&
      MimeTypeAllowed(resource->GetResponse())) {
    document_ = XMLDocument::CreateSVG(
        DocumentInit::Create()

--- a/third_party/blink/renderer/core/svg/svg_external_document_cache.h
+++ b/third_party/blink/renderer/core/svg/svg_external_document_cache.h
@@ -24,6 +24,7 @@
 #define THIRD_PARTY_BLINK_RENDERER_CORE_SVG_SVG_EXTERNAL_DOCUMENT_CACHE_H_
 #include "services/network/public/mojom/content_security_policy.mojom-blink.h"
+#include "third_party/blink/renderer/core/core_export.h"
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_client.h"
@@ -33,7 +34,7 @@ namespace blink {
 class Document;
 class ExecutionContext;
-class SVGExternalDocumentCache
+class CORE_EXPORT SVGExternalDocumentCache
    : public GarbageCollected<SVGExternalDocumentCache>,
      public Supplement<Document> {
  USING_GARBAGE_COLLECTED_MIXIN(SVGExternalDocumentCache);
@@ -49,7 +50,8 @@ class SVGExternalDocumentCache
    virtual void NotifyFinished(Document*) = 0;
  };
-  class Entry final : public GarbageCollected<Entry>, public ResourceClient {
+  class CORE_EXPORT Entry final : public GarbageCollected<Entry>,
+                                  public ResourceClient {
    USING_GARBAGE_COLLECTED_MIXIN(Entry);
   public:

--- a/third_party/blink/renderer/core/svg/svg_external_document_cache_test.cc
+++ b/third_party/blink/renderer/core/svg/svg_external_document_cache_test.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "third_party/blink/renderer/core/svg/svg_external_document_cache.h"
+#include "third_party/blink/renderer/core/dom/document.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_request.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_test.h"
+#include "third_party/blink/renderer/platform/loader/fetch/fetch_initiator_type_names.h"
+namespace blink {
+class DummyCacheClient : public GarbageCollected<DummyCacheClient>,
+                         public SVGExternalDocumentCache::Client {
+  USING_GARBAGE_COLLECTED_MIXIN(DummyCacheClient);
+ public:
+  DummyCacheClient() = default;
+  void NotifyFinished(Document*) override {}
+};
+class SVGExternalDocumentCacheTest : public SimTest {};
+TEST_F(SVGExternalDocumentCacheTest, GetDocumentBeforeLoadComplete) {
+  SimRequest main_resource("https://example.com/test.html", "text/html");
+  LoadURL("https://example.com/test.html");
+  main_resource.Complete("<html><body></body></html>");
+  const char kSVGUrl[] = "https://example.com/svg.svg";
+  SimRequest::Params params;
+  params.response_http_headers = {{"Content-Type", "application/xml"}};
+  SimSubresourceRequest svg_resource(kSVGUrl, "application/xml", params);
+  DummyCacheClient* client = MakeGarbageCollected<DummyCacheClient>();
+  // Request a resource from the cache.
+  auto* entry =
+      SVGExternalDocumentCache::From(GetDocument())
+          ->Get(client, KURL(kSVGUrl), fetch_initiator_type_names::kCSS);
+  // Write part of the response. The document should not be initialized yet,
+  // because the response is not complete. The document would be invalid at this
+  // point.
+  svg_resource.Start();
+  svg_resource.Write("<sv");
+  EXPECT_EQ(nullptr, entry->GetDocument());
+  // Finish the response, the Document should now be accessible.
+  svg_resource.Complete("g></svg>");
+  EXPECT_NE(nullptr, entry->GetDocument());
+}
+}  // namespace blink