WebFonts: Send credentials for same origin requests

This fixes a regression from Blink r199364 where credentials are not
sent for same-origin webfont requests. This patch does essentially the
same thing as HTMLImportsController::load(): it sets the
AllowStoredCredentials flag only when the request is same-origin.

BUG=516192
TEST=http/tests/webfont/same-origin-credentials.html

Review URL: https://codereview.chromium.org/1267023004

git-svn-id: svn://svn.chromium.org/blink/trunk@200980 bbb929c8-8fbe-4397-9dbb-9b2b20218538
parent 600d67b7
...@@ -164,7 +164,7 @@ async_test(function(t) { ...@@ -164,7 +164,7 @@ async_test(function(t) {
css_test(f, REMOTE_URL, 'anonymous', 'cors', 'omit'); css_test(f, REMOTE_URL, 'anonymous', 'cors', 'omit');
css_test(f, REMOTE_URL, 'use-credentials', 'cors', 'include'); css_test(f, REMOTE_URL, 'use-credentials', 'cors', 'include');
font_face_test(f, LOCAL_URL, 'cors', 'omit'); font_face_test(f, LOCAL_URL, 'cors', 'include');
font_face_test(f, REMOTE_URL, 'cors', 'omit'); font_face_test(f, REMOTE_URL, 'cors', 'omit');
css_image_test(f, LOCAL_URL, 'backgroundImage', css_image_test(f, LOCAL_URL, 'backgroundImage',
<?php
if (!isset($_COOKIE["key"])) {
echo "FAIL: Cookie is not set";
exit;
}
if ($_GET["key"] == $_COOKIE["key"]) {
$fp = fopen("../../../../resources/Ahem.ttf", "rb");
header("Content-type: application/octet-stream");
header("HTTP/1.0 200 OK");
fpassthru($fp);
} else {
echo "FAIL: Cookie: {$_COOKIE['key']}, Query: {$_GET['key']}";
exit;
}
?>
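Review bot: The fopen() result in `$fp = fopen("../../../../resources/Ahem.ttf", "rb");` is never checked, so a missing or unreadable font file makes fpassthru() warn on `false` after the script has already committed to a 200 response, which shows up in the layout test as a confusing font-load failure instead of a clear fixture error. The cookie/query comparison also uses PHP's loose `==`, under which two numeric-looking strings compare by value; this fixture only ever sees the literal `WebFontCredentials`, but `===` documents the intent at no cost. Suggested: `if ($_GET["key"] === $_COOKIE["key"]) {`, then `if ($fp === false) { header("HTTP/1.0 500 Internal Server Error"); exit; }` before the Content-type header, and `fclose($fp);` after fpassthru().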
Tests that credentials are sent for same origin webfont requests
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE html>
<script src="/js-test-resources/js-test.js"></script>
<script>
description('Tests that credentials are sent for same origin webfont requests');
window.jsTestIsAsync = true;
document.cookie = 'key=WebFontCredentials';
var font = new FontFace('test', 'url(resources/cookie-match.php?key=WebFontCredentials)');
font.load().then(function() {
debug('PASS');
finishJSTest();
}).catch(function() {
debug('FAIL');
finishJSTest();
});
</script>
...@@ -73,13 +73,20 @@ bool CSSFontFaceSrcValue::hasFailedOrCanceledSubresources() const ...@@ -73,13 +73,20 @@ bool CSSFontFaceSrcValue::hasFailedOrCanceledSubresources() const
return m_fetched && m_fetched->loadFailedOrCanceled(); return m_fetched && m_fetched->loadFailedOrCanceled();
} }
static bool shouldSetCrossOriginAccessControl(const KURL& resource) static void setCrossOriginAccessControl(FetchRequest& request, SecurityOrigin* securityOrigin)
{ {
// Local fonts are accessible from file: URLs even when // Local fonts are accessible from file: URLs even when
// allowFileAccessFromFileURLs is false. // allowFileAccessFromFileURLs is false.
if (resource.isLocalFile()) if (request.url().isLocalFile())
return false; return;
return true;
StoredCredentials allowCredentials = DoNotAllowStoredCredentials;
bool sameOriginRequest = securityOrigin->canRequestNoSuborigin(request.url());
// Include credentials for same origin requests (and assume that
// redirects out of origin will be handled per Fetch spec.)
if (sameOriginRequest)
allowCredentials = AllowStoredCredentials;
request.setCrossOriginAccessControl(securityOrigin, allowCredentials, ClientDidNotRequestCredentials);
} }
FontResource* CSSFontFaceSrcValue::fetch(Document* document) FontResource* CSSFontFaceSrcValue::fetch(Document* document)
...@@ -88,8 +95,7 @@ FontResource* CSSFontFaceSrcValue::fetch(Document* document) ...@@ -88,8 +95,7 @@ FontResource* CSSFontFaceSrcValue::fetch(Document* document)
FetchRequest request(ResourceRequest(document->completeURL(m_resource)), FetchInitiatorTypeNames::css); FetchRequest request(ResourceRequest(document->completeURL(m_resource)), FetchInitiatorTypeNames::css);
request.setContentSecurityCheck(m_shouldCheckContentSecurityPolicy); request.setContentSecurityCheck(m_shouldCheckContentSecurityPolicy);
SecurityOrigin* securityOrigin = document->securityOrigin(); SecurityOrigin* securityOrigin = document->securityOrigin();
if (shouldSetCrossOriginAccessControl(request.url())) setCrossOriginAccessControl(request, securityOrigin);
request.setCrossOriginAccessControl(securityOrigin, DoNotAllowStoredCredentials);
request.mutableResourceRequest().setHTTPReferrer(SecurityPolicy::generateReferrer(m_referrer.referrerPolicy, request.url(), m_referrer.referrer)); request.mutableResourceRequest().setHTTPReferrer(SecurityPolicy::generateReferrer(m_referrer.referrerPolicy, request.url(), m_referrer.referrer));
m_fetched = FontResource::fetch(request, document->fetcher()); m_fetched = FontResource::fetch(request, document->fetcher());
} else { } else {
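Review bot: The new helper pairs `AllowStoredCredentials` with `ClientDidNotRequestCredentials` in its final `request.setCrossOriginAccessControl(...)` call, and nothing in the hunk explains why a same-origin request is flagged as not having requested credentials, which a reader would expect to agree with the first argument. Since the description says this mirrors HTMLImportsController::load(), a one-line comment above that call, `// Mirrors HTMLImportsController::load(): stored credentials are allowed only for same-origin requests.`, would keep the next maintainer from "fixing" the pairing. The comment above the `if (sameOriginRequest)` also assumes that redirects out of the origin are handled per the Fetch spec, but the only test listed is the direct same-origin case; a layout test in which the same-origin font URL redirects to another origin would pin that assumption down rather than leave it to a comment. Minor style: the local plus `if` could be a single conditional initialisation, `StoredCredentials allowCredentials = sameOriginRequest ? AllowStoredCredentials : DoNotAllowStoredCredentials;`.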