Enforce SVG image security rules

SVG images have unique security rules that prevent them from loading any external resources. This patch enforces these rules in ResourceFetcher::canRequest for all non-data-uri resources. This locks down our SVG resource handling and fixes two security bugs. In the case of SVG images that reference other images, we had a bug where a cached subresource would be used directly from the cache. This has been fixed because the canRequest check occurs before we use cached resources. In the case of SVG images that use CSS imports, we had a bug where imports were blindly requested. This has been fixed by stopping all non-data-uri requests in SVG images. With this patch we now match Gecko's behavior on both testcases. BUG=380885, 382296 Review URL: https://codereview.chromium.org/320763002 git-svn-id: svn://svn.chromium.org/blink/trunk@176084 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Enforce SVG image security rules
SVG images have unique security rules that prevent them from loading any external resources. This patch enforces these rules in ResourceFetcher::canRequest for all non-data-uri resources. This locks down our SVG resource handling and fixes two security bugs. In the case of SVG images that reference other images, we had a bug where a cached subresource would be used directly from the cache. This has been fixed because the canRequest check occurs before we use cached resources. In the case of SVG images that use CSS imports, we had a bug where imports were blindly requested. This has been fixed by stopping all non-data-uri requests in SVG images. With this patch we now match Gecko's behavior on both testcases. BUG=380885, 382296 Review URL: https://codereview.chromium.org/320763002 git-svn-id: svn://svn.chromium.org/blink/trunk@176084 bbb929c8-8fbe-4397-9dbb-9b2b20218538
ee281f7c · pdr@chromium.org · 41df074d · ee281f7c · ee281f7c · ee281f7c
Commit ee281f7c authored Jun 13, 2014 by pdr@chromium.org
9 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/resources/css-import.css
+++ b/third_party/WebKit/LayoutTests/http/tests/security/resources/css-import.css
+rect {
+    fill: red;
+}
\ No newline at end of file
--- a/third_party/WebKit/LayoutTests/http/tests/security/resources/image-with-css-import.svg
+++ b/third_party/WebKit/LayoutTests/http/tests/security/resources/image-with-css-import.svg
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+    <style>
+        @import url(http://localhost:8000/security/resources/css-import.css);
+    </style>
+    <rect width="100%" height="100%" fill="green"/>
+</svg>
--- a/third_party/WebKit/LayoutTests/http/tests/security/resources/image-wrapper-with-no-image.svg
+++ b/third_party/WebKit/LayoutTests/http/tests/security/resources/image-wrapper-with-no-image.svg
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+    <rect width="100%" height="100%" fill="#0f0"/>
+    <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+</svg>
--- a/third_party/WebKit/LayoutTests/http/tests/security/resources/image-wrapper.svg
+++ b/third_party/WebKit/LayoutTests/http/tests/security/resources/image-wrapper.svg
-<svg xmlns="http://www.w3.org/2000/svg"
-     xmlns:xlink="http://www.w3.org/1999/xlink"
-     width="100" height="100">
-    <image xlink:href="http://localhost:8000/security/resources/abe.png"
-           width="100" height="100"/>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+    <rect width="100%" height="100%" fill="#0f0"/>
+    <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+    <image xlink:href="http://localhost:8000/security/resources/abe.png" x="20%" y="20%" width="60%" height="60%"/>
 </svg>
--- a/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-cached-remote-image-expected.html
+<!DOCTYPE HTML>
+Test for crbug.com/380885: images should not be requested in an SVG image context.<br><br>
+Image loaded via object should show a green background with a cross-origin image of Abe Lincoln:<br>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
+    <rect width="100%" height="100%" fill="#0f0"/>
+    <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+    <image xlink:href="resources/abe.png" x="20%" y="20%" width="60%" height="60%"/>
+</svg>
+
+<br>
+Image loaded via img should show a green background without the remote image of Abe Lincoln:<br>
+<svg width="100" height="100">
+    <rect width="100%" height="100%" fill="#0f0"/>
+    <rect x="20%" y="20%" width="60%" height="60%" stroke-width="1" stroke="black" fill="transparent"/>
+</svg>
\ No newline at end of file
--- a/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-cached-remote-image.html
+<!DOCTYPE HTML>
+Test for crbug.com/380885: images should not be requested in an SVG image context.<br><br>
+Image loaded via object should show a green background with a cross-origin image of Abe Lincoln:<br>
+<object id="precache" data="resources/image-wrapper.svg" width="100" height="100"></object>
+<br>
+Image loaded via img should show a green background without the remote image of Abe Lincoln:<br>
+<img id="image" src="" width="100" height="100">
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+document.getElementById('precache').onload = function() {
+    // FIXME: crbug.com/382170 SVG onload event bug.
+    setTimeout(function() {
+        var image = document.getElementById('image');
+        image.onload = function() {
+            // FIXME: crbug.com/382170 SVG onload event bug.
+            setTimeout(function() {
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }, 20);
+        }
+        image.src = "resources/image-wrapper.svg";
+    }, 20);
+}
+
+</script>
--- a/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-css-import-expected.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-css-import-expected.html
+<!DOCTYPE HTML>
+Test for crbug.com/382296: CSS imports should not load in an SVG image context.<br><br>
+This test passes if there is a green square below:<br>
+<svg width="100" height="100">
+    <rect width="100" height="100" fill="green"/>
+</svg>
\ No newline at end of file
--- a/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-css-import.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/svg-image-with-css-import.html
+<!DOCTYPE HTML>
+Test for crbug.com/382296: CSS imports should not load in an SVG image context.<br><br>
+This test passes if there is a green square below:<br>
+<img id="image" src="resources/image-with-css-import.svg" width="100" height="100">
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+document.getElementById('image').onload = function() {
+    // FIXME: crbug.com/382170 SVG onload event bug.
+    setTimeout(function() {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 30);
+}
+</script>
--- a/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
+++ b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
@@ -59,6 +59,7 @@
 #include "core/timing/Performance.h"
 #include "core/timing/ResourceTimingInfo.h"
 #include "core/frame/Settings.h"
+#include "core/svg/graphics/SVGImageChromeClient.h"
 #include "platform/Logging.h"
 #include "platform/TraceEvent.h"
 #include "platform/weborigin/SecurityOrigin.h"
@@ -580,6 +581,13 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
        break;
    }

+    // SVG Images have unique security rules that prevent all subresource requests
+    // except for data urls.
+    if (type != Resource::MainResource) {
+        if (frame() && frame()->chromeClient().isSVGImageChromeClient() && !url.protocolIsData())
+            return false;
+    }
+
    // Last of all, check for insecure content. We do this last so that when
    // folks block insecure content with a CSP policy, they don't get a warning.
    // They'll still get a warning in the console about CSP blocking the load.