Allow cross-origin cssRules access to CORS-fetched stylesheet.

Source/core/html/HTMLLinkElement.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Rob Buis (rwlbuis@gmail.com)
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ skipping 471 matching lines @@
     return adoptPtrWillBeNoop(new LinkStyle(owner));
 }
 
 LinkStyle::LinkStyle(HTMLLinkElement* owner)
     : LinkResource(owner)
     , m_disabledState(Unset)
     , m_pendingSheetType(None)
     , m_loading(false)
     , m_firedLoad(false)
     , m_loadedSheet(false)
+    , m_fetchFollowingCORS(false)
 {
 }
 
 LinkStyle::~LinkStyle()
 {
 #if !ENABLE(OILPAN)
     if (m_sheet)
         m_sheet->clearOwnerNode();
 #endif
 }
@@ skipping 24 matching lines @@
 
     if (RefPtrWillBeRawPtr<StyleSheetContents> restoredSheet = const_cast<CSSStyleSheetResource*>(cachedStyleSheet)->restoreParsedStyleSheet(parserContext)) {
         ASSERT(restoredSheet->isCacheable());
         ASSERT(!restoredSheet->isLoading());
 
         if (m_sheet)
             clearSheet();
         m_sheet = CSSStyleSheet::create(restoredSheet, m_owner);
         m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
         m_sheet->setTitle(m_owner->title());
+        setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
 
         m_loading = false;
         restoredSheet->checkLoaded();
         return;
     }
 
     RefPtrWillBeRawPtr<StyleSheetContents> styleSheet = StyleSheetContents::create(href, parserContext);
 
     if (m_sheet)
         clearSheet();
 
     m_sheet = CSSStyleSheet::create(styleSheet, m_owner);
     m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
     m_sheet->setTitle(m_owner->title());
+    setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
 
     styleSheet->parseAuthorStyleSheet(cachedStyleSheet, m_owner->document().securityOrigin());
 
     m_loading = false;
     styleSheet->notifyLoadedSheet(cachedStyleSheet);
     styleSheet->checkLoaded();
 
     if (styleSheet->isCacheable())
         const_cast<CSSStyleSheetResource*>(cachedStyleSheet)->saveParsedStyleSheet(styleSheet);
 }
@@ skipping 106 matching lines @@
         if (!m_sheet && m_disabledState == EnabledViaScript) {
             if (m_owner->shouldProcessStyle())
                 process();
         } else {
             // FIXME: We don't have enough knowledge here to know if we should call addedStyleSheet() or removedStyleSheet().
             m_owner->document().styleResolverChanged();
         }
     }
 }
 
+void LinkStyle::setCrossOriginStylesheetStatus(const KURL& baseURL, CSSStyleSheet* sheet)
+{
+    if (m_fetchFollowingCORS && resource() && !resource()->errorOccurred()) {
+        // Record the security origin the CORS access check succeeded at, if cross origin.
+        // Only origins that are script accessible to it may access the stylesheet's rules.
+        if (!m_owner->document().securityOrigin()->canRequest(baseURL))

[Mike West, 2015/03/17 20:05:46]

I'm not sure it's useful to check canRequest here, as opposed to setting the
origin regardless. If we got here, we passed CORS, right? Since
`CSSStyleSheet::canAccessRules` checks canRequest anyway, it seems like we're
just doing extra work here. Adding a ref to the SecurityOrigin unconditionally
seems cheaper than doing the canRequest() check.

[sof, 2015/03/17 21:52:15]

Yes, it serves no purpose to do this check here (now), but the CORS-laced fetch
may end up being to a same-origin resource, so no guarantee that we have passed
any CORS access check on the response at this point. But the check is redundant
given how it is used on the other side. Dropped.

+            sheet->setAllowRuleAccessFromOrigin(m_owner->document().securityOrigin());
+    }
+    m_fetchFollowingCORS = false;
+}
+
 void LinkStyle::process()
 {
     ASSERT(m_owner->shouldProcessStyle());
     String type = m_owner->typeValue().lower();
     LinkRequestBuilder builder(m_owner);
 
     if (m_owner->relAttribute().iconType() != InvalidIcon && builder.url().isValid() && !builder.url().isEmpty()) {
         if (!m_owner->shouldLoadLink())
             return;
         if (!document().securityOrigin()->canDisplay(builder.url()))
@@ skipping 30 matching lines @@
         }
 
         // Don't hold up render tree construction and script execution on stylesheets
         // that are not needed for the rendering at the moment.
         bool blocking = mediaQueryMatches && !m_owner->isAlternate();
         addPendingSheet(blocking ? Blocking : NonBlocking);
 
         // Load stylesheets that are not needed for the rendering immediately with low priority.
         FetchRequest request = builder.build(blocking);
         AtomicString crossOriginMode = m_owner->fastGetAttribute(HTMLNames::crossoriginAttr);
-        if (!crossOriginMode.isNull())
+        if (!crossOriginMode.isNull()) {
             request.setCrossOriginAccessControl(document().securityOrigin(), crossOriginMode);
+            setFetchFollowingCORS();
+        }
         setResource(document().fetcher()->fetchCSSStyleSheet(request));
 
         if (!resource()) {
             // The request may have been denied if (for example) the stylesheet is local and the document is remote.
             m_loading = false;
             removePendingSheet();
         }
     } else if (m_sheet) {
         // we no longer contain a stylesheet, e.g. perhaps rel or type was changed
         RefPtrWillBeRawPtr<StyleSheet> removedSheet = m_sheet.get();
@@ skipping 17 matching lines @@
         removePendingSheet();
 }
 
 DEFINE_TRACE(LinkStyle)
 {
     visitor->trace(m_sheet);
     LinkResource::trace(visitor);
 }
 
 } // namespace blink