Allow cross-origin cssRules access to CORS-fetched stylesheet.

Source/core/html/HTMLLinkElement.cpp

Index: Source/core/html/HTMLLinkElement.cpp
diff --git a/Source/core/html/HTMLLinkElement.cpp b/Source/core/html/HTMLLinkElement.cpp
index f7a257c06cf0927a7f32d789df1d93445134b9c4..7311236b88f01e58bebda508708019ccc75f574a 100644
--- a/Source/core/html/HTMLLinkElement.cpp
+++ b/Source/core/html/HTMLLinkElement.cpp
@@ -489,6 +489,7 @@ LinkStyle::LinkStyle(HTMLLinkElement* owner)
     , m_loading(false)
     , m_firedLoad(false)
     , m_loadedSheet(false)
+    , m_fetchFollowingCORS(false)
 {
 }
 
@@ -533,6 +534,7 @@ void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const
         m_sheet = CSSStyleSheet::create(restoredSheet, m_owner);
         m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
         m_sheet->setTitle(m_owner->title());
+        setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
 
         m_loading = false;
         restoredSheet->checkLoaded();
@@ -547,6 +549,7 @@ void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const
     m_sheet = CSSStyleSheet::create(styleSheet, m_owner);
     m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
     m_sheet->setTitle(m_owner->title());
+    setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
 
     styleSheet->parseAuthorStyleSheet(cachedStyleSheet, m_owner->document().securityOrigin());
 
@@ -673,6 +676,17 @@ void LinkStyle::setDisabledState(bool disabled)
     }
 }
 
+void LinkStyle::setCrossOriginStylesheetStatus(const KURL& baseURL, CSSStyleSheet* sheet)
+{
+    if (m_fetchFollowingCORS && resource() && !resource()->errorOccurred()) {
+        // Record the security origin the CORS access check succeeded at, if cross origin.
+        // Only origins that are script accessible to it may access the stylesheet's rules.
+        if (!m_owner->document().securityOrigin()->canRequest(baseURL))

[Mike West, 2015/03/17 20:05:46]

I'm not sure it's useful to check canRequest here, as opposed to setting the
origin regardless. If we got here, we passed CORS, right? Since
`CSSStyleSheet::canAccessRules` checks canRequest anyway, it seems like we're
just doing extra work here. Adding a ref to the SecurityOrigin unconditionally
seems cheaper than doing the canRequest() check.

[sof, 2015/03/17 21:52:15]

Yes, it serves no purpose to do this check here (now), but the CORS-laced fetch
may end up being to a same-origin resource, so no guarantee that we have passed
any CORS access check on the response at this point. But the check is redundant
given how it is used on the other side. Dropped.

+            sheet->setAllowRuleAccessFromOrigin(m_owner->document().securityOrigin());
+    }
+    m_fetchFollowingCORS = false;
+}
+
 void LinkStyle::process()
 {
     ASSERT(m_owner->shouldProcessStyle());
@@ -723,8 +737,10 @@ void LinkStyle::process()
         // Load stylesheets that are not needed for the rendering immediately with low priority.
         FetchRequest request = builder.build(blocking);
         AtomicString crossOriginMode = m_owner->fastGetAttribute(HTMLNames::crossoriginAttr);
-        if (!crossOriginMode.isNull())
+        if (!crossOriginMode.isNull()) {
             request.setCrossOriginAccessControl(document().securityOrigin(), crossOriginMode);
+            setFetchFollowingCORS();
+        }
         setResource(document().fetcher()->fetchCSSStyleSheet(request));
 
         if (!resource()) {