Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1068)

Unified Diff: Source/core/html/HTMLLinkElement.cpp

Issue 1011103002: Allow cross-origin cssRules access to CORS-fetched stylesheet. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: improve test coverage a bit Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« Source/core/html/HTMLLinkElement.h ('K') | « Source/core/html/HTMLLinkElement.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/html/HTMLLinkElement.cpp
diff --git a/Source/core/html/HTMLLinkElement.cpp b/Source/core/html/HTMLLinkElement.cpp
index f7a257c06cf0927a7f32d789df1d93445134b9c4..7311236b88f01e58bebda508708019ccc75f574a 100644
--- a/Source/core/html/HTMLLinkElement.cpp
+++ b/Source/core/html/HTMLLinkElement.cpp
@@ -489,6 +489,7 @@ LinkStyle::LinkStyle(HTMLLinkElement* owner)
, m_loading(false)
, m_firedLoad(false)
, m_loadedSheet(false)
+ , m_fetchFollowingCORS(false)
{
}
@@ -533,6 +534,7 @@ void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const
m_sheet = CSSStyleSheet::create(restoredSheet, m_owner);
m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
m_sheet->setTitle(m_owner->title());
+ setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
m_loading = false;
restoredSheet->checkLoaded();
@@ -547,6 +549,7 @@ void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const
m_sheet = CSSStyleSheet::create(styleSheet, m_owner);
m_sheet->setMediaQueries(MediaQuerySet::create(m_owner->media()));
m_sheet->setTitle(m_owner->title());
+ setCrossOriginStylesheetStatus(baseURL, m_sheet.get());
styleSheet->parseAuthorStyleSheet(cachedStyleSheet, m_owner->document().securityOrigin());
@@ -673,6 +676,17 @@ void LinkStyle::setDisabledState(bool disabled)
}
}
+void LinkStyle::setCrossOriginStylesheetStatus(const KURL& baseURL, CSSStyleSheet* sheet)
+{
+ if (m_fetchFollowingCORS && resource() && !resource()->errorOccurred()) {
+ // Record the security origin the CORS access check succeeded at, if cross origin.
+ // Only origins that are script accessible to it may access the stylesheet's rules.
+ if (!m_owner->document().securityOrigin()->canRequest(baseURL))
Mike West 2015/03/17 20:05:46 I'm not sure it's useful to check canRequest here,
sof 2015/03/17 21:52:15 Yes, it serves no purpose to do this check here (n
+ sheet->setAllowRuleAccessFromOrigin(m_owner->document().securityOrigin());
+ }
+ m_fetchFollowingCORS = false;
+}
+
void LinkStyle::process()
{
ASSERT(m_owner->shouldProcessStyle());
@@ -723,8 +737,10 @@ void LinkStyle::process()
// Load stylesheets that are not needed for the rendering immediately with low priority.
FetchRequest request = builder.build(blocking);
AtomicString crossOriginMode = m_owner->fastGetAttribute(HTMLNames::crossoriginAttr);
- if (!crossOriginMode.isNull())
+ if (!crossOriginMode.isNull()) {
request.setCrossOriginAccessControl(document().securityOrigin(), crossOriginMode);
+ setFetchFollowingCORS();
+ }
setResource(document().fetcher()->fetchCSSStyleSheet(request));
if (!resource()) {
« Source/core/html/HTMLLinkElement.h ('K') | « Source/core/html/HTMLLinkElement.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698