Chromium Code Reviews

Issue 1706243002: Don't use SVG resource documents with an unrecognized MIME-type (Closed)

Created: 4 years, 10 months ago by fs
Modified: 4 years, 10 months ago
CC: blink-reviews, blink-reviews-dom_chromium.org, blink-reviews-style_chromium.org, chromium-reviews, dglazkov+blink, krit, eae+blinkwatch, f(malita), gavinp+loader_chromium.org, gyuyoung2, Nate Chapin, kouhei+svg_chromium.org, loading-reviews+fetch_chromium.org, pdr+svgwatchlist_chromium.org, rwlbuis, Stephen Chennney, sof, tyoshino+watch_chromium.org
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.

Description

Don't use SVG resource documents with an unrecognized MIME-type

Before parsing/creating the actual document of a DocumentResource, make sure that the resource in question was actually served as a reasonable MIME-type - one of:

image/svg+xml, text/xml, application/xml or application/xhtml+xml

Use the original Content-Type from the HTTP header when possible and treat empty as invalid (matches Gecko).

This could help mitigate some issues with content sanitation. It seems to match what Gecko is doing so is hopefully not too web-incompatible.

Move the commonly recurring *Resource::mimeType() helper from subclasses to the baseclass (Resource) and rename it httpContentType() since that should be a better match for what it is.

BUG=527514

Committed: https://crrev.com/57642dc1f2d31bcade1c741f0e7a119ca9754537
Cr-Commit-Position: refs/heads/master@{#377560}
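The Content-Type gate outlined in the description above, as an added example that is not part of this change or of Chromium's code. The function names are hypothetical, and the header parsing is a simplified stand-in for Blink's extractMIMETypeFromMediaType.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper: reduce a Content-Type value to its lower-cased
// type/subtype, dropping parameters such as "; charset=utf-8".
std::string mimeTypeFromContentType(const std::string& header) {
    std::string essence = header.substr(0, header.find(';'));
    auto notSpace = [](unsigned char c) { return !std::isspace(c); };
    // Trim leading, then trailing, whitespace.
    essence.erase(essence.begin(),
                  std::find_if(essence.begin(), essence.end(), notSpace));
    essence.erase(std::find_if(essence.rbegin(), essence.rend(), notSpace).base(),
                  essence.end());
    std::transform(essence.begin(), essence.end(), essence.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return essence;
}

// Allowlist taken from the change description. A missing or empty
// Content-Type reduces to "", which is not listed and is therefore rejected
// before any document would be parsed.
bool isAllowedSvgResourceType(const std::string& contentTypeHeader) {
    static const char* const kAllowed[] = {
        "image/svg+xml", "text/xml", "application/xml", "application/xhtml+xml"};
    const std::string mime = mimeTypeFromContentType(contentTypeHeader);
    for (const char* allowed : kAllowed) {
        if (mime == allowed)  // exact match only, no prefix or sniffing
            return true;
    }
    return false;
}

int main() {
    // Constructed sample header values, not taken from the layout tests.
    const char* const samples[] = {"image/svg+xml", "Text/XML; charset=utf-8",
                                   "", "text/plain", "text/html"};
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> "
                  << (isAllowedSvgResourceType(s) ? "use" : "block") << '\n';
    return 0;
}
```
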

Patch Set 1 #

Total comments: 4

Patch Set 2 : Use testharness; add unit test for extractMIMETypeFromMediaType #

Stats: +115 lines, -32 lines
A third_party/WebKit/LayoutTests/http/tests/svg/resources/echo-query.php: 1 chunk, +4 lines, -0 lines, 0 comments
A third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html: 1 chunk, +14 lines, -0 lines, 0 comments
A third_party/WebKit/LayoutTests/http/tests/svg/use-no-contenttype-blocked.html: 1 chunk, +14 lines, -0 lines, 0 comments
M third_party/WebKit/Source/core/dom/ScriptLoader.cpp: 1 chunk, +4 lines, -4 lines, 0 comments
M third_party/WebKit/Source/core/fetch/CSSStyleSheetResource.h: 1 chunk, +0 lines, -2 lines, 0 comments
M third_party/WebKit/Source/core/fetch/CSSStyleSheetResource.cpp: 3 chunks, +2 lines, -7 lines, 0 comments
M third_party/WebKit/Source/core/fetch/DocumentResource.h: 1 chunk, +1 line, -0 lines, 0 comments
M third_party/WebKit/Source/core/fetch/DocumentResource.cpp: 2 chunks, +13 lines, -1 line, 0 comments
M third_party/WebKit/Source/core/fetch/Resource.h: 1 chunk, +2 lines, -0 lines, 0 comments
M third_party/WebKit/Source/core/fetch/Resource.cpp: 2 chunks, +6 lines, -0 lines, 0 comments
M third_party/WebKit/Source/core/fetch/ScriptResource.h: 1 chunk, +0 lines, -2 lines, 0 comments
M third_party/WebKit/Source/core/fetch/ScriptResource.cpp: 3 chunks, +1 line, -7 lines, 0 comments
M third_party/WebKit/Source/core/svg/SVGUseElement.h: 1 chunk, +1 line, -0 lines, 0 comments
M third_party/WebKit/Source/core/svg/SVGUseElement.cpp: 3 chunks, +15 lines, -9 lines, 0 comments
M third_party/WebKit/Source/platform/network/HTTPParsers.h: 1 chunk, +6 lines, -0 lines, 0 comments
M third_party/WebKit/Source/platform/network/HTTPParsersTest.cpp: 1 chunk, +32 lines, -0 lines, 0 comments

Messages

Total messages: 19 (6 generated)
fs
4 years, 10 months ago (2016-02-18 17:04:11 UTC) #2
Stephen Chennney
lgtm for the portions I own.
4 years, 10 months ago (2016-02-18 17:18:22 UTC) #3
fs
japhet, could you take a look?
4 years, 10 months ago (2016-02-19 16:41:17 UTC) #5
fs
On 2016/02/19 at 16:41:17, fs wrote:
> japhet, could you take a look?

japhet, ping
4 years, 10 months ago (2016-02-22 15:10:02 UTC) #6
fs
Mike, could you PTAL?
4 years, 10 months ago (2016-02-23 11:47:15 UTC) #8
fs
japhet/mkwst, ping-TAL
4 years, 10 months ago (2016-02-24 12:11:11 UTC) #9
Mike West
https://codereview.chromium.org/1706243002/diff/1/third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html
File third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html (right):

https://codereview.chromium.org/1706243002/diff/1/third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html#newcode13
third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html:13: onload="finishTest()" onerror="finishTest()"
Does `onerror` fire? It seems like you ...
4 years, 10 months ago (2016-02-24 13:23:44 UTC) #10
fs
https://codereview.chromium.org/1706243002/diff/1/third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html
File third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html (right):

https://codereview.chromium.org/1706243002/diff/1/third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html#newcode13
third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html:13: onload="finishTest()" onerror="finishTest()"
On 2016/02/24 at 13:23:43, Mike West wrote: ...
4 years, 10 months ago (2016-02-24 17:05:00 UTC) #11
Mike West
LGTM, thank you.

On 2016/02/24 at 17:05:00, fs wrote:
> https://codereview.chromium.org/1706243002/diff/1/third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html
> File third_party/WebKit/LayoutTests/http/tests/svg/use-contenttype-blocked.html (right):
...
4 years, 10 months ago (2016-02-25 12:04:14 UTC) #12
fs
On 2016/02/25 at 12:04:14, mkwst wrote: ... > On 2016/02/24 at 17:05:00, fs wrote: > ...
4 years, 10 months ago (2016-02-25 12:27:23 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1706243002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1706243002/20001
4 years, 10 months ago (2016-02-25 12:39:23 UTC) #16
commit-bot: I haz the power
Committed patchset #2 (id:20001)
4 years, 10 months ago (2016-02-25 12:47:05 UTC) #17
commit-bot: I haz the power
4 years, 10 months ago (2016-02-25 12:48:27 UTC) #19
Message was sent while issue was closed.
Patchset 2 (id:??) landed as
https://crrev.com/57642dc1f2d31bcade1c741f0e7a119ca9754537
Cr-Commit-Position: refs/heads/master@{#377560}
