<image>'s src URL is resolved incorrectly when <base> element dynamically added

third_party/WebKit/Source/core/loader/ImageLoader.cpp

Index: third_party/WebKit/Source/core/loader/ImageLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/ImageLoader.cpp b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
index 4f38a210caddd5649018f6609105dd1e551ac782..3e96f8e0da37642efb6c54d4eb44c396b142678f 100644
--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
@@ -107,6 +107,8 @@ public:
             m_scriptState = ScriptState::forMainWorld(loader->element()->document().frame());
             ASSERT(m_scriptState);
         }
+        AtomicString imageSourceURL = loader->element()->imageSourceURL();
+        m_requestURL = loader->imageSourceToKURL(imageSourceURL);
     }
 
     void run()
@@ -117,9 +119,9 @@ public:
         InspectorInstrumentation::AsyncTask asyncTask(&context, this);
         if (m_scriptState->contextIsValid()) {
             ScriptState::Scope scope(m_scriptState.get());
-            m_loader->doUpdateFromElement(m_shouldBypassMainWorldCSP, m_updateBehavior, m_referrerPolicy);
+            m_loader->doUpdateFromElement(m_shouldBypassMainWorldCSP, m_updateBehavior, m_requestURL, m_referrerPolicy);
         } else {
-            m_loader->doUpdateFromElement(m_shouldBypassMainWorldCSP, m_updateBehavior, m_referrerPolicy);
+            m_loader->doUpdateFromElement(m_shouldBypassMainWorldCSP, m_updateBehavior, m_requestURL, m_referrerPolicy);
         }
     }
 
@@ -141,6 +143,7 @@ private:
     RefPtr<ScriptState> m_scriptState;
     WeakPtrFactory<Task> m_weakFactory;
     ReferrerPolicy m_referrerPolicy;
+    KURL m_requestURL;
 };
 
 ImageLoader::ImageLoader(Element* element)
@@ -251,7 +254,7 @@ inline void ImageLoader::enqueueImageLoadingMicroTask(UpdateFromElementBehavior
     m_loadDelayCounter = IncrementLoadEventDelayCount::create(m_element->document());
 }
 
-void ImageLoader::doUpdateFromElement(BypassMainWorldBehavior bypassBehavior, UpdateFromElementBehavior updateBehavior, ReferrerPolicy referrerPolicy)
+void ImageLoader::doUpdateFromElement(BypassMainWorldBehavior bypassBehavior, UpdateFromElementBehavior updateBehavior, const KURL& url, ReferrerPolicy referrerPolicy)
 {
     // FIXME: According to
     // http://www.whatwg.org/specs/web-apps/current-work/multipage/embedded-content.html#the-img-element:the-img-element-55
@@ -271,7 +274,6 @@ void ImageLoader::doUpdateFromElement(BypassMainWorldBehavior bypassBehavior, Up
         return;
 
     AtomicString imageSourceURL = m_element->imageSourceURL();

[Yoav Weiss, 2016/07/04 07:18:14]

Can you explain why moving the imageSourceToKURL call to the time the task is
created is helpful? What is the value of imageSourceURL here and how does it
differ from url?

If url is the correct one here, we should probably deduce imageSourceURL from
it, rather than grabbing the value from m_element

-    KURL url = imageSourceToKURL(imageSourceURL);
     ImageResource* newImage = nullptr;
     if (!url.isNull()) {
         // Unlike raw <img>, we block mixed content inside of <picture> or <img srcset>.
@@ -378,7 +380,7 @@ void ImageLoader::updateFromElement(UpdateFromElementBehavior updateBehavior, Re
 
     KURL url = imageSourceToKURL(imageSourceURL);
     if (shouldLoadImmediately(url)) {
-        doUpdateFromElement(DoNotBypassMainWorldCSP, updateBehavior, referrerPolicy);
+        doUpdateFromElement(DoNotBypassMainWorldCSP, updateBehavior, url, referrerPolicy);
         return;
     }
     // Allow the idiom "img.src=''; img.src='.." to clear down the image before