CSS mask images should be retrieved using potentially CORS-enabled fetch
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Mar 2018 22:02:58 +0000 (22:02 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Mar 2018 22:02:58 +0000 (22:02 +0000)
commit 7ce55fdb1692cc53dbb835031897ded7c9fa11a2
tree eba5b15e295efcc74a003566bf9f57361726f91e
parent 6b0e477244e31b3cbd66856964136f26f4750998
CSS mask images should be retrieved using potentially CORS-enabled fetch
https://bugs.webkit.org/show_bug.cgi?id=179983
<rdar://problem/35678149>

Reviewed by Brent Fulgham.

Source/WebCore:

As per <https://drafts.fxtf.org/css-masking-1/#priv-sec> (Editor's Draft, 23 December 2017)
we should fetch CSS mask images using a potentially CORS-enabled fetch.

Both cross-origin CSS shape-outside images and CSS mask images may be sensitive to timing
attacks that can be used to reveal their pixel data when retrieved without regard to CORS.
For the same reason that we fetch CSS shape-outside images using a potentially CORS-enabled
fetch, we should fetch CSS mask images the same way. This also makes the behavior of WebKit more
closely align with the behavior in the spec.

Test: http/tests/security/css-mask-image.html

* style/StylePendingResources.cpp: Substitute LoadPolicy::NoCORS and LoadPolicy::Anonymous for
LoadPolicy::Normal and LoadPolicy::ShapeOutside, respectively, to match the terminology used
in the HTML, CSS Shapes Module Level 1, and CSS Masking Module Level 1 specs.
(WebCore::Style::loadPendingImage): Ditto.
(WebCore::Style::loadPendingResources): Use load policy LoadPolicy::Anonymous when fetching
a mask image or shape-outside image.

LayoutTests:

Add a test to ensure we do not fetch a cross-origin CSS mask image that does
not allow CORS access.

* http/tests/security/css-mask-image-expected.html: Added.
* http/tests/security/css-mask-image.html: Added.
* http/tests/security/resources/black-square.png: Added.
* http/tests/security/resources/fail-mask.png: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/css-mask-image-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/css-mask-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/black-square.png [new file with mode: 0644]
LayoutTests/http/tests/security/resources/fail-mask.png [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/style/StylePendingResources.cpp
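
The decision an anonymous-mode, potentially CORS-enabled fetch makes for a mask image, as an added example (not code from this commit or from WebKit). The function names and origins are constructed, and the logic follows the Fetch Standard's CORS check for a request sent without credentials.

```javascript
// Added illustration: models the CORS check applied to a cross-origin
// mask-image (or shape-outside) response fetched in anonymous mode.
// All names and sample origins below are constructed for this example.

// Case-insensitive header lookup on a plain object; null when absent.
function headerValue(headers, name) {
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === name) return String(value).trim();
  }
  return null;
}

// Returns true when a document at documentURL may use the pixel data of
// imageURL, given the image response's headers.
function maskImageUsable(documentURL, imageURL, responseHeaders) {
  const docOrigin = new URL(documentURL).origin;
  // Same-origin responses need no CORS opt-in.
  if (new URL(imageURL).origin === docOrigin) return true;

  const acao = headerValue(responseHeaders, 'access-control-allow-origin');
  if (acao === null) return false; // server did not opt in: image is not used
  if (acao === '*') return true;   // wildcard is valid without credentials
  // Otherwise the value must equal the serialized origin exactly;
  // a comma-separated list or a trailing slash does not match.
  return acao === docOrigin;
}

// Constructed sample responses for a document at https://site.example/.
const SAMPLES = [
  ['https://site.example/mask.png', {}],
  ['https://cdn.example/mask.png', {}],
  ['https://cdn.example/mask.png', { 'Access-Control-Allow-Origin': '*' }],
  ['https://cdn.example/mask.png',
    { 'access-control-allow-origin': 'https://site.example' }],
  ['https://cdn.example/mask.png',
    { 'Access-Control-Allow-Origin': 'https://site.example, https://b.example' }],
];

function evaluateSamples() {
  return SAMPLES.map(([url, headers]) =>
    maskImageUsable('https://site.example/page.html', url, headers));
}

console.log(evaluateSamples());
```

A server that hosts mask images for other origins has to send `Access-Control-Allow-Origin` on the image response; without it the image fails this check and is not applied.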