CSS mask images should be retrieved using potentially CORS-enabled fetch
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2018 20:56:09 +0000 (20:56 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Mar 2018 20:56:09 +0000 (20:56 +0000)
commit: abdece5842fb00ea79be69de697129c346578771
tree: 35c398a16637a45ea8278d6caff2c7cf16b0949e
parent: 6a78c27508d4429a3554839f44ae3a9ea72876fc
CSS mask images should be retrieved using potentially CORS-enabled fetch
https://bugs.webkit.org/show_bug.cgi?id=179983
<rdar://problem/35678149>

Reviewed by Brent Fulgham.

Source/WebCore:

As per <https://drafts.fxtf.org/css-masking-1/#priv-sec> (Editor’s Draft, 23 December 2017)
we should fetch CSS mask images using a potentially CORS-enabled fetch.

Both cross-origin CSS shape-outside images and CSS mask images may be sensitive to timing
attacks that can be used to reveal their pixel data when retrieved without regard to CORS.
For the same reason that we fetch CSS shape-outside images using a potentially CORS-enabled
fetch we should fetch CSS mask images the same way. This also makes the behavior of WebKit more
closely align with the behavior in the spec.

Test: http/tests/security/css-mask-image.html

* page/Settings.yaml: Add a setting to toggle "Anonymous" mode fetching of mask images (default: true).
We need this setting to avoid breaking the developer convenience feature that some modern media controls
layout tests employ to load assets from the filesystem as opposed to using the hardcoded data URLs baked
into the WebKit binary.
* style/StylePendingResources.cpp: Substitute LoadPolicy::NoCORS and LoadPolicy::Anonymous for
LoadPolicy::Normal and LoadPolicy::ShapeOutside, respectively, to match the terminology used
in the HTML, CSS Shapes Module Level 1, and CSS Masking Module Level 1 specs.
(WebCore::Style::loadPendingImage): Ditto.
(WebCore::Style::loadPendingResources): Use load policy LoadPolicy::Anonymous when fetching
a mask image or shape-outside image.

LayoutTests:

Add a test to ensure we do not fetch a cross-origin CSS mask image that does
not allow CORS access.

* http/tests/security/css-mask-image-expected.html: Added.
* http/tests/security/css-mask-image.html: Added.
* http/tests/security/resources/black-square.png: Added.
* http/tests/security/resources/fail-mask.png: Added.
* media/modern-media-controls/resources/media-controls-loader.js: Disable "Anonymous" mode
fetching of mask images to allow modern media controls to load mask assets from the filesystem.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230006 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/css-mask-image-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/css-mask-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/black-square.png [new file with mode: 0644]
LayoutTests/http/tests/security/resources/fail-mask.png [new file with mode: 0644]
LayoutTests/media/modern-media-controls/resources/media-controls-loader.js
Source/WebCore/ChangeLog
Source/WebCore/page/Settings.yaml
Source/WebCore/style/StylePendingResources.cpp
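The following is an added illustration, not WebKit's code: it models how the load policies named in this commit (LoadPolicy::NoCORS vs. LoadPolicy::Anonymous) change whether a cross-origin image response may be used, so that a mask image served without CORS headers is blocked under the new policy. The mode/credentials mapping follows the HTML spec's "potentially CORS-enabled fetch" and the CORS check follows the Fetch spec; the origins, hostnames and headers are constructed sample values.

```javascript
// Added example (not from the WebKit commit). Policy names mirror the commit's
// LoadPolicy enum; the decision logic is the HTML/Fetch spec behaviour in miniature.
const LoadPolicy = Object.freeze({
  NoCORS: 'no-cors',                 // old behaviour for mask images
  Anonymous: 'anonymous',            // new behaviour for mask and shape-outside images
  UseCredentials: 'use-credentials', // the third CORS settings state, for completeness
});

// HTML spec "potentially CORS-enabled fetch": CORS settings state -> fetch parameters.
function requestParameters(policy) {
  switch (policy) {
    case LoadPolicy.NoCORS: return { mode: 'no-cors', credentials: 'include' };
    case LoadPolicy.Anonymous: return { mode: 'cors', credentials: 'same-origin' };
    case LoadPolicy.UseCredentials: return { mode: 'cors', credentials: 'include' };
    default: throw new Error(`unknown load policy: ${policy}`);
  }
}

// Fetch spec "CORS check": does the response grant `origin` access to its body?
// `headers` is a plain object keyed by lower-cased header names.
function corsCheck(origin, credentialsSent, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === 'null') return false;
  if (allowOrigin === '*') return !credentialsSent; // wildcard never pairs with credentials
  if (allowOrigin !== origin) return false;
  if (!credentialsSent) return true;
  return headers['access-control-allow-credentials'] === 'true';
}

// Outcome of loading a style image under a given policy:
//   'same-origin' - no CORS involved
//   'opaque'      - no-cors request: response is used even though the page may not read it
//   'cors'        - cross-origin response explicitly granted access
//   'blocked'     - cross-origin response without a grant; image must not be applied
function resolveImageLoad(policy, documentOrigin, imageUrl, responseHeaders) {
  const imageOrigin = new URL(imageUrl).origin;
  if (imageOrigin === documentOrigin) return 'same-origin';
  const { mode, credentials } = requestParameters(policy);
  if (mode === 'no-cors') return 'opaque';
  // For a cross-origin 'cors' request, credentials go out only in 'include' mode.
  const credentialsSent = credentials === 'include';
  return corsCheck(documentOrigin, credentialsSent, responseHeaders) ? 'cors' : 'blocked';
}
```

Under LoadPolicy::NoCORS a mask image hosted elsewhere is fetched and applied as an opaque response, which is what lets rendering-time side channels depend on its pixels; under LoadPolicy::Anonymous the same response is blocked unless the server opts in with Access-Control-Allow-Origin.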