[Chromium] Network requests without a networking context can be started
author    abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 26 Sep 2012 02:25:50 +0000 (02:25 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 26 Sep 2012 02:25:50 +0000 (02:25 +0000)
https://bugs.webkit.org/show_bug.cgi?id=97498

Reviewed by Eric Seidel.

Source/WebCore:

We shouldn't try to start network requests without a networking
context. Other ports have a similar null check.

* platform/network/chromium/ResourceHandle.cpp:
(WebCore::ResourceHandle::start):

LayoutTests:

* http/tests/security/svg-img-leak.html: Added.
* http/tests/security/svg-img-leak-expected.txt: Added.
* http/tests/security/resources/set-cookie.php: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@129585 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/set-cookie.php [new file with mode: 0644]
LayoutTests/http/tests/security/svg-image-leak-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/svg-image-leak.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/network/chromium/ResourceHandle.cpp

index 8ff78b4..671b2ec 100644 (file)
@@ -1,3 +1,14 @@
+2012-09-25  Adam Barth  <abarth@webkit.org>
+
+        [Chromium] Network requests without a networking context can be started
+        https://bugs.webkit.org/show_bug.cgi?id=97498
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/svg-img-leak.html: Added.
+        * http/tests/security/svg-img-leak-expected.txt: Added.
+        * http/tests/security/resources/set-cookie.php: Added.
+
 2012-09-25  Alpha Lam  <hclam@chromium.org>
 
         Unreviewed test expectations update. Round two.
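Review bot: The file names in this ChangeLog entry do not match the files the patch actually adds: the entry lists `http/tests/security/svg-img-leak.html` and `svg-img-leak-expected.txt`, while the diff creates `LayoutTests/http/tests/security/svg-image-leak.html` and `svg-image-leak-expected.txt`. Please correct the two entries to `svg-image-leak.html` and `svg-image-leak-expected.txt` so the ChangeLog can be used to locate the test (the same mismatch is repeated in the commit message above).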
diff --git a/LayoutTests/http/tests/security/resources/set-cookie.php b/LayoutTests/http/tests/security/resources/set-cookie.php
new file mode 100644 (file)
index 0000000..2ff0898
--- /dev/null
@@ -0,0 +1,4 @@
+<?php
+setcookie($_GET["name"], $_GET["value"], 0, "/");
+?>
+Set <?= $_GET["name"] ?>=<?= $_GET["value"] ?>
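Review bot: The last line reflects `$_GET["name"]` and `$_GET["value"]` into the HTML body unescaped, and nothing checks that either parameter is present, so a request without them produces PHP notices instead of a clean response. Only the Set-Cookie side effect matters to the test, so either drop the body line or wrap both values in `htmlspecialchars()` and guard with `isset()`; this is a resource served by the local test server, so the reflected-XSS exposure is minor, but test resources get copied into other tests and should not model unescaped output.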
diff --git a/LayoutTests/http/tests/security/svg-image-leak-expected.txt b/LayoutTests/http/tests/security/svg-image-leak-expected.txt
new file mode 100644 (file)
index 0000000..f244c7c
--- /dev/null
@@ -0,0 +1,4 @@
+ALERT: PASS
+First we load an image as a control to make sure we can set cookies:
+ Then we load an SVGImage to see if we can issue network requests from inside the image:
+
diff --git a/LayoutTests/http/tests/security/svg-image-leak.html b/LayoutTests/http/tests/security/svg-image-leak.html
new file mode 100644 (file)
index 0000000..851318a
--- /dev/null
@@ -0,0 +1,51 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("load", function() {
+    var cookie = document.cookie;
+
+    if (/font/.test(cookie) || /import/.test(cookie))
+        alert("FAIL! Cookies received: " + cookie);
+    else if (/img/.test(cookie))
+        alert("PASS");
+    else
+        alert("FAIL: Did not receive any cookies.")
+
+    document.cookie = "img=; Max-Age=-1; Path=/";
+    document.cookie = "font=; Max-Age=-1; Path=/";
+    document.cookie = "import=; Max-Age=-1; Path=/";
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+First we load an image as a control to make sure we can set cookies:<br>
+<img src="http://127.0.0.1:8000/security/resources/set-cookie.php?name=img&amp;value=PASS">
+
+Then we load an SVGImage to see if we can issue network requests from inside the image:<br>
+<img height=200px src='data:image/svg+xml;utf8,
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<defs>
+
+<style type="text/css">
+@font-face { font-family: Extern2; src: url(http://127.0.0.1:8000/security/resources/set-cookie.php?name=font&amp;amp;value=FAIL) format("woff"); }
+
+.cc {
+font-family: Extern2;
+font-size: 20px;
+}
+</style>
+
+<style type="text/css">
+@import url("http://127.0.0.1:8000/security/resources/set-cookie.php?name=import&amp;amp;value=FAIL");
+</style>
+</defs>
+
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#00FF00" stroke="#004400"/>
+<text x="50" y="50" class="cc">groebert</text>
+
+</svg>
+'>
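Review bot: The negative check can pass for the wrong reason: `document.cookie` is read in the outer window's `load` handler, but nothing waits for the SVG image's own subresource requests (the `@font-face` source and the `@import` inside the `data:` SVG), and the outer `load` event only requires the `<img>` elements themselves to have loaded. Before the fix, the font and import requests could still be in flight when the handler runs, and the test would report PASS anyway. Consider running the check after a bounded delay or polling `document.cookie` for the `font`/`import` names for a short period before declaring PASS, so that a regression reliably produces the FAIL alert. Two smaller points: the `&amp;amp;` inside the data URL is correct (it decodes to `&amp;` in the attribute and then to `&` in the SVG), but a comment saying so would save the next reader from "fixing" it; and `height=200px` should be `height="200"`, since the HTML `height` attribute takes a bare integer.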
index a9485df..f2765fa 100644 (file)
@@ -1,3 +1,16 @@
+2012-09-25  Adam Barth  <abarth@webkit.org>
+
+        [Chromium] Network requests without a networking context can be started
+        https://bugs.webkit.org/show_bug.cgi?id=97498
+
+        Reviewed by Eric Seidel.
+
+        We shouldn't try to start network requests without a networking
+        context. Other ports have a similar null check.
+
+        * platform/network/chromium/ResourceHandle.cpp:
+        (WebCore::ResourceHandle::start):
+
 2012-09-25  Justin Schuh  <jschuh@chromium.org>
 
         Mask RenderArena freelist entries.
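Review bot: The entry does not say which caller hands `ResourceHandle::start` a null `NetworkingContext`; the added layout test shows the case is subresource loads issued from inside an SVGImage (a font and a stylesheet `@import` inside a `data:` SVG), and the entry should name that, since it is the security-relevant behavior the check enforces. It also says "Other ports have a similar null check" without naming one; citing the file with the equivalent check would let a reader confirm the Chromium behavior now matches.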
index b753da6..aae53bb 100644 (file)
@@ -218,6 +218,9 @@ void ResourceHandle::setDefersLoading(bool value)
 
 bool ResourceHandle::start(NetworkingContext* context)
 {
+    if (!context)
+        return false;
+
     d->start();
     return true;
 }
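Review bot: The new guard returns `false` without any diagnostic or client notification, so a null context makes the load vanish silently; please confirm that every caller that creates a handle and calls `start` copes with a `false` return (a null handle rather than a crash) and that the loader reports the dropped request as a failure where one is expected. Since `context` is otherwise unused in this function (`d->start()` takes no arguments), the check is a pure gate and deserves a one-line comment stating that a null context means the load is not permitted (the SVGImage case covered by the added test). If the synchronous load entry point in this file also takes a `NetworkingContext*`, it needs the same guard, otherwise that path stays unprotected.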