Make text track loading set same-origin fallback flag
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Jan 2020 07:57:23 +0000 (07:57 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Jan 2020 07:57:23 +0000 (07:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205744

Patch by Rob Buis <rbuis@igalia.com> on 2020-01-03
Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Adjust test result to new behavior for text track loading.

* web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
* web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
* web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:

Source/WebCore:

Make text track loading set same-origin fallback flag,
which changes text track loading to be same-origin
when the crossorigin attribute is not specified.

The new behavior matches that of Chrome and Firefox.

[1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request

Tests: http/tests/security/text-track-crossorigin.html

* loader/TextTrackLoader.cpp:
(WebCore::TextTrackLoader::load):

LayoutTests:

Adjusts test to same-origin fallback behavior for text track
loading by using CORS.

* http/tests/security/contentSecurityPolicy/resources/track.php: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
* http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
* http/tests/security/text-track-crossorigin-expected.txt:
* http/tests/security/text-track-crossorigin.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254031 268f45cc-cd09-0410-ab3c-d52691b4dbfc

13 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
LayoutTests/http/tests/security/text-track-crossorigin-expected.txt
LayoutTests/http/tests/security/text-track-crossorigin.html
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt
LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt
LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/TextTrackLoader.cpp

index d00daf7..4fa3cbb 100644 (file)
@@ -1,3 +1,20 @@
+2020-01-03  Rob Buis  <rbuis@igalia.com>
+
+        Make text track loading set same-origin fallback flag
+        https://bugs.webkit.org/show_bug.cgi?id=205744
+
+        Reviewed by Darin Adler.
+
+        Adjusts test to same-origin fallback behavior for text track
+        loading by using CORS.
+
+        * http/tests/security/contentSecurityPolicy/resources/track.php: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html:
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
+        * http/tests/security/text-track-crossorigin-expected.txt:
+        * http/tests/security/text-track-crossorigin.html:
+
 2020-01-03  Chris Dumez  <cdumez@apple.com>
 
         Add support for DragEvent
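Review bot: the entry explains what changed in the tests ("by using CORS") but not why the three contentSecurityPolicy/track-redirect-*.html tests needed `crossorigin="anonymous"` and a new track.php. One sentence stating that, with the same-origin fallback, a 307 redirect from 127.0.0.1:8000 to localhost:8000 is now a cross-origin load that fails without CORS, so the CSP tests opt into CORS in order to keep exercising CSP rather than the new fallback, would save the next reader a trip through the diffs.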
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.php b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.php
new file mode 100644 (file)
index 0000000..f31b732
--- /dev/null
@@ -0,0 +1,9 @@
+<?php
+header("content-type: text/vtt");
+header("Access-Control-Allow-Origin: *");
+?>
+WEBVTT
+
+1
+00:00:00.000 --> 00:00:01.000
+Sample
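Review bot: track.php is track.vtt plus an `Access-Control-Allow-Origin: *` header, and nothing in the file says so; a one-line PHP comment stating that it exists so the redirected cross-origin track load passes CORS under the new same-origin fallback would help. Also note that the layout depends on PHP swallowing the single newline after `?>` so that `WEBVTT` lands on the first body line as the WebVTT parser requires; an extra blank line inserted there later would silently break the resource.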
index 195782e..4f8f778 100644 (file)
@@ -6,8 +6,8 @@
 <meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
 </head>
 <body>
-<video>
-    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+<video crossorigin="anonymous">
+    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&cors_allow_origin=*&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.php" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
 </video>
 <script>
 document.querySelector("track").track.mode = "hidden"; // Load the track
index 6d0b618..f69e19e 100644 (file)
@@ -6,8 +6,8 @@
 <meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request">
 </head>
 <body>
-<video>
-    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+<video crossorigin="anonymous">
+    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.php" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
 </video>
 <script>
 document.querySelector("track").track.mode = "hidden"; // Load the track
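Review bot: track-redirect-allowed.html and track-redirect-allowed2.html now disagree on the redirect.php query: the first adds `cors_allow_origin=*`, this one does not, yet both exercise the same 307-to-localhost path with `crossorigin="anonymous"`. If the test page is served from http://127.0.0.1:8000, the redirect response is same-origin and the parameter is redundant in both; otherwise this file is missing it. Either way the two tests should use the same form so a future failure is not mistaken for a CORS difference between them.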
index aa23efb..7fa04b7 100644 (file)
@@ -6,7 +6,7 @@
 <meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
 </head>
 <body>
-<video>
+<video crossorigin="anonymous">
     <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('FAIL')" onerror="alertAndDone('PASS')">
 </video>
 <script>
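Review bot: with `crossorigin="anonymous"` added, the track here still points at track.vtt, which carries no Access-Control-Allow-Origin header, so the load would now fail the CORS check even if CSP allowed it; the `onerror` PASS can no longer be attributed to CSP alone. Consider pointing at track.php as the allowed tests do, so that the only thing blocking the load is the `media-src` policy (unless the expected output already checks for the CSP console message, which would disambiguate).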
index 93226c6..8946c32 100644 (file)
@@ -1,13 +1,15 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/captions-with-access-control-headers.php from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
 CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
 Tests loading cross-domain <track>.
 
 
 Loading without Access-Control-Allow-Origin header, no "crossorigin" attribute on <video>
-EVENT(load)
-PASS: shouldLoad should be 'true' and is.
+EVENT(error)
+PASS: shouldLoad should be 'false' and is.
 PASS: event.target should be '[object HTMLTrackElement]' and is.
-PASS: trackElement.readyState should be '2' and is.
+PASS: trackElement.readyState should be '3' and is.
 
 
 Loading without Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"
@@ -31,5 +33,12 @@ PASS: event.target should be '[object HTMLTrackElement]' and is.
 PASS: trackElement.readyState should be '2' and is.
 
 
+Loading without Access-Control-Allow-Origin header, with a redirect, no "crossorigin" attribute on <video>
+EVENT(error)
+PASS: shouldLoad should be 'false' and is.
+PASS: event.target should be '[object HTMLTrackElement]' and is.
+PASS: trackElement.readyState should be '3' and is.
+
+
 END OF TEST
 
index 269c7d5..14c408d 100644 (file)
@@ -4,7 +4,7 @@
         <script src="resources/cross-frame-access.js"></script>
         <script>
 
-            var shouldLoad = true;
+            var shouldLoad = false;
             var counter = 0;
 
             if (window.testRunner) {
 
                 log('<br>');
                 switch(counter) {
-                case 0:
-                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
-                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.php?count=" + counter;
-                    videoElement.setAttribute('crossorigin', 'anonymous');
-                    trackElement.removeAttribute('src');
-                    trackElement.setAttribute('src', url);
-                    shouldLoad = false;
-                    ++counter;
-                    break;
-
                 case 2:
                     log('Loading <b>with</b> Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers, setting video.crossorigin to "use-credentials"');
                     url = "http://localhost:8000/security/resources/captions-with-access-control-headers.php?origin=1;credentials=1";
                     break;
 
                 case 3:
+                    log('Loading <b>without</b> Access-Control-Allow-Origin header, with a redirect, no "crossorigin" attribute on &lt;video&gt;');
+                    url = "http://127.0.0.1:8000/security/resources/redir.php?url=http://localhost:8000/security/resources/captions-with-access-control-headers.php"
+                    videoElement.removeAttribute('crossorigin');
+                    trackElement.removeAttribute('crossorigin');
+                    trackElement.setAttribute('src', url);
+                    shouldLoad = false;
+                    ++counter;
+                    break;
+
+                case 4:
                     log("END OF TEST");
                     if (window.testRunner)
                         testRunner.notifyDone();
-                defaut:
-                    if (window.testRunner)
-                        testRunner.notifyDone();
+                    break;
                 }
             }
 
 
                 log('<br>');
                 switch(counter) {
+                case 0:
+                    log('Loading <b>without</b> Access-Control-Allow-Origin header, setting video.crossorigin to "anonymous"');
+                    url = "http://localhost:8000/security/resources/captions-with-access-control-headers.php?count=" + counter;
+                    videoElement.setAttribute('crossorigin', 'anonymous');
+                    trackElement.removeAttribute('src');
+                    trackElement.setAttribute('src', url);
+                    ++counter;
+                    break;
+
                 case 1:
                     log('Loading <b>with</b> Access-Control-Allow-Origin header, leaving video.crossorigin as "anonymous"');
                     url = "http://localhost:8000/security/resources/captions-with-access-control-headers.php?origin=1";
                     shouldLoad = true;
                     ++counter;
                     break;
-                defaut:
+
+                case 4:
+                    log("END OF TEST");
                     if (window.testRunner)
                         testRunner.notifyDone();
+                    break;
                 }
             }
 
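Review bot: the `url = "http://127.0.0.1:8000/security/resources/redir.php?url=..."` line in the new case 3 is missing its trailing semicolon, unlike every other assignment in the file. More substantively, both switches lose the old `defaut:` lines (a typo that JavaScript parsed as a statement label, so no default branch ever existed) without gaining a real `default:`; an unexpected event, for example an error while the load handler owns counter 2, now hits no case and leaves the test hanging until the harness timeout. Suggest a `default:` in each switch that logs the unexpected event and calls `testRunner.notifyDone()`.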
index c3de429..0d346ad 100644 (file)
@@ -1,3 +1,16 @@
+2020-01-03  Rob Buis  <rbuis@igalia.com>
+
+        Make text track loading set same-origin fallback flag
+        https://bugs.webkit.org/show_bug.cgi?id=205744
+
+        Reviewed by Darin Adler.
+
+        Adjust test result to new behavior for text track loading.
+
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:
+        * web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-data-url-expected.txt:
+        * web-platform-tests/service-workers/service-worker/webvtt-cross-origin.https-expected.txt:
+
 2020-01-03  Chris Dumez  <cdumez@apple.com>
 
         Add support for DragEvent
index 1375999..5ee17d1 100644 (file)
@@ -1,3 +1,7 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
+
 
 PASS track element cloneNode, not loaded 
 PASS track element cloneNode, loading 
index d3543cf..93685d3 100644 (file)
@@ -1,9 +1,5 @@
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin text track load denied by Cross-Origin Resource Sharing policy.
 
 FAIL track element data: URL No CORS null is not an object (evaluating 't.track.cues.length')
-FAIL track element data: URL anonymous assert_unreached: got error event Reached unreachable code
-FAIL track element data: URL use-credentials assert_unreached: got error event Reached unreachable code
+FAIL track element data: URL anonymous null is not an object (evaluating 't.track.cues.length')
+FAIL track element data: URL use-credentials null is not an object (evaluating 't.track.cues.length')
 
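Review bot: this rebaseline replaces three FAIL lines with three different FAIL lines; every data: URL case now reports `null is not an object (evaluating 't.track.cues.length')`, even though the WebCore hunk sets `sameOriginDataURLFlag`. The ChangeLog describes this as adjusting results "to new behavior" but should say these remain known failures and point at a follow-up bug, so nobody reads the new expectations as the intended outcome.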
index 41ade77..7d8d818 100644 (file)
@@ -1,11 +1,11 @@
 
 PASS initialize global state 
 PASS same-origin text track should load 
-FAIL cross-origin text track with no-cors request should not load assert_equals: expected "error event" but got "load event"
+PASS cross-origin text track with no-cors request should not load 
 PASS cross-origin text track with rejected cors request should not load 
 FAIL cross-origin text track with approved cors request should not load assert_equals: expected "error event" but got "load event"
 PASS same-origin text track that redirects same-origin should load 
-FAIL same-origin text track that redirects cross-origin should not load assert_equals: expected "error event" but got "load event"
+PASS same-origin text track that redirects cross-origin should not load 
 PASS same-origin text track that redirects to a cross-origin text track with rejected cors should not load 
 FAIL same-origin text track that redirects to a cross-origin text track with approved cors should not load assert_equals: expected "error event" but got "load event"
 PASS restore global state 
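Review bot: two lines still FAIL after the change, both for the "approved cors request should not load" expectation, whereas the no-cors and redirect-cross-origin lines flip to PASS. Since the commit message cites the spec step for creating a potential CORS request, a sentence in the ChangeLog on whether the approved-CORS cases are a remaining WebKit difference or a test issue would make the rebaseline reviewable.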
index d6351b8..74114ac 100644 (file)
@@ -1,3 +1,23 @@
+2020-01-03  Rob Buis  <rbuis@igalia.com>
+
+        Make text track loading set same-origin fallback flag
+        https://bugs.webkit.org/show_bug.cgi?id=205744
+
+        Reviewed by Darin Adler.
+
+        Make text track loading set same-origin fallback flag,
+        which changes text track loading to be same-origin
+        when the crossorigin attribute is not specified.
+
+        The new behavior matches that of Chrome and Firefox.
+
+        [1] https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request
+
+        Tests: http/tests/security/text-track-crossorigin.html
+
+        * loader/TextTrackLoader.cpp:
+        (WebCore::TextTrackLoader::load):
+
 2020-01-03  Sihui Liu  <sihui_liu@apple.com>
 
         IndexedDB: delete index records with ID and IndexKey instead of value in SQLiteIDBackingStore
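Review bot: the entry introduces a reference "[1]" to the spec but never cites it in the text, and it describes a single "same-origin fallback flag" while the code change sets two things, `options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set` and `SameOriginFlag::Yes`. Cite [1] where the same-origin behaviour for a missing crossorigin attribute is stated, and mention the data: URL flag and its intended effect explicitly.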
index 353b2a6..ecd264e 100644 (file)
@@ -152,6 +152,7 @@ bool TextTrackLoader::load(const URL& url, HTMLTrackElement& element)
     Document& document = downcast<Document>(*m_scriptExecutionContext);
 
     ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
     options.contentSecurityPolicyImposition = element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
 
     ResourceRequest resourceRequest(document.completeURL(url));
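Review bot: `options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;` is set with no comment and is not mentioned in the ChangeLog, and it sits one hunk away from the `SameOriginFlag::Yes` argument it belongs with. A short comment above this line, carrying the spec link from the ChangeLog and stating that out-of-band text tracks are fetched same-origin (and data: URLs treated as same-origin) when no crossorigin attribute is present, would tie the two edits together for whoever reads this function next.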
@@ -159,7 +160,7 @@ bool TextTrackLoader::load(const URL& url, HTMLTrackElement& element)
     if (auto mediaElement = element.mediaElement())
         resourceRequest.setInspectorInitiatorNodeIdentifier(InspectorInstrumentation::identifierForNode(*mediaElement));
 
-    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), document, element.mediaElementCrossOriginAttribute());
+    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), WTFMove(options), document, element.mediaElementCrossOriginAttribute(), SameOriginFlag::Yes);
     m_resource = document.cachedResourceLoader().requestTextTrack(WTFMove(cueRequest)).value_or(nullptr);
     if (!m_resource)
         return false;