2010-11-29 Gavin Peters <gavinp@chromium.org>
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Nov 2010 19:45:27 +0000 (19:45 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Nov 2010 19:45:27 +0000 (19:45 +0000)
        Reviewed by Adam Barth.

        Web page can prevent WebKit from loading subresources on other
        pages (cache poisoning)
        https://bugs.webkit.org/show_bug.cgi?id=35404

        * http/tests/misc/unloadable-script-expected.txt: Renamed from LayoutTests/fast/loader/unloadable-script-expected.txt.
        * http/tests/misc/unloadable-script.html: Renamed from LayoutTests/fast/loader/unloadable-script.html.
        * loader/reload-subresource-when-type-changes-expected.txt: Added.
        * loader/reload-subresource-when-type-changes.html: Added.
        * loader/resources/image1.png: Added.
        * loader/resources/image2.png: Added.
        * loader/resources/reload-subresource-when-type-changes.js: Added.
2010-11-29  Gavin Peters  <gavinp@chromium.org>

        Reviewed by Adam Barth.

        Web page can prevent WebKit from loading subresources on other
        pages (cache poisoning)
        https://bugs.webkit.org/show_bug.cgi?id=35404

        Tests: http/tests/misc/unloadable-script.html
               loader/reload-subresource-when-type-changes.html

        * loader/cache/MemoryCache.cpp:
        (WebCore::MemoryCache::requestResource):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@72817 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/misc/unloadable-script-expected.txt [moved from LayoutTests/fast/loader/unloadable-script-expected.txt with 63% similarity]
LayoutTests/http/tests/misc/unloadable-script.html [moved from LayoutTests/fast/loader/unloadable-script.html with 83% similarity]
LayoutTests/loader/reload-subresource-when-type-changes-expected.txt [new file with mode: 0644]
LayoutTests/loader/reload-subresource-when-type-changes.html [new file with mode: 0644]
LayoutTests/loader/resources/image1.png [new file with mode: 0644]
LayoutTests/loader/resources/image2.png [new file with mode: 0644]
LayoutTests/loader/resources/reload-subresource-when-type-changes.js [new file with mode: 0644]
WebCore/ChangeLog
WebCore/loader/cache/MemoryCache.cpp

index 6b455d6..1315ebd 100644 (file)
@@ -1,3 +1,19 @@
+2010-11-29  Gavin Peters  <gavinp@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Web page can prevent WebKit from loading subresources on other
+        pages (cache poisoning)
+        https://bugs.webkit.org/show_bug.cgi?id=35404
+
+        * http/tests/misc/unloadable-script-expected.txt: Renamed from LayoutTests/fast/loader/unloadable-script-expected.txt.
+        * http/tests/misc/unloadable-script.html: Renamed from LayoutTests/fast/loader/unloadable-script.html.
+        * loader/reload-subresource-when-type-changes-expected.txt: Added.
+        * loader/reload-subresource-when-type-changes.html: Added.
+        * loader/resources/image1.png: Added.
+        * loader/resources/image2.png: Added.
+        * loader/resources/reload-subresource-when-type-changes.js: Added.
+
 2010-11-29  Adam Roben  <aroben@apple.com>
 
         Check in new Windows results after r72678
@@ -1,9 +1,6 @@
+CONSOLE MESSAGE: line 0: Not allowed to load local resource: foobar
 Test for bug 13584: <script> code wrongly assumes requests can't fail.
 
 No crash == SUCCESS.
 
 onerror called (good!)
-
-onerror called (good!)
-
-
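Review bot: The expected output now records a single "onerror called (good!)" where it recorded two, yet the test page still starts two script loads (the test_script element and the script built with createElement). Please state in the ChangeLog which load no longer reports onerror and why that is the intended result, so the dropped line is not mistaken for a lost error event.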
@@ -15,14 +15,14 @@ function log(message) {
     
     <div id=console></div>
     
-    <img src="resources/foobar">
     <script id=test_script></script>
 
     <script>
         if (window.layoutTestController)
             layoutTestController.dumpAsText();
 
-        document.getElementById('test_script').src = "resources/foobar";
+        <!-- we are an HTTP test so the security origin will fail the file method -->
+        document.getElementById('test_script').src = "file:///foobar";
         
         script = document.createElement("script");
         script.setAttribute("src", "resources/foobar");
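Review bot: The added comment line inside the <script> block uses HTML comment syntax (<!-- ... -->), which only works because script parsers treat a leading <!-- as the start of a single-line comment; write it as a // comment. The comment could also say outright that file:///foobar is expected to be refused from an HTTP origin, since that refusal is what makes the load fail now that the <img src="resources/foobar"> line is removed.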
diff --git a/LayoutTests/loader/reload-subresource-when-type-changes-expected.txt b/LayoutTests/loader/reload-subresource-when-type-changes-expected.txt
new file mode 100644 (file)
index 0000000..49d7618
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 1: SyntaxError: Parse error
+PASS 1 of 3
+PASS 2 of 3
+PASS 3 of 3
+    
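Review bot: The first expected line, "CONSOLE MESSAGE: line 1: SyntaxError: Parse error", pins the test to the exact wording the script engine emits when image2.png is run as a script, so ports built on a different engine will need their own expected file. If the console message is not what the test is checking, consider keeping it out of the result. The last added line is whitespace only and looks unintentional.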
diff --git a/LayoutTests/loader/reload-subresource-when-type-changes.html b/LayoutTests/loader/reload-subresource-when-type-changes.html
new file mode 100644 (file)
index 0000000..0cdaade
--- /dev/null
@@ -0,0 +1,35 @@
+<div id="logDiv">FAILED</div>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var logDiv = document.getElementById("logDiv");
+
+function clearLog()
+{
+    logDiv.innerHTML = "";
+}
+
+function log(string)
+{
+    logDiv.appendChild(document.createTextNode(string));
+    logDiv.appendChild(document.createElement("br"));
+}
+
+function checkLoadedImage(event, testNumber) {
+    var imageWidth = event.target.width;
+    if (imageWidth == 25)
+        log("PASS " + testNumber + " of 3");
+    else
+        log("IMAGE SIZE " + imageWidth + " FAIL - " + testNumber + " of 2");
+}
+</script>
+
+<img src="resources/reload-subresource-when-type-changes.js">
+<script src="resources/reload-subresource-when-type-changes.js"></script>
+
+<link rel="prefetch" href="resources/image1.png">
+<img src="resources/image1.png" onerror="log('LOAD ERROR - FAIL 2 of 3)" onload="checkLoadedImage(event, 2)">
+
+<script src="resources/image2.png"></script>
+<img src="resources/image2.png" onerror="log('LOAD ERROR - FAIL 2 of 3)" onload="checkLoadedImage(event, 3)">
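Review bot: Both onerror attributes on the image1.png and image2.png elements are missing the closing quote of the string literal (log('LOAD ERROR - FAIL 2 of 3)), so the handler does not compile and a load error would log nothing, leaving only a missing PASS line to debug from. Close the quote, make the image2.png handler say "3 of 3" instead of "2 of 3", and change the failure text in checkLoadedImage from "of 2" to "of 3" so it matches the PASS messages.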
diff --git a/LayoutTests/loader/resources/image1.png b/LayoutTests/loader/resources/image1.png
new file mode 100644 (file)
index 0000000..6e555e3
Binary files /dev/null and b/LayoutTests/loader/resources/image1.png differ
diff --git a/LayoutTests/loader/resources/image2.png b/LayoutTests/loader/resources/image2.png
new file mode 100644 (file)
index 0000000..6e555e3
Binary files /dev/null and b/LayoutTests/loader/resources/image2.png differ
diff --git a/LayoutTests/loader/resources/reload-subresource-when-type-changes.js b/LayoutTests/loader/resources/reload-subresource-when-type-changes.js
new file mode 100644 (file)
index 0000000..1dddb98
--- /dev/null
@@ -0,0 +1,2 @@
+clearLog();
+log("PASS 1 of 3");
index 32994e4..de53492 100644 (file)
@@ -1,3 +1,17 @@
+2010-11-29  Gavin Peters  <gavinp@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Web page can prevent WebKit from loading subresources on other
+        pages (cache poisoning)
+        https://bugs.webkit.org/show_bug.cgi?id=35404
+
+        Tests: http/tests/misc/unloadable-script.html
+               loader/reload-subresource-when-type-changes.html
+
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::requestResource):
+
 2010-11-29  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Dan Bernstein.
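Review bot: The entry for (WebCore::MemoryCache::requestResource) has no description after the colon. Add a sentence saying that a cached resource whose type differs from the requested type is now evicted and reloaded with the new type, where requestResource previously returned 0, since that is the behaviour change a later reader of the ChangeLog needs.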
index 79dfc03..2f45b5d 100644 (file)
@@ -126,7 +126,13 @@ CachedResource* MemoryCache::requestResource(CachedResourceLoader* cachedResourc
             FrameLoader::reportLocalLoadFailed(cachedResourceLoader->document()->frame(), url.string());
         return 0;
     }
-    
+
+    if (resource && resource->type() != type) {
+        LOG(ResourceLoading, "Cache::requestResource found a cache resource with matching url but different type, evicting and loading with new type.");
+        evict(resource);
+        resource = 0;
+    }
+
     if (!resource) {
         LOG(ResourceLoading, "CachedResource for '%s' wasn't found in cache. Creating it", url.string().latin1().data());
         // The resource does not exist. Create it.
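Review bot: The added block evicts on any type mismatch, so two consumers that request the same URL as different types will evict each other's entry on every request and force a fresh load each time; please confirm that is acceptable, or note it in a comment next to evict(resource). The new LOG line also says "Cache::requestResource" and omits the URL, unlike the neighbouring message that prints url.string().latin1().data(); use the MemoryCache:: prefix and include the URL so the eviction can be traced in logs.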
@@ -157,11 +163,6 @@ CachedResource* MemoryCache::requestResource(CachedResourceLoader* cachedResourc
         }
     }
 
-    if (resource->type() != type) {
-        LOG(ResourceLoading, "MemoryCache::requestResource cannot use cached resource for '%s' due to type mismatch", url.string().latin1().data());
-        return 0;
-    }
-
     if (!disabled()) {
         // This will move the resource to the front of its LRU list and increase its access count.
         resourceAccessed(resource);
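Review bot: With the late type check removed, nothing at this point documents that resource now always has the requested type. An ASSERT(resource->type() == type) before the !disabled() block would record that invariant and catch any future path that reaches here with a mismatched resource.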