[CSS Shapes] limit shape image values to same origin
authorhmuller@adobe.com <hmuller@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Jun 2013 19:56:37 +0000 (19:56 +0000)
committerhmuller@adobe.com <hmuller@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 22 Jun 2013 19:56:37 +0000 (19:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=117610

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Restrict the image URL values for shape-inside and shape-outside to
the same origin as the document. The alpha channel of image shape values
will be thresholded to produce the shape's boundaries (see bug 116643)
so normal image access rules aren't secure enough.

Added a RequestOriginPolicy ResourceLoaderOption which is used by
StyleResolver::loadPendingShapeImage() to request the additional restriction.
The change should have no other effect although it does enable one to apply
the same restriction to other resources which can currently be loaded from
any origin - see CachedResourceLoader::canRequest().

Test: http/tests/security/shape-inside-image-origin.html

* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::cachedImage): Add an effectively optional ResourceLoaderOptions parameter.
* css/CSSImageValue.h:
(WebCore::CSSImageValue::cachedImage): Ditto.
* css/StyleResolver.cpp:
(WebCore::StyleResolver::loadPendingShapeImage): Load the image with the default CachedResourceLoader options plus RestrictToSameOrigin.
(WebCore::StyleResolver::loadPendingImages): Call loadPendingShapeImage().
* css/StyleResolver.h:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Update the ResourceLoaderOptions static variable.
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Ditto.
* loader/ResourceLoader.h:
(WebCore::ResourceLoader::options):
* loader/ResourceLoaderOptions.h: Add RequestOriginPolicy enum.
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequest): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestImage):
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Update load() ResourceLoaderOptions.
(WebCore::CachedResourceLoader::canRequest): Replaced ContentSecurityPolicyCheck parameter with ResourceLoaderOptions.
(WebCore::CachedResourceLoader::requestResource): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Added UseDefaultOriginRestrictionsForType initializer.
* loader/cache/CachedResourceLoader.h:
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Added UseDefaultOriginRestrictionsForType intializer.

LayoutTests:

Verify that a non same-origin image URL specified for shape-inside or
shape-outside will not load and the shape property will be reset to "none".

* http/tests/resources/square100.png: Added.
* http/tests/security/shape-inside-image-origin-expected.txt: Added.
* http/tests/security/shape-inside-image-origin.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@151878 268f45cc-cd09-0410-ab3c-d52691b4dbfc

17 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/resources/square100.png [new file with mode: 0644]
LayoutTests/http/tests/security/shape-inside-image-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/shape-inside-image-origin.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSImageValue.cpp
Source/WebCore/css/CSSImageValue.h
Source/WebCore/css/StyleResolver.cpp
Source/WebCore/css/StyleResolver.h
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/NetscapePlugInStreamLoader.cpp
Source/WebCore/loader/ResourceLoader.h
Source/WebCore/loader/ResourceLoaderOptions.h
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.h
Source/WebCore/loader/icon/IconLoader.cpp

index c1bf317..ffa415b 100644 (file)
@@ -1,3 +1,17 @@
+2013-06-22  Hans Muller  <hmuller@adobe.com>
+
+        [CSS Shapes] limit shape image values to same origin
+        https://bugs.webkit.org/show_bug.cgi?id=117610
+
+        Reviewed by Alexey Proskuryakov.
+
+        Verify that a non same-origin image URL specified for shape-inside or
+        shape-outside will not load and the shape property will be reset to "none".
+
+        * http/tests/resources/square100.png: Added.
+        * http/tests/security/shape-inside-image-origin-expected.txt: Added.
+        * http/tests/security/shape-inside-image-origin.html: Added.
+
 2013-06-21  Brent Fulgham  <bfulgham@apple.com>
 
         [Windows] Unreviewed gardening.
diff --git a/LayoutTests/http/tests/resources/square100.png b/LayoutTests/http/tests/resources/square100.png
new file mode 100644 (file)
index 0000000..567babb
Binary files /dev/null and b/LayoutTests/http/tests/resources/square100.png differ
diff --git a/LayoutTests/http/tests/security/shape-inside-image-origin-expected.txt b/LayoutTests/http/tests/security/shape-inside-image-origin-expected.txt
new file mode 100644 (file)
index 0000000..7c32337
--- /dev/null
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8080/security/resources/square100.png from frame with URL http://127.0.0.1:8000/security/shape-inside-image-origin.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8080/security/resources/square100.png from frame with URL http://127.0.0.1:8000/security/shape-inside-image-origin.html. Domains, protocols and ports must match.
+
+Verify that shape-inside and shape-outside can not be set to a URL with a different origin and that the result of doing so sets the property to "none". This test should generate two error messages about unsafe attempts to load a URL.
+
+PASS window.getComputedStyle(shapeElement).webkitShapeInside is "rectangle(0px, 0px, 0px, 0px, 0px, 0px)"
+PASS window.getComputedStyle(shapeElement).webkitShapeOutside is "rectangle(0px, 0px, 0px, 0px, 0px, 0px)"
+PASS window.getComputedStyle(shapeElement).webkitShapeInside is "none"
+PASS window.getComputedStyle(shapeElement).webkitShapeOutside is "none"
+
+
diff --git a/LayoutTests/http/tests/security/shape-inside-image-origin.html b/LayoutTests/http/tests/security/shape-inside-image-origin.html
new file mode 100644 (file)
index 0000000..c9227b4
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+<style>
+    #shape {
+        -webkit-shape-inside: rectangle(0, 0, 0, 0);
+        -webkit-shape-outside: rectangle(0, 0, 0, 0);
+    }
+</style>
+</head>
+<body>
+  <p>Verify that shape-inside and shape-outside can not be set to a URL with a different origin
+  and that the result of doing so sets the property to "none". This test should generate two error
+  messages about unsafe attempts to load a URL.</p>
+  <p id="console"></p>
+
+  <div id="shape"></div>
+
+<script>
+  var shapeElement = document.getElementById("shape");
+  shouldBeEqualToString('window.getComputedStyle(shapeElement).webkitShapeInside', "rectangle(0px, 0px, 0px, 0px, 0px, 0px)");
+  shouldBeEqualToString('window.getComputedStyle(shapeElement).webkitShapeOutside', "rectangle(0px, 0px, 0px, 0px, 0px, 0px)");
+
+  // The image URL's port does not match this document's origin. We expect a pair of console warnings.
+  shapeElement.style.webkitShapeInside = 'url("http://localhost:8080/security/resources/square100.png")';
+  shapeElement.style.webkitShapeOutside = 'url("http://localhost:8080/security/resources/square100.png")';
+
+  shouldBeEqualToString('window.getComputedStyle(shapeElement).webkitShapeInside', "none");
+  shouldBeEqualToString('window.getComputedStyle(shapeElement).webkitShapeOutside', "none");
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
index 0eef4c7..1bccca3 100644 (file)
@@ -1,3 +1,51 @@
+2013-06-22  Hans Muller  <hmuller@adobe.com>
+
+        [CSS Shapes] limit shape image values to same origin
+        https://bugs.webkit.org/show_bug.cgi?id=117610
+
+        Reviewed by Alexey Proskuryakov.
+
+        Restrict the image URL values for shape-inside and shape-outside to
+        the same origin as the document. The alpha channel of image shape values
+        will be thresholded to produce the shape's boundaries (see bug 116643)
+        so normal image access rules aren't secure enough.
+
+        Added a RequestOriginPolicy ResourceLoaderOption which is used by
+        StyleResolver::loadPendingShapeImage() to request the additional restriction.
+        The change should have no other effect although it does enable one to apply
+        the same restriction to other resources which can currently be loaded from
+        any origin - see CachedResourceLoader::canRequest().
+
+        Test: http/tests/security/shape-inside-image-origin.html
+
+        * css/CSSImageValue.cpp:
+        (WebCore::CSSImageValue::cachedImage): Add an effectively optional ResourceLoaderOptions parameter.
+        * css/CSSImageValue.h:
+        (WebCore::CSSImageValue::cachedImage): Ditto.
+        * css/StyleResolver.cpp:
+        (WebCore::StyleResolver::loadPendingShapeImage): Load the image with the default CachedResourceLoader options plus RestrictToSameOrigin.
+        (WebCore::StyleResolver::loadPendingImages): Call loadPendingShapeImage().
+        * css/StyleResolver.h:
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::startLoadingMainResource): Update the ResourceLoaderOptions static variable.
+        * loader/NetscapePlugInStreamLoader.cpp:
+        (WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Ditto.
+        * loader/ResourceLoader.h:
+        (WebCore::ResourceLoader::options):
+        * loader/ResourceLoaderOptions.h: Add RequestOriginPolicy enum.
+        (WebCore::ResourceLoaderOptions::ResourceLoaderOptions):
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::willSendRequest): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestImage):
+        (WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Update load() ResourceLoaderOptions.
+        (WebCore::CachedResourceLoader::canRequest): Replaced ContentSecurityPolicyCheck parameter with ResourceLoaderOptions.
+        (WebCore::CachedResourceLoader::requestResource): Pass ResourceLoaderOptions along to revised CachedResourceLoader::canRequest().
+        (WebCore::CachedResourceLoader::defaultCachedResourceOptions): Added UseDefaultOriginRestrictionsForType initializer.
+        * loader/cache/CachedResourceLoader.h:
+        * loader/icon/IconLoader.cpp:
+        (WebCore::IconLoader::startLoading): Added UseDefaultOriginRestrictionsForType intializer.
+
 2013-06-22  Simon Fraser  <simon.fraser@apple.com>
 
         screen.availWidth always returns width of primary display
index d6ca834..a040ac3 100644 (file)
@@ -63,14 +63,14 @@ StyleImage* CSSImageValue::cachedOrPendingImage()
     return m_image.get();
 }
 
-StyleCachedImage* CSSImageValue::cachedImage(CachedResourceLoader* loader)
+StyleCachedImage* CSSImageValue::cachedImage(CachedResourceLoader* loader, const ResourceLoaderOptions& options)
 {
     ASSERT(loader);
 
     if (!m_accessedImage) {
         m_accessedImage = true;
 
-        CachedResourceRequest request(ResourceRequest(loader->document()->completeURL(m_url)));
+        CachedResourceRequest request(ResourceRequest(loader->document()->completeURL(m_url)), options);
         if (m_initiatorName.isEmpty())
             request.setInitiator(cachedResourceRequestInitiators().css);
         else
@@ -82,6 +82,11 @@ StyleCachedImage* CSSImageValue::cachedImage(CachedResourceLoader* loader)
     return (m_image && m_image->isCachedImage()) ? static_cast<StyleCachedImage*>(m_image.get()) : 0;
 }
 
+StyleCachedImage* CSSImageValue::cachedImage(CachedResourceLoader* loader)
+{
+    return cachedImage(loader, CachedResourceLoader::defaultCachedResourceOptions());
+}
+
 bool CSSImageValue::hasFailedOrCanceledSubresources() const
 {
     if (!m_image || !m_image->isCachedImage())
index 62e1162..8b73cee 100644 (file)
@@ -31,6 +31,7 @@ class Element;
 class StyleCachedImage;
 class StyleImage;
 class RenderObject;
+struct ResourceLoaderOptions;
 
 class CSSImageValue : public CSSValue {
 public:
@@ -38,6 +39,7 @@ public:
     static PassRefPtr<CSSImageValue> create(const String& url, StyleImage* image) { return adoptRef(new CSSImageValue(url, image)); }
     ~CSSImageValue();
 
+    StyleCachedImage* cachedImage(CachedResourceLoader*, const ResourceLoaderOptions&);
     StyleCachedImage* cachedImage(CachedResourceLoader*);
     // Returns a StyleCachedImage if the image is cached already, otherwise a StylePendingImage.
     StyleImage* cachedOrPendingImage();
index 0bd172d..f3dab56 100644 (file)
@@ -52,6 +52,9 @@
 #include "CSSVariableValue.h"
 #endif
 #include "CachedImage.h"
+#if ENABLE(CSS_SHAPES)
+#include "CachedResourceLoader.h"
+#endif
 #include "CalculationValue.h"
 #include "ContentData.h"
 #include "ContextFeatures.h"
@@ -4106,6 +4109,28 @@ PassRefPtr<StyleImage> StyleResolver::loadPendingImage(StylePendingImage* pendin
     return 0;
 }
 
+
+#if ENABLE(CSS_SHAPES)
+void StyleResolver::loadPendingShapeImage(ShapeValue* shapeValue)
+{
+    if (!shapeValue)
+        return;
+
+    StyleImage* image = shapeValue->image();
+    if (!image || !image->isPendingImage())
+        return;
+
+    StylePendingImage* pendingImage = static_cast<StylePendingImage*>(image);
+    CSSImageValue* cssImageValue =  pendingImage->cssImageValue();
+    CachedResourceLoader* cachedResourceLoader = m_state.document()->cachedResourceLoader();
+
+    ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+    options.requestOriginPolicy = RestrictToSameOrigin;
+
+    shapeValue->setImage(cssImageValue->cachedImage(cachedResourceLoader, options));
+}
+#endif
+
 void StyleResolver::loadPendingImages()
 {
     if (m_state.pendingImageProperties().isEmpty())
@@ -4182,12 +4207,10 @@ void StyleResolver::loadPendingImages()
         }
 #if ENABLE(CSS_SHAPES)
         case CSSPropertyWebkitShapeInside:
-            if (m_state.style()->shapeInside() && m_state.style()->shapeInside()->image() && m_state.style()->shapeInside()->image()->isPendingImage())
-                m_state.style()->shapeInside()->setImage(loadPendingImage(static_cast<StylePendingImage*>(m_state.style()->shapeInside()->image())));
+            loadPendingShapeImage(m_state.style()->shapeInside());
             break;
         case CSSPropertyWebkitShapeOutside:
-            if (m_state.style()->shapeOutside() && m_state.style()->shapeOutside()->image() && m_state.style()->shapeOutside()->image()->isPendingImage())
-                m_state.style()->shapeOutside()->setImage(loadPendingImage(static_cast<StylePendingImage*>(m_state.style()->shapeOutside()->image())));
+            loadPendingShapeImage(m_state.style()->shapeOutside());
             break;
 #endif
         default:
index 1ebe932..ae08045 100644 (file)
@@ -581,6 +581,9 @@ private:
 
     PassRefPtr<StyleImage> loadPendingImage(StylePendingImage*);
     void loadPendingImages();
+#if ENABLE(CSS_SHAPES)
+    void loadPendingShapeImage(ShapeValue*);
+#endif
 
     static unsigned computeMatchedPropertiesHash(const MatchedProperties*, unsigned size);
     struct MatchedPropertiesCacheItem {
index 7f4c31f..de400de 100644 (file)
@@ -1371,7 +1371,7 @@ void DocumentLoader::startLoadingMainResource()
 
     ResourceRequest request(m_request);
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, mainResourceLoadOptions,
-        (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck));
+        (SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType));
     CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions);
     m_mainResource = m_cachedResourceLoader->requestMainResource(cachedResourceRequest);
     if (!m_mainResource) {
index a78e807..cc43ebb 100644 (file)
@@ -36,7 +36,7 @@
 namespace WebCore {
 
 NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client)
-    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck))
+    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType))
     , m_client(client)
 {
 }
index 0a5499b..d82aa82 100644 (file)
@@ -160,6 +160,8 @@ protected:
 
     void didReceiveDataOrBuffer(const char*, int, PassRefPtr<SharedBuffer>, long long encodedDataLength, DataPayloadType);
 
+    const ResourceLoaderOptions& options() { return m_options; }
+
     RefPtr<ResourceHandle> m_handle;
     RefPtr<Frame> m_frame;
     RefPtr<DocumentLoader> m_documentLoader;
index d1b907b..0a2f873 100644 (file)
@@ -55,15 +55,31 @@ enum SecurityCheckPolicy {
     DoSecurityCheck
 };
 
+enum RequestOriginPolicy {
+    UseDefaultOriginRestrictionsForType,
+    RestrictToSameOrigin
+};
+
 struct ResourceLoaderOptions {
-    ResourceLoaderOptions() : sendLoadCallbacks(DoNotSendCallbacks), sniffContent(DoNotSniffContent), dataBufferingPolicy(BufferData), allowCredentials(DoNotAllowStoredCredentials), clientCredentialPolicy(DoNotAskClientForAnyCredentials), securityCheck(DoSecurityCheck) { }
-    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, SecurityCheckPolicy securityCheck)
+    ResourceLoaderOptions()
+        : sendLoadCallbacks(DoNotSendCallbacks)
+        , sniffContent(DoNotSniffContent)
+        , dataBufferingPolicy(BufferData)
+        , allowCredentials(DoNotAllowStoredCredentials)
+        , clientCredentialPolicy(DoNotAskClientForAnyCredentials)
+        , securityCheck(DoSecurityCheck)
+        , requestOriginPolicy(UseDefaultOriginRestrictionsForType)
+    {
+    }
+
+    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy)
         : sendLoadCallbacks(sendLoadCallbacks)
         , sniffContent(sniffContent)
         , dataBufferingPolicy(dataBufferingPolicy)
         , allowCredentials(allowCredentials)
         , clientCredentialPolicy(credentialPolicy)
         , securityCheck(securityCheck)
+        , requestOriginPolicy(requestOriginPolicy)
     {
     }
     SendCallbackPolicy sendLoadCallbacks;
@@ -72,6 +88,7 @@ struct ResourceLoaderOptions {
     StoredCredentials allowCredentials; // Whether HTTP credentials and cookies are sent with the request.
     ClientCredentialPolicy clientCredentialPolicy; // When we should ask the client for credentials (if we allow credentials at all).
     SecurityCheckPolicy securityCheck;
+    RequestOriginPolicy requestOriginPolicy;
 };
 
 } // namespace WebCore    
index f4fe72b..af26e30 100644 (file)
@@ -136,7 +136,7 @@ void SubresourceLoader::willSendRequest(ResourceRequest& newRequest, const Resou
             memoryCache()->revalidationFailed(m_resource);
         }
         
-        if (!m_documentLoader->cachedResourceLoader()->canRequest(m_resource->type(), newRequest.url())) {
+        if (!m_documentLoader->cachedResourceLoader()->canRequest(m_resource->type(), newRequest.url(), options())) {
             cancel();
             return;
         }
index 8989bf1..80e2f8d 100644 (file)
@@ -161,7 +161,7 @@ CachedResourceHandle<CachedImage> CachedResourceLoader::requestImage(CachedResou
     if (Frame* f = frame()) {
         if (f->loader()->pageDismissalEventBeingDispatched() != FrameLoader::NoDismissal) {
             KURL requestURL = request.resourceRequest().url();
-            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL))
+            if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, request.options(), request.forPreload()))
                 PingLoader::loadImage(f, requestURL);
             return 0;
         }
@@ -215,7 +215,7 @@ CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt
     memoryCache()->add(userSheet.get());
     // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
 
-    userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck));
+    userSheet->load(this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType));
     
     return userSheet;
 }
@@ -303,7 +303,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
     return true;
 }
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, const ResourceLoaderOptions& options, bool forPreload)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
         if (!forPreload)
@@ -335,8 +335,10 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
 #if ENABLE(CSS_SHADERS)
     case CachedResource::ShaderResource:
 #endif
-        // These types of resources can be loaded from any origin.
-        // FIXME: Are we sure about CachedResource::FontResource?
+        if (options.requestOriginPolicy == RestrictToSameOrigin && !m_document->securityOrigin()->canRequest(url)) {
+            printAccessDeniedMessage(url);
+            return false;
+        }
         break;
 #if ENABLE(SVG)
     case CachedResource::SVGDocumentResource:
@@ -443,7 +445,7 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(Cache
     if (!url.isValid())
         return 0;
 
-    if (!canRequest(type, url, request.forPreload()))
+    if (!canRequest(type, url, request.options(), request.forPreload()))
         return 0;
 
     if (Frame* f = frame())
@@ -980,7 +982,7 @@ void CachedResourceLoader::printPreloadStats()
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
-    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck);
+    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType);
     return options;
 }
 
index 0e58688..4760832 100644 (file)
@@ -133,7 +133,7 @@ public:
     void preload(CachedResource::Type, CachedResourceRequest&, const String& charset);
     void checkForPendingPreloads();
     void printPreloadStats();
-    bool canRequest(CachedResource::Type, const KURL&, bool forPreload = false);
+    bool canRequest(CachedResource::Type, const KURL&, const ResourceLoaderOptions&, bool forPreload = false);
 
     static const ResourceLoaderOptions& defaultCachedResourceOptions();
 
index 1855854..c63344c 100644 (file)
@@ -62,7 +62,7 @@ void IconLoader::startLoading()
     if (m_resource || !m_frame->document())
         return;
 
-    CachedResourceRequest request(ResourceRequest(m_frame->loader()->icon()->url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, DoSecurityCheck));
+    CachedResourceRequest request(ResourceRequest(m_frame->loader()->icon()->url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType));
 
 #if PLATFORM(BLACKBERRY)
     request.mutableResourceRequest().setTargetType(ResourceRequest::TargetIsFavicon);