Tighten up stylesheet loading
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 5 Jan 2020 19:18:14 +0000 (19:18 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 5 Jan 2020 19:18:14 +0000 (19:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189913

Patch by Rob Buis <rbuis@igalia.com> on 2020-01-05
Reviewed by Antti Koivisto.

LayoutTests/imported/w3c:

Update improved test result.

* web-platform-tests/html/semantics/document-metadata/the-link-element/link-load-error-events.https-expected.txt:

Source/WebCore:

When fetching and processing a linked resource [1], step 11.3 states
that fetch failure should result in a network error. This patch
implements that for stylesheets.

The behavior matches Chrome and Firefox.

[1] https://html.spec.whatwg.org/multipage/semantics.html#default-fetch-and-process-the-linked-resource

Test: imported/w3c/web-platform-tests/html/semantics/document-metadata/the-link-element/link-load-error-events.https.html

* css/StyleRuleImport.cpp:
(WebCore::StyleRuleImport::requestStyleSheet):
* css/StyleSheetContents.h:
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process):

LayoutTests:

Adjust test to new behavior.

* http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-expected.txt:
* http/tests/security/mixedContent/resources/frame-with-insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254043 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-expected.txt
LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet.html
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/html/semantics/document-metadata/the-link-element/link-load-error-events.https-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/css/StyleRuleImport.cpp
Source/WebCore/css/StyleSheetContents.h
Source/WebCore/html/HTMLLinkElement.cpp

index d1bc17e..9b6e8f6 100644 (file)
@@ -1,3 +1,15 @@
+2020-01-05  Rob Buis  <rbuis@igalia.com>
+
+        Tighten up stylesheet loading
+        https://bugs.webkit.org/show_bug.cgi?id=189913
+
+        Reviewed by Antti Koivisto.
+
+        Adjust test to new behavior.
+
+        * http/tests/security/mixedContent/insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet-expected.txt:
+        * http/tests/security/mixedContent/resources/frame-with-insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet.html:
+
 2020-01-05  Ross Kirsling  <ross.kirsling@sony.com>
 
         JavaScript: Invalid date parse for ISO 8601 strings when no timezone given
index 4220cc7..0bffc21 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 14: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet.html was not allowed to run insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-stylesheet.php.
+CONSOLE MESSAGE: line 13: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-stylesheet-redirects-to-basic-auth-secure-stylesheet.html was not allowed to run insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-stylesheet.php.
 
 This test opens a new window to a secure page that loads an insecure stylesheet that redirects to a secure stylesheet guarded by basic authentication. The secure script should be blocked because it requires credentials and was loaded via an insecure redirect.
 
index df62bcd..7298afe 100644 (file)
@@ -10,8 +10,7 @@ function checkDidLoadStylesheet()
         window.opener.postMessage("PASS did not load stylesheet.", "*");
 }
 </script>
-<!-- For some reason, a blocked stylesheet is not treated as a network error. -->
-<link rel="stylesheet" href="http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-stylesheet.php" onload="checkDidLoadStylesheet()">
+<link rel="stylesheet" href="http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-stylesheet.php" onerror="checkDidLoadStylesheet()">
 </head>
 <body>
 </body>
index 0d346ad..daeaece 100644 (file)
@@ -1,3 +1,14 @@
+2020-01-05  Rob Buis  <rbuis@igalia.com>
+
+        Tighten up stylesheet loading
+        https://bugs.webkit.org/show_bug.cgi?id=189913
+
+        Reviewed by Antti Koivisto.
+
+        Update improved test result.
+
+        * web-platform-tests/html/semantics/document-metadata/the-link-element/link-load-error-events.https-expected.txt:
+
 2020-01-03  Rob Buis  <rbuis@igalia.com>
 
         Make text track loading set same-origin fallback flag
index b07773c..435e90c 100644 (file)
@@ -8,8 +8,8 @@ FAIL Import of import of nonexistent stylesheet assert_unreached: load fired whe
 FAIL Load of non-CSS stylesheet assert_unreached: load fired when error expected Reached unreachable code
 FAIL Import of non-CSS stylesheet assert_unreached: load fired when error expected Reached unreachable code
 FAIL Import of import of non-CSS stylesheet assert_unreached: load fired when error expected Reached unreachable code
-FAIL Load of http:// stylesheet assert_unreached: load fired when error expected Reached unreachable code
-FAIL Import of http:// stylesheet assert_unreached: load fired when error expected Reached unreachable code
+PASS Load of http:// stylesheet 
+PASS Import of http:// stylesheet 
 FAIL Import of import of http:// stylesheet assert_unreached: load fired when error expected Reached unreachable code
 PASS Load of https:// stylesheet 
 PASS Import of https:// stylesheet 
index 4136f0a..cbf2a96 100644 (file)
@@ -1,3 +1,26 @@
+2020-01-05  Rob Buis  <rbuis@igalia.com>
+
+        Tighten up stylesheet loading
+        https://bugs.webkit.org/show_bug.cgi?id=189913
+
+        Reviewed by Antti Koivisto.
+
+        When fetching and processing a linked resource [1], step 11.3 states
+        that fetch failure should result in a network error. This patch
+        implements that for stylesheets.
+
+        The behavior matches Chrome and Firefox.
+
+        [1] https://html.spec.whatwg.org/multipage/semantics.html#default-fetch-and-process-the-linked-resource
+
+        Test: imported/w3c/web-platform-tests/html/semantics/document-metadata/the-link-element/link-load-error-events.https.html
+
+        * css/StyleRuleImport.cpp:
+        (WebCore::StyleRuleImport::requestStyleSheet):
+        * css/StyleSheetContents.h:
+        * html/HTMLLinkElement.cpp:
+        (WebCore::HTMLLinkElement::process):
+
 2020-01-05  Zalan Bujtas  <zalan@apple.com>
 
         [LFC][Integration] Fix compositing/masks/compositing-clip-path-change-no-repaint.html
index 8a1565b..ce17fb4 100644 (file)
@@ -156,6 +156,9 @@ void StyleRuleImport::requestStyleSheet()
             m_parentStyleSheet->startLoadingDynamicSheet();
         m_loading = true;
         m_cachedSheet->addClient(m_styleSheetClient);
+    } else if (m_parentStyleSheet) {
+        m_parentStyleSheet->setLoadErrorOccured();
+        m_parentStyleSheet->checkLoaded();
     }
 }
 
index cedc0ed..dfa8cbf 100644 (file)
@@ -147,6 +147,8 @@ public:
     void setAsOpaque() { m_parserContext.isContentOpaque = true; }
     bool isContentOpaque() const { return m_parserContext.isContentOpaque; }
 
+    void setLoadErrorOccured() { m_didLoadErrorOccur = true; }
+
 private:
     WEBCORE_EXPORT StyleSheetContents(StyleRuleImport* ownerRule, const String& originalURL, const CSSParserContext&);
     StyleSheetContents(const StyleSheetContents&);
index 5b46b9e..396c937 100644 (file)
@@ -348,7 +348,7 @@ void HTMLLinkElement::process()
             // The request may have been denied if (for example) the stylesheet is local and the document is remote.
             m_loading = false;
             sheetLoaded();
-            notifyLoadedSheetAndAllCriticalSubresources(false);
+            notifyLoadedSheetAndAllCriticalSubresources(true);
         }
     } else if (m_sheet) {
         // we no longer contain a stylesheet, e.g. perhaps rel or type was changed