CSS mask images should be retrieved using potentially CORS-enabled fetch
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Mar 2018 22:02:58 +0000 (22:02 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Mar 2018 22:02:58 +0000 (22:02 +0000)
commit 85d1cec96bcb59dcb539a174699b71c99cbd46f3
tree eba5b15e295efcc74a003566bf9f57361726f91e
parent 86d9867a59a847313ef6fed1cf8afad8245e0dc1
CSS mask images should be retrieved using potentially CORS-enabled fetch
https://bugs.webkit.org/show_bug.cgi?id=179983
<rdar://problem/35678149>

Reviewed by Brent Fulgham.

Source/WebCore:

As per <https://drafts.fxtf.org/css-masking-1/#priv-sec> (Editor's Draft, 23 December 2017)
we should fetch CSS mask images using a potentially CORS-enabled fetch.

Both cross-origin CSS shape-outside images and CSS mask images may be sensitive to timing
attacks that can be used to reveal their pixel data when retrieved without regard to CORS.
For the same reason that we fetch CSS shape-outside images using a potentially CORS-enabled
fetch we should fetch CSS mask the same way. This also makes the behavior of WebKit more
closely align with the behavior in the spec.

Test: http/tests/security/css-mask-image.html

* style/StylePendingResources.cpp: Substitute LoadPolicy::NoCORS and LoadPolicy::Anonymous for
LoadPolicy::Normal and LoadPolicy::ShapeOutside, respectively, to match the terminology used
in the HTML, CSS Shapes Module Level 1, and CSS Masking Module Level 1 specs.
(WebCore::Style::loadPendingImage): Ditto.
(WebCore::Style::loadPendingResources): Use load policy LoadPolicy::Anonymous when fetching
a mask image or shape-outside image.

LayoutTests:

Add a test to ensure we do not fetch a cross-origin CSS mask image that does
not allow CORS access.

* http/tests/security/css-mask-image-expected.html: Added.
* http/tests/security/css-mask-image.html: Added.
* http/tests/security/resources/black-square.png: Added.
* http/tests/security/resources/fail-mask.png: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@229868 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/css-mask-image-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/css-mask-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/black-square.png [new file with mode: 0644]
LayoutTests/http/tests/security/resources/fail-mask.png [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/style/StylePendingResources.cpp
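
A simplified model of the policy change described in the commit message above, added here as an illustration; it is not WebKit code and not part of the commit. Only the policy names NoCORS and Anonymous come from the commit; the function names, origins and header maps are constructed, and the mapping of other properties to NoCORS is an assumption.

```javascript
// Model of how a CSS image load is gated under the two load policies.
// Hypothetical helper names; header maps use lowercase keys.

function policyForProperty(property) {
  // Per the commit: mask images and shape-outside images use Anonymous.
  // Assumption: every other CSS image keeps the NoCORS policy.
  return property === 'mask-image' || property === 'shape-outside'
    ? 'Anonymous'
    : 'NoCORS';
}

// CORS check for an anonymous request (no credentials sent cross-origin):
// Access-Control-Allow-Origin must be "*" or the document's exact origin.
function passesCorsCheck(documentOrigin, responseHeaders) {
  const allow = responseHeaders['access-control-allow-origin'];
  if (allow === undefined) return false;
  return allow === '*' || allow === documentOrigin;
}

// Returns { usable, reason } for an image the style system wants to load.
function loadImage(property, documentUrl, imageUrl, responseHeaders) {
  const docOrigin = new URL(documentUrl).origin;
  if (new URL(imageUrl).origin === docOrigin) {
    return { usable: true, reason: 'same-origin' };
  }
  if (policyForProperty(property) === 'NoCORS') {
    // Opaque cross-origin response: painted without any CORS opt-in.
    return { usable: true, reason: 'no-cors, opaque response painted' };
  }
  return passesCorsCheck(docOrigin, responseHeaders)
    ? { usable: true, reason: 'CORS check passed' }
    : { usable: false, reason: 'CORS check failed, image not used' };
}

// Constructed sample inputs.
const DOC = 'https://site.example/page.html';
const CROSS = 'https://cdn.example/mask.png';
const SAME = 'https://site.example/mask.png';

function demo() {
  return [
    loadImage('mask-image', DOC, CROSS, {}),
    loadImage('mask-image', DOC, CROSS, { 'access-control-allow-origin': '*' }),
    loadImage('background-image', DOC, CROSS, {}),
  ].map((r) => r.usable);
}
```

A server that wants its images usable as cross-origin masks has to send an `Access-Control-Allow-Origin` header that matches the embedding origin or is `*`.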