Skip Content Security Policy check for a media request using standard schemes initiat...
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jun 2017 22:04:31 +0000 (22:04 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jun 2017 22:04:31 +0000 (22:04 +0000)
an element in user agent shadow tree
https://bugs.webkit.org/show_bug.cgi?id=155505
<rdar://problem/25169452>

Reviewed by Brent Fulgham.

This change makes the following tests pass on iOS 11:
    http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
    http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html

* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::requestResource):
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@218609 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/MediaResourceLoader.cpp
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm

index 0c474e0..171c873 100644 (file)
@@ -1,3 +1,21 @@
+2017-06-20  Daniel Bates  <dabates@apple.com>
+
+        Skip Content Security Policy check for a media request using standard schemes initiated from
+        an element in user agent shadow tree
+        https://bugs.webkit.org/show_bug.cgi?id=155505
+        <rdar://problem/25169452>
+
+        Reviewed by Brent Fulgham.
+
+        This change makes the following tests pass on iOS 11:
+            http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
+            http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
+
+        * loader/MediaResourceLoader.cpp:
+        (WebCore::MediaResourceLoader::requestResource):
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::startLoading):
+
 2017-06-20  Andreas Kling  <akling@apple.com>
 
         Remove no-op calls to purge SQLite caches on memory pressure.
index c170579..72caea7 100644 (file)
@@ -76,8 +76,8 @@ RefPtr<PlatformMediaResource> MediaResourceLoader::requestResource(ResourceReque
         request.makeUnconditional();
 #endif
 
-    // FIXME: Skip Content Security Policy check if the element that initiated this request is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
-    CachedResourceRequest cacheRequest(WTFMove(request), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, DoSecurityCheck, FetchOptions::Mode::NoCors, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, cachingPolicy));
+    ContentSecurityPolicyImposition contentSecurityPolicyImposition = m_mediaElement && m_mediaElement->isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
+    CachedResourceRequest cacheRequest(WTFMove(request), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, DoSecurityCheck, FetchOptions::Mode::NoCors, DoNotIncludeCertificateInfo, contentSecurityPolicyImposition, DefersLoadingPolicy::AllowDefersLoading, cachingPolicy));
     cacheRequest.setAsPotentiallyCrossOrigin(m_crossOriginMode, *m_document);
     if (m_mediaElement)
         cacheRequest.setInitiator(*m_mediaElement.get());
index 37bc487..c8e403a 100644 (file)
@@ -71,7 +71,7 @@ void WebCoreAVFResourceLoader::startLoading()
     resourceRequest.setPriority(ResourceLoadPriority::Low);
 
     // FIXME: Skip Content Security Policy check if the element that inititated this request
-    // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
+    // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=173498>.
     CachedResourceRequest request(WTFMove(resourceRequest), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, ClientCredentialPolicy::CannotAskClientForCredentials, FetchOptions::Credentials::Omit, DoSecurityCheck, FetchOptions::Mode::NoCors, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::DisallowCaching));
     if (auto* loader = m_parent->player()->cachedResourceLoader())
         m_resource = loader->requestMedia(WTFMove(request));