Cross-Origin-Embedder-Policy: require-corp prevents loading of data URL images

https://bugs.webkit.org/show_bug.cgi?id=233131
<rdar://85236459>

Reviewed by Geoffrey Garen.

Source/WebCore:

When doing an initial data URL <img> load, we properly wouldn't perform a cross-origin resource policy check.
This is per the Fetch specification that says to use a scheme fetch [1] when the request URL is a data URL.
When the protocol is data, the scheme fetch algorithm would return a response without performing an HTTP
Fetch. The HTTP check [2] is the algorithm that actually performs a cross-origin resource policy check, at
step 7.

The issue with our implementation was that data URL <img> loads would perform a cross-origin resource policy
check in the case where the image is loaded from our memory cache, due to a check we had in
CachedResourceLoader::requestResource(). As a result, data URL <img> loads would fail when served from the
memory cache, when CORP is enforced. To address the issue and match the specification, we now disable this
CORP check when the request URL is a data URL.

[1] https://fetch.spec.whatwg.org/#scheme-fetch
[2] https://fetch.spec.whatwg.org/#concept-http-fetch

Test: http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):

LayoutTests:

Add layout test coverage. This test is based on a reduced test case from Cameron McCormack.

* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url-expected.txt: Added.
* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html: Added.
* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html.headers: Added.



Canonical link: https://commits.webkit.org/244263@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@285823 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cdumez committed Nov 15, 2021
1 parent 0c63065 commit 7f6e68b9c1e18f091c530a05e1c8e8f4c45737b4
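The behaviour described in the commit message above, as a simplified JavaScript model added here (not WebKit code and not part of the commit). It follows the Fetch CORP check for the same-origin and cross-origin cases only; the loader, cache, origins and image payload are constructed for illustration. It shows why a cache-hit check blocks a data URL image under `require-corp` (opaque origin, no CORP header) and what the exemption changes.

```javascript
// Simplified model of the Fetch "cross-origin resource policy check".
// Only same-origin/cross-origin outcomes are modelled; same-site is omitted.
function sameOrigin(a, b) {
  // Opaque origins serialize as "null" and never match anything.
  return a !== "null" && b !== "null" && a === b;
}

function corpCheck(coep, documentOrigin, url, responseHeaders) {
  const urlOrigin = new URL(url).origin; // "null" for data: URLs
  if (sameOrigin(documentOrigin, urlOrigin)) return "allowed";
  let policy = responseHeaders["cross-origin-resource-policy"] ?? null;
  if (policy !== "same-origin" && policy !== "cross-origin") policy = null;
  // Under require-corp, a missing header is treated as same-origin.
  if (policy === null && coep === "require-corp") policy = "same-origin";
  return policy === "same-origin" ? "blocked" : "allowed";
}

// Toy loader with a memory cache keyed by URL (hypothetical helper).
// `exemptDataURLs` switches between the old and the fixed cache-hit behaviour.
function makeLoader(coep, documentOrigin, { exemptDataURLs }) {
  const memoryCache = new Map();
  return function load(url, networkHeaders = {}) {
    const isData = new URL(url).protocol === "data:";
    if (memoryCache.has(url)) {
      // Cache-hit path: the check that used to run for every no-cors request.
      const skip = exemptDataURLs && isData;
      if (!skip && corpCheck(coep, documentOrigin, url, memoryCache.get(url)) === "blocked")
        return "blocked (memory cache)";
      return "loaded (memory cache)";
    }
    // Initial load: data: goes through scheme fetch, so no CORP check runs;
    // everything else goes through HTTP fetch, which does run it.
    if (!isData && corpCheck(coep, documentOrigin, url, networkHeaders) === "blocked")
      return "blocked (network)";
    memoryCache.set(url, isData ? {} : networkHeaders);
    return isData ? "loaded (scheme fetch)" : "loaded (network)";
  };
}

const DATA_IMG = "data:image/png;base64,AAAA"; // constructed placeholder payload
const DOC = "https://embedder.example";        // constructed document origin

// Load the same data URL image twice: initial load, then memory-cache hit.
function scenario(exemptDataURLs, coep = "require-corp") {
  const load = makeLoader(coep, DOC, { exemptDataURLs });
  return [load(DATA_IMG), load(DATA_IMG)];
}
```

`scenario(false)` reproduces the reported failure on the second load; `scenario(true)` models the fixed behaviour, while cross-origin HTTP images without a CORP header stay blocked on both paths.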
@@ -1,3 +1,17 @@
2021-11-15 Chris Dumez <cdumez@apple.com>

`Cross-Origin-Embedder-Policy: require-corp` prevents loading of data URL images
https://bugs.webkit.org/show_bug.cgi?id=233131
<rdar://85236459>

Reviewed by Geoffrey Garen.

Add layout test coverage. This test is based on a reduce test case from Cameron McCormack.

* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url-expected.txt: Added.
* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html: Added.
* http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html.headers: Added.

2021-11-15 Kiet Ho <tho22@apple.com>

Implement parsing and animation support for offset-rotate
@@ -0,0 +1,3 @@

PASS Tests that loading of data URL images works when COEP: require-corp is used

@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html>
<head>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
</head>
<body>
<img src="%2FwA0XsCoAAAAFElEQVQYGWNgGAWjYBSMglFATwAABXgAAYNi4HQAAAAASUVORK5CYII%3D">
<script>
async_test((t) => {
onload = t.step_func(function() {
let img = document.querySelector("img");
let clone = img.cloneNode();
clone.onload = t.step_func_done(() => {
});
clone.onerror = t.unreached_func();
document.body.append(clone);
t.add_cleanup(() => {
img.remove();
clone.remove();
});
});
}, "Tests that loading of data URL images works when COEP: require-corp is used");
</script>
</body>
</html>
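Review bot: require-corp-data-url.html only covers the case the fix exempts; nothing here checks that a cross-origin HTTP image served without a Cross-Origin-Resource-Policy header is still rejected when it is loaded a second time under `Cross-Origin-Embedder-Policy: require-corp`, so a later change that widens the exemption would not be caught. Consider adding that negative case alongside this one. It would also help to add a comment saying that the `img.cloneNode()` load is the one expected to be served from the memory cache, since the empty `clone.onload` handler does not make that intent visible, and to pass a description to `t.unreached_func()` so a failure names the cached load.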
@@ -0,0 +1 @@
Cross-Origin-Embedder-Policy: require-corp
@@ -1,3 +1,31 @@
2021-11-15 Chris Dumez <cdumez@apple.com>

`Cross-Origin-Embedder-Policy: require-corp` prevents loading of data URL images
https://bugs.webkit.org/show_bug.cgi?id=233131
<rdar://85236459>

Reviewed by Geoffrey Garen.

When doing an initial data URL <img> load, we properly wouldn't perform a cross-origin resource policy check.
This is per the Fetch specification that says to use a scheme fetch [1] when the request URL is a data URL.
When the protocol is data, the scheme fetch algorithm would return a response without performing an HTTP
Fetch. The HTTP check [2] is the algorithm that actually performs a cross-origin resource policy check, at
step 7.

The issue with our implementation was that data URL <img> loads would perform a cross-origin resource policy
check in the case where the image is loaded from our memory cache, due to a check we had in
CachedResourceLoader::requestResource(). As a result, data URL <img> loads would fail when served from the
memory cache, when CORP is enforced. To address the issue and match the specification, we now disable this
CORP check when the request URL is a data URL.

[1] https://fetch.spec.whatwg.org/#scheme-fetch
[2] https://fetch.spec.whatwg.org/#concept-http-fetch

Test: http/wpt/html/cross-origin-embedder-policy/require-corp-data-url.html

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):

2021-11-15 Kiet Ho <tho22@apple.com>

Implement parsing and animation support for offset-rotate
@@ -1014,11 +1014,15 @@ ResourceErrorOr<CachedResourceHandle<CachedResource>> CachedResourceLoader::requ
return makeUnexpected(WTFMove(*error));
}
}
if (request.options().mode == FetchOptions::Mode::NoCors) {
// Per the Fetch specification, the "cross-origin resource policy check" should only occur in the HTTP Fetch case (https://fetch.spec.whatwg.org/#concept-http-fetch).
// However, per https://fetch.spec.whatwg.org/#main-fetch, if the request URL's protocol is "data:", then we should perform a scheme fetch which would end up
// returning a response WITHOUT performing an HTTP fetch (and thus no CORP check).
if (request.options().mode == FetchOptions::Mode::NoCors && !url.protocolIsData()) {
auto coep = document() ? document()->crossOriginEmbedderPolicy().value : CrossOriginEmbedderPolicyValue::UnsafeNone;
if (auto error = validateCrossOriginResourcePolicy(coep, *request.origin(), request.resourceRequest().url(), resource->response(), ForNavigation::No))
return makeUnexpected(WTFMove(*error));

}
if (request.options().mode == FetchOptions::Mode::NoCors) {
if (auto error = validateRangeRequestedFlag(request.resourceRequest(), resource->response()))
return makeUnexpected(WTFMove(*error));
}
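Review bot: the new guard tests `url.protocolIsData()`, but the validateCrossOriginResourcePolicy() call inside it is given `request.resourceRequest().url()`; if those two can differ at this point in requestResource(), the decision to skip CORP enforcement and the check itself would be looking at different URLs. Since this condition decides whether a memory-cached response bypasses the CORP check, consider using the same expression in both places, or asserting that they match. The block that follows repeats `request.options().mode == FetchOptions::Mode::NoCors` for validateRangeRequestedFlag(); a one-line comment stating that the range-requested check is intentionally kept for data URLs would make the split easier to read.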
