Commit
Disallow cross-origin same-page image drag-drop
Capture ImageResourceContent::IsAccessAllowed() when image drag starts. This should be true if image is same-origin as frame, or has set <img crossorigin ...> and CORS Access-Control-Allow-Origin header was included.

Only populate image (FileContents) in drag/drop events if access is allowed, or if target page (RenderViewHostID) does not match source page.

Fixed: 1264873
Change-Id: Ia830a9a111008555d0f8f8e12e85666a2ae0b26d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3257967
Auto-Submit: Joel Hockey <joelhockey@chromium.org>
Commit-Queue: Joel Hockey <joelhockey@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#939734}
Authored by Joel Hockey, committed by Chromium LUCI CQ on Nov 9, 2021
Parent: fce9da0
Commit: f62c364
18 changed files with 253 additions and 116 deletions
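The commit message above describes a two-part policy: record at drag start whether the page is allowed to read the image's pixels (same-origin, or a CORS-enabled `<img crossorigin>` load whose response carried a permitting Access-Control-Allow-Origin), and then attach the image's FileContents to drag/drop events only when that access was allowed or the drop target is a different page. The block below is an added example written for this page; it is not Chromium's code, and the names `ImageDragInfo`, `IsAccessAllowed` and `ShouldPopulateFileContents` are hypothetical. The CORS origin matching it performs (wildcard accepted for anonymous requests, exact origin plus Access-Control-Allow-Credentials required when credentials are sent) follows the Fetch specification's basic rules and is an assumption of the example rather than a transcription of Blink's implementation.

```cpp
// Added example, not Chromium code: models the gate described in the
// commit message. All type and function names here are hypothetical.
#include <cassert>
#include <iostream>
#include <string>

// Simplified inputs captured when an image drag starts (assumed fields).
struct ImageDragInfo {
  std::string frame_origin;   // origin of the frame that owns the <img>
  std::string image_origin;   // origin the image bytes were fetched from
  bool has_crossorigin_attr;  // <img crossorigin ...> was present
  bool use_credentials;       // crossorigin="use-credentials"
  std::string acao_header;    // Access-Control-Allow-Origin value, "" if absent
  bool acac_true;             // Access-Control-Allow-Credentials: true present
};

// Access is allowed when the image is same-origin with the frame, or when it
// was loaded with <img crossorigin> and the server's CORS response permits
// the frame's origin. A cross-origin no-cors load is opaque: the page may
// display it but must not be able to read its bytes.
bool IsAccessAllowed(const ImageDragInfo& info) {
  if (info.image_origin == info.frame_origin) return true;
  if (!info.has_crossorigin_attr) return false;  // no-cors load, opaque
  if (info.acao_header.empty()) return false;    // no CORS header at all
  if (info.use_credentials) {
    // Wildcard is not valid for credentialed requests (Fetch spec rule).
    return info.acao_header == info.frame_origin && info.acac_true;
  }
  return info.acao_header == "*" || info.acao_header == info.frame_origin;
}

// Decision made when drag/drop events are dispatched: file contents are
// attached only if access was allowed at drag start, or if the drop target
// is a different page (different RenderViewHost id) from the source, since
// a page cannot read a drop delivered to some other page.
bool ShouldPopulateFileContents(bool access_allowed, int source_rvh_id,
                                int target_rvh_id) {
  return access_allowed || source_rvh_id != target_rvh_id;
}

int main() {
  // Constructed inputs: a cross-origin image served with a wildcard ACAO,
  // dragged and dropped within the same page.
  ImageDragInfo opaque{"https://a.example", "https://b.example",
                       /*has_crossorigin_attr=*/false, /*use_credentials=*/false,
                       "*", /*acac_true=*/false};
  bool allowed = IsAccessAllowed(opaque);
  std::cout << "no-cors load, same page: populate="
            << ShouldPopulateFileContents(allowed, 7, 7) << "\n";
  std::cout << "no-cors load, other page: populate="
            << ShouldPopulateFileContents(allowed, 7, 8) << "\n";
  return 0;
}
```

The important edge case is the last branch of `IsAccessAllowed`: a server that answers `Access-Control-Allow-Origin: *` (as the test fixture in this commit does) only unlocks access for anonymous `crossorigin` loads; with `crossorigin="use-credentials"` the response must name the frame's origin and also send `Access-Control-Allow-Credentials: true`.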
chrome/test/data/drag_and_drop/cors-allowed.jpg.mock-http-headers (2 additions, 0 deletions)
@@ -0,0 +1,2 @@ | ||
HTTP/1.1 200 OK | ||
Access-Control-Allow-Origin: * |
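Review bot: this fixture only exercises the anonymous CORS case. `Access-Control-Allow-Origin: *` does not satisfy the CORS check for an image requested with `crossorigin="use-credentials"`, which the `<img crossorigin ...>` condition in the commit message also covers; if the tests are meant to cover that path, add a second mock-headers fixture that returns the requesting origin together with `Access-Control-Allow-Credentials: true`, or note in the test that the wildcard fixture is the anonymous case only.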