diff options
| author | Said Abou-Hallawa <sabouhallawa@apple.com> | 2015-04-27 10:34:56 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-04-27 08:44:48 +0000 |
| commit | 8ce4aba7d1742f07c01f2786e75ff7a5c8386aa6 (patch) | |
| tree | 9acedcce67c5890d47264e139536ee4dbc73c1a9 /Source/WebCore/xml/XMLHttpRequest.cpp | |
| parent | fc4d06c43fb783c5b79444f2474d5fb6359042e7 (diff) | |
SVG loaded through html <img> can't request to load any external resources.
https://bugs.webkit.org/show_bug.cgi?id=137762.
Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2014-10-22
Reviewed by Daniel Bates.
Source/WebCore:
SVG images have unique security rules that prevent them from loading any external
resources. This patch enforces these rules in CachedResourceLoader::canRequest for
all non-data-uri resources.
The fix and the tests are ported but modified a little from the chromium fix:
http://src.chromium.org/viewvc/blink?view=rev&rev=176084
Test: http/tests/security/svg-image-with-cached-remote-image.html
http/tests/security/svg-image-with-css-cross-domain.html
For the SVG image, prevent loading any external sub-resource except for data urls.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@175074 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Iec5014e81e25c37cc6754d7cc73645b17994974f
Reviewed-by: Michael BrĂ¼ning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'Source/WebCore/xml/XMLHttpRequest.cpp')
0 files changed, 0 insertions, 0 deletions