-rw-r--r--Source/WebCore/loader/cache/CachedResourceLoader.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/Source/WebCore/loader/cache/CachedResourceLoader.cpp b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
index 80e2f8de2..0735fc8ff 100644
--- a/Source/WebCore/loader/cache/CachedResourceLoader.cpp
+++ b/Source/WebCore/loader/cache/CachedResourceLoader.cpp
@@ -35,6 +35,8 @@
#include "CachedResourceRequest.h"
#include "CachedScript.h"
#include "CachedXSLStyleSheet.h"
+#include "Chrome.h"
+#include "ChromeClient.h"
#include "Console.h"
#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
@@ -48,6 +50,7 @@
#include "LoaderStrategy.h"
#include "Logging.h"
#include "MemoryCache.h"
+#include "Page.h"
#include "PingLoader.h"
#include "PlatformStrategies.h"
#include "ResourceLoadScheduler.h"
@@ -409,6 +412,12 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
#endif
}
+ // SVG Images have unique security rules that prevent all subresource requests except for data urls.
+ if (type != CachedResource::MainResource && frame() && frame()->page()) {
+ if (frame()->page()->chrome().client()->isSVGImageChromeClient() && !url.protocolIsData())
+ return false;
+ }
+
// Last of all, check for insecure content. We do this last so that when
// folks block insecure content with a CSP policy, they don't get a warning.
// They'll still get a warning in the console about CSP blocking the load.
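Review bot: The new SVG-image guard is skipped whenever `frame()` or `frame()->page()` is null, so the restriction fails open on that path; it is worth confirming that no request can reach this point with a detached frame, or saying so in the comment. The result of `chrome().client()` is dereferenced without a null check, which is safe only if Chrome always holds a client (not visible in this hunk). The comment could also say why the main resource is exempt, e.g. `// The main resource is the SVG document itself; every other load issued from an SVG image must be a data: URL.` The denial returns false without a console message, unlike the CSP path described in the comment just below, so a blocked subresource will be hard to diagnose. The body of canRequest starts and ends outside the hunk.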