32309 2009-12-09 00:47:10 -0800 noAccess url schemes block access to inline stylesheets 2010-06-18 03:29:01 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 eisinger webkit-unassigned abarth ap commit-queue oldest_to_newest 169925 0 eisinger 2009-12-09 00:47:10 -0800 url schemes that are listed as noAccess block access from javascripts to inline stylesheets. The description of the noAccess feature suggests that javascripts in such a document should be allowed to access itself. This is also an issue in Chrome, see http://code.google.com/p/chromium/issues/detail?id=29422 169926 1 44516 eisinger 2009-12-09 00:49:25 -0800 Created attachment 44516 test case The following html file is a small test case. The javascript announces the number of CSS rules found in the inline css stylesheet. When you encode this file as a data: link, the variable rules will be null and rules.length results into an error: data:text/html;base64,PGh0bWw+CiAgPHN0eWxlPgogICAgYm9keSB7CiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOwogICAgfQogIDwvc3R5bGU+CiAgPGJvZHk+CiAgICA8c2NyaXB0PgogICAgICB2YXIgc3R5bGVzaGVldHMgPSBkb2N1bWVudC5zdHlsZVNoZWV0czsKICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07CiAgICAgIHZhciBydWxlcyA9IHN0eWxlc2hlZXQuY3NzUnVsZXM7CiAgICAgIGFsZXJ0KHJ1bGVzLmxlbmd0aCArICcgcnVsZXMgZm91bmQnKTsKICAgIDwvc2NyaXB0PgogIDwvYm9keT4KPC9odG1sPgo= 169946 2 abarth 2009-12-09 01:54:05 -0800 This is likely a regression from my patch in this area. I'll look at this unless someone beats me to it. 205781 3 51990 abarth 2010-03-29 18:09:06 -0700 Created attachment 51990 Patch 206149 4 51990 darin 2010-03-30 13:24:46 -0700 Comment on attachment 51990 Patch The test covers the isEmpty case, but does not cover cases where baseURL != finalURL. Since you are making both changes, I think we need to test both. 206157 5 abarth 2010-03-30 13:38:30 -0700 > The test covers the isEmpty case, but does not cover cases where baseURL != > finalURL. Since you are making both changes, I think we need to test both. Looking at the implementation of baseURL(), I think the only case where they are different is when finalURL is empty: http://trac.webkit.org/browser/trunk/WebCore/css/StyleBase.cpp#L51 239809 6 51990 abarth 2010-06-18 01:38:03 -0700 Comment on attachment 51990 Patch Thanks. 239839 7 51990 commit-queue 2010-06-18 03:28:56 -0700 Comment on attachment 51990 Patch Clearing flags on attachment: 51990 Committed r61391: <http://trac.webkit.org/changeset/61391> 239840 8 commit-queue 2010-06-18 03:29:01 -0700 All reviewed patches have been landed. Closing bug. 44516 2009-12-09 00:49:25 -0800 2009-12-09 00:49:25 -0800 test case test.html text/html 311 eisinger PGh0bWw+CiAgPHN0eWxlPgogICAgYm9keSB7CiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOwogICAg fQogIDwvc3R5bGU+CiAgPGJvZHk+CiAgICA8c2NyaXB0PgogICAgICB2YXIgc3R5bGVzaGVldHMg PSBkb2N1bWVudC5zdHlsZVNoZWV0czsKICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0 c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07CiAgICAgIHZhciBydWxlcyA9IHN0eWxlc2hlZXQuY3Nz UnVsZXM7CiAgICAgIGFsZXJ0KHJ1bGVzLmxlbmd0aCArICcgcnVsZXMgZm91bmQnKTsKICAgIDwv c2NyaXB0PgogIDwvYm9keT4KPC9odG1sPgo= 51990 2010-03-29 18:09:06 -0700 2010-06-18 03:28:56 -0700 Patch bug-32309-20100329180904.patch text/plain 4158 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA4ZGQ5Njk5Li5lYmUyZGViIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMTAtMDMt MjkgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBub0FjY2VzcyB1cmwgc2NoZW1lcyBibG9jayBh Y2Nlc3MgdG8gaW5saW5lIHN0eWxlc2hlZXRzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0zMjMwOQorCisgICAgICAgIFRlc3QgdGhhdCBkYXRhIFVSTHMg Y2FuIGFjY2VzcyB0aGVpciBpbmxpbmUgc3R5bGUgc2hlZXRzLgorCisgICAgICAgICogaHR0cC90 ZXN0cy9zZWN1cml0eS9kYXRhLXVybC1pbmxpbmUuY3NzLWV4cGVjdGVkLnR4dDogQWRkZWQuCisg ICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9kYXRhLXVybC1pbmxpbmUuY3NzLmh0bWw6IEFk ZGVkLgorCiAyMDEwLTAzLTI5ICBEYXZpZCBMZXZpbiAgPGxldmluQGNocm9taXVtLm9yZz4KIAog ICAgICAgICBSdWJiZXItc3RhbXBlZCBieSBEbWl0cnkgVGl0b3YuCmRpZmYgLS1naXQgYS9MYXlv dXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2RhdGEtdXJsLWlubGluZS5jc3MtZXhwZWN0ZWQu dHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9kYXRhLXVybC1pbmxpbmUuY3Nz LWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi5iY2ZhZjg4 Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9kYXRh LXVybC1pbmxpbmUuY3NzLWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDYgQEAKK0FMRVJUOiAxIHJ1 bGVzIGZvdW5kCitUaGlzIHRlc3QgZW5zdXJlcyB0aGF0IGEgZGF0YSBVUkwgY2FuIGFjY2VzcyBp dHMgb3duIGlubGluZSBzdHlsZSBzaGVldHMuIFNvcnJ5IGZvciB0aGUgb2JzY3VyaXR5IG9mIHRo ZSB0ZXN0IGNhc2UsIGJ1dCBpdCdzIHRoZSByZXBybyBmcm9tIEJ1ZyAzMjMwOSwgd2hpY2ggaGFz IGFuICJ1bm9iZnVzY2F0ZWQiIHZlcnNpb24gb2YgdGhlIGNvZGUuCisKK1RoaXMgdGVzdCBwYXNz ZXMgaWYgaXQgYWxlcnRzIHRoYXQgaXQgZm91bmQgMSBydWxlLgorCisKZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvZGF0YS11cmwtaW5saW5lLmNzcy5odG1sIGIv TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9kYXRhLXVybC1pbmxpbmUuY3NzLmh0bWwK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uMGY2YzY0MgotLS0gL2Rldi9udWxs CisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvZGF0YS11cmwtaW5saW5lLmNz cy5odG1sCkBAIC0wLDAgKzEsMTAgQEAKKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKQorICAgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKzwvc2Ny aXB0PgorPHA+VGhpcyB0ZXN0IGVuc3VyZXMgdGhhdCBhIGRhdGEgVVJMIGNhbiBhY2Nlc3MgaXRz IG93biBpbmxpbmUgc3R5bGUgc2hlZXRzLgorU29ycnkgZm9yIHRoZSBvYnNjdXJpdHkgb2YgdGhl IHRlc3QgY2FzZSwgYnV0IGl0J3MgdGhlIHJlcHJvIGZyb20KKzxhIGhyZWY9Imh0dHBzOi8vYnVn cy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0zMjMwOSI+QnVnIDMyMzA5PC9hPiwgd2hpY2gK K2hhcyBhbiAidW5vYmZ1c2NhdGVkIiB2ZXJzaW9uIG9mIHRoZSBjb2RlLjwvcD4KKzxwPlRoaXMg dGVzdCBwYXNzZXMgaWYgaXQgYWxlcnRzIHRoYXQgaXQgZm91bmQgMSBydWxlLjwvcD4KKzxpZnJh bWUgc3JjPSJkYXRhOnRleHQvaHRtbDtiYXNlNjQsUEdoMGJXdytDaUFnUEhOMGVXeGxQZ29nSUNB Z1ltOWtlU0I3Q2lBZ0lDQWdJR0poWTJ0bmNtOTFibVE2SUdkeVpXVnVPd29nSUNBZ2ZRb2dJRHd2 YzNSNWJHVStDaUFnUEdKdlpIaytDaUFnSUNBOGMyTnlhWEIwUGdvZ0lDQWdJQ0IyWVhJZ2MzUjVi R1Z6YUdWbGRITWdQU0JrYjJOMWJXVnVkQzV6ZEhsc1pWTm9aV1YwY3pzS0lDQWdJQ0FnZG1GeUlI TjBlV3hsYzJobFpYUWdQU0J6ZEhsc1pYTm9aV1YwYzF0emRIbHNaWE5vWldWMGN5NXNaVzVuZEdn dE1WMDdDaUFnSUNBZ0lIWmhjaUJ5ZFd4bGN5QTlJSE4wZVd4bGMyaGxaWFF1WTNOelVuVnNaWE03 Q2lBZ0lDQWdJR0ZzWlhKMEtISjFiR1Z6TG14bGJtZDBhQ0FySUNjZ2NuVnNaWE1nWm05MWJtUW5L VHNLSUNBZ0lEd3ZjMk55YVhCMFBnb2dJRHd2WW05a2VUNEtQQzlvZEcxc1Bnbz0iPjwvaWZyYW1l PgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9DaGFuZ2VMb2cgYi9XZWJDb3JlL0NoYW5nZUxvZwppbmRl eCBiYWEwNTUyLi44M2NlYzczIDEwMDY0NAotLS0gYS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9X ZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI0IEBACisyMDEwLTAzLTI5ICBBZGFtIEJhcnRo ICA8YWJhcnRoQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BT ISkuCisKKyAgICAgICAgbm9BY2Nlc3MgdXJsIHNjaGVtZXMgYmxvY2sgYWNjZXNzIHRvIGlubGlu ZSBzdHlsZXNoZWV0cworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5j Z2k/aWQ9MzIzMDkKKworICAgICAgICBJbnN0ZWFkIG9mIHVzaW5nIGJhc2VVUkwoKSB0byBncmFi IHRoZSBzZWN1cml0eSBjb250ZXh0IHdlIHNob3VsZCBqdXN0CisgICAgICAgIHVzZSBmaW5hbFVS TCBkaXJlY3RseS4gIFdoZW4gSSB3cm90ZSB0aGUgb3JpZ2luYWwgcGF0Y2ggdGhhdCBhZGRlZCB0 aGlzCisgICAgICAgIHNlY3VyaXR5IGNoZWNrLCBmaW5hbFVSTCBkaWRuJ3QgZXhpc3QgeWV0Lgor CisgICAgICAgIElmIGZpbmFsVVJMIGlzIGFuIGVtcHR5IFVSTCwgdGhhdCBtZWFucyB3ZSBnZW5l cmF0ZWQgdGhlIHN0eWxlIHNoZWV0CisgICAgICAgIGZyb20gdGV4dCB0aGF0IGRpZG4ndCBoYXZl IGEgVVJMLiAgSXQgd291bGQgYmUgc2xpZ2h0bHkgc2FmZXIgdG8gc3RvcmUKKyAgICAgICAgYSBi aXQgb24gQ1NTU3R5bGVTaGVldCBpbmRpY2F0aW5nIHdoZXRoZXIgaXQgY2FtZSBmcm9tIGFuIGlu bGluZSBzdHlsZQorICAgICAgICBzaGVldCwgYnV0IEkgdGhpbmsgdGhpcyBjaGVjayBpcyBmYWly bHkgYWNjdXJhdGUuCisKKyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9zZWN1cml0eS9kYXRhLXVy bC1pbmxpbmUuY3NzLmh0bWwKKworICAgICAgICAqIGNzcy9DU1NTdHlsZVNoZWV0LmNwcDoKKyAg ICAgICAgKFdlYkNvcmU6OkNTU1N0eWxlU2hlZXQ6OmNzc1J1bGVzKToKKwogMjAxMC0wMy0yOSAg S2VubmV0aCBSdXNzZWxsICA8a2JyQGdvb2dsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkg RGFyaW4gRmlzaGVyLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9jc3MvQ1NTU3R5bGVTaGVldC5jcHAg Yi9XZWJDb3JlL2Nzcy9DU1NTdHlsZVNoZWV0LmNwcAppbmRleCBmYjI1Mzc0Li40YTEwMDAzIDEw MDY0NAotLS0gYS9XZWJDb3JlL2Nzcy9DU1NTdHlsZVNoZWV0LmNwcAorKysgYi9XZWJDb3JlL2Nz cy9DU1NTdHlsZVNoZWV0LmNwcApAQCAtMTM0LDEwICsxMzQsMTAgQEAgaW50IENTU1N0eWxlU2hl ZXQ6OmFkZFJ1bGUoY29uc3QgU3RyaW5nJiBzZWxlY3RvciwgY29uc3QgU3RyaW5nJiBzdHlsZSwg RXhjZXB0aW8KICAgICByZXR1cm4gYWRkUnVsZShzZWxlY3Rvciwgc3R5bGUsIGxlbmd0aCgpLCBl Yyk7CiB9CiAKLQogUGFzc1JlZlB0cjxDU1NSdWxlTGlzdD4gQ1NTU3R5bGVTaGVldDo6Y3NzUnVs ZXMoYm9vbCBvbWl0Q2hhcnNldFJ1bGVzKQogewotICAgIGlmIChkb2MoKSAmJiAhZG9jKCktPnNl Y3VyaXR5T3JpZ2luKCktPmNhblJlcXVlc3QoYmFzZVVSTCgpKSkKKyAgICBLVVJMIHVybCA9IGZp bmFsVVJMKCk7CisgICAgaWYgKCF1cmwuaXNFbXB0eSgpICYmIGRvYygpICYmICFkb2MoKS0+c2Vj dXJpdHlPcmlnaW4oKS0+Y2FuUmVxdWVzdCh1cmwpKQogICAgICAgICByZXR1cm4gMDsKICAgICBy ZXR1cm4gQ1NTUnVsZUxpc3Q6OmNyZWF0ZSh0aGlzLCBvbWl0Q2hhcnNldFJ1bGVzKTsKIH0K