68011 2011-09-13 11:02:47 -0700 CORS images viewed from different domains fail security checks 2011-10-13 02:14:26 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 abarth abarth ap kbr webkit.review.bot oldest_to_newest 466401 0 abarth 2011-09-13 11:02:47 -0700 Report from developer: === 1. Load a page that fetches images from a client on domainA to server that responds with Access-Control-Allow-Origin: *. 2. Load the same images from domainB, and attempt to embed them in a WebGL canvas on the page on domainB. Expected: should be able to embed the images. Actual: DOM security error 18 occurs. The problem appears to be that domainA is encoded in the cache entry from step 1, despite the server specifying *. Then when loading the page on domainB, Chrome refuses to allow access to embed the image in the WebGL canvas. === 466623 1 abarth 2011-09-13 15:42:54 -0700 (I haven't reproduced this yet, so I'm not entirely sure what's causing the issue.) 468305 2 abarth 2011-09-15 22:57:17 -0700 I'm having trouble reproducing the issue. I need to follow up with the original reporter. In the mean time, here is a LayoutTest capturing the reproduction steps. 468308 3 107607 abarth 2011-09-15 22:58:20 -0700 Created attachment 107607 Patch 468978 4 107607 webkit.review.bot 2011-09-16 18:46:44 -0700 Comment on attachment 107607 Patch Clearing flags on attachment: 107607 Committed r95351: <http://trac.webkit.org/changeset/95351> 468979 5 webkit.review.bot 2011-09-16 18:46:48 -0700 All reviewed patches have been landed. Closing bug. 469021 6 abarth 2011-09-16 22:07:20 -0700 I'm going to leave this bug open while I check back with the developer who ran into the problem. 483075 7 abarth 2011-10-13 02:14:26 -0700 I think the original reporter was confused about how cache interacts with non-anonymous CORS requests, which is non-intuitive. 107607 2011-09-15 22:58:20 -0700 2011-09-16 18:46:44 -0700 Patch bug-68011-20110915225819.patch text/plain 3676 abarth U3VidmVyc2lvbiBSZXZpc2lvbjogOTUyNjkKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5n ZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCA1YjY3OTgwOWVjYjU2MjUzNjYzNjYw Mzg0OWM5ZmIxYjVkY2VmMzQ3Li4zYmUzZWE2NGU2ZDNkM2JkOTE1NDg5NTI5YjM5ZGNkYjMzYmMw Yzc4IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMv Q2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcgQEAKKzIwMTEtMDktMTUgIEFkYW0gQmFydGggIDxhYmFy dGhAd2Via2l0Lm9yZz4KKworICAgICAgICBDT1JTIGltYWdlcyB2aWV3ZWQgZnJvbSBkaWZmZXJl bnQgZG9tYWlucyBmYWlsIHNlY3VyaXR5IGNoZWNrcworICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjgwMTEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBJIGFtIHVuYWJsZSB0byByZXByb2R1Y2UgdGhlIGJ1Zywg YnV0IHRoZSB0ZXN0IEkgd3JvdGUgaW4gdGhlIHByb2Nlc3MKKyAgICAgICAgbWlnaHQgYmUgd29y dGggaGF2aW5nIGFueXdheS4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvY2FudmFz LWNvcnMtd2l0aC10d28taG9zdHMtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRw L3Rlc3RzL3NlY3VyaXR5L2NhbnZhcy1jb3JzLXdpdGgtdHdvLWhvc3RzLmh0bWw6IEFkZGVkLgor ICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvcmVzb3VyY2VzL2NhbnZhcy1jb3JzLXN1YnRl c3QuaHRtbDogQWRkZWQuCisKIDIwMTEtMDktMTUgIEtlaXNoaSBIYXR0b3JpICA8a2Vpc2hpQHdl YmtpdC5vcmc+CiAKICAgICAgICAgW2Nocm9taXVtXSBhZGQgdGltZW91dCB0byB0ZXN0IGV4cGVj dGF0aW9uIG9mIHN0eWxlcy1uZXctQVBJLmh0bWwKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvY2FudmFzLWNvcnMtd2l0aC10d28taG9zdHMtZXhwZWN0ZWQudHh0 IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jYW52YXMtY29ycy13aXRoLXR3by1o b3N0cy1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uZWQ3MTA5ZGY1NGIwY2JjOGQyZDA5NDhiOTNj YjBmMmNkZTNhMTM4MgotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMv c2VjdXJpdHkvY2FudmFzLWNvcnMtd2l0aC10d28taG9zdHMtZXhwZWN0ZWQudHh0CkBAIC0wLDAg KzEsMTMgQEAKKyAKKworLS0tLS0tLS0KK0ZyYW1lOiAnPCEtLWZyYW1lUGF0aCAvLzwhLS1mcmFt ZTAtLT4tLT4nCistLS0tLS0tLQorUEFTUworCisKKy0tLS0tLS0tCitGcmFtZTogJzwhLS1mcmFt ZVBhdGggLy88IS0tZnJhbWUxLS0+LS0+JworLS0tLS0tLS0KK1BBU1MKKwpkaWZmIC0tZ2l0IGEv TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jYW52YXMtY29ycy13aXRoLXR3by1ob3N0 cy5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jYW52YXMtY29ycy13aXRo LXR3by1ob3N0cy5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjczNDAzY2Y1Njg3NDJhYWJmZGQ3MDE4OTBhZThj ZGY4NzMxNzQwNmYKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3Nl Y3VyaXR5L2NhbnZhcy1jb3JzLXdpdGgtdHdvLWhvc3RzLmh0bWwKQEAgLTAsMCArMSwyNiBAQAor PHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgICBsYXlvdXRU ZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVt cENoaWxkRnJhbWVzQXNUZXh0KCk7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIud2FpdFVudGls RG9uZSgpOworfQorCitkb25lQ291bnQgPSAwOworCit3aW5kb3cuYWRkRXZlbnRMaXN0ZW5lcign bWVzc2FnZScsIGZ1bmN0aW9uKGV2dCkgeworICAgIGlmIChldnQuZGF0YSA9PSAnZG9uZScpIHsK KyAgICAgICAgKytkb25lQ291bnQ7CisKKyAgICAgICAgaWYgKGRvbmVDb3VudCA+IDEpIHsKKyAg ICAgICAgICAgIGlmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpCisgICAgICAgICAgICAg ICAgbGF5b3V0VGVzdENvbnRyb2xsZXIubm90aWZ5RG9uZSgpOworICAgICAgICAgICAgcmV0dXJu OworICAgICAgICB9CisKKyAgICAgICAgdmFyIGlmcmFtZSA9IGRvY3VtZW50LmNyZWF0ZUVsZW1l bnQoJ2lmcmFtZScpOworICAgICAgICBpZnJhbWUuc3JjID0gImh0dHA6Ly8xMjcuMC4wLjE6ODA4 MC9zZWN1cml0eS9yZXNvdXJjZXMvY2FudmFzLWNvcnMtc3VidGVzdC5odG1sIjsKKyAgICAgICAg ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChpZnJhbWUpOworICAgIH0KK30pOworPC9zY3JpcHQ+ Cis8aWZyYW1lIHNyYz0iaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L3Jlc291cmNlcy9j YW52YXMtY29ycy1zdWJ0ZXN0Lmh0bWwiPjwvaWZyYW1lPgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVz dHMvaHR0cC90ZXN0cy9zZWN1cml0eS9yZXNvdXJjZXMvY2FudmFzLWNvcnMtc3VidGVzdC5odG1s IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9yZXNvdXJjZXMvY2FudmFzLWNvcnMt c3VidGVzdC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmE3MjAzNTM3MDYzZTg1NWU0MzRkMjBiZDFmNzNkOGJk YjVkZTI5N2IKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L3Jlc291cmNlcy9jYW52YXMtY29ycy1zdWJ0ZXN0Lmh0bWwKQEAgLTAsMCArMSwyOSBAQAor PHByZSBpZD0iY29uc29sZSI+PC9wcmU+Cis8c2NyaXB0PgorbG9nID0gZnVuY3Rpb24obXNnKSB7 CisgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2NvbnNvbGUnKS5hcHBlbmRDaGlsZChkb2N1 bWVudC5jcmVhdGVUZXh0Tm9kZShtc2cgKyAiXG4iKSk7Cit9CisKK3ZhciBpbWFnZSA9IG5ldyBJ bWFnZSgpOworCitpbWFnZS5vbmxvYWQgPSBmdW5jdGlvbigpIHsKKyAgICB2YXIgY2FudmFzID0g ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiY2FudmFzIik7CisgICAgY2FudmFzLndpZHRoID0gMTAw OworICAgIGNhbnZhcy5oZWlnaHQgPSAxMDA7CisgICAgdmFyIGNvbnRleHQgPSBjYW52YXMuZ2V0 Q29udGV4dCgiMmQiKTsKKworICAgIGNvbnRleHQuZHJhd0ltYWdlKGltYWdlLCAwLCAwLCAxMDAs IDEwMCk7CisKKyAgICB0cnkgeworICAgICAgICB2YXIgaW1hZ2VEYXRhID0gY29udGV4dC5nZXRJ bWFnZURhdGEoMCwwLDEwMCwxMDApOworICAgICAgICBsb2coIlBBU1MiKTsKKyAgICB9IGNhdGNo IChlKSB7CisgICAgICAgIGxvZygiRkFJTCIpOworICAgIH0KKworICAgIHRvcC5wb3N0TWVzc2Fn ZSgnZG9uZScsICcqJyk7Cit9CisKK2ltYWdlLmNyb3NzT3JpZ2luID0gImFub255bW91cyI7Citp bWFnZS5zcmMgPSAiaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3Jlc291cmNlcy9hYmUt YWxsb3ctc3Rhci5waHAiOworPC9zY3JpcHQ+Cg==