| Summary: | Origin header is not included in CORS requests for preloaded cross-origin resources |
|---|---|
| Product: | WebKit |
| Reporter: | Josh Dover <me> |
| Component: | Page Loading |
| Assignee: | youenn fablet <youennf> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | achristensen, ap, beidson, cdumez, commit-queue, dbates, esprehn+autocc, gyuyoung.kim, japhet, koivisto, ryanhaddad, webkit-bug-importer, youennf |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | Safari 9 |
| Hardware: | All |
| OS: | All |
| Attachments: | |
Description

Josh Dover
2016-03-22 11:46:38 PDT

This is also a bug that many others have experienced. A good list of related issues on GitHub: https://github.com/photonstorm/phaser/issues/1355#issuecomment-64144909

Anyone looking for a SAFE workaround should not be using `Access-Control-Allow-Origin: *`. What I used that worked:

- Find the CSSStyleSheet in the `tainted` state (`styleSheet.cssRules` will be null).
- Make an XHR for the stylesheet's `href`.
- Add a new `<style>` node to the document's head with the contents of the XHR.
- Optionally, remove the original style tag.

This method will be safe since you are still relying on the browser's CORS protections when you make the XHR.

> While WebKit does still accept the resource as valid, it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet

Do you have a complete test case demonstrating that CSSRuleList cannot be accessed from a script in WebKit?
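The workaround described in the bug description (detect the tainted stylesheet, re-fetch it over XHR, inline it as a `<style>` node), written out as an added example; this is not the reporter's or WebKit's code. It assumes a browser DOM and treats both the `null` `cssRules` the thread describes and the `SecurityError` current engines throw as the tainted state; `fetchText` is injectable so the logic can be exercised without a DOM.

```javascript
// Added example, not the reporter's or WebKit's code: the workaround from the
// bug description. A cross-origin sheet loaded without usable CORS is "tainted";
// the thread says WebKit exposes cssRules as null for it, and current engines
// throw a SecurityError instead, so both are treated as tainted here.
function isTaintedStyleSheet(sheet) {
  try {
    return sheet.cssRules === null;
  } catch (e) {
    return Boolean(e) && e.name === 'SecurityError';
  }
}

// Replace one tainted external sheet with an inline <style> carrying cssText.
function inlineStyleSheet(doc, sheet, cssText, removeOriginal) {
  const style = doc.createElement('style');
  style.textContent = cssText;
  doc.head.appendChild(style);
  if (removeOriginal && sheet.ownerNode && sheet.ownerNode.parentNode) {
    sheet.ownerNode.parentNode.removeChild(sheet.ownerNode); // the original <link>
  }
  return style;
}

// Re-fetch the sheet through XHR. This request is subject to the browser's
// CORS checks, so the text only reaches the page if the server permits it.
function xhrText(url) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('GET', url);
    xhr.onload = () => (xhr.status === 200 ? resolve(xhr.responseText) : reject(new Error('HTTP ' + xhr.status)));
    xhr.onerror = () => reject(new Error('network or CORS failure for ' + url));
    xhr.send();
  });
}

// Entry point: inline every tainted external sheet, keeping any the server
// refuses to share. Returns the hrefs that were inlined.
async function inlineTaintedStyleSheets(doc, fetchText = xhrText, removeOriginal = true) {
  const inlined = [];
  for (const sheet of Array.from(doc.styleSheets)) {
    if (!sheet.href || !isTaintedStyleSheet(sheet)) continue;
    try {
      inlineStyleSheet(doc, sheet, await fetchText(sheet.href), removeOriginal);
      inlined.push(sheet.href);
    } catch (e) {
      // CORS (or the network) refused the read: leave the tainted sheet as is.
    }
  }
  return inlined;
}
```

In a page, `inlineTaintedStyleSheets(document)` after load is enough; the server still has to send a matching `Access-Control-Allow-Origin` for the XHR to succeed.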
I also confirm the issue.

Created attachment 280913 [details]
Patch
(In reply to comment #6)
> Created attachment 280913 [details]
> --no-review

This patch makes the preload scanner use CORS mode for all preloaded resources that have a crossorigin attribute, not only CSS stylesheets. HTMLLinkElement is also updated to make use of the attribute.

Comment on attachment 280913 [details]
Patch

Attachment 280913 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/1472290

New failing tests:
editing/selection/selection-in-iframe-removed-crash.html

Created attachment 280917 [details]
Archive of layout-test-results from ews117 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117 Port: mac-yosemite Platform: Mac OS X 10.10.5
(In reply to comment #8)
> Comment on attachment 280913 [details]
> Patch
>
> Attachment 280913 [details] did not pass mac-debug-ews (mac):
> Output: http://webkit-queues.webkit.org/results/1472290
>
> New failing tests:
> editing/selection/selection-in-iframe-removed-crash.html

Failing test seems not relevant to the changes. I'll check further though.

(In reply to comment #10)
> (In reply to comment #8)
> > Comment on attachment 280913 [details]
> > Patch
> >
> > Attachment 280913 [details] did not pass mac-debug-ews (mac):
> > Output: http://webkit-queues.webkit.org/results/1472290
> >
> > New failing tests:
> > editing/selection/selection-in-iframe-removed-crash.html
>
> Failing test seems not relevant to the changes.
> I'll check further though.

The failure may be related to http://trac.webkit.org/changeset/201823

> it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets)

This doesn't seem to be tested in the test. Is this really the case? If we can just get the computed style of an element affected by the stylesheet, what is the point of not being able to access the CSSRuleList?
(In reply to comment #12)
> > it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets)
> This doesn't seem to be tested in the test. Is this really the case? If we
> can just get the computed style of an element affected by the stylesheet,
> what is the point of not being able to access the CSSRuleList?

I can add such a test but I guess there are already tests somewhere ensuring that tainted stylesheets are not accessible in detail through JS, similarly to tainted images in canvas.

(In reply to comment #13)
> (In reply to comment #12)
> > > it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets)
> > This doesn't seem to be tested in the test. Is this really the case? If we
> > can just get the computed style of an element affected by the stylesheet,
> > what is the point of not being able to access the CSSRuleList?
>
> I can add such a test but I guess there are already tests somewhere ensuring
> that tainted stylesheets are not accessible in detail through JS, similarly
> to tainted images in canvas.

I was too optimistic.
Access to cssRules is governed by CSSStyleSheet::canAccessRules. This routine is checking whether the stylesheet URL is same-origin as the owner document origin. It does not take into account CORS.

This issue being different and specific to CSS, I think it would be best tackled as a follow-up bug. I'll upload a patch with an updated test.

Created attachment 281006 [details]
Updating test

(In reply to comment #15)
> Created attachment 281006 [details]
> Updating test

To show the cssRules-specific issue, one can just uncomment line 25 of the new test.

(In reply to comment #16)
> (In reply to comment #15)
> > Created attachment 281006 [details]
> > Updating test
>
> To show the cssRules-specific issue, one can just uncomment line 25 of the
> new test.

Note also that the patch is not enforcing full cross-origin checks yet. Loading should fail if cross-origin is set but Access-Control-Allow-Origin is not in the response headers. This is the target of another bug.

Comment on attachment 281006 [details]
Updating test

Clearing flags on attachment: 281006

Committed r201930: <http://trac.webkit.org/changeset/201930>

All reviewed patches have been landed. Closing bug.

(In reply to comment #14)
> (In reply to comment #13)
> > (In reply to comment #12)
> > > > it is marked as 'tainted' which prevents JavaScript on the page from accessing the CSSRuleList object on the CSSStyleSheet (it will be `null` for tainted stylesheets)
> > > This doesn't seem to be tested in the test. Is this really the case? If we
> > > can just get the computed style of an element affected by the stylesheet,
> > > what is the point of not being able to access the CSSRuleList?
> >
> > I can add such a test but I guess there are already tests somewhere ensuring
> > that tainted stylesheets are not accessible in detail through JS, similarly
> > to tainted images in canvas.
>
> I was too optimistic.
> Access to cssRules is governed by CSSStyleSheet::canAccessRules.
> This routine is checking whether the stylesheet URL is same-origin as the
> owner document origin.
> It does not take into account CORS.
>
> This issue being different and specific to CSS, I think it would be best
> tackled as a follow-up bug.
> I'll upload a patch with an updated test.

I filed bug 158728 for that purpose.