Bug 32309 - noAccess url schemes block access to inline stylesheets
Summary: noAccess url schemes block access to inline stylesheets
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-09 00:47 PST by Jochen Eisinger
Modified: 2010-06-18 03:29 PDT
CC: 3 users

See Also:


Attachments
test case (311 bytes, text/html), 2009-12-09 00:49 PST, Jochen Eisinger
Patch (4.06 KB, patch), 2010-03-29 18:09 PDT, Adam Barth

Description Jochen Eisinger 2009-12-09 00:47:10 PST
URL schemes that are listed as noAccess block JavaScript access to inline stylesheets. The description of the noAccess feature suggests that JavaScript in such a document should be allowed to access itself.

This is also an issue in Chrome, see http://code.google.com/p/chromium/issues/detail?id=29422
Comment 1 Jochen Eisinger 2009-12-09 00:49:25 PST
Created attachment 44516
test case

The following HTML file is a small test case. The JavaScript reports the number of CSS rules found in the inline CSS stylesheet. When you encode this file as a data: link, the variable rules is null and rules.length results in an error:

data:text/html;base64,PGh0bWw+CiAgPHN0eWxlPgogICAgYm9keSB7CiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOwogICAgfQogIDwvc3R5bGU+CiAgPGJvZHk+CiAgICA8c2NyaXB0PgogICAgICB2YXIgc3R5bGVzaGVldHMgPSBkb2N1bWVudC5zdHlsZVNoZWV0czsKICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07CiAgICAgIHZhciBydWxlcyA9IHN0eWxlc2hlZXQuY3NzUnVsZXM7CiAgICAgIGFsZXJ0KHJ1bGVzLmxlbmd0aCArICcgcnVsZXMgZm91bmQnKTsKICAgIDwvc2NyaXB0PgogIDwvYm9keT4KPC9odG1sPgo=
Comment 2 Adam Barth 2009-12-09 01:54:05 PST
This is likely a regression from my patch in this area.  I'll look at this unless someone beats me to it.
Comment 3 Adam Barth 2010-03-29 18:09:06 PDT
Created attachment 51990
Patch
Comment 4 Darin Adler 2010-03-30 13:24:46 PDT
Comment on attachment 51990
Patch

The test covers the isEmpty case, but does not cover cases where baseURL != finalURL. Since you are making both changes, I think we need to test both.
Comment 5 Adam Barth 2010-03-30 13:38:30 PDT
> The test covers the isEmpty case, but does not cover cases where baseURL !=
> finalURL. Since you are making both changes, I think we need to test both.

Looking at the implementation of baseURL(), I think the only case where they are different is when finalURL is empty:

http://trac.webkit.org/browser/trunk/WebCore/css/StyleBase.cpp#L51
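The check that comments 1 and 5 are describing, as an added example (this is not WebKit's code and not the landed patch): a document loaded from a noAccess scheme such as data: has a unique origin that matches nothing, so an origin comparison between the document and its own inline stylesheet fails, and the reporter's script sees null for cssRules. The fixed variant treats an empty finalURL as "inline, belongs to this document" before doing any origin comparison, which is the isEmpty case the review discusses. The function and field names (originOf, canAccessRulesBuggy, canAccessRulesFixed, runTestCase, finalURL), the modelled "return null instead of throwing" behaviour, and the https: sample page are assumptions made for this example; the data: URL is the reporter's test case from comment 1.

```javascript
// Added example, not WebKit code. Models the origin check behind bug 32309.
// Assumed names: originOf, canAccessRules*, countRules, runTestCase, decodeDataUrl.

// Schemes registered as "noAccess": a document loaded from one gets a unique
// origin that matches nothing, not even itself.
const NO_ACCESS_SCHEMES = new Set(["data:"]);

// Returns the origin string of a URL, or null for a unique (noAccess) origin.
function originOf(url) {
  const u = new URL(url);
  if (NO_ACCESS_SCHEMES.has(u.protocol) || u.origin === "null") return null;
  return u.origin;
}

// Buggy check (the behaviour reported in comment 1): the sheet's base URL is
// compared with the document origin. An inline sheet has an empty finalURL, so
// its baseURL falls back to the document URL (comment 5), and a data: document
// then fails the comparison against its own origin.
function canAccessRulesBuggy(doc, sheet) {
  const baseURL = sheet.finalURL || doc.url;
  const docOrigin = originOf(doc.url);
  return docOrigin !== null && originOf(baseURL) === docOrigin;
}

// Fixed check: an inline sheet (empty finalURL) belongs to its own document and
// is always readable; only sheets fetched from a URL get the origin comparison.
function canAccessRulesFixed(doc, sheet) {
  if (!sheet.finalURL) return true;
  const docOrigin = originOf(doc.url);
  return docOrigin !== null && originOf(sheet.finalURL) === docOrigin;
}

// Script-side helper the test case could use: returns the rule count, or null
// when the engine withholds the rules (cssRules === null in the 2009 behaviour,
// a SecurityError throw in current engines).
function countRules(sheet) {
  try {
    const rules = sheet.cssRules;
    return rules ? rules.length : null;
  } catch (e) {
    if (e && e.name === "SecurityError") return null;
    throw e;
  }
}

// Runs the reporter's test case against a fake engine that applies `check`.
// The inline sheet carries one rule (body { background: green }); the fake
// engine returns null rather than throwing, mirroring the 2009 behaviour.
function runTestCase(doc, check) {
  const sheet = { finalURL: "" };
  Object.defineProperty(sheet, "cssRules", {
    get() { return check(doc, sheet) ? [{ selectorText: "body" }] : null; },
  });
  return countRules(sheet);
}

// Decodes a data: URL payload so the comment 1 test case can be inspected.
function decodeDataUrl(dataUrl) {
  const comma = dataUrl.indexOf(",");
  const meta = dataUrl.slice("data:".length, comma); // e.g. "text/html;base64"
  const payload = dataUrl.slice(comma + 1);
  return meta.endsWith(";base64")
    ? Buffer.from(payload, "base64").toString("utf8")
    : decodeURIComponent(payload);
}

// Constructed inputs: the reporter's data: URL and an ordinary https: page (assumed).
const TEST_CASE_URL = "data:text/html;base64,PGh0bWw+CiAgPHN0eWxlPgogICAgYm9keSB7CiAgICAgIGJhY2tncm91bmQ6IGdyZWVuOwogICAgfQogIDwvc3R5bGU+CiAgPGJvZHk+CiAgICA8c2NyaXB0PgogICAgICB2YXIgc3R5bGVzaGVldHMgPSBkb2N1bWVudC5zdHlsZVNoZWV0czsKICAgICAgdmFyIHN0eWxlc2hlZXQgPSBzdHlsZXNoZWV0c1tzdHlsZXNoZWV0cy5sZW5ndGgtMV07CiAgICAgIHZhciBydWxlcyA9IHN0eWxlc2hlZXQuY3NzUnVsZXM7CiAgICAgIGFsZXJ0KHJ1bGVzLmxlbmd0aCArICcgcnVsZXMgZm91bmQnKTsKICAgIDwvc2NyaXB0PgogIDwvYm9keT4KPC9odG1sPgo=";
const DATA_DOC = { url: TEST_CASE_URL };
const HTTP_DOC = { url: "https://example.com/page.html" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeDataUrl(TEST_CASE_URL));
  console.log("buggy:", runTestCase(DATA_DOC, canAccessRulesBuggy)); // null
  console.log("fixed:", runTestCase(DATA_DOC, canAccessRulesFixed)); // 1
}
```

Run it with node to print the decoded test page and the rule count under each check. The https: document passes both checks for its inline sheet and fails both for a sheet from another origin; only the data: document distinguishes the two variants, which is why the reviewer asked for the isEmpty case to be covered by a test.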
Comment 6 Adam Barth 2010-06-18 01:38:03 PDT
Comment on attachment 51990
Patch

Thanks.
Comment 7 WebKit Commit Bot 2010-06-18 03:28:56 PDT
Comment on attachment 51990
Patch

Clearing flags on attachment: 51990

Committed r61391: <http://trac.webkit.org/changeset/61391>
Comment 8 WebKit Commit Bot 2010-06-18 03:29:01 PDT
All reviewed patches have been landed.  Closing bug.