WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
69732
<img crossorigin> should fail to load when CORS check fails
https://bugs.webkit.org/show_bug.cgi?id=69732
Summary
<img crossorigin> should fail to load when CORS check fails
WebKit Review Bot
Reported
2011-10-09 13:53:42 PDT
<img crossorigin> should fail to load when CORS check fails Requested by abarth on #webkit.
Attachments
work in progress
(731 bytes, patch)
2011-10-23 10:54 PDT
,
Adam Barth
no flags
Details
Formatted Diff
Diff
Patch
(4.44 KB, patch)
2011-10-23 16:58 PDT
,
Adam Barth
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Adam Barth
Comment 1
2011-10-23 10:54:59 PDT
Created
attachment 112119
[details]
work in progress
Adam Barth
Comment 2
2011-10-23 16:58:07 PDT
Created
attachment 112130
[details]
Patch
Darin Adler
Comment 3
2011-10-23 20:31:21 PDT
Comment on
attachment 112130
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=112130&action=review
It seems a little strange to do the entire load and then report it as if it was a failure once the load is done. It seems the load should instead fail as soon as we get the HTTP header before reading any more data, loosely speaking.
> Source/WebCore/loader/ImageLoader.cpp:243 > + if (m_element->fastHasAttribute(HTMLNames::crossoriginAttr) && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
We normally do "using namespace HTMLNames" at the top of the file, and leave off the prefix.
Adam Barth
Comment 4
2011-10-23 20:33:51 PDT
> It seems a little strange to do the entire load and then report it as if it was a failure once the load is done. It seems the load should instead fail as soon as we get the HTTP header before reading any more data, loosely speaking.
Yeah, we could do that. It's easier to do at this layer because it handles the cache-hit and cache-miss cases uniformly. I'd imagine the common case is for the check to pass though.
WebKit Review Bot
Comment 5
2011-10-23 21:35:47 PDT
Comment on
attachment 112130
[details]
Patch Clearing flags on attachment: 112130 Committed
r98215
: <
http://trac.webkit.org/changeset/98215
>
WebKit Review Bot
Comment 6
2011-10-23 21:35:52 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 7
2011-10-23 22:05:54 PDT
(In reply to
comment #4
)
> > It seems a little strange to do the entire load and then report it as if it was a failure once the load is done. It seems the load should instead fail as soon as we get the HTTP header before reading any more data, loosely speaking. > > Yeah, we could do that. It's easier to do at this layer because it handles the cache-hit and cache-miss cases uniformly. I'd imagine the common case is for the check to pass though.
The CachedResource class could be changed call a function that says “we have the header but not the data” for both the cache-miss case and the cache-hit case. For the cache-hit case it would be called right before the call to notifyFinished. What I like about this is not just the performance but the clarity that processing of the header goes in the header function and processing of the complete data and header goes in the data function and processing of partial data goes in the partial data function. Obviously notifyFinished could use a better name too.
Adam Barth
Comment 8
2011-10-23 22:13:17 PDT
Yeah, that approach is consistent with CachedResource's design of synchronously generating the various callbacks during a cache hit in addClient. I'll keep this issue in mind when looking at Nate's patch to make XMLHttpRequest over to the CachedResourceLoader pipeline. XMLHttpRequest needs a full-featured CORS implementation, so it should be easier for ImageLoader to do this work once that's done.
Boris Zbarsky
Comment 9
2011-11-18 04:28:08 PST
Adam, should I expect the fix for this bug to show up in this Chrome version: Google Chrome 17.0.942.0 (Official Build 110446) dev OS Mac OS X WebKit 535.8 (@100508) ? As far as I can tell that Chrome version is loading the various images linked from the list on the left of
http://maps.google.it/maps/ms?msid=211095647232644570760.00047466b28e95f25449b&msa=0
that use @crossorigin but don't send CORS headers....
Adam Barth
Comment 10
2011-11-18 23:59:57 PST
Thanks Boris. I'll investigate.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug