[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
commit-queue at webkit.org
commit-queue at webkit.org
Wed Dec 22 16:38:30 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 0bc7ea9293caaaab14f487c686c1c82cc571644a
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Nov 29 19:45:27 2010 +0000
2010-11-29 Gavin Peters <gavinp at chromium.org>
Reviewed by Adam Barth.
Web page can prevent WebKit from loading subresources on other
pages (cache poisoning)
https://bugs.webkit.org/show_bug.cgi?id=35404
* http/tests/misc/unloadable-script-expected.txt: Renamed from LayoutTests/fast/loader/unloadable-script-expected.txt.
* http/tests/misc/unloadable-script.html: Renamed from LayoutTests/fast/loader/unloadable-script.html.
* loader/reload-subresource-when-type-changes-expected.txt: Added.
* loader/reload-subresource-when-type-changes.html: Added.
* loader/resources/image1.png: Added.
* loader/resources/image2.png: Added.
* loader/resources/reload-subresource-when-type-changes.js: Added.
2010-11-29 Gavin Peters <gavinp at chromium.org>
Reviewed by Adam Barth.
Web page can prevent WebKit from loading subresources on other
pages (cache poisoning)
https://bugs.webkit.org/show_bug.cgi?id=35404
Tests: http/tests/misc/unloadable-script.html
loader/reload-subresource-when-type-changes.html
* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::requestResource):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72817 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6b455d6..1315ebd 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2010-11-29 Gavin Peters <gavinp at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Web page can prevent WebKit from loading subresources on other
+ pages (cache poisoning)
+ https://bugs.webkit.org/show_bug.cgi?id=35404
+
+ * http/tests/misc/unloadable-script-expected.txt: Renamed from LayoutTests/fast/loader/unloadable-script-expected.txt.
+ * http/tests/misc/unloadable-script.html: Renamed from LayoutTests/fast/loader/unloadable-script.html.
+ * loader/reload-subresource-when-type-changes-expected.txt: Added.
+ * loader/reload-subresource-when-type-changes.html: Added.
+ * loader/resources/image1.png: Added.
+ * loader/resources/image2.png: Added.
+ * loader/resources/reload-subresource-when-type-changes.js: Added.
+
2010-11-29 Adam Roben <aroben at apple.com>
Check in new Windows results after r72678
diff --git a/LayoutTests/fast/loader/unloadable-script-expected.txt b/LayoutTests/fast/loader/unloadable-script-expected.txt
deleted file mode 100644
index 7e064cb..0000000
--- a/LayoutTests/fast/loader/unloadable-script-expected.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Test for bug 13584: <script> code wrongly assumes requests can't fail.
-
-No crash == SUCCESS.
-
-onerror called (good!)
-
-onerror called (good!)
-
-
diff --git a/LayoutTests/fast/loader/unloadable-script.html b/LayoutTests/fast/loader/unloadable-script.html
deleted file mode 100644
index f607bac..0000000
--- a/LayoutTests/fast/loader/unloadable-script.html
+++ /dev/null
@@ -1,32 +0,0 @@
-<html>
-<head>
-<script>
-function log(message) {
- var p = document.createElement("p");
- p.appendChild(document.createTextNode(message));
- document.getElementById("console").appendChild(p);
-}
-</script>
-</head>
-<body onerror="log('onerror called (good!)')">
- <p>Test for <a href="http://bugs.webkit.org/show_bug.cgi?id=13584">bug 13584</a>:
- <script> code wrongly assumes requests can't fail.</p>
- <p>No crash == SUCCESS.</p>
-
- <div id=console></div>
-
- <img src="resources/foobar">
- <script id=test_script></script>
-
- <script>
- if (window.layoutTestController)
- layoutTestController.dumpAsText();
-
- document.getElementById('test_script').src = "resources/foobar";
-
- script = document.createElement("script");
- script.setAttribute("src", "resources/foobar");
- document.body.appendChild(script);
- </script>
-</body>
-</html>
diff --git a/LayoutTests/http/tests/misc/unloadable-script-expected.txt b/LayoutTests/http/tests/misc/unloadable-script-expected.txt
new file mode 100644
index 0000000..fbe11b0
--- /dev/null
+++ b/LayoutTests/http/tests/misc/unloadable-script-expected.txt
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 0: Not allowed to load local resource: foobar
+Test for bug 13584: <script> code wrongly assumes requests can't fail.
+
+No crash == SUCCESS.
+
+onerror called (good!)
diff --git a/LayoutTests/http/tests/misc/unloadable-script.html b/LayoutTests/http/tests/misc/unloadable-script.html
new file mode 100644
index 0000000..fbc4096
--- /dev/null
+++ b/LayoutTests/http/tests/misc/unloadable-script.html
@@ -0,0 +1,32 @@
+<html>
+<head>
+<script>
+function log(message) {
+ var p = document.createElement("p");
+ p.appendChild(document.createTextNode(message));
+ document.getElementById("console").appendChild(p);
+}
+</script>
+</head>
+<body onerror="log('onerror called (good!)')">
+ <p>Test for <a href="http://bugs.webkit.org/show_bug.cgi?id=13584">bug 13584</a>:
+ <script> code wrongly assumes requests can't fail.</p>
+ <p>No crash == SUCCESS.</p>
+
+ <div id=console></div>
+
+ <script id=test_script></script>
+
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ <!-- we are an HTTP test so the security origin will fail the file method -->
+ document.getElementById('test_script').src = "file:///foobar";
+
+ script = document.createElement("script");
+ script.setAttribute("src", "resources/foobar");
+ document.body.appendChild(script);
+ </script>
+</body>
+</html>
diff --git a/LayoutTests/loader/reload-subresource-when-type-changes-expected.txt b/LayoutTests/loader/reload-subresource-when-type-changes-expected.txt
new file mode 100644
index 0000000..49d7618
--- /dev/null
+++ b/LayoutTests/loader/reload-subresource-when-type-changes-expected.txt
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 1: SyntaxError: Parse error
+PASS 1 of 3
+PASS 2 of 3
+PASS 3 of 3
+
diff --git a/LayoutTests/loader/reload-subresource-when-type-changes.html b/LayoutTests/loader/reload-subresource-when-type-changes.html
new file mode 100644
index 0000000..0cdaade
--- /dev/null
+++ b/LayoutTests/loader/reload-subresource-when-type-changes.html
@@ -0,0 +1,35 @@
+<div id="logDiv">FAILED</div>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+var logDiv = document.getElementById("logDiv");
+
+function clearLog()
+{
+ logDiv.innerHTML = "";
+}
+
+function log(string)
+{
+ logDiv.appendChild(document.createTextNode(string));
+ logDiv.appendChild(document.createElement("br"));
+}
+
+function checkLoadedImage(event, testNumber) {
+ var imageWidth = event.target.width;
+ if (imageWidth == 25)
+ log("PASS " + testNumber + " of 3");
+ else
+ log("IMAGE SIZE " + imageWidth + " FAIL - " + testNumber + " of 2");
+}
+</script>
+
+<img src="resources/reload-subresource-when-type-changes.js">
+<script src="resources/reload-subresource-when-type-changes.js"></script>
+
+<link rel="prefetch" href="resources/image1.png">
+<img src="resources/image1.png" onerror="log('LOAD ERROR - FAIL 2 of 3)" onload="checkLoadedImage(event, 2)">
+
+<script src="resources/image2.png"></script>
+<img src="resources/image2.png" onerror="log('LOAD ERROR - FAIL 2 of 3)" onload="checkLoadedImage(event, 3)">
diff --git a/LayoutTests/loader/resources/reload-subresource-when-type-changes.js b/LayoutTests/loader/resources/reload-subresource-when-type-changes.js
new file mode 100644
index 0000000..1dddb98
--- /dev/null
+++ b/LayoutTests/loader/resources/reload-subresource-when-type-changes.js
@@ -0,0 +1,2 @@
+clearLog();
+log("PASS 1 of 3");
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 32994e4..de53492 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-11-29 Gavin Peters <gavinp at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Web page can prevent WebKit from loading subresources on other
+ pages (cache poisoning)
+ https://bugs.webkit.org/show_bug.cgi?id=35404
+
+ Tests: http/tests/misc/unloadable-script.html
+ loader/reload-subresource-when-type-changes.html
+
+ * loader/cache/MemoryCache.cpp:
+ (WebCore::MemoryCache::requestResource):
+
2010-11-29 Simon Fraser <simon.fraser at apple.com>
Reviewed by Dan Bernstein.
diff --git a/WebCore/loader/cache/MemoryCache.cpp b/WebCore/loader/cache/MemoryCache.cpp
index 79dfc03..2f45b5d 100644
--- a/WebCore/loader/cache/MemoryCache.cpp
+++ b/WebCore/loader/cache/MemoryCache.cpp
@@ -126,7 +126,13 @@ CachedResource* MemoryCache::requestResource(CachedResourceLoader* cachedResourc
FrameLoader::reportLocalLoadFailed(cachedResourceLoader->document()->frame(), url.string());
return 0;
}
-
+
+ if (resource && resource->type() != type) {
+ LOG(ResourceLoading, "Cache::requestResource found a cache resource with matching url but different type, evicting and loading with new type.");
+ evict(resource);
+ resource = 0;
+ }
+
if (!resource) {
LOG(ResourceLoading, "CachedResource for '%s' wasn't found in cache. Creating it", url.string().latin1().data());
// The resource does not exist. Create it.
@@ -157,11 +163,6 @@ CachedResource* MemoryCache::requestResource(CachedResourceLoader* cachedResourc
}
}
- if (resource->type() != type) {
- LOG(ResourceLoading, "MemoryCache::requestResource cannot use cached resource for '%s' due to type mismatch", url.string().latin1().data());
- return 0;
- }
-
if (!disabled()) {
// This will move the resource to the front of its LRU list and increase its access count.
resourceAccessed(resource);
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list