Handle PotentiallyDanglingMarkup() for CSSImageValue

The flag was lost in the KURL -> String -> KURL conversions. Store the flag on CSSImageValue and always re-resolve from the original relative url before fetching when that flag is set. The blocking happens in BaseFetchContext::CanRequestInternal(). Bug: 1039885 Change-Id: Ia5777739a0ee0bee591163873926d19e0ea014bf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3226142 Reviewed-by: Anders Hartvoll Ruud <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Rune Lillesveen <[email protected]> Cr-Commit-Position: refs/heads/main@{#932004}
AryanGitHub · Oct 15, 2021 · 349a35b · 349a35b
1 parent 2da68a0
commit 349a35b
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 2 deletions.
diff --git a/third_party/blink/renderer/core/css/build.gni b/third_party/blink/renderer/core/css/build.gni
@@ -649,6 +649,7 @@ blink_core_tests_css = [
   "css_font_family_webkit_prefix_test.cc",
   "css_gradient_value_test.cc",
   "css_id_selector_value_test.cc",
+  "css_image_value_test.cc",
   "css_invalid_variable_value_test.cc",
   "css_light_dark_value_pair_test.cc",
   "css_math_expression_node_test.cc",

diff --git a/third_party/blink/renderer/core/css/css_image_value.cc b/third_party/blink/renderer/core/css/css_image_value.cc
@@ -51,15 +51,26 @@ CSSImageValue::CSSImageValue(const AtomicString& raw_value,
       absolute_url_(url.GetString()),
       cached_image_(image),
       origin_clean_(origin_clean),
-      is_ad_related_(is_ad_related) {}
+      is_ad_related_(is_ad_related),
+      potentially_dangling_markup_(url.PotentiallyDanglingMarkup()) {}
 
 CSSImageValue::~CSSImageValue() = default;
 
 FetchParameters CSSImageValue::PrepareFetch(
     const Document& document,
     FetchParameters::ImageRequestBehavior image_request_behavior,
     CrossOriginAttributeValue cross_origin) const {
-  ResourceRequest resource_request(absolute_url_);
+  // The PotentiallyDanglingMarkup() flag is lost when storing the absolute url
+  // as a string from which the KURL is constructed here.
+  // The url passed into the constructor had the PotentiallyDanglingMarkup flag
+  // set. That information needs to be passed on to the fetch code to block such
+  // resources from loading.
+  KURL request_url = potentially_dangling_markup_
+                         ? document.CompleteURL(relative_url_)
+                         : KURL(absolute_url_);
+  SECURITY_CHECK(request_url.PotentiallyDanglingMarkup() ==
+                 potentially_dangling_markup_);
+  ResourceRequest resource_request(request_url);
   resource_request.SetReferrerPolicy(
       ReferrerUtils::MojoReferrerPolicyResolveDefault(
           referrer_.referrer_policy));

diff --git a/third_party/blink/renderer/core/css/css_image_value.h b/third_party/blink/renderer/core/css/css_image_value.h
@@ -102,6 +102,11 @@ class CORE_EXPORT CSSImageValue : public CSSValue {
 
   // Whether this was created by an ad-related CSSParserContext.
   const bool is_ad_related_;
+
+  // The url passed into the constructor had the PotentiallyDanglingMarkup flag
+  // set. That information needs to be passed on to the fetch code to block such
+  // resources from loading.
+  const bool potentially_dangling_markup_;
 };
 
 template <>

diff --git a/third_party/blink/renderer/core/css/css_image_value_test.cc b/third_party/blink/renderer/core/css/css_image_value_test.cc
@@ -0,0 +1,50 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "third_party/blink/renderer/core/css/css_image_value.h"
+
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/blink/renderer/core/dom/document.h"
+#include "third_party/blink/renderer/core/dom/element.h"
+#include "third_party/blink/renderer/core/dom/node_computed_style.h"
+#include "third_party/blink/renderer/core/loader/resource/image_resource_content.h"
+#include "third_party/blink/renderer/core/style/computed_style.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_request.h"
+#include "third_party/blink/renderer/core/testing/sim/sim_test.h"
+#include "third_party/blink/renderer/platform/testing/unit_test_helpers.h"
+
+namespace blink {
+
+class CSSImageValueTest : public SimTest {};
+
+TEST_F(CSSImageValueTest, BlockPotentiallyDanglingMarkup) {
+  SimRequest main_resource("https://example.com", "text/html");
+
+  LoadURL("https://example.com");
+
+  main_resource.Complete(R"HTML(
+    <!doctype html>
+    <table id="t1" background="ht
+    tps://example.com/y<ay?foo"><td>XXX</td></table>
+    <table id="t2" background="ht
+    tps://example.com/y<ay?bar#boo"><td>XXX</td></table>
+  )HTML");
+
+  test::RunPendingTasks();
+  Compositor().BeginFrame();
+
+  auto* t1 = GetDocument().getElementById("t1");
+  ImageResourceContent* content1 =
+      t1->ComputedStyleRef().BackgroundLayers().GetImage()->CachedImage();
+  ASSERT_TRUE(content1);
+  EXPECT_TRUE(content1->ErrorOccurred());
+
+  auto* t2 = GetDocument().getElementById("t2");
+  ImageResourceContent* content2 =
+      t2->ComputedStyleRef().BackgroundLayers().GetImage()->CachedImage();
+  ASSERT_TRUE(content2);
+  EXPECT_TRUE(content2->ErrorOccurred());
+}
+
+}  // namespace blink