From 31c765b050fdbe361a02cf5aae1eb7f6efc8ffff Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 14 Aug 2019 00:29:44 +0200 Subject: Issue #1211: Allow the loading of TYPE_FONT from file: URLs. This bypasses the CORS restriction of unique file: URLs in the case of fonts loaded through CSS. Resolves #1211. --- layout/style/FontFaceSet.cpp | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/layout/style/FontFaceSet.cpp b/layout/style/FontFaceSet.cpp index 1645adfefe..81c5ede0ec 100644 --- a/layout/style/FontFaceSet.cpp +++ b/layout/style/FontFaceSet.cpp @@ -583,6 +583,19 @@ FontFaceSet::StartLoad(gfxUserFontEntry* aUserFontEntry, nsCOMPtr streamLoader; nsCOMPtr loadGroup(mDocument->GetDocumentLoadGroup()); + // We're determining the security flags for font loading here based on + // scheme, because we want to allow fonts to be loaded using file: + // even if unique origins for file: access is enforced (allow CORS + // bypass in this case). + uint32_t securityFlags = 0; + bool isFile = false; + if (NS_SUCCEEDED(aFontFaceSrc->mURI->SchemeIs("file", &isFile)) && + isFile) { + securityFlags = nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS; + } else { + securityFlags = nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS; + } + nsCOMPtr channel; // Note we are calling NS_NewChannelWithTriggeringPrincipal() with both a // node and a principal. This is because the document where the font is @@ -592,7 +605,7 @@ FontFaceSet::StartLoad(gfxUserFontEntry* aUserFontEntry, aFontFaceSrc->mURI, mDocument, aUserFontEntry->GetPrincipal(), - nsILoadInfo::SEC_REQUIRE_CORS_DATA_INHERITS, + securityFlags, nsIContentPolicy::TYPE_FONT, loadGroup); NS_ENSURE_SUCCESS(rv, rv); -- cgit v1.2.3