authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-05-26 12:35:12 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2016-05-26 12:00:45 +0000
commit627e1cb38636f028f54ad7618477d021d6bc2083 (patch)
tree7774ea5018990dcc0847d46d334bfe7bc29cdd18
parent6b708459d882a769dc5ac3e7a3d343dc7c8c3146 (diff)
downloadqtwebengine-chromium-627e1cb38636f028f54ad7618477d021d6bc2083.tar.gz
[Backport] Check the mime type of cross-origin CSS fetched via the Service Worker.
BUG=598077 Review URL: https://codereview.chromium.org/1861243002 (CVE-2016-1692) Change-Id: I0a105a58cf589ad084915ec7efbefe41619b4313 Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
-rw-r--r--chromium/third_party/WebKit/Source/core/css/StyleSheetContents.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/css/StyleSheetContents.cpp b/chromium/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
index 15645ca03bc..86c33bc722d 100644
--- a/chromium/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
+++ b/chromium/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
@@ -282,6 +282,16 @@ void StyleSheetContents::parseAuthorStyleSheet(const CSSStyleSheetResource* cach
TRACE_EVENT1("blink,devtools.timeline", "ParseAuthorStyleSheet", "data", InspectorParseAuthorStyleSheetEvent::data(cachedStyleSheet));
bool isSameOriginRequest = securityOrigin && securityOrigin->canRequest(baseURL());
+
+ // When the response was fetched via the Service Worker, the original URL may not be same as the base URL.
+ // TODO(horo): When we will use the original URL as the base URL, we can remove this check. crbug.com/553535
+ if (cachedStyleSheet->response().wasFetchedViaServiceWorker()) {
+ const KURL originalURL(cachedStyleSheet->response().originalURLViaServiceWorker());
+ // |originalURL| is empty when the response is created in the SW.
+ if (!originalURL.isEmpty() && !securityOrigin->canRequest(originalURL))
+ isSameOriginRequest = false;
+ }
+
CSSStyleSheetResource::MIMETypeCheck mimeTypeCheck = isQuirksModeBehavior(m_parserContext.mode()) && isSameOriginRequest ? CSSStyleSheetResource::MIMETypeCheck::Lax : CSSStyleSheetResource::MIMETypeCheck::Strict;
String sheetText = cachedStyleSheet->sheetText(mimeTypeCheck);