Changeset 206009 in webkit

Timestamp:

Sep 16, 2016 12:33:44 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[Fetch API] Referrer and Origin header should not be considered as safe request headers
​https://bugs.webkit.org/show_bug.cgi?id=161902

Patch by Youenn Fablet <​youenn@apple.com> on 2016-09-16
Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

• web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
• web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
• web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:

(corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
Added new tests to check for non-default referrer values.

Source/WebCore:

Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.

Removing Origin and Referrer from safe request headers.
Making referrer header setting after preflight for fetch API code path.

Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.

Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.

• Modules/fetch/FetchLoader.cpp:

(WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
Passing the value directly to ThreadableLoader.

• Modules/fetch/FetchRequest.cpp:

(WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
(WebCore::FetchRequest::clone): Removing obsolete FIXME.

• Modules/fetch/FetchRequest.h:
• loader/CrossOriginAccessControl.cpp:

(WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.

• loader/DocumentThreadableLoader.h: Ditto.
• loader/ThreadableLoader.cpp: Ditto.

(WebCore::ThreadableLoader::create): Ditto.

• loader/ThreadableLoader.h: Ditto.
• loader/WorkerThreadableLoader.cpp: Ditto.

(WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
(WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.

• loader/WorkerThreadableLoader.h: Ditto.

(WebCore::WorkerThreadableLoader::create): Ditto.

• platform/network/ResourceRequestBase.cpp:

(WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.

• platform/network/ResourceRequestBase.h:

LayoutTests:

• http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
• http/tests/fetch/fetch-cors-with-referrer.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt (added)
• LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html (added)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchLoader.cpp (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchRequest.cpp (modified) (2 diffs)
• Source/WebCore/Modules/fetch/FetchRequest.h (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (1 diff)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.h (modified) (1 diff)
• Source/WebCore/loader/ThreadableLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/ThreadableLoader.h (modified) (1 diff)
• Source/WebCore/loader/WorkerThreadableLoader.cpp (modified) (2 diffs)
• Source/WebCore/loader/WorkerThreadableLoader.h (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceRequestBase.cpp (modified) (1 diff)
• Source/WebCore/platform/network/ResourceRequestBase.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-16  Youenn Fablet  <youenn@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
+        * http/tests/fetch/fetch-cors-with-referrer.html: Added.
+
 2016-09-13  Jer Noble  <jer.noble@apple.com>
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-09-16  Youenn Fablet  <youenn@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:
+        (corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
+        Added new tests to check for non-default referrer values.
+
 2016-09-14  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt

@@ -1 +1 @@
 
-PASS Referrer policy: no-referrer 
-PASS Referrer policy: "" 
-PASS Referrer policy: origin 
-PASS Referrer policy: origin-when-cross-origin 
-PASS Referrer policy: unsafe-url 
+PASS Referrer policy: no-referrer ('myreferrer' referrer) 
+PASS Referrer policy: no-referrer (default referrer) 
+PASS Referrer policy: "" ('myreferrer' referrer) 
+PASS Referrer policy: "" (default referrer) 
+PASS Referrer policy: origin ('myreferrer' referrer) 
+PASS Referrer policy: origin (default referrer) 
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer) 
+PASS Referrer policy: origin-when-cross-origin (default referrer) 
+PASS Referrer policy: unsafe-url ('myreferrer' referrer) 
+PASS Referrer policy: unsafe-url (default referrer) 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt

@@ -1 +1 @@
 
-PASS Referrer policy: no-referrer 
-PASS Referrer policy: "" 
-PASS Referrer policy: origin 
-PASS Referrer policy: origin-when-cross-origin 
-PASS Referrer policy: unsafe-url 
+PASS Referrer policy: no-referrer ('myreferrer' referrer) 
+PASS Referrer policy: no-referrer (default referrer) 
+PASS Referrer policy: "" ('myreferrer' referrer) 
+PASS Referrer policy: "" (default referrer) 
+PASS Referrer policy: origin ('myreferrer' referrer) 
+PASS Referrer policy: origin (default referrer) 
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer) 
+PASS Referrer policy: origin-when-cross-origin (default referrer) 
+PASS Referrer policy: unsafe-url ('myreferrer' referrer) 
+PASS Referrer policy: unsafe-url (default referrer) 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js

@@ -6 +6 @@
 }
 
-function corsPreflightReferrer(desc, corsUrl, referrerPolicy, expectedReferrer) {
+function corsPreflightReferrer(desc, corsUrl, referrerPolicy, referrer, expectedReferrer) {
   var uuid_token = token();
   var url = corsUrl;
   var urlParameters = "?token=" + uuid_token + "&max_age=0";
   var requestInit = {"mode": "cors", "referrerPolicy": referrerPolicy};
+
+  if (referrer)
+      requestInit.referrer = referrer;
 
   /* Force preflight */
@@ -24 +27 @@
         assert_equals(resp.headers.get("x-preflight-referrer"), expectedReferrer, "Preflight's referrer is correct");
         assert_equals(resp.headers.get("x-referrer"), expectedReferrer, "Request's referrer is correct");
+        assert_equals(resp.headers.get("x-control-request-headers"), "", "Access-Control-Allow-Headers value");
       });
     });
-  }, desc);
+  }, desc + (referrer ? " (default referrer)" : " ('myreferrer' referrer)"));
 }
-
 var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN  + dirname(location.pathname) + RESOURCES_DIR + "preflight.py";
 var origin = get_host_info().HTTP_ORIGIN + "/";
 
-corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "");
-corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", location.toString())
+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", undefined, "");
+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "myreferrer", "");
 
-corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", origin);
-corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", origin);
-corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", location.toString());
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", undefined, location.toString())
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", "myreferrer", new URL("myreferrer", location).toString());
+
+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", undefined, location.toString());
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", "myreferrer", new URL("myreferrer", location).toString());
 
 done();

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-16  Youenn Fablet  <youenn@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.
+
+        Removing Origin and Referrer from safe request headers.
+        Making referrer header setting after preflight for fetch API code path.
+
+        Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.
+
+        Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.
+
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
+        Passing the value directly to ThreadableLoader.
+        * Modules/fetch/FetchRequest.cpp:
+        (WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
+        (WebCore::FetchRequest::clone): Removing obsolete FIXME.
+        * Modules/fetch/FetchRequest.h:
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
+        * loader/DocumentThreadableLoader.h: Ditto.
+        * loader/ThreadableLoader.cpp: Ditto.
+        (WebCore::ThreadableLoader::create): Ditto.
+        * loader/ThreadableLoader.h: Ditto.
+        * loader/WorkerThreadableLoader.cpp: Ditto.
+        (WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
+        (WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
+        * loader/WorkerThreadableLoader.h: Ditto.
+        (WebCore::WorkerThreadableLoader::create): Ditto.
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.
+        * platform/network/ResourceRequestBase.h:
+
 2016-09-15  Dave Hyatt  <hyatt@apple.com>
 

trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp

@@ -93 +93 @@
     }
 
-    m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options);
+    String referrer = request.internalRequestReferrer();
+    if (referrer == "no-referrer") {
+        options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
+        referrer = String();
+    } else
+        referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer();
+
+    m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options, WTFMove(referrer));
     m_isStarted = m_loader;
 }

trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp

@@ -305 +305 @@
     request.setHTTPBody(body().bodyForInternalRequest(*scriptExecutionContext()));
 
-    // FIXME: Support no-referrer and client. Ensure this case-sensitive comparison is ok.
-    if (m_internalRequest.referrer != "no-referrer" && m_internalRequest.referrer != "client")
-        request.setHTTPReferrer(URL(URL(), m_internalRequest.referrer).strippedForUseAsReferrer());
-
     return request;
 }
@@ -319 +315 @@
     }
 
-    // FIXME: Validate body teeing.
     return adoptRef(*new FetchRequest(context, FetchBody(m_body), FetchHeaders::create(m_headers.get()), FetchRequest::InternalRequest(m_internalRequest)));
 }

trunk/Source/WebCore/Modules/fetch/FetchRequest.h

@@ -93 +93 @@
     ResourceRequest internalRequest() const;
 
+    const String& internalRequestReferrer() const { return m_internalRequest.referrer; }
+
 private:
     FetchRequest(ScriptExecutionContext&, FetchBody&&, Ref<FetchHeaders>&&, InternalRequest&&);

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -52 +52 @@
     case HTTPHeaderName::AcceptLanguage:
     case HTTPHeaderName::ContentLanguage:
-    case HTTPHeaderName::Origin:
-    case HTTPHeaderName::Referer:
         return true;
     case HTTPHeaderName::ContentType: {

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -77 +77 @@
 }
 
-RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
-{
-    return create(document, client, WTFMove(request), options, nullptr, nullptr, String());
+RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
+{
+    return create(document, client, WTFMove(request), options, nullptr, nullptr, WTFMove(referrer));
 }
 
@@ -93 +93 @@
     , m_contentSecurityPolicy(WTFMove(contentSecurityPolicy))
 {
-    // Setting an outgoing referer is only supported in the async code path.
-    ASSERT(m_async || request.httpReferrer().isEmpty());
+    // Setting a referrer header is only supported in the async code path.
+    ASSERT(m_async || m_referrer.isEmpty());
+
+    // Referrer and Origin headers should be set after the preflight if any.
+    ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin());
 
     ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));

trunk/Source/WebCore/loader/DocumentThreadableLoader.h

@@ -50 +50 @@
 
         static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, RefPtr<SecurityOrigin>&&, std::unique_ptr<ContentSecurityPolicy>&&, String&& referrer);
-        static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
+        static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
 
         virtual ~DocumentThreadableLoader();

trunk/Source/WebCore/loader/ThreadableLoader.cpp

@@ -60 +60 @@
 }
 
-RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
 {
     if (is<WorkerGlobalScope>(context))
-        return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options);
+        return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options, referrer);
 
-    return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options);
+    return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options, WTFMove(referrer));
 }
 

trunk/Source/WebCore/loader/ThreadableLoader.h

@@ -81 +81 @@
     public:
         static void loadResourceSynchronously(ScriptExecutionContext&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
-        static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
+        static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
 
         virtual void cancel() = 0;

trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp

@@ -51 +51 @@
 static const char loadResourceSynchronouslyMode[] = "loadResourceSynchronouslyMode";
 
-WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
     : m_workerGlobalScope(workerGlobalScope)
     , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client))
-    , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, workerGlobalScope.url().strippedForUseAsReferrer(), workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
+    , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, referrer.isEmpty() ? workerGlobalScope.url().strippedForUseAsReferrer() : referrer, workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
 {
 }
@@ -71 +71 @@
     mode.append(String::number(runLoop.createUniqueId()));
 
-    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options);
+    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options, String());
     MessageQueueWaitResult result = MessageQueueMessageReceived;
     while (!loader->done() && result != MessageQueueTerminated)

trunk/Source/WebCore/loader/WorkerThreadableLoader.h

@@ -51 +51 @@
     public:
         static void loadResourceSynchronously(WorkerGlobalScope&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
-        static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+        static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
         {
-            return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options));
+            return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options, referrer));
         }
 
@@ -121 +121 @@
         };
 
-        WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&);
+        WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&, const String& referrer);
 
         Ref<WorkerGlobalScope> m_workerGlobalScope;

trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp

@@ -289 +289 @@
 }
 
+bool ResourceRequestBase::hasHTTPReferrer() const
+{
+    return m_httpHeaderFields.contains(HTTPHeaderName::Referer);
+}
+
 void ResourceRequestBase::setHTTPReferrer(const String& httpReferrer)
 {

trunk/Source/WebCore/platform/network/ResourceRequestBase.h

@@ -99 +99 @@
 
     WEBCORE_EXPORT String httpReferrer() const;
+    bool hasHTTPReferrer() const;
     WEBCORE_EXPORT void setHTTPReferrer(const String&);
     WEBCORE_EXPORT void clearHTTPReferrer();