Changeset 206255 in webkit


Ignore:
Timestamp:
Sep 22, 2016 1:57:12 AM (8 years ago)
Author:
commit-queue@webkit.org
Message:

CachedResourceRequest should store a SecurityOrigin
https://bugs.webkit.org/show_bug.cgi?id=162258

Patch by Youenn Fablet <youenn@apple.com> on 2016-09-22
Reviewed by Sam Weinig.

Source/WebCore:

Test: http/tests/local/script-crossorigin-loads-file-scheme.html

Passing SecurityOrigin from loader clients to CachedResource through CachedResourceRequest.
This ensures that specific origin properties like universal access are well preserved.

  • loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::loadRequest): Set origin to the request.

  • loader/cache/CachedResource.cpp:

(WebCore::CachedResource::CachedResource): Setting origin from the request.
Computing CORS state based on that origin.
(WebCore::CachedResource::load): Removing origin computation.
(WebCore::CachedResource::loadFrom): Ditto.
(WebCore::CachedResource::computeOrigin): Deleted.

  • loader/cache/CachedResource.h:
  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest):
(WebCore::CachedResourceLoader::prepareFetch): Introduced to implement step 1 to 7 of https://fetch.spec.whatwg.org/#fetching.
(WebCore::CachedResourceLoader::requestResource):

  • loader/cache/CachedResourceLoader.h:
  • loader/cache/CachedResourceRequest.cpp:

(WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin): Storing origin.

  • loader/cache/CachedResourceRequest.h:

(WebCore::CachedResourceRequest::setOrigin):
(WebCore::CachedResourceRequest::releaseOrigin):
(WebCore::CachedResourceRequest::origin):

LayoutTests:

Updated test to expect load even though CORS checks should fail as the document origin has universal access.

  • http/tests/local/script-crossorigin-loads-fail-origin-expected.txt: Removed.
  • http/tests/local/script-crossorigin-loads-file-scheme-expected.txt: Added.
  • http/tests/local/script-crossorigin-loads-file-scheme.html: Renamed from LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html.
Location:
trunk
Files:
1 added
1 deleted
8 edited
1 moved

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r206253 r206255  
     12016-09-22  Youenn Fablet  <youenn@apple.com>
     2
     3        CachedResourceRequest should store a SecurityOrigin
     4        https://bugs.webkit.org/show_bug.cgi?id=162258
     5
     6        Reviewed by Sam Weinig.
     7
     8        Updated test to expect load even though CORS checks should fail as the document origin has universal access.
     9
     10        * http/tests/local/script-crossorigin-loads-fail-origin-expected.txt: Removed.
     11        * http/tests/local/script-crossorigin-loads-file-scheme-expected.txt: Added.
     12        * http/tests/local/script-crossorigin-loads-file-scheme.html: Renamed from LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html.
     13
    1142016-09-19  Sergio Villar Senin  <svillar@igalia.com>
    215
  • trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme.html

    r206254 r206255  
    11<body>
    2 <p>This test fails if the script loads correctly.</p>
     2<p>This test passes if the script loads correctly.</p>
    33<pre></pre>
    44<script>
     
    1616var script = document.createElement("script");
    1717script.crossOrigin = "use-credentials";
    18 // We are serving the test from the filesystem, so it should fail as authorized origin is 127.0.0.1:8000.
     18// We are serving the test from the filesystem and file URLs are granted universal access.
     19// This bypasses CORS checks and will allow access to 127.0.0.1:8000.
    1920script.src = "http://localhost:8000/security/resources/cors-script.php?credentials=true";
    20 script.onload = function() { done("FAIL"); }
    21 script.onerror = function() { done("PASS");}
     21script.onload = function() { done("PASS"); }
     22script.onerror = function() { done("FAIL");}
    2223document.body.appendChild(script);
    2324</script>
  • trunk/Source/WebCore/ChangeLog

    r206254 r206255  
     12016-09-22  Youenn Fablet  <youenn@apple.com>
     2
     3        CachedResourceRequest should store a SecurityOrigin
     4        https://bugs.webkit.org/show_bug.cgi?id=162258
     5
     6        Reviewed by Sam Weinig.
     7
     8        Test: http/tests/local/script-crossorigin-loads-file-scheme.html
     9
     10        Passing SecurityOrigin from loader clients to CachedResource through CachedResourceRequest.
     11        This ensures that specific origin properties like universal access are well preserved.
     12
     13        * loader/DocumentThreadableLoader.cpp:
     14        (WebCore::DocumentThreadableLoader::loadRequest): Set origin to the request.
     15        * loader/cache/CachedResource.cpp:
     16        (WebCore::CachedResource::CachedResource): Setting origin from the request.
     17        Computing CORS state based on that origin.
     18        (WebCore::CachedResource::load): Removing origin computation.
     19        (WebCore::CachedResource::loadFrom): Ditto.
     20        (WebCore::CachedResource::computeOrigin): Deleted.
     21        * loader/cache/CachedResource.h:
     22        * loader/cache/CachedResourceLoader.cpp:
     23        (WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest):
     24        (WebCore::CachedResourceLoader::prepareFetch): Introduced to implement step 1 to 7 of https://fetch.spec.whatwg.org/#fetching.
     25        (WebCore::CachedResourceLoader::requestResource):
     26        * loader/cache/CachedResourceLoader.h:
     27        * loader/cache/CachedResourceRequest.cpp:
     28        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin): Storing origin.
     29        * loader/cache/CachedResourceRequest.h:
     30        (WebCore::CachedResourceRequest::setOrigin):
     31        (WebCore::CachedResourceRequest::releaseOrigin):
     32        (WebCore::CachedResourceRequest::origin):
     33
    1342016-09-22  Youenn Fablet  <youenn@apple.com>
    235
  • trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

    r206254 r206255  
    371371            newRequest.setInitiator(m_options.initiator);
    372372        newRequest.mutableResourceRequest().setAllowCookies(m_options.allowCredentials == AllowStoredCredentials);
     373        newRequest.setOrigin(&securityOrigin());
    373374
    374375        ASSERT(!m_resource);
  • trunk/Source/WebCore/loader/cache/CachedResource.cpp

    r206206 r206255  
    122122    , m_loadPriority(defaultPriorityForResourceType(type))
    123123    , m_responseTimestamp(std::chrono::system_clock::now())
     124    , m_origin(request.releaseOrigin())
    124125    , m_lastDecodedAccessTime(0)
    125126    , m_loadFinishTime(0)
     
    149150    cachedResourceLeakCounter.increment();
    150151#endif
     152    // FIXME: We should have a better way of checking for Navigation loads, maybe FetchMode::Options::Navigate.
     153    ASSERT(m_origin || m_type == CachedResource::MainResource);
     154
     155    if (m_options.mode != FetchOptions::Mode::SameOrigin && m_origin
     156        && !(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set)
     157        && !m_origin->canRequest(m_resourceRequest.url()))
     158        setCrossOrigin();
    151159
    152160    if (!m_resourceRequest.url().hasFragmentIdentifier())
     
    245253}
    246254
    247 void CachedResource::computeOrigin(CachedResourceLoader& loader)
    248 {
    249     if (type() == MainResource)
    250         return;
    251 
    252     ASSERT(loader.document());
    253     if (m_resourceRequest.hasHTTPOrigin())
    254         m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());
    255     else
    256         m_origin = loader.document()->securityOrigin();
    257     ASSERT(m_origin);
    258 
    259     if (!(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) && !m_origin->canRequest(m_resourceRequest.url()))
    260         setCrossOrigin();
    261 
    262     addAdditionalRequestHeaders(loader);
    263 }
    264 
    265255void CachedResource::load(CachedResourceLoader& cachedResourceLoader)
    266256{
     
    331321    m_resourceRequest.setPriority(loadPriority());
    332322
    333     computeOrigin(cachedResourceLoader);
     323    addAdditionalRequestHeaders(cachedResourceLoader);
    334324
    335325    // FIXME: It's unfortunate that the cache layer and below get to know anything about fragment identifiers.
     
    353343}
    354344
    355 void CachedResource::loadFrom(const CachedResource& resource, CachedResourceLoader& cachedResourceLoader)
     345void CachedResource::loadFrom(const CachedResource& resource)
    356346{
    357347    ASSERT(url() == resource.url());
    358348    ASSERT(type() == resource.type());
    359349    ASSERT(resource.status() == Status::Cached);
    360 
    361     computeOrigin(cachedResourceLoader);
    362350
    363351    if (isCrossOrigin() && m_options.mode == FetchOptions::Mode::Cors) {
  • trunk/Source/WebCore/loader/cache/CachedResource.h

    r206206 r206255  
    212212    ResourceResponse::Tainting responseTainting() const { return m_responseTainting; }
    213213
    214     void loadFrom(const CachedResource&, CachedResourceLoader&);
     214    void loadFrom(const CachedResource&);
    215215
    216216    SecurityOrigin* origin() const { return m_origin.get(); }
     
    310310
    311311    void addAdditionalRequestHeaders(CachedResourceLoader&);
    312     void computeOrigin(CachedResourceLoader&);
    313312    void failBeforeStarting();
    314313
  • trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

    r206254 r206255  
    557557
    558558    auto resourceHandle = createResource(resource.type(), WTFMove(request), sessionID());
    559     resourceHandle->loadFrom(resource, *this);
     559    resourceHandle->loadFrom(resource);
    560560    return resourceHandle;
    561561}
     
    595595{
    596596    // Implementing step 1 to 7 of https://fetch.spec.whatwg.org/#fetching
     597
     598    if (!request.origin() && document())
     599        request.setOrigin(document()->securityOrigin());
    597600
    598601    if (!request.resourceRequest().hasHTTPHeader(HTTPHeaderName::Accept))
  • trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp

    r206203 r206255  
    8080{
    8181    ASSERT(m_options.mode == FetchOptions::Mode::NoCors);
     82    ASSERT(document.securityOrigin());
     83
     84    m_origin = document.securityOrigin();
     85
    8286    if (mode.isNull())
    8387        return;
     
    8690    m_options.allowCredentials = equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
    8791
    88     ASSERT(document.securityOrigin());
    8992    updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials);
    9093}
  • trunk/Source/WebCore/loader/cache/CachedResourceRequest.h

    r206203 r206255  
    3232#include "ResourceLoaderOptions.h"
    3333#include "ResourceRequest.h"
     34#include "SecurityOrigin.h"
    3435#include <wtf/RefPtr.h>
    3536#include <wtf/text/AtomicString.h>
     
    6364
    6465    void setAsPotentiallyCrossOrigin(const String&, Document&);
     66    void setOrigin(RefPtr<SecurityOrigin>&& origin) { ASSERT(!m_origin); m_origin = WTFMove(origin); }
     67    RefPtr<SecurityOrigin> releaseOrigin() { return WTFMove(m_origin); }
     68    SecurityOrigin* origin() const { return m_origin.get(); }
    6569
    6670private:
     
    7377    RefPtr<Element> m_initiatorElement;
    7478    AtomicString m_initiatorName;
     79    RefPtr<SecurityOrigin> m_origin;
    7580};
    7681
Note: See TracChangeset for help on using the changeset viewer.