Changeset 206255 in webkit
- Timestamp:
- Sep 22, 2016 1:57:12 AM (8 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 1 deleted
- 8 edited
- 1 moved
trunk/LayoutTests/ChangeLog
r206253 r206255 1 2016-09-22 Youenn Fablet <youenn@apple.com> 2 3 CachedResourceRequest should store a SecurityOrigin 4 https://bugs.webkit.org/show_bug.cgi?id=162258 5 6 Reviewed by Sam Weinig. 7 8 Updated test to expect load even though CORS checks should fail as the document origin has universal access. 9 10 * http/tests/local/script-crossorigin-loads-fail-origin-expected.txt: Removed. 11 * http/tests/local/script-crossorigin-loads-file-scheme-expected.txt: Added. 12 * http/tests/local/script-crossorigin-loads-file-scheme.html: Renamed from LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html. 13 1 14 2016-09-19 Sergio Villar Senin <svillar@igalia.com> 2 15 -
trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme.html
r206254 r206255 1 1 <body> 2 <p>This test fails if the script loads correctly.</p>2 <p>This test passes if the script loads correctly.</p> 3 3 <pre></pre> 4 4 <script> … … 16 16 var script = document.createElement("script"); 17 17 script.crossOrigin = "use-credentials"; 18 // We are serving the test from the filesystem, so it should fail as authorized origin is 127.0.0.1:8000. 18 // We are serving the test from the filesystem and file URLs are granted universal access. 19 // This bypasses CORS checks and will allow access to 127.0.0.1:8000. 19 20 script.src = "http://localhost:8000/security/resources/cors-script.php?credentials=true"; 20 script.onload = function() { done(" FAIL"); }21 script.onerror = function() { done(" PASS");}21 script.onload = function() { done("PASS"); } 22 script.onerror = function() { done("FAIL");} 22 23 document.body.appendChild(script); 23 24 </script> -
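Review bot: With the `onload`/`onerror` handlers swapped, this page no longer shows any case where a credentialed cross-origin script load from a file URL is expected to be refused, and the PASS result now relies on file URLs having universal access. The visible lines do not show that setting being pinned (the setup between lines 4 and 16 is elided), so if it is not, consider stating it in the test, e.g. `if (window.testRunner) testRunner.setAllowUniversalAccessFromFileURLs(true);`. A companion test that turns the setting off and expects `onerror` would keep the refusal path covered, so a later change that widens the bypass does not go unnoticed.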
trunk/Source/WebCore/ChangeLog
r206254 r206255 1 2016-09-22 Youenn Fablet <youenn@apple.com> 2 3 CachedResourceRequest should store a SecurityOrigin 4 https://bugs.webkit.org/show_bug.cgi?id=162258 5 6 Reviewed by Sam Weinig. 7 8 Test: http/tests/local/script-crossorigin-loads-file-scheme.html 9 10 Passing SecurityOrigin from loader clients to CachedResource through CachedResourceRequest. 11 This ensures that specific origin properties like universal access are well preserved. 12 13 * loader/DocumentThreadableLoader.cpp: 14 (WebCore::DocumentThreadableLoader::loadRequest): Set origin to the request. 15 * loader/cache/CachedResource.cpp: 16 (WebCore::CachedResource::CachedResource): Setting origin from the request. 17 Computing CORS state based on that origin. 18 (WebCore::CachedResource::load): Removing origin computation. 19 (WebCore::CachedResource::loadFrom): Ditto. 20 (WebCore::CachedResource::computeOrigin): Deleted. 21 * loader/cache/CachedResource.h: 22 * loader/cache/CachedResourceLoader.cpp: 23 (WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest): 24 (WebCore::CachedResourceLoader::prepareFetch): Introduced to implement step 1 to 7 of https://fetch.spec.whatwg.org/#fetching. 25 (WebCore::CachedResourceLoader::requestResource): 26 * loader/cache/CachedResourceLoader.h: 27 * loader/cache/CachedResourceRequest.cpp: 28 (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin): Storing origin. 29 * loader/cache/CachedResourceRequest.h: 30 (WebCore::CachedResourceRequest::setOrigin): 31 (WebCore::CachedResourceRequest::releaseOrigin): 32 (WebCore::CachedResourceRequest::origin): 33 1 34 2016-09-22 Youenn Fablet <youenn@apple.com> 2 35 -
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r206254 r206255 371 371 newRequest.setInitiator(m_options.initiator); 372 372 newRequest.mutableResourceRequest().setAllowCookies(m_options.allowCredentials == AllowStoredCredentials); 373 newRequest.setOrigin(&securityOrigin()); 373 374 374 375 ASSERT(!m_resource); -
trunk/Source/WebCore/loader/cache/CachedResource.cpp
r206206 r206255 122 122 , m_loadPriority(defaultPriorityForResourceType(type)) 123 123 , m_responseTimestamp(std::chrono::system_clock::now()) 124 , m_origin(request.releaseOrigin()) 124 125 , m_lastDecodedAccessTime(0) 125 126 , m_loadFinishTime(0) … … 149 150 cachedResourceLeakCounter.increment(); 150 151 #endif 152 // FIXME: We should have a better way of checking for Navigation loads, maybe FetchMode::Options::Navigate. 153 ASSERT(m_origin || m_type == CachedResource::MainResource); 154 155 if (m_options.mode != FetchOptions::Mode::SameOrigin && m_origin 156 && !(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) 157 && !m_origin->canRequest(m_resourceRequest.url())) 158 setCrossOrigin(); 151 159 152 160 if (!m_resourceRequest.url().hasFragmentIdentifier()) … … 245 253 } 246 254 247 void CachedResource::computeOrigin(CachedResourceLoader& loader)248 {249 if (type() == MainResource)250 return;251 252 ASSERT(loader.document());253 if (m_resourceRequest.hasHTTPOrigin())254 m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());255 else256 m_origin = loader.document()->securityOrigin();257 ASSERT(m_origin);258 259 if (!(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) && !m_origin->canRequest(m_resourceRequest.url()))260 setCrossOrigin();261 262 addAdditionalRequestHeaders(loader);263 }264 265 255 void CachedResource::load(CachedResourceLoader& cachedResourceLoader) 266 256 { … … 331 321 m_resourceRequest.setPriority(loadPriority()); 332 322 333 computeOrigin(cachedResourceLoader);323 addAdditionalRequestHeaders(cachedResourceLoader); 334 324 335 325 // FIXME: It's unfortunate that the cache layer and below get to know anything about fragment identifiers. 
… … 353 343 } 354 344 355 void CachedResource::loadFrom(const CachedResource& resource , CachedResourceLoader& cachedResourceLoader)345 void CachedResource::loadFrom(const CachedResource& resource) 356 346 { 357 347 ASSERT(url() == resource.url()); 358 348 ASSERT(type() == resource.type()); 359 349 ASSERT(resource.status() == Status::Cached); 360 361 computeOrigin(cachedResourceLoader);362 350 363 351 if (isCrossOrigin() && m_options.mode == FetchOptions::Mode::Cors) { -
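Review bot: In the constructor hunk, a null `m_origin` on a non-main resource is caught only by the debug-only `ASSERT(m_origin || m_type == CachedResource::MainResource)`; in a release build the `&& m_origin` guard then skips `setCrossOrigin()`, so the resource stays marked same-origin. The prepareFetch hunk in CachedResourceLoader.cpp sets the origin only when `document()` is non-null, so this state looks reachable if a fetch is issued without a document (not confirmed from these hunks). Failing closed would be safer: either `RELEASE_ASSERT(m_origin || m_type == CachedResource::MainResource);` or calling `setCrossOrigin()` when the origin is missing for a non-main resource. The `Mode::SameOrigin` exclusion also deserves a one-line comment on where same-origin requests get refused, since the removed computeOrigin() applied the check regardless of mode. The constructor body extends beyond the hunk.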
trunk/Source/WebCore/loader/cache/CachedResource.h
r206206 r206255 212 212 ResourceResponse::Tainting responseTainting() const { return m_responseTainting; } 213 213 214 void loadFrom(const CachedResource& , CachedResourceLoader&);214 void loadFrom(const CachedResource&); 215 215 216 216 SecurityOrigin* origin() const { return m_origin.get(); } … … 310 310 311 311 void addAdditionalRequestHeaders(CachedResourceLoader&); 312 void computeOrigin(CachedResourceLoader&);313 312 void failBeforeStarting(); 314 313 -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r206254 r206255 557 557 558 558 auto resourceHandle = createResource(resource.type(), WTFMove(request), sessionID()); 559 resourceHandle->loadFrom(resource , *this);559 resourceHandle->loadFrom(resource); 560 560 return resourceHandle; 561 561 } … … 595 595 { 596 596 // Implementing step 1 to 7 of https://fetch.spec.whatwg.org/#fetching 597 598 if (!request.origin() && document()) 599 request.setOrigin(document()->securityOrigin()); 597 600 598 601 if (!request.resourceRequest().hasHTTPHeader(HTTPHeaderName::Accept)) -
trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp
r206203 r206255 80 80 { 81 81 ASSERT(m_options.mode == FetchOptions::Mode::NoCors); 82 ASSERT(document.securityOrigin()); 83 84 m_origin = document.securityOrigin(); 85 82 86 if (mode.isNull()) 83 87 return; … … 86 90 m_options.allowCredentials = equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 87 91 88 ASSERT(document.securityOrigin());89 92 updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials); 90 93 } -
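Review bot: `m_origin = document.securityOrigin();` assigns the member directly, so it bypasses the `ASSERT(!m_origin)` that `setOrigin()` in CachedResourceRequest.h uses to catch an origin being replaced. If an origin was set on the request earlier, it is silently overwritten with the document's here, and which origin wins decides the later `canRequest()` check. Either go through the setter, `setOrigin(document.securityOrigin());`, or add a comment such as `// The element's document origin deliberately replaces any origin set earlier.` The function's signature is outside the hunk.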
trunk/Source/WebCore/loader/cache/CachedResourceRequest.h
r206203 r206255 32 32 #include "ResourceLoaderOptions.h" 33 33 #include "ResourceRequest.h" 34 #include "SecurityOrigin.h" 34 35 #include <wtf/RefPtr.h> 35 36 #include <wtf/text/AtomicString.h> … … 63 64 64 65 void setAsPotentiallyCrossOrigin(const String&, Document&); 66 void setOrigin(RefPtr<SecurityOrigin>&& origin) { ASSERT(!m_origin); m_origin = WTFMove(origin); } 67 RefPtr<SecurityOrigin> releaseOrigin() { return WTFMove(m_origin); } 68 SecurityOrigin* origin() const { return m_origin.get(); } 65 69 66 70 private: … … 73 77 RefPtr<Element> m_initiatorElement; 74 78 AtomicString m_initiatorName; 79 RefPtr<SecurityOrigin> m_origin; 75 80 }; 76 81
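Review bot: The three new accessors are undocumented, and `releaseOrigin()` has a side effect a caller can miss: it moves `m_origin` out, so `origin()` returns null afterwards and a second CachedResource built from the same request would start without an origin. A comment on the declaration would help, e.g. `// Transfers the origin to the CachedResource being created; the request has no origin afterwards.` `setOrigin()` also relies on a debug-only `ASSERT(!m_origin)`, so it is worth stating that the origin is meant to be set once, by the loader client or by prepareFetch, because it carries privileges such as universal access into the CORS decision.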