Context Navigation

← Previous Changeset
Next Changeset →

Changeset 228486 in webkit

Timestamp:

Feb 14, 2018 2:27:52 PM (6 years ago)

Author:

dbates@webkit.org

Message:

Disallow cross-origin subresources from asking for credentials
https://bugs.webkit.org/show_bug.cgi?id=182579
<rdar://problem/36162271>

Reviewed by Andy Estes.

Source/WebCore:

Prompts for credentials to load cross-origin subresources are typically seen as unexpected
by a person that navigates to- or interacts with- a web page. The cross-origin and implicit
loading nature of these subresources makes asking for credentials questionable because they
are not being served by the same origin of the page a person explicitly loaded and are not
guaranteed to correspond to an explicit user interaction other than the initial load of the
page. We know that subresources that ask for credentials can be abused as part of a phishing
attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
due to their questionable nature and the risk for abuse. This will also make the behavior
of WebKit match the behavior of Chrome.

Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html

http/tests/security/basic-auth-subresource.html
http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

loader/ResourceLoader.cpp:

(WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
(WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
the authentication challenge was blocked because the request is cross origin.
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
request from prompting for credentials.
(WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.

loader/ResourceLoader.h:
loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin
subresources from prompting for credentials, if applicable.
(WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.

loader/SubresourceLoader.h:
page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -

do not allow cross origin subresources to ask for credentials).

Source/WebKit:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.

Shared/WebPreferences.yaml:
UIProcess/API/C/WKPreferences.cpp:

(WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
(WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):

UIProcess/API/C/WKPreferencesRefPrivate.h:

Source/WebKitLegacy/mac:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.

WebView/WebPreferenceKeysPrivate.h:
WebView/WebPreferences.mm:

(+[WebPreferences initialize]):
(-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
(-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):

WebView/WebPreferencesPrivate.h:
WebView/WebView.mm:

(-[WebView _preferencesChanged:]):

Tools:

Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false)
so that tests can toggle between the old behavior and new behavior.

DumpRenderTree/TestOptions.h:
DumpRenderTree/TestOptions.mm:

(TestOptions::TestOptions):

DumpRenderTree/mac/DumpRenderTree.mm:

(setWebPreferencesForTestOptions):

WebKitTestRunner/TestController.cpp:

(WTR::TestController::resetPreferencesToConsistentValues):
(WTR::updateTestOptionsFromTestHeader):

WebKitTestRunner/TestOptions.h:

(WTR::TestOptions::hasSameInitializationOptions const):

LayoutTests:

Copied existing tests that depended on cross-origin subresources being able prompt for credentials
to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior
before this change. Updated existing tests to reflect the new behavior and added new tests to
ensure that we do not regress the new behavior.

http/tests/media/video-auth-expected.txt:
http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
http/tests/media/video-auth.html:
http/tests/security/basic-auth-subresource-expected.txt: Added.
http/tests/security/basic-auth-subresource.html: Added.
http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
http/tests/security/credentials-iframes-expected.txt:
http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
http/tests/security/resources/basic-auth-subresource.html: Added.
http/tests/security/resources/subresource1/protected-image.php: Added.
http/tests/security/resources/subresource2/protected-image.php: Added.
platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as

DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.

platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason

connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.

platform/wk2/http/tests/media/video-auth-expected.txt:
platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.

Location:

trunk

Files:

: 12 added
: 1 deleted
: 33 edited
: 15 copied

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r228484
+                      r228486
+-02-14  Daniel Bates  <dabates@apple.com>
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+        Reviewed by Andy Estes.
+        Copied existing tests that depended on cross-origin subresources being able prompt for credentials
+        to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
+        to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior
+        before this change. Updated existing tests to reflect the new behavior and added new tests to
+        ensure that we do not regress the new behavior.
+        * http/tests/media/video-auth-expected.txt:
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
+        * http/tests/media/video-auth.html:
+        * http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * http/tests/security/basic-auth-subresource.html: Added.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/credentials-iframes-expected.txt:
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
+        * http/tests/security/resources/basic-auth-subresource.html: Added.
+        * http/tests/security/resources/subresource1/protected-image.php: Added.
+        * http/tests/security/resources/subresource2/protected-image.php: Added.
+        * platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
+        DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
+        * platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
+        connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
+        * platform/wk2/http/tests/media/video-auth-expected.txt:
+        * platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
+        * platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
+        * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
 -02-14  Matt Lewis  <jlewis3@apple.com>

trunk/LayoutTests/http/tests/media/video-auth-expected.txt

-                      r202579
+                      r228486
 http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
-http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST

trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html

r228484	r228486
	1	<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
1	2	<html>
2	3	<head>

trunk/LayoutTests/http/tests/media/video-auth.html

-                      r202579
+                      r228486
+<!DOCTYPE html>
 <html>
     <head>
 …
                 findMediaElement();
                 waitForEventAndFail('error');
                 waitForEvent('canplay', runNextTest);
+                waitForEventAndEnd('canplay');
+                tests = [
+                    testSameDomain,
+                    testCrossDomain,
+                ];
+                runNextTest();
+            }
+            function runNextTest()
+            {
+                var test = tests.shift();
+                if (test)
+                    test();
+                else
+                    endTest();
+                testSameDomain();
+            }
 …
                 consoleWrite('Testing same domain (127.0.0.1)');
                 video.src = 'http://127.0.0.1:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
-                video.load();
+            }
-            function testCrossDomain()
+            {
-                consoleWrite('Testing cross domain (localhost)');
-                video.src = 'http://localhost:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
                 video.load();
+            }

trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt

r211751	r228486
1	1	ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
2		127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
	2	CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/resources/cors-basic-auth.php from asking for credentials because it is a cross-origin request.
3	3	ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
4	4

trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt

r228484	r228486
1		CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
	1	CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
2	2
3	3	CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.

trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

-                      r228484
+                      r228486
 <!DOCTYPE html>
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
 <html>
 <body>
+<head>
 <script src="/js-test-resources/js-test.js"></script>
 <script>
 …
 function pass()
+{
     testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
+}
 …
 function fail()
+{
     testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
+}
 …
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
     image.onload = pass;
     image.onerror = fail;
     image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php";
     document.body.appendChild(image);
+}
 …
 window.onload = runTest;
 </script>
+</head>
+<body>
 <script>
 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.");
 </script>
 </body>

trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt

r228231	r228486
1	1	CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
2	2
3		CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is ~~insecure conten~~t.
	3	CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
4	4	Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
5	5

trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt

r228231	r228486
1	1	CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
2	2
3		CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it ~~was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php~~.
	3	CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
4	4	This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
5	5

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt

r228484	r228486
1		CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
	1	CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
2	2
3	3	CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php.

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

-                      r228484
+                      r228486
 <!DOCTYPE html>
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
 <html>
 <body>
 …
 function pass()
+{
     testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
+}
 …
 function fail()
+{
     testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
+}
 …
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
     image.onload = pass;
     image.onerror = fail;
     image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
     document.body.appendChild(image);
+}
 …
 </script>
 <script>
 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.");
 </script>
 </body>

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt

r228231	r228486
1	1	CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
2	2
3		CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php.
	3	CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
4	4	This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
5	5

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt

r228484	r228486
1		CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
	1	CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
2	2
3	3	CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php.

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

-                      r228484
+                      r228486
 <!DOCTYPE html>
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
 <html>
 <body>
 …
 function pass()
+{
     testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
+}
 …
 function fail()
+{
     testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
+}
 …
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
     image.onload = pass;
     image.onerror = fail;
     image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php";
     document.body.appendChild(image);
+}
 …
 </script>
 <script>
 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.");
 </script>
 </body>

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt

r228231	r228486
1	1	CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
2	2
3		CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php.
	3	CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
4	4	This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
5	5

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

r228484	r228486
1		<!DOCTYPE html>
	1	<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
2	2	<html>
3	3	<body>

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt

-                      r224134
+                      r228486
+localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
 This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 PASS did load image.
+PASS did not load image.
 PASS successfullyParsed is true

trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html

-                      r228187
+                      r228486
 function pass()
+{
     testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
+}
 …
 function fail()
+{
     testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
+}
 …
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
     image.onload = pass;
     image.onerror = fail;
+    image.onload = fail;
+    image.onerror = pass;
     image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
     document.body.appendChild(image);
 …
 </script>
 <script>
 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.");
 </script>
 </body>

trunk/LayoutTests/platform/win/TestExpectations

-                      r228427
+                      r228486
 # FIXME: Implement test options parsing (<!-- webkit-test-runner [ ... ] -->).
 webkit.org/b/173281 security/isSecureContext-disabled.html [ Skip ]
+webkit.org/b/173281 http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
 # TODO HW filters not yet supported on Windows

trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt

-                      r202587
+                      r228486
 .0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password
-localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST

trunk/Source/WebCore/ChangeLog

-                      r228483
+                      r228486
+-02-14  Daniel Bates  <dabates@apple.com>
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+        Reviewed by Andy Estes.
+        Prompts for credentials to load cross-origin subresources are typically seen as unexpected
+        by a person that navigates to- or interacts with- a web page. The cross-origin and implicit
+        loading nature of these subresources makes asking for credentials questionable because they
+        are not being served by the same origin of the page a person explicitly loaded and are not
+        guaranteed to correspond to an explicit user interaction other than the initial load of the
+        page. We know that subresources that ask for credentials can be abused as part of a phishing
+        attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
+        due to their questionable nature and the risk for abuse. This will also make the behavior
+        of WebKit match the behavior of Chrome.
+        Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/basic-auth-subresource.html
+               http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
+        (WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
+        the authentication challenge was blocked because the request is cross origin.
+        (WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
+        request from prompting for credentials.
+        (WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/ResourceLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin
+        subresources from prompting for credentials, if applicable.
+        (WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/SubresourceLoader.h:
+        * page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
+        do not allow cross origin subresources to ask for credentials).
 -02-14  Don Olmstead  <don.olmstead@sony.com>

trunk/Source/WebCore/loader/ResourceLoader.cpp

-                      r228231
+                      r228486
 /*
  * Copyright (C) 2006-2007, 2010-2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
  *           (C) 2007 Graham Dennis (graham.dennis@gmail.com)
+ *
 …
+}
 bool ResourceLoader::isSubresourceLoader()
+bool ResourceLoader::isSubresourceLoader() const
+{
     return false;
 …
+}
+bool ResourceLoader::shouldAllowResourceToAskForCredentials() const
+{
+    return m_canCrossOriginRequestsAskUserForCredentials || m_frame->tree().top().document()->securityOrigin().canRequest(m_request.url());
+}
 void ResourceLoader::didBlockAuthenticationChallenge()
+{
 …
     if (!m_canAskClientForCredentials)
         return;
+    if (!shouldAllowResourceToAskForCredentials()) {
+        FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request"));
+        return;
+    }
     if (!m_wasInsecureRequestSeen)
 …
     if (!m_canAskClientForCredentials)
         return false;
+    if (!shouldAllowResourceToAskForCredentials())
+        return false;
     if (m_wasInsecureRequestSeen)
         return false;

trunk/Source/WebCore/loader/ResourceLoader.h

-                      r228231
+                      r228486
     void clearResourceData();
     virtual bool isSubresourceLoader();
+    virtual bool isSubresourceLoader() const;
     virtual void willSendRequest(ResourceRequest&&, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& callback);
 …
     std::unique_ptr<PreviewLoader> m_previewLoader;
 #endif
+    bool m_canCrossOriginRequestsAskUserForCredentials { true };
 private:
 …
     void loadDataURL();
     void finishNetworkLoad();
+    bool shouldAllowResourceToAskForCredentials() const;
     // ResourceHandleClient

trunk/Source/WebCore/loader/SubresourceLoader.cpp

-                      r227680
+                      r228486
 #include "ResourceTiming.h"
 #include "RuntimeEnabledFeatures.h"
+#include "Settings.h"
 #include <wtf/CompletionHandler.h>
 #include <wtf/Ref.h>
 …
     m_resourceType = toResourceType(resource.type());
 #endif
+    m_canCrossOriginRequestsAskUserForCredentials = resource.type() == CachedResource::MainResource || frame.settings().allowCrossOriginSubresourcesToAskForCredentials();
+}
 …
+}
 bool SubresourceLoader::isSubresourceLoader()
+bool SubresourceLoader::isSubresourceLoader() const
+{
     return true;

trunk/Source/WebCore/loader/SubresourceLoader.h

r226508	r228486
48	48
49	49	void cancelIfNotFinishing();
50		bool isSubresourceLoader() override;
	50	bool isSubresourceLoader() const override;
51	51	CachedResource* cachedResource();
52	52

trunk/Source/WebCore/page/Settings.yaml

r227762	r228486
102	102	allowSettingAnyXHRHeaderFromFileURLs:
103	103	initial: false
	104	allowCrossOriginSubresourcesToAskForCredentials:
	105	initial: false
104	106	needsStorageAccessFromFileURLsQuirk:
105	107	initial: true

trunk/Source/WebKit/ChangeLog

-                      r228478
+                      r228486
+-02-14  Daniel Bates  <dabates@apple.com>
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+        Reviewed by Andy Estes.
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+        * Shared/WebPreferences.yaml:
+        * UIProcess/API/C/WKPreferences.cpp:
+        (WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
+        (WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
+        * UIProcess/API/C/WKPreferencesRefPrivate.h:
 -02-14  John Wilander  <wilander@apple.com>

trunk/Source/WebKit/Shared/WebPreferences.yaml

-                      r227873
+                      r228486
 AllowSettingAnyXHRHeaderFromFileURLs:
+  type: bool
+  defaultValue: false
+AllowCrossOriginSubresourcesToAskForCredentials:
   type: bool
   defaultValue: false

trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp

-                      r227535
+                      r228486
+}
+void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef, bool flag)
+{
+    toImpl(preferencesRef)->setAllowCrossOriginSubresourcesToAskForCredentials(flag);
+}
+bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->allowCrossOriginSubresourcesToAskForCredentials();
+}

trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h

-                      r227079
+                      r228486
 WK_EXPORT void WKPreferencesSetShouldAllowUserInstalledFonts(WKPreferencesRef, bool flag);
 WK_EXPORT bool WKPreferencesGetShouldAllowUserInstalledFonts(WKPreferencesRef);
+// Defaults to false.
+WK_EXPORT void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef, bool flag);
+WK_EXPORT bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef);
 #ifdef __cplusplus
+}

trunk/Source/WebKitLegacy/mac/ChangeLog

-                      r228463
+                      r228486
+-02-14  Daniel Bates  <dabates@apple.com>
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+        Reviewed by Andy Estes.
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+        * WebView/WebPreferenceKeysPrivate.h:
+        * WebView/WebPreferences.mm:
+        (+[WebPreferences initialize]):
+        (-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
+        (-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
+        * WebView/WebPreferencesPrivate.h:
+        * WebView/WebView.mm:
+        (-[WebView _preferencesChanged:]):
 -02-14  Ross Kirsling  <ross.kirsling@sony.com>

trunk/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h

r227535	r228486
57	57	#define WebKitAllowUniversalAccessFromFileURLsPreferenceKey @"WebKitAllowUniversalAccessFromFileURLs"
58	58	#define WebKitAllowFileAccessFromFileURLsPreferenceKey @"WebKitAllowFileAccessFromFileURLs"
	59	#define WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey @"WebKitAllowCrossOriginSubresourcesToAskForCredentials"
59	60	#define WebKitNeedsStorageAccessFromFileURLsQuirkKey @"WebKitNeedsStorageAccessFromFileURLsQuirk"
60	61	#define WebKitJavaScriptCanOpenWindowsAutomaticallyPreferenceKey @"WebKitJavaScriptCanOpenWindowsAutomatically"

trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm

-                      r228218
+                      r228486
         [NSNumber numberWithBool:YES], WebKitNeedsStorageAccessFromFileURLsQuirkKey,
+        [NSNumber numberWithBool:NO], WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey,
 #if ENABLE(MEDIA_STREAM)
         [NSNumber numberWithBool:NO], WebKitMediaDevicesEnabledPreferenceKey,
 …
+{
     [self _setBoolValue: flag forKey: WebKitAllowFileAccessFromFileURLsPreferenceKey];
+}
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials
+{
+    return [self _boolValueForKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag
+{
+    [self _setBoolValue:flag forKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}

trunk/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h

-                      r227535
+                      r228486
 - (void)setAllowFileAccessFromFileURLs:(BOOL)flag;
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials;
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag;
 - (BOOL)needsStorageAccessFromFileURLsQuirk;
 - (void)setNeedsStorageAccessFromFileURLsQuirk:(BOOL)flag;
 …
 @property (nonatomic) BOOL accessibilityObjectModelEnabled;
 @property (nonatomic) BOOL mediaCapabilitiesEnabled;
+@property (nonatomic) BOOL allowCrossOriginSubresourcesToAskForCredentials;
 #if TARGET_OS_IPHONE

trunk/Source/WebKitLegacy/mac/WebView/WebView.mm

r228308	r228486
2761	2761	settings.setAllowUniversalAccessFromFileURLs([preferences allowUniversalAccessFromFileURLs]);
2762	2762	settings.setAllowFileAccessFromFileURLs([preferences allowFileAccessFromFileURLs]);
	2763	settings.setAllowCrossOriginSubresourcesToAskForCredentials([preferences allowCrossOriginSubresourcesToAskForCredentials]);
2763	2764	settings.setNeedsStorageAccessFromFileURLsQuirk([preferences needsStorageAccessFromFileURLsQuirk]);
2764	2765	settings.setMinimumFontSize([preferences minimumFontSize]);

trunk/Tools/ChangeLog

-                      r228482
+                      r228486
+-02-14  Daniel Bates  <dabates@apple.com>
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+        Reviewed by Andy Estes.
+        Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false)
+        so that tests can toggle between the old behavior and new behavior.
+        * DumpRenderTree/TestOptions.h:
+        * DumpRenderTree/TestOptions.mm:
+        (TestOptions::TestOptions):
+        * DumpRenderTree/mac/DumpRenderTree.mm:
+        (setWebPreferencesForTestOptions):
+        * WebKitTestRunner/TestController.cpp:
+        (WTR::TestController::resetPreferencesToConsistentValues):
+        (WTR::updateTestOptionsFromTestHeader):
+        * WebKitTestRunner/TestOptions.h:
+        (WTR::TestOptions::hasSameInitializationOptions const):
 -02-12  Ryosuke Niwa  <rniwa@webkit.org>

trunk/Tools/DumpRenderTree/TestOptions.h

r226341	r228486
42	42	bool enableInspectorAdditions { false };
43	43	bool dumpJSConsoleLogInStdErr { false };
	44	bool allowCrossOriginSubresourcesToAskForCredentials { false };
44	45
45	46	TestOptions(NSURL*, const TestCommand&);

trunk/Tools/DumpRenderTree/TestOptions.mm

r226341	r228486
103	103	else if (key == "dumpJSConsoleLogInStdErr")
104	104	this->dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value);
	105	else if (key == "allowCrossOriginSubresourcesToAskForCredentials")
	106	this->allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
105	107	pairStart = pairEnd + 1;
106	108	}

trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm

r227551	r228486
995	995	preferences.isSecureContextAttributeEnabled = options.enableIsSecureContextAttribute;
996	996	preferences.inspectorAdditionsEnabled = options.enableInspectorAdditions;
	997	preferences.allowCrossOriginSubresourcesToAskForCredentials = options.allowCrossOriginSubresourcesToAskForCredentials;
997	998	}
998	999

trunk/Tools/WebKitTestRunner/TestController.cpp

-                      r228416
+                      r228486
     WKPreferencesSetWebAuthenticationEnabled(preferences, options.enableWebAuthentication);
     WKPreferencesSetIsSecureContextAttributeEnabled(preferences, options.enableIsSecureContextAttribute);
+    WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(preferences, options.allowCrossOriginSubresourcesToAskForCredentials);
     static WKStringRef defaultTextEncoding = WKStringCreateWithUTF8CString("ISO-8859-1");
 …
         if (key == "applicationManifest")
             testOptions.applicationManifest = parseStringTestHeaderValueAsRelativePath(value, pathOrURL);
+        if (key == "allowCrossOriginSubresourcesToAskForCredentials")
+            testOptions.allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
+    }

trunk/Tools/WebKitTestRunner/TestOptions.h

-                      r226341
+                      r228486
     bool shouldShowTouches { false };
     bool dumpJSConsoleLogInStdErr { false };
+    bool allowCrossOriginSubresourcesToAskForCredentials { false };
     float deviceScaleFactor { 1 };
 …
             || enableInspectorAdditions != options.enableInspectorAdditions
             || dumpJSConsoleLogInStdErr != options.dumpJSConsoleLogInStdErr
+            || applicationManifest != options.applicationManifest)
+            || applicationManifest != options.applicationManifest
+            || allowCrossOriginSubresourcesToAskForCredentials != options.allowCrossOriginSubresourcesToAskForCredentials)
             return false;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 228486 in webkit

Legend:

Download in other formats: