Changeset 228486 in webkit
- Timestamp:
- Feb 14, 2018 2:27:52 PM (6 years ago)
- Location:
- trunk
- Files:
- 12 added
- 1 deleted
- 33 edited
- 15 copied
trunk/LayoutTests/ChangeLog
r228484 r228486 1 2018-02-14 Daniel Bates <dabates@apple.com> 2 3 Disallow cross-origin subresources from asking for credentials 4 https://bugs.webkit.org/show_bug.cgi?id=182579 5 <rdar://problem/36162271> 6 7 Reviewed by Andy Estes. 8 9 Copied existing tests that depended on cross-origin subresources being able prompt for credentials 10 to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified 11 to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior 12 before this change. Updated existing tests to reflect the new behavior and added new tests to 13 ensure that we do not regress the new behavior. 14 15 * http/tests/media/video-auth-expected.txt: 16 * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt. 17 * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html. 18 * http/tests/media/video-auth.html: 19 * http/tests/security/basic-auth-subresource-expected.txt: Added. 20 * http/tests/security/basic-auth-subresource.html: Added. 21 * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt. 22 * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added. 23 * http/tests/security/credentials-iframes-expected.txt: 24 * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt. 
25 * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html. 26 * http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt: 27 * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt. 28 * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added. 29 * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt: 30 * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt. 31 * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html. 32 * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt: 33 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt. 
34 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html. 35 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt: 36 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt. 37 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html. 38 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt: 39 * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html: 40 * http/tests/security/resources/basic-auth-subresource.html: Added. 41 * http/tests/security/resources/subresource1/protected-image.php: Added. 42 * http/tests/security/resources/subresource2/protected-image.php: Added. 43 * platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as 44 DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>. 45 * platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason 46 connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details. 
47 * platform/wk2/http/tests/media/video-auth-expected.txt: 48 * platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt. 49 * platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added. 50 * platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt. 51 * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt. 52 1 53 2018-02-14 Matt Lewis <jlewis3@apple.com> 2 54 -
trunk/LayoutTests/http/tests/media/video-auth-expected.txt
r202579 r228486 1 1 http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password 2 http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password3 2 4 3 Tests that the media player sends authorization credentials when requesting a media file. 5 4 Testing same domain (127.0.0.1) 6 5 EVENT(canplay) 7 Testing cross domain (localhost)8 EVENT(canplay)9 6 END OF TEST 10 7 -
trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
r228484 r228486 1 <!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] --> 1 2 <html> 2 3 <head> -
trunk/LayoutTests/http/tests/media/video-auth.html
r202579 r228486 1 <!DOCTYPE html> 1 2 <html> 2 3 <head> … … 19 20 findMediaElement(); 20 21 waitForEventAndFail('error'); 21 waitForEvent ('canplay', runNextTest);22 waitForEventAndEnd('canplay'); 22 23 23 tests = [ 24 testSameDomain, 25 testCrossDomain, 26 ]; 27 28 runNextTest(); 29 } 30 31 function runNextTest() 32 { 33 var test = tests.shift(); 34 if (test) 35 test(); 36 else 37 endTest(); 24 testSameDomain(); 38 25 } 39 26 … … 42 29 consoleWrite('Testing same domain (127.0.0.1)'); 43 30 video.src = 'http://127.0.0.1:8000/media/resources/video-auth.php?name=' + media + '&type=' + type; 44 video.load();45 }46 47 function testCrossDomain()48 {49 consoleWrite('Testing cross domain (localhost)');50 video.src = 'http://localhost:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;51 31 video.load(); 52 32 } -
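Review bot: dropping `testCrossDomain()` from the default variant of video-auth.html removes the only media-element case that exercises the new default; the opt-out copy (`video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html`) keeps it, but nothing now asserts that a cross-origin media load is blocked and that the "Blocked ... because it is a cross-origin request" console message is emitted for `<video>`. Consider keeping a cross-domain step in this file that expects the `error` event instead of `canplay` (the existing `waitForEventAndFail('error')` would need to become the success path for that step), so a regression in the media path is caught as well as the image path covered by the new basic-auth-subresource.html.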
trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt
r211751 r228486 1 1 ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password. 2 127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet 2 CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/resources/cors-basic-auth.php from asking for credentials because it is a cross-origin request. 3 3 ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled 4 4 -
trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
r228484 r228486 1 CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image .https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.1 CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php. 2 2 3 3 CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content. -
trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
r228484 r228486 1 <!DOCTYPE html> 1 <!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] --> 2 2 <html> 3 < body>3 <head> 4 4 <script src="/js-test-resources/js-test.js"></script> 5 5 <script> … … 14 14 function pass() 15 15 { 16 testPassed("did load image.");16 testPassed("did not load image."); 17 17 finishJSTest(); 18 18 } … … 20 20 function fail() 21 21 { 22 testFailed("did notload image.");22 testFailed("did load image."); 23 23 finishJSTest(); 24 24 } … … 29 29 // the preload scanner performing mixed content checks as part of preloading the image. 30 30 let image = new Image; 31 image.onload = pass;32 image.onerror = fail;33 image.src = "http s://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";31 image.onload = fail; 32 image.onerror = pass; 33 image.src = "http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php"; 34 34 document.body.appendChild(image); 35 35 } … … 37 37 window.onload = runTest; 38 38 </script> 39 </head> 40 <body> 39 41 <script> 40 description("T his test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");42 description("Tests that we do not ask for credentials when loading an insecure image that requires basic authentication."); 41 43 </script> 42 44 </body> -
trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt
r228231 r228486 1 1 CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php. 2 2 3 CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.3 CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request. 4 4 Tests that we do not ask for credentials when loading an insecure image that requires basic authentication. 5 5 -
trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt
r228231 r228486 1 1 CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php. 2 2 3 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.3 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request. 4 4 This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect. 5 5 -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
r228484 r228486 1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image .https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php. 2 2 3 3 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php. -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
r228484 r228486 1 <!DOCTYPE html> 1 <!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] --> 2 2 <html> 3 3 <body> … … 14 14 function pass() 15 15 { 16 testPassed("did load image.");16 testPassed("did not load image."); 17 17 finishJSTest(); 18 18 } … … 20 20 function fail() 21 21 { 22 testFailed("did notload image.");22 testFailed("did load image."); 23 23 finishJSTest(); 24 24 } … … 29 29 // the preload scanner performing mixed content checks as part of preloading the image. 30 30 let image = new Image; 31 image.onload = pass;32 image.onerror = fail;33 image.src = "https://127.0.0.1:8443/resources/redirect.php?url=http s%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";31 image.onload = fail; 32 image.onerror = pass; 33 image.src = "https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php"; 34 34 document.body.appendChild(image); 35 35 } … … 38 38 </script> 39 39 <script> 40 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");40 description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect."); 41 41 </script> 42 42 </body> -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt
r228231 r228486 1 1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php. 2 2 3 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php.3 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request. 4 4 This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect. 5 5 -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
r228484 r228486 1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image .https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php. 2 2 3 3 CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php. -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
r228484 r228486 1 <!DOCTYPE html> 1 <!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] --> 2 2 <html> 3 3 <body> … … 14 14 function pass() 15 15 { 16 testPassed("did load image.");16 testPassed("did not load image."); 17 17 finishJSTest(); 18 18 } … … 20 20 function fail() 21 21 { 22 testFailed("did notload image.");22 testFailed("did load image."); 23 23 finishJSTest(); 24 24 } … … 29 29 // the preload scanner performing mixed content checks as part of preloading the image. 30 30 let image = new Image; 31 image.onload = pass;32 image.onerror = fail;33 image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A// 127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";31 image.onload = fail; 32 image.onerror = pass; 33 image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php"; 34 34 document.body.appendChild(image); 35 35 } … … 38 38 </script> 39 39 <script> 40 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");40 description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials."); 41 41 </script> 42 42 </body> -
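Review bot: typo in the `description(...)` string at line 40, "redirects to an secure image" should read "redirects to a secure image"; the same wording is baked into the `-expected.txt` for this test and for `secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html`, so both expectation files need the matching one-word change.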
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt
r228231 r228486 1 1 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php. 2 2 3 CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php.3 CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request. 4 4 This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials. 5 5 -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
r228484 r228486 1 <!DOCTYPE html> 1 <!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] --> 2 2 <html> 3 3 <body> -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt
r224134 r228486 1 localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword 2 This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.1 CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request. 2 This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin. 3 3 4 4 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". 5 5 6 6 7 PASS did load image.7 PASS did not load image. 8 8 PASS successfullyParsed is true 9 9 -
trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html
r228187 r228486 14 14 function pass() 15 15 { 16 testPassed("did load image.");16 testPassed("did not load image."); 17 17 finishJSTest(); 18 18 } … … 20 20 function fail() 21 21 { 22 testFailed("did notload image.");22 testFailed("did load image."); 23 23 finishJSTest(); 24 24 } … … 29 29 // the preload scanner performing mixed content checks as part of preloading the image. 30 30 let image = new Image; 31 image.onload = pass;32 image.onerror = fail;31 image.onload = fail; 32 image.onerror = pass; 33 33 image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php"; 34 34 document.body.appendChild(image); … … 38 38 </script> 39 39 <script> 40 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");40 description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin."); 41 41 </script> 42 42 </body> -
trunk/LayoutTests/platform/win/TestExpectations
r228427 r228486 92 92 # FIXME: Implement test options parsing (<!-- webkit-test-runner [ ... ] -->). 93 93 webkit.org/b/173281 security/isSecureContext-disabled.html [ Skip ] 94 webkit.org/b/173281 http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ] 95 webkit.org/b/173281 http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ] 96 webkit.org/b/173281 http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ] 97 webkit.org/b/173281 http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ] 98 webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ] 99 webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ] 100 webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ] 94 101 95 102 # TODO HW filters not yet supported on Windows -
trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt
r202587 r228486 1 1 127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password 2 localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password3 2 4 3 Tests that the media player sends authorization credentials when requesting a media file. 5 4 Testing same domain (127.0.0.1) 6 5 EVENT(canplay) 7 Testing cross domain (localhost)8 EVENT(canplay)9 6 END OF TEST 10 7 -
trunk/Source/WebCore/ChangeLog
r228483 r228486 1 2018-02-14 Daniel Bates <dabates@apple.com> 2 3 Disallow cross-origin subresources from asking for credentials 4 https://bugs.webkit.org/show_bug.cgi?id=182579 5 <rdar://problem/36162271> 6 7 Reviewed by Andy Estes. 8 9 Prompts for credentials to load cross-origin subresources are typically seen as unexpected 10 by a person that navigates to- or interacts with- a web page. The cross-origin and implicit 11 loading nature of these subresources makes asking for credentials questionable because they 12 are not being served by the same origin of the page a person explicitly loaded and are not 13 guaranteed to correspond to an explicit user interaction other than the initial load of the 14 page. We know that subresources that ask for credentials can be abused as part of a phishing 15 attack. It seems reasonable to disallow cross-origin subresources from asking for credentials 16 due to their questionable nature and the risk for abuse. This will also make the behavior 17 of WebKit match the behavior of Chrome. 
18 19 Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html 20 http/tests/security/basic-auth-subresource.html 21 http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 22 http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html 23 http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 24 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 25 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 26 27 * loader/ResourceLoader.cpp: 28 (WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const. 29 (WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added. 30 (WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if 31 the authentication challenge was blocked because the request is cross origin. 32 (WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin 33 request from prompting for credentials. 34 (WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const. 35 * loader/ResourceLoader.h: 36 * loader/SubresourceLoader.cpp: 37 (WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin 38 subresources from prompting for credentials, if applicable. 39 (WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const. 40 (WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const. 
41 * loader/SubresourceLoader.h: 42 * page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false - 43 do not allow cross origin subresources to ask for credentials). 44 1 45 2018-02-14 Don Olmstead <don.olmstead@sony.com> 2 46 -
trunk/Source/WebCore/loader/ResourceLoader.cpp
r228231 r228486 1 1 /* 2 * Copyright (C) 2006-20 07, 2010-2011, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2006-2018 Apple Inc. All rights reserved. 3 3 * (C) 2007 Graham Dennis (graham.dennis@gmail.com) 4 4 * … … 327 327 } 328 328 329 bool ResourceLoader::isSubresourceLoader() 329 bool ResourceLoader::isSubresourceLoader() const 330 330 { 331 331 return false; … … 464 464 } 465 465 466 bool ResourceLoader::shouldAllowResourceToAskForCredentials() const 467 { 468 return m_canCrossOriginRequestsAskUserForCredentials || m_frame->tree().top().document()->securityOrigin().canRequest(m_request.url()); 469 } 470 466 471 void ResourceLoader::didBlockAuthenticationChallenge() 467 472 { … … 470 475 if (!m_canAskClientForCredentials) 471 476 return; 477 478 if (!shouldAllowResourceToAskForCredentials()) { 479 FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request")); 480 return; 481 } 472 482 473 483 if (!m_wasInsecureRequestSeen) … … 740 750 if (!m_canAskClientForCredentials) 741 751 return false; 752 if (!shouldAllowResourceToAskForCredentials()) 753 return false; 742 754 if (m_wasInsecureRequestSeen) 743 755 return false; -
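Review bot: `shouldAllowResourceToAskForCredentials()` dereferences `m_frame->tree().top().document()` without a null check, yet the `didBlockAuthenticationChallenge` hunk just below passes `m_frame.get()` (a nullable pointer) to `FrameLoader::reportAuthenticationChallengeBlocked`, and `Frame::document()` can itself return null early in a frame's life. Guard both before the `canRequest` call, for example `auto* topDocument = m_frame ? m_frame->tree().top().document() : nullptr; if (!topDocument) return false;` so the check fails closed. Also worth spelling out in the ChangeLog: the origin compared is the top-level document's, not the loading frame's, so a request that is same-origin with a cross-origin iframe but not with the top page is blocked too (which is what the updated credentials-iframes expectation shows for `cors-basic-auth.php`).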
trunk/Source/WebCore/loader/ResourceLoader.h
r228231 r228486 99 99 void clearResourceData(); 100 100 101 virtual bool isSubresourceLoader() ;101 virtual bool isSubresourceLoader() const; 102 102 103 103 virtual void willSendRequest(ResourceRequest&&, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& callback); … … 178 178 std::unique_ptr<PreviewLoader> m_previewLoader; 179 179 #endif 180 bool m_canCrossOriginRequestsAskUserForCredentials { true }; 180 181 181 182 private: … … 186 187 void loadDataURL(); 187 188 void finishNetworkLoad(); 189 190 bool shouldAllowResourceToAskForCredentials() const; 188 191 189 192 // ResourceHandleClient -
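Review bot: `m_canCrossOriginRequestsAskUserForCredentials { true }` defaults to allow in the base class, so any `ResourceLoader` subclass that does not reset it in its constructor keeps the old prompt-for-any-origin behaviour; in this patch only `SubresourceLoader` assigns it. Defaulting to `false` and having the main-resource path opt in would fail closed, or at minimum add a comment beside the member stating that the permissive default is intentional for non-subresource loaders, since the name alone reads as a policy rather than a subclass-overridden flag.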
trunk/Source/WebCore/loader/SubresourceLoader.cpp
r227680 r228486 46 46 #include "ResourceTiming.h" 47 47 #include "RuntimeEnabledFeatures.h" 48 #include "Settings.h" 48 49 #include <wtf/CompletionHandler.h> 49 50 #include <wtf/Ref.h> … … 93 94 m_resourceType = toResourceType(resource.type()); 94 95 #endif 96 m_canCrossOriginRequestsAskUserForCredentials = resource.type() == CachedResource::MainResource || frame.settings().allowCrossOriginSubresourcesToAskForCredentials(); 95 97 } 96 98 … … 163 165 } 164 166 165 bool SubresourceLoader::isSubresourceLoader() 167 bool SubresourceLoader::isSubresourceLoader() const 166 168 { 167 169 return true; -
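Review bot: the assignment at line 96 exempts CachedResource::MainResource, so a frame's main document may still prompt even when it is cross-origin to the top-level document; that is presumably intended, since frame loads are navigations, but it is not stated in the ChangeLog and deserves a comment here, because the setting's name reads as if it covers every subresource loader. Note also that the value is computed from frame.settings() once at construction, so changing allowCrossOriginSubresourcesToAskForCredentials later does not affect an in-flight loader.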
trunk/Source/WebCore/loader/SubresourceLoader.h
r226508 r228486 48 48 49 49 void cancelIfNotFinishing(); 50 bool isSubresourceLoader() override;50 bool isSubresourceLoader() const override; 51 51 CachedResource* cachedResource(); 52 52 -
trunk/Source/WebCore/page/Settings.yaml
r227762 r228486 102 102 allowSettingAnyXHRHeaderFromFileURLs: 103 103 initial: false 104 allowCrossOriginSubresourcesToAskForCredentials: 105 initial: false 104 106 needsStorageAccessFromFileURLsQuirk: 105 107 initial: true -
trunk/Source/WebKit/ChangeLog
r228478 r228486 1 2018-02-14 Daniel Bates <dabates@apple.com> 2 3 Disallow cross-origin subresources from asking for credentials 4 https://bugs.webkit.org/show_bug.cgi?id=182579 5 <rdar://problem/36162271> 6 7 Reviewed by Andy Estes. 8 9 Add a private preference to toggle allowing non-mixed content cross-origin subresources to load. 10 WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential. 11 12 * Shared/WebPreferences.yaml: 13 * UIProcess/API/C/WKPreferences.cpp: 14 (WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials): 15 (WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials): 16 * UIProcess/API/C/WKPreferencesRefPrivate.h: 17 1 18 2018-02-14 John Wilander <wilander@apple.com> 2 19 -
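Review bot: the description "toggle allowing non-mixed content cross-origin subresources to load" (line 9) does not match what the preference does: the WebCore hunks gate whether such subresources may prompt for credentials, not whether they load. Line 10 names the test option allowCrossOriginSubresourcesToAskForCredential, but the key parsed by WebKitTestRunner and DumpRenderTree is allowCrossOriginSubresourcesToAskForCredentials; the same two wording issues recur in the WebKitLegacy and Tools ChangeLogs below.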
trunk/Source/WebKit/Shared/WebPreferences.yaml
r227873 r228486 181 181 182 182 AllowSettingAnyXHRHeaderFromFileURLs: 183 type: bool 184 defaultValue: false 185 186 AllowCrossOriginSubresourcesToAskForCredentials: 183 187 type: bool 184 188 defaultValue: false -
trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
r227535 r228486 1935 1935 } 1936 1936 1937 void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef, bool flag) 1938 { 1939 toImpl(preferencesRef)->setAllowCrossOriginSubresourcesToAskForCredentials(flag); 1940 } 1941 1942 bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef) 1943 { 1944 return toImpl(preferencesRef)->allowCrossOriginSubresourcesToAskForCredentials(); 1945 } -
trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h
r227079 r228486 553 553 WK_EXPORT void WKPreferencesSetShouldAllowUserInstalledFonts(WKPreferencesRef, bool flag); 554 554 WK_EXPORT bool WKPreferencesGetShouldAllowUserInstalledFonts(WKPreferencesRef); 555 555 556 // Defaults to false. 557 WK_EXPORT void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef, bool flag); 558 WK_EXPORT bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef); 559 556 560 #ifdef __cplusplus 557 561 } -
trunk/Source/WebKitLegacy/mac/ChangeLog
r228463 r228486 1 2018-02-14 Daniel Bates <dabates@apple.com> 2 3 Disallow cross-origin subresources from asking for credentials 4 https://bugs.webkit.org/show_bug.cgi?id=182579 5 <rdar://problem/36162271> 6 7 Reviewed by Andy Estes. 8 9 Add a private preference to toggle allowing non-mixed content cross-origin subresources to load. 10 DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential. 11 12 * WebView/WebPreferenceKeysPrivate.h: 13 * WebView/WebPreferences.mm: 14 (+[WebPreferences initialize]): 15 (-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]): 16 (-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]): 17 * WebView/WebPreferencesPrivate.h: 18 * WebView/WebView.mm: 19 (-[WebView _preferencesChanged:]): 20 1 21 2018-02-14 Ross Kirsling <ross.kirsling@sony.com> 2 22 -
trunk/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h
r227535 r228486 57 57 #define WebKitAllowUniversalAccessFromFileURLsPreferenceKey @"WebKitAllowUniversalAccessFromFileURLs" 58 58 #define WebKitAllowFileAccessFromFileURLsPreferenceKey @"WebKitAllowFileAccessFromFileURLs" 59 #define WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey @"WebKitAllowCrossOriginSubresourcesToAskForCredentials" 59 60 #define WebKitNeedsStorageAccessFromFileURLsQuirkKey @"WebKitNeedsStorageAccessFromFileURLsQuirk" 60 61 #define WebKitJavaScriptCanOpenWindowsAutomaticallyPreferenceKey @"WebKitJavaScriptCanOpenWindowsAutomatically" -
trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm
r228218 r228486 651 651 652 652 [NSNumber numberWithBool:YES], WebKitNeedsStorageAccessFromFileURLsQuirkKey, 653 [NSNumber numberWithBool:NO], WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey, 653 654 #if ENABLE(MEDIA_STREAM) 654 655 [NSNumber numberWithBool:NO], WebKitMediaDevicesEnabledPreferenceKey, … … 1498 1499 { 1499 1500 [self _setBoolValue: flag forKey: WebKitAllowFileAccessFromFileURLsPreferenceKey]; 1501 } 1502 1503 - (BOOL)allowCrossOriginSubresourcesToAskForCredentials 1504 { 1505 return [self _boolValueForKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey]; 1506 } 1507 1508 - (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag 1509 { 1510 [self _setBoolValue:flag forKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey]; 1500 1511 } 1501 1512 -
trunk/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h
r227535 r228486 145 145 - (void)setAllowFileAccessFromFileURLs:(BOOL)flag; 146 146 147 - (BOOL)allowCrossOriginSubresourcesToAskForCredentials; 148 - (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag; 149 147 150 - (BOOL)needsStorageAccessFromFileURLsQuirk; 148 151 - (void)setNeedsStorageAccessFromFileURLsQuirk:(BOOL)flag; … … 599 602 @property (nonatomic) BOOL accessibilityObjectModelEnabled; 600 603 @property (nonatomic) BOOL mediaCapabilitiesEnabled; 604 @property (nonatomic) BOOL allowCrossOriginSubresourcesToAskForCredentials; 601 605 602 606 #if TARGET_OS_IPHONE -
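Review bot: allowCrossOriginSubresourcesToAskForCredentials is declared twice in this header, once as an explicit getter/setter pair (lines 147-148) and again as a @property (line 604); in the visible context the neighbouring preferences use one form or the other, not both, so one of the two declarations should go.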
trunk/Source/WebKitLegacy/mac/WebView/WebView.mm
r228308 r228486 2761 2761 settings.setAllowUniversalAccessFromFileURLs([preferences allowUniversalAccessFromFileURLs]); 2762 2762 settings.setAllowFileAccessFromFileURLs([preferences allowFileAccessFromFileURLs]); 2763 settings.setAllowCrossOriginSubresourcesToAskForCredentials([preferences allowCrossOriginSubresourcesToAskForCredentials]); 2763 2764 settings.setNeedsStorageAccessFromFileURLsQuirk([preferences needsStorageAccessFromFileURLsQuirk]); 2764 2765 settings.setMinimumFontSize([preferences minimumFontSize]); -
trunk/Tools/ChangeLog
r228482 r228486 1 2018-02-14 Daniel Bates <dabates@apple.com> 2 3 Disallow cross-origin subresources from asking for credentials 4 https://bugs.webkit.org/show_bug.cgi?id=182579 5 <rdar://problem/36162271> 6 7 Reviewed by Andy Estes. 8 9 Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false) 10 so that tests can toggle between the old behavior and new behavior. 11 12 * DumpRenderTree/TestOptions.h: 13 * DumpRenderTree/TestOptions.mm: 14 (TestOptions::TestOptions): 15 * DumpRenderTree/mac/DumpRenderTree.mm: 16 (setWebPreferencesForTestOptions): 17 * WebKitTestRunner/TestController.cpp: 18 (WTR::TestController::resetPreferencesToConsistentValues): 19 (WTR::updateTestOptionsFromTestHeader): 20 * WebKitTestRunner/TestOptions.h: 21 (WTR::TestOptions::hasSameInitializationOptions const): 22 1 23 2018-02-12 Ryosuke Niwa <rniwa@webkit.org> 2 24 -
trunk/Tools/DumpRenderTree/TestOptions.h
r226341 r228486 42 42 bool enableInspectorAdditions { false }; 43 43 bool dumpJSConsoleLogInStdErr { false }; 44 bool allowCrossOriginSubresourcesToAskForCredentials { false }; 44 45 45 46 TestOptions(NSURL*, const TestCommand&); -
trunk/Tools/DumpRenderTree/TestOptions.mm
r226341 r228486 103 103 else if (key == "dumpJSConsoleLogInStdErr") 104 104 this->dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value); 105 else if (key == "allowCrossOriginSubresourcesToAskForCredentials") 106 this->allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value); 105 107 pairStart = pairEnd + 1; 106 108 } -
trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm
r227551 r228486 995 995 preferences.isSecureContextAttributeEnabled = options.enableIsSecureContextAttribute; 996 996 preferences.inspectorAdditionsEnabled = options.enableInspectorAdditions; 997 preferences.allowCrossOriginSubresourcesToAskForCredentials = options.allowCrossOriginSubresourcesToAskForCredentials; 997 998 } 998 999 -
trunk/Tools/WebKitTestRunner/TestController.cpp
r228416 r228486 693 693 WKPreferencesSetWebAuthenticationEnabled(preferences, options.enableWebAuthentication); 694 694 WKPreferencesSetIsSecureContextAttributeEnabled(preferences, options.enableIsSecureContextAttribute); 695 WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(preferences, options.allowCrossOriginSubresourcesToAskForCredentials); 695 696 696 697 static WKStringRef defaultTextEncoding = WKStringCreateWithUTF8CString("ISO-8859-1"); … … 1069 1070 if (key == "applicationManifest") 1070 1071 testOptions.applicationManifest = parseStringTestHeaderValueAsRelativePath(value, pathOrURL); 1072 if (key == "allowCrossOriginSubresourcesToAskForCredentials") 1073 testOptions.allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value); 1071 1074 pairStart = pairEnd + 1; 1072 1075 } -
trunk/Tools/WebKitTestRunner/TestOptions.h
r226341 r228486 55 55 bool shouldShowTouches { false }; 56 56 bool dumpJSConsoleLogInStdErr { false }; 57 bool allowCrossOriginSubresourcesToAskForCredentials { false }; 57 58 58 59 float deviceScaleFactor { 1 }; … … 83 84 || enableInspectorAdditions != options.enableInspectorAdditions 84 85 || dumpJSConsoleLogInStdErr != options.dumpJSConsoleLogInStdErr 85 || applicationManifest != options.applicationManifest) 86 || applicationManifest != options.applicationManifest 87 || allowCrossOriginSubresourcesToAskForCredentials != options.allowCrossOriginSubresourcesToAskForCredentials) 86 88 return false; 87 89