Changeset 230365 in webkit
- Timestamp:
- Apr 6, 2018 8:48:55 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 8 added
- 19 edited
- 4 copied
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r230364 r230365 1 2018-04-06 Youenn Fablet <youenn@apple.com> 2 3 Response headers should be filtered when sent from NetworkProcess to WebProcess 4 https://bugs.webkit.org/show_bug.cgi?id=184310 5 6 Reviewed by Ryosuke Niwa. 7 8 Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads. 9 10 * http/wpt/service-workers/header-filtering-worker.js: Added. 11 * http/wpt/service-workers/header-filtering.https-expected.txt: Added. 12 Some tests are failing as navigation loads are not yet filtered and we 13 have no good way yet to detect cross origin loads. 14 * http/wpt/service-workers/header-filtering.https.html: Added. 15 * http/wpt/service-workers/resources/header-filtering-iframe.html: Added. 16 * http/wpt/service-workers/resources/response-full-of-headers.py: Added. 17 * http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added. 18 * http/tests/webarchive/test-preload-resources-expected.txt: Added. 19 * platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added. 20 * platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added. 21 * platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added. 22 * platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added. 23 1 24 2018-04-06 Ryan Haddad <ryanhaddad@apple.com> 2 25 -
trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt
r180441 r230365 56 56 <key>Last-Modified</key> 57 57 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 58 <key>Server</key>59 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>60 58 </dict> 61 59 <key>expectedContentLength</key> -
trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt
r180441 r230365 66 66 <key>Last-Modified</key> 67 67 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 68 <key>Server</key>69 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>70 68 </dict> 71 69 <key>expectedContentLength</key> … … 103 101 <key>Last-Modified</key> 104 102 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 105 <key>Server</key>106 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>107 103 </dict> 108 104 <key>expectedContentLength</key> … … 140 136 <key>Last-Modified</key> 141 137 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 142 <key>Server</key>143 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>144 138 </dict> 145 139 <key>expectedContentLength</key> … … 177 171 <key>Last-Modified</key> 178 172 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 179 <key>Server</key>180 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>181 173 </dict> 182 174 <key>expectedContentLength</key> … … 214 206 <key>Last-Modified</key> 215 207 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 216 <key>Server</key>217 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>218 208 </dict> 219 209 <key>expectedContentLength</key> … … 251 241 <key>Last-Modified</key> 252 242 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 253 <key>Server</key>254 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>255 243 </dict> 256 244 <key>expectedContentLength</key> … … 288 276 <key>Last-Modified</key> 289 277 <string>Sun, 16 Nov 2008 16:55:00 GMT</string> 290 <key>Server</key>291 <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>292 278 </dict> 293 279 <key>expectedContentLength</key> -
trunk/Source/WebCore/ChangeLog
r230358 r230365 1 2018-04-06 Youenn Fablet <youenn@apple.com> 2 3 Response headers should be filtered when sent from NetworkProcess to WebProcess 4 https://bugs.webkit.org/show_bug.cgi?id=184310 5 6 Reviewed by Ryosuke Niwa. 7 8 Did some refactoring to allow ResourceResponse to use header value parsing routines. 9 We add sanitization levels for regular responses in case responses might be exposed to scripts or not. 10 If not exposed to scripts, additional filtering is done. 11 12 Add internal API to get unfiltered response headers from a fetch response. 13 Test: http/wpt/service-workers/header-filtering.https.html 14 15 * Modules/fetch/FetchResponse.h: 16 * loader/CrossOriginPreflightResultCache.cpp: 17 (WebCore::CrossOriginPreflightResultCacheItem::parse): 18 * platform/network/HTTPParsers.h: 19 (WebCore::addToAccessControlAllowList): 20 (WebCore::parseAccessControlAllowList): 21 * platform/network/ResourceResponseBase.cpp: 22 (WebCore::isSafeToKeepRedirectionResponseHeader): 23 (WebCore::isCrossOriginSafeToKeepResponseHeader): 24 (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields): 25 * platform/network/ResourceResponseBase.h: 26 * testing/ServiceWorkerInternals.cpp: 27 (WebCore::ServiceWorkerInternals::fetchResponseHeaderList): 28 * testing/ServiceWorkerInternals.h: 29 * testing/ServiceWorkerInternals.idl: 30 1 31 2018-04-06 Michael Catanzaro <mcatanzaro@igalia.com> 2 32 -
trunk/Source/WebCore/Modules/fetch/FetchResponse.h
r228326 r230365 110 110 const std::optional<ResourceError>& loadingError() const { return m_loadingError; } 111 111 112 const HTTPHeaderMap& internalResponseHeaders() const { return m_internalResponse.httpHeaderFields(); } 113 112 114 private: 113 115 FetchResponse(ScriptExecutionContext&, std::optional<FetchBody>&&, Ref<FetchHeaders>&&, ResourceResponse&&); -
trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
r226349 r230365 53 53 } 54 54 55 template<class HashType>56 static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)57 {58 StringImpl* stringImpl = string.impl();59 if (!stringImpl)60 return;61 62 // Skip white space from start.63 while (start <= end && isSpaceOrNewline((*stringImpl)[start]))64 ++start;65 66 // only white space67 if (start > end)68 return;69 70 // Skip white space from end.71 while (end && isSpaceOrNewline((*stringImpl)[end]))72 --end;73 74 set.add(string.substring(start, end - start + 1));75 }76 77 template<class HashType>78 static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)79 {80 unsigned start = 0;81 size_t end;82 while ((end = string.find(',', start)) != notFound) {83 if (start != end)84 addToAccessControlAllowList(string, start, end - 1, set);85 start = end + 1;86 }87 if (start != string.length())88 addToAccessControlAllowList(string, start, string.length() - 1, set);89 90 return true;91 }92 93 55 bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription) 94 56 { 95 57 m_methods.clear(); 96 if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods), m_methods)) { 58 auto methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods)); 59 if (!methods) { 97 60 errorDescription = "Cannot parse Access-Control-Allow-Methods response header field."; 98 61 return false; 99 62 } 63 m_methods = WTFMove(methods.value()); 100 64 101 65 m_headers.clear(); 102 if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders), m_headers)) { 66 auto headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders)); 67 if (!headers) { 103 68 errorDescription = "Cannot parse Access-Control-Allow-Headers response header field."; 104 69 return false; 105 70 } 71 m_headers = WTFMove(headers.value()); 106 72 107 73 Seconds expiryDelta = 0_s; -
trunk/Source/WebCore/platform/network/HTTPParsers.h
r226349 r230365 120 120 } 121 121 122 template<class HashType> 123 void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set) 124 { 125 StringImpl* stringImpl = string.impl(); 126 if (!stringImpl) 127 return; 128 129 // Skip white space from start. 130 while (start <= end && isSpaceOrNewline((*stringImpl)[start])) 131 ++start; 132 133 // only white space 134 if (start > end) 135 return; 136 137 // Skip white space from end. 138 while (end && isSpaceOrNewline((*stringImpl)[end])) 139 --end; 140 141 set.add(string.substring(start, end - start + 1)); 122 142 } 143 144 template<class HashType = DefaultHash<String>::Hash> 145 std::optional<HashSet<String, HashType>> parseAccessControlAllowList(const String& string) 146 { 147 HashSet<String, HashType> set; 148 unsigned start = 0; 149 size_t end; 150 while ((end = string.find(',', start)) != notFound) { 151 if (start != end) 152 addToAccessControlAllowList(string, start, end - 1, set); 153 start = end + 1; 154 } 155 if (start != string.length()) 156 addToAccessControlAllowList(string, start, string.length() - 1, set); 157 158 return set; 159 } 160 161 } -
trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp
r230224 r230365 318 318 } 319 319 320 static bool isSafe ToKeepRedirectionHeader(HTTPHeaderName name)320 static bool isSafeRedirectionResponseHeader(HTTPHeaderName name) 321 321 { 322 322 // WebCore needs to keep location and cache related headers as it does caching. … … 331 331 || name == HTTPHeaderName::Age 332 332 || name == HTTPHeaderName::Pragma 333 || name == HTTPHeaderName::ReferrerPolicy 333 334 || name == HTTPHeaderName::Refresh 334 335 || name == HTTPHeaderName::Vary … … 342 343 } 343 344 344 void ResourceResponseBase::sanitizeRedirectionHTTPHeaderFields() 345 { 346 lazyInit(AllFields); 347 348 auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders()); 349 for (auto& header : commonHeaders) { 350 if (isSafeToKeepRedirectionHeader(header.key)) 351 m_httpHeaderFields.add(header.key, WTFMove(header.value)); 352 } 353 m_httpHeaderFields.uncommonHeaders().clear(); 345 static bool isSafeCrossOriginResponseHeader(HTTPHeaderName name) 346 { 347 // All known response headers used in WebProcesses. 348 return name == HTTPHeaderName::AcceptRanges 349 || name == HTTPHeaderName::AccessControlAllowCredentials 350 || name == HTTPHeaderName::AccessControlAllowHeaders 351 || name == HTTPHeaderName::AccessControlAllowMethods 352 || name == HTTPHeaderName::AccessControlAllowOrigin 353 || name == HTTPHeaderName::AccessControlExposeHeaders 354 || name == HTTPHeaderName::AccessControlMaxAge 355 || name == HTTPHeaderName::AccessControlRequestHeaders 356 || name == HTTPHeaderName::AccessControlRequestMethod 357 || name == HTTPHeaderName::Age 358 || name == HTTPHeaderName::CacheControl 359 || name == HTTPHeaderName::ContentDisposition 360 || name == HTTPHeaderName::ContentEncoding 361 || name == HTTPHeaderName::ContentLanguage 362 || name == HTTPHeaderName::ContentLength 363 || name == HTTPHeaderName::ContentRange 364 || name == HTTPHeaderName::ContentSecurityPolicy 365 || name == HTTPHeaderName::ContentSecurityPolicyReportOnly 366 || name == HTTPHeaderName::ContentType 367 || name == HTTPHeaderName::Date 368 || name == HTTPHeaderName::ETag 369 || name == HTTPHeaderName::Expires 370 || name == HTTPHeaderName::IcyMetaInt 371 || name == HTTPHeaderName::IcyMetadata 372 || name == HTTPHeaderName::LastEventID 373 || name == HTTPHeaderName::LastModified 374 || name == HTTPHeaderName::Link 375 || name == HTTPHeaderName::Pragma 376 || name == HTTPHeaderName::Range 377 || name == HTTPHeaderName::ReferrerPolicy 378 || name == HTTPHeaderName::Refresh 379 || name == HTTPHeaderName::SourceMap 380 || name == HTTPHeaderName::XSourceMap 381 || name == HTTPHeaderName::TimingAllowOrigin 382 || name == HTTPHeaderName::Trailer 383 || name == HTTPHeaderName::Vary 384 || name == HTTPHeaderName::XContentTypeOptions 385 || name == HTTPHeaderName::XDNSPrefetchControl 386 || name == HTTPHeaderName::XFrameOptions 387 || name == HTTPHeaderName::XWebKitCSP 388 || name == HTTPHeaderName::XWebKitCSPReportOnly 389 || name == HTTPHeaderName::XXSSProtection; 390 } 391 392 void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type) 393 { 394 lazyInit(AllFields); 395 396 m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie); 397 m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2); 398 399 switch (type) { 400 case SanitizationType::RemoveCookies: 401 return; 402 case SanitizationType::Redirection: { 403 auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders()); 404 for (auto& header : commonHeaders) { 405 if (isSafeRedirectionResponseHeader(header.key)) 406 m_httpHeaderFields.add(header.key, WTFMove(header.value)); 407 } 408 m_httpHeaderFields.uncommonHeaders().clear(); 409 return; 410 } 411 case SanitizationType::CrossOriginSafe: { 412 HTTPHeaderMap filteredHeaders; 413 for (auto& header : m_httpHeaderFields.commonHeaders()) { 414 if (isSafeCrossOriginResponseHeader(header.key)) 415 filteredHeaders.add(header.key, WTFMove(header.value)); 416 } 417 if (auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders))) { 418 for (auto& headerName : *corsSafeHeaderSet) { 419 if (!filteredHeaders.contains(headerName)) { 420 auto value = m_httpHeaderFields.get(headerName); 421 if (!value.isNull()) 422 filteredHeaders.add(headerName, value); 423 } 424 } 425 } 426 m_httpHeaderFields = WTFMove(filteredHeaders); 427 } 428 } 354 429 } 355 430 -
trunk/Source/WebCore/platform/network/ResourceResponseBase.h
r230229 r230365 103 103 WEBCORE_EXPORT const HTTPHeaderMap& httpHeaderFields() const; 104 104 void setHTTPHeaderFields(HTTPHeaderMap&&); 105 WEBCORE_EXPORT void sanitizeRedirectionHTTPHeaderFields(); 105 106 enum class SanitizationType { Redirection, RemoveCookies, CrossOriginSafe }; 107 WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType); 106 108 107 109 String httpHeaderField(const String& name) const; -
trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp
r227339 r230365 81 81 } 82 82 83 Vector<String> ServiceWorkerInternals::fetchResponseHeaderList(FetchResponse& response) 84 { 85 Vector<String> headerNames; 86 headerNames.reserveInitialCapacity(response.internalResponseHeaders().size()); 87 for (auto keyValue : response.internalResponseHeaders()) 88 headerNames.uncheckedAppend(keyValue.key); 89 return headerNames; 90 } 91 83 92 } // namespace WebCore 84 93 -
trunk/Source/WebCore/testing/ServiceWorkerInternals.h
r226906 r230365 48 48 Ref<FetchResponse> createOpaqueWithBlobBodyResponse(ScriptExecutionContext&); 49 49 50 Vector<String> fetchResponseHeaderList(FetchResponse&); 51 50 52 private: 51 53 explicit ServiceWorkerInternals(ServiceWorkerIdentifier); -
trunk/Source/WebCore/testing/ServiceWorkerInternals.idl
r226906 r230365 34 34 [CallWith=ScriptExecutionContext] FetchEvent createBeingDispatchedFetchEvent(); 35 35 [CallWith=ScriptExecutionContext] FetchResponse createOpaqueWithBlobBodyResponse(); 36 37 sequence<ByteString> fetchResponseHeaderList(FetchResponse response); 36 38 }; -
trunk/Source/WebKit/ChangeLog
r230359 r230365 1 2018-04-06 Youenn Fablet <youenn@apple.com> 2 3 Response headers should be filtered when sent from NetworkProcess to WebProcess 4 https://bugs.webkit.org/show_bug.cgi?id=184310 5 6 Reviewed by Ryosuke Niwa. 7 8 Pass destination parameter to NetworkResourceLoader. 9 Use new sanitization routine to filter response headers as needed: 10 - Cross-origin routines are filtered by removing any non CORS allowed headers. 11 - Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch). 12 In all cases, Set-Cookie/Set-Cookie2 headers are filtered out. 13 14 * NetworkProcess/NetworkResourceLoadParameters.cpp: 15 (WebKit::NetworkResourceLoadParameters::encode const): 16 (WebKit::NetworkResourceLoadParameters::decode): 17 * NetworkProcess/NetworkResourceLoadParameters.h: 18 * NetworkProcess/NetworkResourceLoader.cpp: 19 (WebKit::NetworkResourceLoader::didReceiveResponse): 20 (WebKit::NetworkResourceLoader::willSendRedirectedRequest): 21 (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible): 22 (WebKit::NetworkResourceLoader::didRetrieveCacheEntry): 23 (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry): 24 * NetworkProcess/NetworkResourceLoader.h: 25 * WebProcess/Network/WebLoaderStrategy.cpp: 26 (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess): 27 * WebProcess/Storage/WebSWContextManagerConnection.cpp: 28 (WebKit::WebSWContextManagerConnection::updatePreferencesStore): 29 1 30 2018-04-05 Ryosuke Niwa <rniwa@webkit.org> 2 31 -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp
r230224 r230365 90 90 encoder << sourceOrigin->data(); 91 91 encoder.encodeEnum(mode); 92 encoder.encodeEnum(destination); 92 93 encoder << cspResponseHeaders; 93 94 … … 180 181 if (!decoder.decodeEnum(result.mode)) 181 182 return false; 183 if (!decoder.decodeEnum(result.destination)) 184 return false; 182 185 if (!decoder.decode(result.cspResponseHeaders)) 183 186 return false; -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h
r230224 r230365 58 58 RefPtr<WebCore::SecurityOrigin> sourceOrigin; 59 59 WebCore::FetchOptions::Mode mode; 60 WebCore::FetchOptions::Destination destination; 60 61 std::optional<WebCore::ContentSecurityPolicyResponseHeaders> cspResponseHeaders; 61 62 bool shouldRestrictHTTPResponseAccess { false }; -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
r230293 r230365 336 336 bool shouldWaitContinueDidReceiveResponse = isMainResource(); 337 337 if (shouldSendDidReceiveResponse) { 338 // FIXME: Sanitize response. 339 auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe); 338 340 if (isSynchronous()) 339 m_synchronousLoadData->response = m_response;341 m_synchronousLoadData->response = WTFMove(response); 340 342 else 341 send(Messages::WebResourceLoader::DidReceiveResponse (m_response, shouldWaitContinueDidReceiveResponse));343 send(Messages::WebResourceLoader::DidReceiveResponse { response, shouldWaitContinueDidReceiveResponse }); 342 344 } 343 345 … … 460 462 m_cache->storeRedirect(request, redirectResponse, redirectRequest); 461 463 462 send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeRedirectResponseIfPossible(WTFMove(redirectResponse)))); 463 } 464 465 ResourceResponse NetworkResourceLoader::sanitizeRedirectResponseIfPossible(ResourceResponse&& response) 466 { 467 if (m_parameters.shouldRestrictHTTPResponseAccess) 468 response.sanitizeRedirectionHTTPHeaderFields(); 464 send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection))); 465 } 466 467 ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type) 468 { 469 if (m_parameters.shouldRestrictHTTPResponseAccess) { 470 if (type == ResourceResponse::SanitizationType::CrossOriginSafe) { 471 // We reduce filtering when it would otherwise be visible to scripts. 472 // FIXME: We should use response tainting once computed in Network Process. 473 bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url()); 474 if (isSameOrigin && m_parameters.destination == FetchOptions::Destination::EmptyString) 475 type = ResourceResponse::SanitizationType::RemoveCookies; 476 } 477 response.sanitizeHTTPHeaderFields(type); 478 } 469 479 return WTFMove(response); 470 480 } … … 569 579 void NetworkResourceLoader::didRetrieveCacheEntry(std::unique_ptr<NetworkCache::Entry> entry) 570 580 { 581 auto response = sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::CrossOriginSafe); 571 582 if (isSynchronous()) { 572 m_synchronousLoadData->response = entry->response();583 m_synchronousLoadData->response = WTFMove(response); 573 584 sendReplyToSynchronousRequest(*m_synchronousLoadData, entry->buffer()); 574 585 cleanup(); … … 577 588 578 589 bool needsContinueDidReceiveResponseMessage = isMainResource(); 579 send(Messages::WebResourceLoader::DidReceiveResponse (entry->response(), needsContinueDidReceiveResponseMessage));590 send(Messages::WebResourceLoader::DidReceiveResponse { response, needsContinueDidReceiveResponseMessage }); 580 591 581 592 if (needsContinueDidReceiveResponseMessage) … … 673 684 674 685 ++m_redirectCount; 675 send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeRe directResponseIfPossible(ResourceResponse { entry->response() }) });686 send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::Redirection) }); 676 687 m_isWaitingContinueWillSendRequestForCachedRedirect = true; 677 688 } -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h
r230293 r230365 33 33 #include "NetworkResourceLoadParameters.h" 34 34 #include "ShareableResource.h" 35 #include <WebCore/ResourceResponse.h> 35 36 #include <WebCore/Timer.h> 36 37 … … 147 148 #endif 148 149 149 WebCore::ResourceResponse sanitizeRe directResponseIfPossible(WebCore::ResourceResponse&&);150 WebCore::ResourceResponse sanitizeResponseIfPossible(WebCore::ResourceResponse&&, WebCore::ResourceResponse::SanitizationType); 150 151 151 152 const NetworkResourceLoadParameters m_parameters; -
trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp
r230224 r230365 274 274 loadParameters.maximumBufferingTime = maximumBufferingTime; 275 275 loadParameters.derivedCachedDataTypesToRetrieve = resourceLoader.options().derivedCachedDataTypesToRetrieve; 276 loadParameters.destination = resourceLoader.options().destination; 276 277 277 278 // FIXME: We should also sanitize redirect response for navigations. … … 433 434 loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(webFrame ? webFrame->coreFrame() : nullptr); 434 435 loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess(); 436 // FIXME: Use the proper destination once all fetch options are passed. 437 loadParameters.destination = FetchOptions::Destination::EmptyString; 435 438 436 439 data.shrink(0); … … 529 532 parameters.shouldPreconnectOnly = PreconnectOnly::Yes; 530 533 parameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess(); 534 // FIXME: Use the proper destination once all fetch options are passed. 535 parameters.destination = FetchOptions::Destination::EmptyString; 531 536 532 537 WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::PreconnectTo(preconnectionIdentifier, WTFMove(parameters)), 0); -
trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp
r230293 r230365 129 129 RuntimeEnabledFeatures::sharedFeatures().setResourceTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::resourceTimingEnabledKey())); 130 130 RuntimeEnabledFeatures::sharedFeatures().setFetchAPIKeepAliveEnabled(store.getBoolValueForKey(WebPreferencesKey::fetchAPIKeepAliveEnabledKey())); 131 RuntimeEnabledFeatures::sharedFeatures().setRestrictedHTTPResponseAccess(store.getBoolValueForKey(WebPreferencesKey::restrictedHTTPResponseAccessKey())); 131 132 132 133 m_storageBlockingPolicy = static_cast<SecurityOrigin::StorageBlockingPolicy>(store.getUInt32ValueForKey(WebPreferencesKey::storageBlockingPolicyKey()));
Note: See TracChangeset
for help on using the changeset viewer.