Changeset 233739 in webkit


Timestamp:
Jul 11, 2018 12:36:16 PM (6 years ago)
Author:
youenn@apple.com
Message:

Fix remaining Cross-Origin-Resource-Policy failures, if any
https://bugs.webkit.org/show_bug.cgi?id=186761
<rdar://problem/41209829>

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Fixed some tests for correctness.

  • web-platform-tests/fetch/cross-origin-resource-policy/fetch-in-service-worker-expected.txt:
  • web-platform-tests/fetch/cross-origin-resource-policy/fetch.any-expected.txt:
  • web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.js:

(promise_test):

  • web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.worker-expected.txt:
  • web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window-expected.txt: Added.
  • web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.html: Added.
  • web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js:
  • web-platform-tests/fetch/cross-origin-resource-policy/syntax.any-expected.txt:
  • web-platform-tests/fetch/cross-origin-resource-policy/syntax.any.worker-expected.txt:

Source/WebCore:

Add case-sensitive check for CORP header value, as per fetch specification.
Add HTTP->HTTPS check for same-site case, as per fetch specification.
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check

Test: imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.html

  • loader/CrossOriginAccessControl.cpp:

(WebCore::shouldCrossOriginResourcePolicyCancelLoad):

  • platform/network/HTTPParsers.cpp:

(WebCore::parseCrossOriginResourcePolicyHeader):

Tools:

  • TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp:

(TestWebKitAPI::TEST):

2018-07-11 Aakash Jain <aakash_jain@apple.com>

[ews-build] EWS should unapply the patch and build ToT when patch fails to build
https://bugs.webkit.org/show_bug.cgi?id=187358

Reviewed by Alexey Proskuryakov.

  • BuildSlaveSupport/ews-build/factories.py:

(BuildFactory.init):

  • BuildSlaveSupport/ews-build/steps.py:

(CompileWebKit): Set haltOnFailure to false so as to run next steps (e.g.: un-apply patch, compile ToT).
(CompileWebKit.evaluateCommand): Set patchFailedToBuild property.
(CompileWebKitToT): Build ToT without patch.
(CompileWebKitToT.doStepIf): Run this step only if patch failed to build.

  • BuildSlaveSupport/ews-build/steps_unittest.py: Added unit-tests. Also lower-cased Release and Debug.

LayoutTests:

Remove redundant tests with WPT.

  • http/wpt/cross-origin-resource-policy/fetch-expected.txt: Removed.
  • http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt: Removed.
  • http/wpt/cross-origin-resource-policy/fetch-in-iframe.html: Removed.
  • http/wpt/cross-origin-resource-policy/fetch.html: Removed.
  • http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt: Removed.
  • http/wpt/cross-origin-resource-policy/iframe-loads.html: Removed.
  • http/wpt/cross-origin-resource-policy/image-loads-expected.txt: Removed.
  • http/wpt/cross-origin-resource-policy/image-loads.html: Removed.
  • http/wpt/cross-origin-resource-policy/resources/hello.py: Removed.
  • http/wpt/cross-origin-resource-policy/resources/iframe.py: Removed.
  • http/wpt/cross-origin-resource-policy/resources/iframeFetch.html: Removed.
  • http/wpt/cross-origin-resource-policy/resources/redirect.py: Removed.
  • http/wpt/cross-origin-resource-policy/resources/script.py: Removed.
  • http/wpt/cross-origin-resource-policy/script-loads-expected.txt: Removed.
  • http/wpt/cross-origin-resource-policy/script-loads.html: Removed.
Location:
trunk
Files:
2 added
15 deleted
14 edited

  • trunk/LayoutTests/ChangeLog

    r233738 r233739  
     12018-07-11  Youenn Fablet  <youenn@apple.com>
     2
     3        Fix remaining Cross-Origin-Resource-Policy failures, if any
     4        https://bugs.webkit.org/show_bug.cgi?id=186761
     5        <rdar://problem/41209829>
     6
     7        Reviewed by Alex Christensen.
     8
     9        Remove redundant tests with WPT.
     10
     11        * http/wpt/cross-origin-resource-policy/fetch-expected.txt: Removed.
     12        * http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt: Removed.
     13        * http/wpt/cross-origin-resource-policy/fetch-in-iframe.html: Removed.
     14        * http/wpt/cross-origin-resource-policy/fetch.html: Removed.
     15        * http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt: Removed.
     16        * http/wpt/cross-origin-resource-policy/iframe-loads.html: Removed.
     17        * http/wpt/cross-origin-resource-policy/image-loads-expected.txt: Removed.
     18        * http/wpt/cross-origin-resource-policy/image-loads.html: Removed.
     19        * http/wpt/cross-origin-resource-policy/resources/hello.py: Removed.
     20        * http/wpt/cross-origin-resource-policy/resources/iframe.py: Removed.
     21        * http/wpt/cross-origin-resource-policy/resources/iframeFetch.html: Removed.
     22        * http/wpt/cross-origin-resource-policy/resources/redirect.py: Removed.
     23        * http/wpt/cross-origin-resource-policy/resources/script.py: Removed.
     24        * http/wpt/cross-origin-resource-policy/script-loads-expected.txt: Removed.
     25        * http/wpt/cross-origin-resource-policy/script-loads.html: Removed.
     26
    1272018-07-11  Jer Noble  <jer.noble@apple.com>
    228
  • trunk/LayoutTests/imported/w3c/ChangeLog

    r233729 r233739  
     12018-07-11  Youenn Fablet  <youenn@apple.com>
     2
     3        Fix remaining Cross-Origin-Resource-Policy failures, if any
     4        https://bugs.webkit.org/show_bug.cgi?id=186761
     5        <rdar://problem/41209829>
     6
     7        Reviewed by Alex Christensen.
     8
     9        Fixed some tests for correctness.
     10
     11        * web-platform-tests/fetch/cross-origin-resource-policy/fetch-in-service-worker-expected.txt:
     12        * web-platform-tests/fetch/cross-origin-resource-policy/fetch.any-expected.txt:
     13        * web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.js:
     14        (promise_test):
     15        * web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.worker-expected.txt:
     16        * web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window-expected.txt: Added.
     17        * web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.html: Added.
     18        * web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js:
     19        * web-platform-tests/fetch/cross-origin-resource-policy/syntax.any-expected.txt:
     20        * web-platform-tests/fetch/cross-origin-resource-policy/syntax.any.worker-expected.txt:
     21
    1222018-07-10  Antoine Quint  <graouts@apple.com>
    223
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/fetch-in-service-worker-expected.txt

    r233273 r233739  
    77PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    88PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
    9 PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.
     9PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header, HTTP context, HTTPS resource.
    1010PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    1111PASS Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/fetch.any-expected.txt

    r233273 r233739  
    33CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
    44CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site due to access control checks.
     5CONSOLE MESSAGE: Cancelled load to https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
     6CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site due to access control checks.
    57CONSOLE MESSAGE: Cancelled load to https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-origin because it violates the resource's Cross-Origin-Resource-Policy response header.
    68CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-origin due to access control checks.
     
    1820PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    1921PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
    20 PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.
     22PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header, HTTP context, HTTPS resource.
    2123PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    2224PASS Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.js

    r233273 r233739  
    4646promise_test((test) => {
    4747    const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site";
    48     return fetch(remoteURL, { mode: "no-cors" });
    49 }, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.");
     48    return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" }));
     49}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header, HTTP context, HTTPS resource.");
    5050
    5151promise_test((test) => {
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/fetch.any.worker-expected.txt

    r233273 r233739  
    11CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-origin because it violates the resource's Cross-Origin-Resource-Policy response header.
    22CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
     3CONSOLE MESSAGE: Cancelled load to https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
    34CONSOLE MESSAGE: Cancelled load to https://localhost:9443/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-origin because it violates the resource's Cross-Origin-Resource-Policy response header.
    45CONSOLE MESSAGE: Cancelled load to http://localhost:8801/fetch/cross-origin-resource-policy/resources/hello.py?corp=same-origin because it violates the resource's Cross-Origin-Resource-Policy response header.
     
    1213PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    1314PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
    14 PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.
     15PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header, HTTP context, HTTPS resource.
    1516PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-origin' response header.
    1617PASS Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.js

    r233238 r233739  
    33promise_test(t => {
    44  const img = new Image();
    5   img.src = get_host_info().HTTP_REMOTE_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
     5  img.src = get_host_info().HTTP_ORIGIN + "/fetch/cross-origin-resource-policy/resources/image.py?corp=same-site";
    66  return new Promise((resolve, reject) => {
    77    img.onload = resolve;
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/syntax.any-expected.txt

    r233238 r233739  
    1 CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=SAME-ORIGIN because it violates the resource's Cross-Origin-Resource-Policy response header.
    2 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=SAME-ORIGIN due to access control checks.
    3 CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=Same-Origin because it violates the resource's Cross-Origin-Resource-Policy response header.
    4 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=Same-Origin due to access control checks.
    51
    62PASS Parsing Cross-Origin-Resource-Policy: same
    73PASS Parsing Cross-Origin-Resource-Policy: same, same-origin
    8 FAIL Parsing Cross-Origin-Resource-Policy: SAME-ORIGIN promise_test: Unhandled rejection with value: object "TypeError: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=SAME-ORIGIN because it violates the resource's Cross-Origin-Resource-Policy response header."
    9 FAIL Parsing Cross-Origin-Resource-Policy: Same-Origin promise_test: Unhandled rejection with value: object "TypeError: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=Same-Origin because it violates the resource's Cross-Origin-Resource-Policy response header."
     4PASS Parsing Cross-Origin-Resource-Policy: SAME-ORIGIN
     5PASS Parsing Cross-Origin-Resource-Policy: Same-Origin
    106PASS Parsing Cross-Origin-Resource-Policy: same-origin, <>
    117PASS Parsing Cross-Origin-Resource-Policy: same-origin, same-origin
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/syntax.any.worker-expected.txt

    r233238 r233739  
    1 CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=SAME-ORIGIN because it violates the resource's Cross-Origin-Resource-Policy response header.
    2 CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=Same-Origin because it violates the resource's Cross-Origin-Resource-Policy response header.
    31
    42PASS Parsing Cross-Origin-Resource-Policy: same
    53PASS Parsing Cross-Origin-Resource-Policy: same, same-origin
    6 FAIL Parsing Cross-Origin-Resource-Policy: SAME-ORIGIN promise_test: Unhandled rejection with value: object "TypeError: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=SAME-ORIGIN because it violates the resource's Cross-Origin-Resource-Policy response header."
    7 FAIL Parsing Cross-Origin-Resource-Policy: Same-Origin promise_test: Unhandled rejection with value: object "TypeError: Cancelled load to http://127.0.0.1:8800/fetch/cross-origin-resource-policy/resources/hello.py?corp=Same-Origin because it violates the resource's Cross-Origin-Resource-Policy response header."
     4PASS Parsing Cross-Origin-Resource-Policy: SAME-ORIGIN
     5PASS Parsing Cross-Origin-Resource-Policy: Same-Origin
    86PASS Parsing Cross-Origin-Resource-Policy: same-origin, <>
    97PASS Parsing Cross-Origin-Resource-Policy: same-origin, same-origin
  • trunk/Source/WebCore/ChangeLog

    r233737 r233739  
     12018-07-11  Youenn Fablet  <youenn@apple.com>
     2
     3        Fix remaining Cross-Origin-Resource-Policy failures, if any
     4        https://bugs.webkit.org/show_bug.cgi?id=186761
     5        <rdar://problem/41209829>
     6
     7        Reviewed by Alex Christensen.
     8
     9        Add case-sensitive check for CORP header value, as per fetch specification.
     10        Add HTTP->HTTPS check for same-site case, as per fetch specification.
     11        https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check
     12
     13        Test: imported/w3c/web-platform-tests/fetch/cross-origin-resource-policy/scheme-restriction.https.window.html
     14
     15        * loader/CrossOriginAccessControl.cpp:
     16        (WebCore::shouldCrossOriginResourcePolicyCancelLoad):
     17        * platform/network/HTTPParsers.cpp:
     18        (WebCore::parseCrossOriginResourcePolicyHeader):
     19
    1202018-07-11  Ross Kirsling  <ross.kirsling@sony.com>
    221
  • trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

    r233122 r233739  
    213213
    214214    auto policy = parseCrossOriginResourcePolicyHeader(response.httpHeaderField(HTTPHeaderName::CrossOriginResourcePolicy));
    215     switch (policy) {
    216     case CrossOriginResourcePolicy::None:
    217     case CrossOriginResourcePolicy::Invalid:
    218         return false;
    219     case CrossOriginResourcePolicy::SameOrigin:
     215
     216    if (policy == CrossOriginResourcePolicy::SameOrigin)
    220217        return true;
    221     case CrossOriginResourcePolicy::SameSite: {
     218
     219    if (policy == CrossOriginResourcePolicy::SameSite) {
     220        if (origin.isUnique())
     221            return true;
    222222#if ENABLE(PUBLIC_SUFFIX_LIST)
    223         return origin.isUnique() || !registrableDomainsAreEqual(response.url(), ResourceRequest::partitionName(origin.host()));
    224 #else
    225         return true;
     223        if (!registrableDomainsAreEqual(response.url(), ResourceRequest::partitionName(origin.host())))
     224            return true;
    226225#endif
    227     }}
    228 
    229     RELEASE_ASSERT_NOT_REACHED();
     226        if (origin.protocol() == "http" && response.url().protocol() == "https")
     227            return true;
     228    }
     229
     230    return false;
    230231}
    231232
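Review bot: On builds without ENABLE(PUBLIC_SUFFIX_LIST), the same-site branch no longer cancels cross-site loads. The old `#else` arm with `return true;` is removed and nothing replaces it, so with the `#if` block compiled out only the `origin.isUnique()` check and the http-to-https check remain, and a cross-site response carrying `same-site` falls through to `return false`. That turns a fail-closed configuration into a fail-open one. Keep the `#else` arm returning true, or fall back to a strict host comparison there, and mention the choice in the WebCore ChangeLog entry, which currently lists only the case-sensitivity and scheme checks.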
  • trunk/Source/WebCore/platform/network/HTTPParsers.cpp

    r233122 r233739  
    912912        return CrossOriginResourcePolicy::None;
    913913
    914     if (equalLettersIgnoringASCIICase(strippedHeader, "same-origin"))
     914    if (strippedHeader == "same-origin")
    915915        return CrossOriginResourcePolicy::SameOrigin;
    916916
    917     if (equalLettersIgnoringASCIICase(strippedHeader, "same-site"))
     917    if (strippedHeader == "same-site")
    918918        return CrossOriginResourcePolicy::SameSite;
    919919
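Review bot: The exact comparisons `strippedHeader == "same-origin"` and `strippedHeader == "same-site"` mean a mis-cased value such as `Same-Origin` no longer maps to a policy, and per the CrossOriginAccessControl.cpp change in this patch anything other than SameOrigin or SameSite lets the load proceed. That matches the updated syntax expectations, but a server that sends the wrong case silently gets no protection. Add a comment at these comparisons pointing to the fetch specification's case-sensitive rule so the check is not switched back to `equalLettersIgnoringASCIICase` later, and consider a console message when the header is present but unrecognized.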
  • trunk/Tools/ChangeLog

    r233734 r233739  
     12018-07-11  Youenn Fablet  <youenn@apple.com>
     2
     3        Fix remaining Cross-Origin-Resource-Policy failures, if any
     4        https://bugs.webkit.org/show_bug.cgi?id=186761
     5        <rdar://problem/41209829>
     6
     7        Reviewed by Alex Christensen.
     8
     9        * TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp:
     10        (TestWebKitAPI::TEST):
     11
    112 2018-07-11  Aakash Jain  <aakash_jain@apple.com>
    213 
  • trunk/Tools/TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp

    r232309 r233739  
    3939
    4040    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same-origin") == CrossOriginResourcePolicy::SameOrigin);
    41     EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Origin") == CrossOriginResourcePolicy::SameOrigin);
    42     EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-ORIGIN") == CrossOriginResourcePolicy::SameOrigin);
    43     EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same-orIGIN ") == CrossOriginResourcePolicy::SameOrigin);
     41    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Origin") == CrossOriginResourcePolicy::Invalid);
     42    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-ORIGIN") == CrossOriginResourcePolicy::Invalid);
     43    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same-orIGIN ") == CrossOriginResourcePolicy::Invalid);
    4444
    4545    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same-site") == CrossOriginResourcePolicy::SameSite);
    46     EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Site") == CrossOriginResourcePolicy::SameSite);
    47     EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-SITE") == CrossOriginResourcePolicy::SameSite);
     46    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Site") == CrossOriginResourcePolicy::Invalid);
     47    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-SITE") == CrossOriginResourcePolicy::Invalid);
    4848    EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same-site ") == CrossOriginResourcePolicy::SameSite);
    4949
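Review bot: The updated expectation for `" same-orIGIN "` varies two things at once, surrounding whitespace and letter case, so it no longer shows that whitespace is still stripped for same-origin. Among the visible lines only `" same-site "` covers stripping with exact case. Add a `" same-origin "` case expecting SameOrigin, and keep `" same-orIGIN "` as the Invalid case.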