Changeset 279755 in webkit

Timestamp:

Jul 8, 2021, 3:13:59 PM (4 years ago)

Author:

Brent Fulgham

Message:

[Cocoa] Expose SPI to opt out of Extensible SSO authentication
​https://bugs.webkit.org/show_bug.cgi?id=227729
<rdar://problem/75647892>

Reviewed by Tim Horton.

Source/WebKit:

WKWebView clients should be able to disable Extensible SSO authentication flows, so exposing the internal
mechanism as SPI. This is especially important for use cases where a WKWebView will be used to load content
without being attached to a Window, since a Window is required to present the Extensible SSO authentication
UI. Without a Window, WebKit will wait for a Window to be attached causing loads to timeout. By adopting this
API, developers can opt out of Extensible SSO, allowing loads to fail quickly rather than waiting for a timeout.

Tested by a new TestWebKitAPI test case: SOAuthorizationRedirect.DisableSSO

• UIProcess/API/Cocoa/WKPreferences.h:
• UIProcess/API/Cocoa/WKPreferences.mm:

(-[WKPreferences _extensibleSSOEnabled]): Add getter for new preference.
(-[WKPreferences _setExtensibleSSOEnabled:]): Add setter.

• UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm:

(WebKit::NavigationSOAuthorizationSession::shouldStartInternal): Add new logging so developers can see when a WKWebView
without a Window is attempting to participate in Extensible SSO flows.

• UIProcess/Cocoa/SOAuthorization/PopUpSOAuthorizationSession.mm:

(WebKit::PopUpSOAuthorizationSession::initSecretWebView): Switch from SPI to API.

• UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::decidePolicyForNavigationAction): Ditto.

• UIProcess/WebPageProxy.h:

Source/WTF:

Create new WKPreference to allow WebKit clients to opt out of Extensible SSO authentication.

• Scripts/Preferences/WebPreferences.yaml:

Tools:

Add a new test to confirm that Extenstible SSO authentication flows are bypassed when the new WKPreference
is used. Updated other tests to confirm that the SSO delegate is called when expected.

• TestWebKitAPI/Tests/WebKitCocoa/TestSOAuthorization.mm:

(-[TestSOAuthorizationDelegate _webView:decidePolicyForSOAuthorizationLoadWithCurrentPolicy:forExtension:completionHandler:]):
(resetState):
(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/Scripts/Preferences/WebPreferences.yaml (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/WKPreferences.mm (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/WKPreferencesPrivate.h (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/SOAuthorization/PopUpSOAuthorizationSession.mm (modified) (1 diff)
• Source/WebKit/UIProcess/WebPageProxy.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebPageProxy.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/TestSOAuthorization.mm (modified) (89 diffs)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2021-07-08  Brent Fulgham  <bfulgham@apple.com>
+
+        [Cocoa] Expose SPI to opt out of Extensible SSO authentication
+        https://bugs.webkit.org/show_bug.cgi?id=227729
+        <rdar://problem/75647892>
+
+        Reviewed by Tim Horton.
+
+        Create new WKPreference to allow WebKit clients to opt out of Extensible SSO authentication.
+
+        * Scripts/Preferences/WebPreferences.yaml:
+
 2021-07-07  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WTF/Scripts/Preferences/WebPreferences.yaml

@@ -760 +760 @@
       default: false
 
+ExtensibleSSOEnabled:
+  type: bool
+  getter: isExtensibleSSOEnabled
+  webcoreBinding: none
+  condition: HAVE(APP_SSO)
+  exposed: [ WebKit ]
+  defaultValue:
+    WebKit:
+      default: true
+
 FTPDirectoryTemplatePath:
   type: String

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-07-08  Brent Fulgham  <bfulgham@apple.com>
+
+        [Cocoa] Expose SPI to opt out of Extensible SSO authentication
+        https://bugs.webkit.org/show_bug.cgi?id=227729
+        <rdar://problem/75647892>
+
+        Reviewed by Tim Horton.
+
+        WKWebView clients should be able to disable Extensible SSO authentication flows, so exposing the internal
+        mechanism as SPI. This is especially important for use cases where a WKWebView will be used to load content
+        without being attached to a Window, since a Window is required to present the Extensible SSO authentication
+        UI. Without a Window, WebKit will wait for a Window to be attached causing loads to timeout. By adopting this
+        API, developers can opt out of Extensible SSO, allowing loads to fail quickly rather than waiting for a timeout.
+
+        Tested by a new TestWebKitAPI test case: SOAuthorizationRedirect.DisableSSO
+
+        * UIProcess/API/Cocoa/WKPreferences.h:
+        * UIProcess/API/Cocoa/WKPreferences.mm:
+        (-[WKPreferences _extensibleSSOEnabled]): Add getter for new preference.
+        (-[WKPreferences _setExtensibleSSOEnabled:]): Add setter.
+        * UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm:
+        (WebKit::NavigationSOAuthorizationSession::shouldStartInternal): Add new logging so developers can see when a WKWebView
+        without a Window is attempting to participate in Extensible SSO flows.
+        * UIProcess/Cocoa/SOAuthorization/PopUpSOAuthorizationSession.mm:
+        (WebKit::PopUpSOAuthorizationSession::initSecretWebView): Switch from SPI to API.
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::decidePolicyForNavigationAction): Ditto.
+        * UIProcess/WebPageProxy.h:
+
 2021-07-08  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebKit/UIProcess/API/Cocoa/WKPreferences.mm

@@ -1492 +1492 @@
 }
 
+- (BOOL)_isExtensibleSSOEnabled
+{
+#if HAVE(APP_SSO)
+    return _preferences->isExtensibleSSOEnabled();
+#else
+    return false;
+#endif
+}
+
+- (void)_setExtensibleSSOEnabled:(BOOL)extensibleSSOEnabled
+{
+#if HAVE(APP_SSO)
+    _preferences->setExtensibleSSOEnabled(extensibleSSOEnabled);
+#endif
+}
+
 @end
 

trunk/Source/WebKit/UIProcess/API/Cocoa/WKPreferencesPrivate.h

@@ -172 +172 @@
 @property (nonatomic, setter=_setPitchCorrectionAlgorithm:) _WKPitchCorrectionAlgorithm _pitchCorrectionAlgorithm WK_API_AVAILABLE(macos(12.0), ios(15.0));
 @property (nonatomic, setter=_setMediaSessionEnabled:) BOOL _mediaSessionEnabled WK_API_AVAILABLE(macos(12.0), ios(15.0));
+@property (nonatomic, getter=_isExtensibleSSOEnabled, setter=_setExtensibleSSOEnabled:) BOOL _extensibleSSOEnabled WK_API_AVAILABLE(macos(12.0), ios(15.0));
+
 
 #if !TARGET_OS_IPHONE

trunk/Source/WebKit/UIProcess/Cocoa/SOAuthorization/NavigationSOAuthorizationSession.mm

@@ -58 +58 @@
     beforeStart();
     if (!page->isInWindow()) {
+        AUTHORIZATIONSESSION_RELEASE_LOG("shouldStartInternal: Starting Extensible SSO authentication for a web view that is not attached to a window. Loading will pause until a window is attached.");
         setState(State::Waiting);
         page->addObserver(*this);

trunk/Source/WebKit/UIProcess/Cocoa/SOAuthorization/PopUpSOAuthorizationSession.mm

@@ -190 +190 @@
     [m_secretWebView setNavigationDelegate:m_secretDelegate.get()];
 
-    m_secretWebView->_page->setShouldSuppressSOAuthorizationInAllNavigationPolicyDecision();
+    m_secretWebView->_page->preferences().setExtensibleSSOEnabled(false);
     WTFLogAlways("SecretWebView is created.");
 }

trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -5434 +5434 @@
     else {
 #if HAVE(APP_SSO)
-        if (m_shouldSuppressSOAuthorizationInNextNavigationPolicyDecision || m_shouldSuppressSOAuthorizationInAllNavigationPolicyDecision)
+        if (m_shouldSuppressSOAuthorizationInNextNavigationPolicyDecision || !m_preferences->isExtensibleSSOEnabled())
             navigationAction->unsetShouldPerformSOAuthorization();
 #endif

trunk/Source/WebKit/UIProcess/WebPageProxy.h

@@ -1779 +1779 @@
 
 #if HAVE(APP_SSO)
-    void setShouldSuppressSOAuthorizationInAllNavigationPolicyDecision() { m_shouldSuppressSOAuthorizationInAllNavigationPolicyDecision = true; }
     void setShouldSuppressSOAuthorizationInNextNavigationPolicyDecision() { m_shouldSuppressSOAuthorizationInNextNavigationPolicyDecision = true; }
     void decidePolicyForSOAuthorizationLoad(const String&, CompletionHandler<void(SOAuthorizationLoadPolicy)>&&);
@@ -2733 +2732 @@
 #if HAVE(APP_SSO)
     bool m_shouldSuppressSOAuthorizationInNextNavigationPolicyDecision { false };
-    bool m_shouldSuppressSOAuthorizationInAllNavigationPolicyDecision { false };
 #endif
 

trunk/Tools/ChangeLog

@@ +1 @@
+2021-07-08  Brent Fulgham  <bfulgham@apple.com>
+
+        [Cocoa] Expose SPI to opt out of Extensible SSO authentication
+        https://bugs.webkit.org/show_bug.cgi?id=227729
+        <rdar://problem/75647892>
+
+        Reviewed by Tim Horton.
+
+        Add a new test to confirm that Extenstible SSO authentication flows are bypassed when the new WKPreference
+        is used. Updated other tests to confirm that the SSO delegate is called when expected.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/TestSOAuthorization.mm:
+        (-[TestSOAuthorizationDelegate _webView:decidePolicyForSOAuthorizationLoadWithCurrentPolicy:forExtension:completionHandler:]):
+        (resetState):
+        (TestWebKitAPI::TEST):
+
 2021-07-08  Kate Cheney  <katherine_cheney@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TestSOAuthorization.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 #import <WebKit/WKNavigationDelegatePrivate.h>
 #import <WebKit/WKNavigationPrivate.h>
+#import <WebKit/WKPreferencesPrivate.h>
 #import <WebKit/WKWebViewPrivate.h>
 #import <pal/cocoa/AppSSOSoftLink.h>
@@ -48 +49 @@
 
 static bool navigationCompleted = false;
+static bool policyForAppSSOPerformed = false;
 static bool authorizationPerformed = false;
 static bool authorizationCancelled = false;
@@ -194 +196 @@
     EXPECT_EQ(policy, _WKSOAuthorizationLoadPolicyAllow);
     EXPECT_TRUE([extension isEqual:@"Test"]);
+    policyForAppSSOPerformed = true;
     if (!self.isAsyncExecution) {
         if (self.allowSOAuthorizationLoad)
@@ -328 +331 @@
 {
     navigationCompleted = false;
+    policyForAppSSOPerformed = false;
     authorizationPerformed = false;
     authorizationCancelled = false;
@@ -385 +389 @@
     Util::run(&navigationCompleted);
 
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
 }
 
+TEST(SOAuthorizationRedirect, DisableSSO)
+{
+    resetState();
+    ClassMethodSwizzler swizzler1(PAL::getSOAuthorizationClass(), @selector(canPerformAuthorizationWithURL:responseCode:), reinterpret_cast<IMP>(overrideCanPerformAuthorizationWithURL));
+    InstanceMethodSwizzler swizzler2(PAL::getSOAuthorizationClass(), @selector(setDelegate:), reinterpret_cast<IMP>(overrideSetDelegate));
+    InstanceMethodSwizzler swizzler3(PAL::getSOAuthorizationClass(), @selector(beginAuthorizationWithURL:httpHeaders:httpBody:), reinterpret_cast<IMP>(overrideBeginAuthorizationWithURL));
+    InstanceMethodSwizzler swizzler4(PAL::getSOAuthorizationClass(), @selector(getAuthorizationHintsWithURL:responseCode:completion:), reinterpret_cast<IMP>(overrideGetAuthorizationHintsWithURL));
+
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"simple" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+    auto preferences = configuration.get().preferences;
+    EXPECT_TRUE(preferences._isExtensibleSSOEnabled);
+
+    preferences._extensibleSSOEnabled = NO;
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:CGRectMake(0, 0, 320, 500) configuration:configuration.get()]);
+    auto delegate = adoptNS([[TestSOAuthorizationDelegate alloc] init]);
+    configureSOAuthorizationWebView(webView.get(), delegate.get(), OpenExternalSchemesPolicy::Allow);
+
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    Util::run(&navigationCompleted);
+
+    EXPECT_FALSE(policyForAppSSOPerformed);
+    EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
+}
+
 TEST(SOAuthorizationRedirect, InterceptionError)
 {
@@ -403 +435 @@
     Util::run(&navigationCompleted);
 
+    EXPECT_TRUE(policyForAppSSOPerformed);
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
 }
@@ -423 +456 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorizationDidNotHandle:gAuthorization];
@@ -447 +481 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorizationDidCancel:gAuthorization];
@@ -471 +506 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorizationDidComplete:gAuthorization];
@@ -495 +531 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorization:gAuthorization didCompleteWithHTTPAuthorizationHeaders:adoptNS([[NSDictionary alloc] init]).get()];
@@ -520 +557 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_FALSE(policyForAppSSOPerformed); // The delegate isn't registered, so this won't be set.
 #if PLATFORM(MAC)
     EXPECT_TRUE(gAuthorization.enableEmbeddedAuthorizationViewController);
@@ -564 +602 @@
     checkAuthorizationOptions(true, "null", 0);
 #endif
+    EXPECT_FALSE(policyForAppSSOPerformed); // The delegate isn't registered, so this won't be set.
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -600 +639 @@
     checkAuthorizationOptions(true, "null", 0);
 #endif
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -628 +668 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -657 +698 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -682 +724 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -718 +761 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -763 +807 @@
     checkAuthorizationOptions(true, "null", 0);
 #endif
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -795 +840 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto redirectURL = URL(URL(), "https://www.example.com");
@@ -821 +867 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&navigationPolicyDecided);
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_FALSE(authorizationPerformed);
 
@@ -827 +874 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -858 +906 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL1.get()]];
     Util::run(&navigationPolicyDecided);
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_FALSE(authorizationPerformed);
 
@@ -866 +915 @@
     // The waiting session should be aborted as the previous navigation is overwritten by a new navigation.
     Util::run(&navigationCompleted);
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_FALSE(authorizationPerformed);
 }
@@ -886 +936 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Should be a no op.
@@ -917 +968 @@
     for (int i = 0; i < 2; i++) {
         authorizationPerformed = false;
+        policyForAppSSOPerformed = false;
         [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
         Util::run(&authorizationPerformed);
         checkAuthorizationOptions(false, "", 0);
+        EXPECT_TRUE(policyForAppSSOPerformed);
 
         navigationCompleted = false;
@@ -952 +1005 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Suppress the last active session.
     authorizationPerformed = false;
+    policyForAppSSOPerformed = false;
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationCancelled);
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -990 +1046 @@
     Util::run(&navigationPolicyDecided);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_FALSE(policyForAppSSOPerformed);
 
     // Suppress the last waiting session.
@@ -996 +1053 @@
     Util::run(&navigationPolicyDecided);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_FALSE(policyForAppSSOPerformed);
 
     // Activate the last session.
@@ -1001 +1059 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -1035 +1094 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Pass a HTTP 200 response with a html to mimic a SAML response.
@@ -1063 +1123 @@
     [webView loadRequest:[NSURLRequest requestWithURL:(NSURL *)testURL]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     navigationCompleted = false;
@@ -1072 +1133 @@
     authorizationPerformed = false;
     navigationPolicyDecided = false;
+    policyForAppSSOPerformed = false;
     [webView _evaluateJavaScriptWithoutUserGesture:@"location = 'http://www.example.com'" completionHandler:nil];
     Util::run(&navigationPolicyDecided);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 }
 
@@ -1095 +1158 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "http://www.webkit.org", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 }
 
@@ -1113 +1177 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Test passes if no crashes.
@@ -1135 +1200 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Test passes if no crashes.
@@ -1159 +1225 @@
     Util::run(&navigationCompleted);
 
+    EXPECT_TRUE(policyForAppSSOPerformed);
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
 }
@@ -1179 +1246 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(false, "", 0);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     RetainPtr<NSURL> redirectURL = [[NSBundle mainBundle] URLForResource:@"simple2" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
@@ -1208 +1276 @@
     Util::run(&navigationCompleted);
 
+    EXPECT_TRUE(policyForAppSSOPerformed);
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
 }
@@ -1230 +1299 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1264 +1334 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1297 +1368 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1330 +1402 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1344 +1417 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationCancelled);
+    EXPECT_TRUE(policyForAppSSOPerformed);
     Util::run(&authorizationPerformed);
     EXPECT_FALSE(uiShowed);
@@ -1370 +1444 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1408 +1483 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1440 +1516 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1482 +1559 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1524 +1602 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController1 = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1547 +1626 @@
     // Load another AppSSO request.
     authorizationPerformed = false;
-    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
-    Util::run(&authorizationPerformed);
+    policyForAppSSOPerformed = false;
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // UI is only dimissed after the hostApp is unhidden.
@@ -1571 +1652 @@
     [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto viewController = adoptNS([[TestSOAuthorizationViewController alloc] init]);
@@ -1594 +1676 @@
     // Load another AppSSO request.
     authorizationPerformed = false;
-    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
-    Util::run(&authorizationPerformed);
+    policyForAppSSOPerformed = false;
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // UI is only dimissed after the hostApp is unhidden.
@@ -1626 +1710 @@
     Util::run(&newWindowCreated);
     Util::run(&navigationCompleted);
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
 }
@@ -1654 +1739 @@
     [webView sendClicksAtPoint:NSMakePoint(200, 200) numberOfClicks:1];
     Util::run(&newWindowCreated);
+    EXPECT_FALSE(policyForAppSSOPerformed);
     EXPECT_FALSE(authorizationPerformed);
 }
@@ -1677 +1763 @@
     Util::run(&newWindowCreated);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_FALSE(policyForAppSSOPerformed);
 }
 
@@ -1706 +1793 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     authorizationPerformed = false;
     navigationCompleted = false;
+    policyForAppSSOPerformed = false;
     [gDelegate authorization:gAuthorization didCompleteWithError:adoptNS([[NSError alloc] initWithDomain:NSCocoaErrorDomain code:0 userInfo:nil]).get()];
     Util::run(&newWindowCreated);
@@ -1714 +1803 @@
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
     EXPECT_FALSE(authorizationPerformed); // Don't intercept the first navigation in the new window.
+    EXPECT_FALSE(policyForAppSSOPerformed);
 }
 
@@ -1742 +1832 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // The secret WKWebView needs to be destroyed right the way.
@@ -1776 +1867 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -1813 +1905 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -1850 +1943 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -1888 +1982 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Will fallback to web path.
     navigationCompleted = false;
     authorizationPerformed = false;
+    policyForAppSSOPerformed = false;
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL.get() statusCode:400 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
     auto resonseHtmlCString = generateHtml(newWindowResponseTemplate, "").utf8();
@@ -1899 +1995 @@
     EXPECT_WK_STREQ(testURL.get().absoluteString, finalURL);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_FALSE(policyForAppSSOPerformed);
 }
 
@@ -1928 +2025 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:@{ @"Set-Cookie" : @"sessionid=38afes7a8;"}]);
@@ -1960 +2058 @@
     for (int i = 0; i < 2; i++) {
         authorizationPerformed = false;
+        policyForAppSSOPerformed = false;
 #if PLATFORM(MAC)
         [webView sendClicksAtPoint:NSMakePoint(200, 200) numberOfClicks:1];
@@ -1967 +2066 @@
         Util::run(&authorizationPerformed);
         checkAuthorizationOptions(true, "file://", 1);
+        EXPECT_TRUE(policyForAppSSOPerformed);
 
         auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2006 +2106 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Suppress the last active session.
@@ -2016 +2117 @@
 
     authorizationPerformed = false;
+    policyForAppSSOPerformed = false;
 #if PLATFORM(MAC)
     [newWebView sendClicksAtPoint:NSMakePoint(200, 200) numberOfClicks:1];
@@ -2024 +2126 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     navigationCompleted = false;
@@ -2068 +2171 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2104 +2208 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "http://www.webkit.org", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 }
 
@@ -2130 +2235 @@
     Util::run(&newWindowCreated);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 }
 
@@ -2159 +2265 @@
     Util::run(&authorizationPerformed);
     checkAuthorizationOptions(true, "file://", 1);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2196 +2303 @@
     Util::run(&newWindowCreated);
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 }
 
@@ -2211 +2319 @@
     [webView loadHTMLString:testHtml baseURL:baseURL.get()];
     [webView waitForMessage:@""];
+    EXPECT_FALSE(policyForAppSSOPerformed);
 }
 
@@ -2232 +2341 @@
     // Make sure we don't intercept the iframe.
     EXPECT_FALSE(authorizationPerformed);
+    EXPECT_FALSE(policyForAppSSOPerformed);
 }
 
@@ -2255 +2365 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "file://", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorization:gAuthorization didCompleteWithError:adoptNS([[NSError alloc] initWithDomain:NSCocoaErrorDomain code:0 userInfo:nil]).get()];
@@ -2287 +2398 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "file://", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorizationDidCancel:gAuthorization];
@@ -2318 +2430 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "null", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2347 +2460 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "file://", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     // Will fallback to web path.
@@ -2382 +2496 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "null", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:@{ @"Set-Cookie" : @"sessionid=38afes7a8;"}]);
@@ -2409 +2524 @@
         authorizationPerformed = false;
         navigationCompleted = false;
+        policyForAppSSOPerformed = false;
 
         [webView loadHTMLString:testHtml baseURL:nil];
@@ -2414 +2530 @@
         [webView waitForMessage:@"SOAuthorizationDidStart"];
         checkAuthorizationOptions(false, "null", 2);
+        EXPECT_TRUE(policyForAppSSOPerformed);
 
         auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2464 +2581 @@
     // Make sure we don't intercept the iframe.
     EXPECT_FALSE(authorizationPerformed);
+#if PLATFORM(MAC)
+    EXPECT_TRUE(policyForAppSSOPerformed);
+#else
+    EXPECT_FALSE(policyForAppSSOPerformed);
+#endif
 }
 
@@ -2487 +2609 @@
     [webView waitForMessage:@"SOAuthorizationDidStart"];
     checkAuthorizationOptions(false, "null", 2);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);
@@ -2515 +2638 @@
     // Make sure we don't intercept the iframe.
     EXPECT_FALSE(authorizationPerformed);
+#if PLATFORM(MAC)
+    EXPECT_TRUE(policyForAppSSOPerformed);
+#else
+    EXPECT_FALSE(policyForAppSSOPerformed);
+#endif
 }
 
@@ -2556 +2684 @@
     [webView waitForMessage:(id)origin];
     [webView waitForMessage:@"SOAuthorizationDidStart"];
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     [gDelegate authorization:gAuthorization didCompleteWithError:adoptNS([[NSError alloc] initWithDomain:NSCocoaErrorDomain code:0 userInfo:nil]).get()];
@@ -2586 +2715 @@
     [webView loadHTMLString:testHtml baseURL:baseURL.get()];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
     [gDelegate authorization:gAuthorization didCompleteWithError:adoptNS([[NSError alloc] initWithDomain:NSCocoaErrorDomain code:0 userInfo:nil]).get()];
     Util::run(&allMessagesReceived);
@@ -2612 +2742 @@
     [webView loadHTMLString:testHtml baseURL:nil];
     Util::run(&authorizationPerformed);
+    EXPECT_TRUE(policyForAppSSOPerformed);
 
     auto response = adoptNS([[NSHTTPURLResponse alloc] initWithURL:testURL statusCode:200 HTTPVersion:@"HTTP/1.1" headerFields:nil]);