Changeset 279602 in webkit

Timestamp:

Jul 6, 2021 12:02:03 PM (13 months ago)

Author:

youenn@apple.com

Message:

Unable to use 'data:application/javascript' url for Worker
​https://bugs.webkit.org/show_bug.cgi?id=225716
<rdar://problem/78222538>

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

• web-platform-tests/fetch/api/cors/data-url-worker-expected.txt:
• web-platform-tests/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https-expected.txt:
• web-platform-tests/html/webappapis/the-windoworworkerglobalscope-mixin/Worker_Self_Origin-expected.txt:
• web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt:
• web-platform-tests/workers/Worker_script_mimetype-expected.txt:
• web-platform-tests/workers/constructors/Worker/same-origin-expected.txt:
• web-platform-tests/workers/data-url-expected.txt:
• web-platform-tests/workers/dedicated-worker-in-data-url-context.window-expected.txt:
• web-platform-tests/workers/modules/dedicated-worker-import-data-url-cross-origin-expected.txt:
• web-platform-tests/workers/modules/dedicated-worker-import-data-url.any-expected.txt:

Source/WebCore:

As per ​https://fetch.spec.whatwg.org/#main-fetch step 11, same origin fetch for data URL should succeed.
Update AbstractWorker to let such URLs trigger loads and update WorkerScriptLoader to enable those loads.

Covered by rebased tests.

• workers/AbstractWorker.cpp:

(WebCore::AbstractWorker::resolveURL):

• workers/WorkerScriptLoader.cpp:

(WebCore::WorkerScriptLoader::loadAsynchronously):

LayoutTests:

• TestExpectations:

Some tests are showing progress but are timing out. Skipping them for now.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/data-url-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/the-windoworworkerglobalscope-mixin/Worker_Self_Origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/Worker_script_mimetype-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/constructors/Worker/same-origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/data-url-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/dedicated-worker-in-data-url-context.window-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url-cross-origin-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url.any-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/workers/AbstractWorker.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerScriptLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-07-06  Youenn Fablet  <youenn@apple.com>
+
+        Unable to use 'data:application/javascript' url for Worker
+        https://bugs.webkit.org/show_bug.cgi?id=225716
+        <rdar://problem/78222538>
+
+        Reviewed by Alex Christensen.
+
+        * TestExpectations:
+        Some tests are showing progress but are timing out. Skipping them for now.
+
 2021-07-06  Eric Hutchison  <ehutchison@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -551 +551 @@
 [ Debug ] imported/w3c/web-platform-tests/css/css-properties-values-api/registered-property-revert.html [ Skip ]
 [ Debug ] imported/w3c/web-platform-tests/css/css-scoping/slotted-matches.html [ Skip ]
+
+# Timing out tests
+imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url.any.html [ Skip ]
+imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url-cross-origin.html [ Skip ]
 
 # Newly imported WPT ref tests failures.

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-07-06  Youenn Fablet  <youenn@apple.com>
+
+        Unable to use 'data:application/javascript' url for Worker
+        https://bugs.webkit.org/show_bug.cgi?id=225716
+        <rdar://problem/78222538>
+
+        Reviewed by Alex Christensen.
+
+        * web-platform-tests/fetch/api/cors/data-url-worker-expected.txt:
+        * web-platform-tests/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https-expected.txt:
+        * web-platform-tests/html/webappapis/the-windoworworkerglobalscope-mixin/Worker_Self_Origin-expected.txt:
+        * web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt:
+        * web-platform-tests/workers/Worker_script_mimetype-expected.txt:
+        * web-platform-tests/workers/constructors/Worker/same-origin-expected.txt:
+        * web-platform-tests/workers/data-url-expected.txt:
+        * web-platform-tests/workers/dedicated-worker-in-data-url-context.window-expected.txt:
+        * web-platform-tests/workers/modules/dedicated-worker-import-data-url-cross-origin-expected.txt:
+        * web-platform-tests/workers/modules/dedicated-worker-import-data-url.any-expected.txt:
+
 2021-07-06  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/data-url-worker-expected.txt

@@ -1 +1 @@
 
-FAIL fetching "top.txt" without ACAO should be rejected. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL fetching "top.txt" with CORS allowing null origin should be allowed. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL fetching data url script should be allowed. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
+PASS fetching "top.txt" without ACAO should be rejected.
+PASS fetching "top.txt" with CORS allowing null origin should be allowed.
+PASS fetching data url script should be allowed.
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https-expected.txt

@@ -12 +12 @@
 FAIL dedicated worker: scheme = https, value = self assert_equals: expected (boolean) true but got (undefined) undefined
 FAIL dedicated worker: scheme = https, value = (\) assert_equals: expected (boolean) false but got (undefined) undefined
-FAIL dedicated worker: scheme = data, value = undefined The operation is insecure.
-FAIL dedicated worker: scheme = data, value = * The operation is insecure.
-FAIL dedicated worker: scheme = data, value = self The operation is insecure.
-FAIL dedicated worker: scheme = data, value = (\) The operation is insecure.
+FAIL dedicated worker: scheme = data, value = undefined assert_equals: expected (boolean) false but got (undefined) undefined
+FAIL dedicated worker: scheme = data, value = * assert_equals: expected (boolean) false but got (undefined) undefined
+FAIL dedicated worker: scheme = data, value = self assert_equals: expected (boolean) false but got (undefined) undefined
+FAIL dedicated worker: scheme = data, value = (\) assert_equals: expected (boolean) false but got (undefined) undefined
 FAIL dedicated worker: scheme = blob, value = undefined assert_equals: expected (boolean) true but got (undefined) undefined
 FAIL dedicated worker: scheme = blob, value = * assert_equals: expected (boolean) true but got (undefined) undefined

trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/the-windoworworkerglobalscope-mixin/Worker_Self_Origin-expected.txt

@@ -2 +2 @@
 PASS Same Origin Worker
 FAIL Same Origin SharedWorker Can't find variable: SharedWorker
-FAIL Data Url Worker The operation is insecure.
+PASS Data Url Worker
 FAIL Data Url SharedWorker Can't find variable: SharedWorker
 PASS Blob Url Worker

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt

@@ -5 +5 @@
 PASS Same-origin blob URL worker should intercept fetch().
 PASS Data URL iframe should not intercept fetch().
-FAIL Data URL worker should not inherit service worker controller. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Data URL worker should not intercept fetch(). promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
+FAIL Data URL worker should not inherit service worker controller. promise_test: Unhandled rejection with value: "Error: Script error."
+FAIL Data URL worker should not intercept fetch(). assert_equals: data URL worker should not intercept fetch expected "" but got "intercepted"
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/Worker_script_mimetype-expected.txt

@@ -3 +3 @@
 PASS blob: URLs should load, despite no MIME type for the backing Blob
 PASS blob: URLs should load, despite the wrong MIME type for the backing Blob
-FAIL data: URLs should load, despite the wrong MIME type The operation is insecure.
+PASS data: URLs should load, despite the wrong MIME type
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/constructors/Worker/same-origin-expected.txt

@@ -1 +1 @@
 
 PASS unsupported_scheme
-FAIL data_url The operation is insecure.
+PASS data_url
 PASS about_blank
 PASS example_invalid

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/data-url-expected.txt

@@ -1 +1 @@
 
-FAIL application/javascript MIME allowed The operation is insecure.
-FAIL text/plain MIME allowed The operation is insecure.
-FAIL empty MIME allowed The operation is insecure.
-FAIL communication goes both ways The operation is insecure.
-FAIL indexedDB is present The operation is insecure.
-FAIL indexedDB is inaccessible The operation is insecure.
-FAIL cross-origin worker The operation is insecure.
-FAIL worker has opaque origin The operation is insecure.
-FAIL invalid javascript produces error The operation is insecure.
+PASS application/javascript MIME allowed
+PASS text/plain MIME allowed
+PASS empty MIME allowed
+PASS communication goes both ways
+PASS indexedDB is present
+PASS indexedDB is inaccessible
+PASS cross-origin worker
+PASS worker has opaque origin
+PASS invalid javascript produces error
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/dedicated-worker-in-data-url-context.window-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: SecurityError: The operation is insecure.
-
-Harness Error (TIMEOUT), message = null
+CONSOLE MESSAGE: Error: Script error.
 
 FAIL Create a dedicated worker in a data url frame assert_equals: expected "PASS" but got "Worker construction unexpectedly synchronously failed"
-FAIL Create a dedicated worker in a data url dedicated worker promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-TIMEOUT Create a data url dedicated worker in a data url frame Test timed out
-NOTRUN Create a data url dedicated worker in a data url dedicated worker
+FAIL Create a dedicated worker in a data url dedicated worker assert_equals: expected "PASS" but got "Worker construction unexpectedly synchronously failed"
+PASS Create a data url dedicated worker in a data url frame
+FAIL Create a data url dedicated worker in a data url dedicated worker promise_test: Unhandled rejection with value: "Error: Script error."
 

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url-cross-origin-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Origin null is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Importing a module script failed.
 
-FAIL static import data url from data: URL should be allowed. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL static import script from data: URL should be allowed. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL dynamic import data url from data: URL should be allowed. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL dynamic import script from data: URL should be blocked. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
+Harness Error (FAIL), message = Script error.
 
+PASS static import data url from data: URL should be allowed.
+TIMEOUT static import script from data: URL should be allowed. Test timed out
+NOTRUN dynamic import data url from data: URL should be allowed.
+NOTRUN dynamic import script from data: URL should be blocked.
+

trunk/LayoutTests/imported/w3c/web-platform-tests/workers/modules/dedicated-worker-import-data-url.any-expected.txt

@@ +1 @@
+Blocked access to external URL https://www1.localhost:9443/workers/modules/resources/export-on-load-script.py
+CONSOLE MESSAGE: Importing a module script failed.
 
-FAIL Static import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Static import (cross-origin). promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Static import (redirect). promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Nested static import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Static import and then dynamic import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Dynamic import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Nested dynamic import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL Dynamic import and then static import. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
-FAIL eval(import()). promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
+Harness Error (FAIL), message = Script error.
 
+PASS Static import.
+TIMEOUT Static import (cross-origin). Test timed out
+NOTRUN Static import (redirect).
+NOTRUN Nested static import.
+NOTRUN Static import and then dynamic import.
+NOTRUN Dynamic import.
+NOTRUN Nested dynamic import.
+NOTRUN Dynamic import and then static import.
+NOTRUN eval(import()).
+

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-07-06  Youenn Fablet  <youenn@apple.com>
+
+        Unable to use 'data:application/javascript' url for Worker
+        https://bugs.webkit.org/show_bug.cgi?id=225716
+        <rdar://problem/78222538>
+
+        Reviewed by Alex Christensen.
+
+        As per https://fetch.spec.whatwg.org/#main-fetch step 11, same origin fetch for data URL should succeed.
+        Update AbstractWorker to let such URLs trigger loads and update WorkerScriptLoader to enable those loads.
+
+        Covered by rebased tests.
+
+        * workers/AbstractWorker.cpp:
+        (WebCore::AbstractWorker::resolveURL):
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::loadAsynchronously):
+
 2021-07-06  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/workers/AbstractWorker.cpp

@@ -50 +50 @@
         return Exception { SyntaxError };
 
-    if (!context.securityOrigin()->canRequest(scriptURL))
+    if (!context.securityOrigin()->canRequest(scriptURL) && !scriptURL.protocolIsData())
         return Exception { SecurityError };
 

trunk/Source/WebCore/workers/WorkerScriptLoader.cpp

@@ -131 +131 @@
 
     // FIXME: We should drop the sameOriginDataURLFlag flag and implement the latest Fetch specification.
-    if (fetchOptions.destination != FetchOptions::Destination::Worker)
-        options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
     // A service worker job can be executed from a worker context or a document context.