Changeset 112485 in webkit

Timestamp:

Mar 28, 2012 6:14:05 PM (12 years ago)

Author:

bbudge@chromium.org

Message:

AssociatedURLLoader does not support Cross Origin Redirects when using
Access Control.
​https://bugs.webkit.org/show_bug.cgi?id=82354

AssociatedURLLoader's internal adapter now overrides didFailRedirectCheck,
which cancels the load, causing didFail to notify the client that the
load failed. AssociatedURLLoaderTest adds test cases for CORS requests
that receive redirects and pass or fail the redirect access check.

Reviewed by Adam Barth.

• src/AssociatedURLLoader.cpp:

(AssociatedURLLoader::ClientAdapter):
(WebKit::AssociatedURLLoader::ClientAdapter::didFailRedirectCheck):
(WebKit):

• tests/AssociatedURLLoaderTest.cpp:

(WebKit):
(WebKit::TEST_F):

Location:

trunk/Source/WebKit/chromium

Files:

• ChangeLog (modified) (1 diff)
• src/AssociatedURLLoader.cpp (modified) (2 diffs)
• tests/AssociatedURLLoaderTest.cpp (modified) (4 diffs)

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2012-03-28  Bill Budge  <bbudge@chromium.org>
+
+        AssociatedURLLoader does not support Cross Origin Redirects when using
+        Access Control.
+        https://bugs.webkit.org/show_bug.cgi?id=82354
+
+        AssociatedURLLoader's internal adapter now overrides didFailRedirectCheck,
+        which cancels the load, causing didFail to notify the client that the
+        load failed. AssociatedURLLoaderTest adds test cases for CORS requests
+        that receive redirects and pass or fail the redirect access check.
+
+        Reviewed by Adam Barth.
+
+        * src/AssociatedURLLoader.cpp:
+        (AssociatedURLLoader::ClientAdapter):
+        (WebKit::AssociatedURLLoader::ClientAdapter::didFailRedirectCheck):
+        (WebKit):
+        * tests/AssociatedURLLoaderTest.cpp:
+        (WebKit):
+        (WebKit::TEST_F):
+
 2012-03-28  Adrienne Walker  <enne@google.com>
 

trunk/Source/WebKit/chromium/src/AssociatedURLLoader.cpp

@@ -141 +141 @@
     virtual void didFinishLoading(unsigned long /*identifier*/, double /*finishTime*/);
     virtual void didFail(const ResourceError&);
+    virtual void didFailRedirectCheck();
 
     virtual bool isDocumentThreadableLoaderClient() { return true; }
@@ -264 +265 @@
 }
 
+void AssociatedURLLoader::ClientAdapter::didFailRedirectCheck()
+{
+    m_loader->cancel();
+}
+
 void AssociatedURLLoader::ClientAdapter::setDelayedError(const ResourceError& error)
 {

trunk/Source/WebKit/chromium/tests/AssociatedURLLoaderTest.cpp

@@ -433 +433 @@
 }
 
-// Test a successful redirect and cross-origin load using CORS.
-// FIXME: Enable this when DocumentThreadableLoader supports cross-origin redirects.
-TEST_F(AssociatedURLLoaderTest, DISABLED_RedirectCrossOriginWithAccessControlSuccess)
-{
-    GURL url = GURL("http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html");
-    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess.html";  // Cross-origin
+// Test that a cross origin redirect response without CORS headers fails.
+TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure)
+{
+    GURL url = GURL("http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html");
+    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlFailure.html";  // Cross-origin
     GURL redirectURL = GURL(redirect);
 
@@ -445 +444 @@
     request.setURL(url);
 
+    // Create a redirect response without CORS headers.
     m_expectedRedirectResponse = WebURLResponse();
     m_expectedRedirectResponse.initialize();
@@ -452 +452 @@
     webkit_support::RegisterMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
 
+    WebURLLoaderOptions options;
+    options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
+    m_expectedLoader = createAssociatedURLLoader(options);
+    EXPECT_TRUE(m_expectedLoader);
+    m_expectedLoader->loadAsynchronously(request, this);
+    serveRequests();
+    // We should not receive a notification for the redirect or any response.
+    EXPECT_FALSE(m_willSendRequest);
+    EXPECT_FALSE(m_didReceiveResponse);
+    EXPECT_FALSE(m_didReceiveData);
+    EXPECT_FALSE(m_didFail);
+}
+
+// Test that a cross origin redirect response with CORS headers that allow the requesting origin succeeds.
+TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess)
+{
+    GURL url = GURL("http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html");
+    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess.html";  // Cross-origin
+    GURL redirectURL = GURL(redirect);
+
+    WebURLRequest request;
+    request.initialize();
+    request.setURL(url);
+
+    // Create a redirect response that allows the redirect to pass the access control checks.
+    m_expectedRedirectResponse = WebURLResponse();
+    m_expectedRedirectResponse.initialize();
+    m_expectedRedirectResponse.setMIMEType("text/html");
+    m_expectedRedirectResponse.setHTTPStatusCode(301);
+    m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
+    m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", "*");
+    webkit_support::RegisterMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
+
     m_expectedNewRequest = WebURLRequest();
     m_expectedNewRequest.initialize();
@@ -468 +501 @@
     m_expectedLoader->loadAsynchronously(request, this);
     serveRequests();
-    EXPECT_TRUE(m_willSendRequest);
+    // We should not receive a notification for the redirect.
+    EXPECT_FALSE(m_willSendRequest);
     EXPECT_TRUE(m_didReceiveResponse);
     EXPECT_TRUE(m_didReceiveData);