Changeset 142068 in webkit


Timestamp:
Feb 6, 2013 11:41:18 PM (11 years ago)
Author:
mkwst@chromium.org
Message:

Entity-header extension headers honored on 304 responses.
https://bugs.webkit.org/show_bug.cgi?id=72414

Reviewed by Alexey Proskuryakov.

Source/WebCore:

This patch ports Chromium's network stack logic governing header
updates after resource revalidation. Generally, headers sent with 304
responses ought to update the original cached resource's headers.
Certain headers should never be sent with 304 responses, and we should
ignore them if a misconfigured server sends them anyway.

Currently, WebCore ignores all headers prefixed with 'content-'. This
patch adds 'x-content-' and 'x-webkit-' to the list, as well as specific
headers like 'upgrade', 'trailer', and others that the Chromium network
stack currently ignores.

The tests verify that those headers with visible effect are correctly
handled: 'x-frame-options', 'content-security-policy', and
'x-xss-protection'.

Tests: http/tests/security/XFrameOptions/x-frame-options-cached.html
http/tests/security/contentSecurityPolicy/cached-frame-csp.html
http/tests/security/xssAuditor/cached-frame.html

  • loader/cache/CachedResource.cpp:

(WebCore):
(WebCore::CachedResource::updateResponseAfterRevalidation):

This patch adds two arrays containing the specific headers to
ignore and the prefixes to ignore. These lists are processed in
shouldUpdateHeaderAfterRevalidation.
CachedResource::updateResponseAfterRevalidation relies on this new
method when processing revalidated resources.

  • loader/cache/CachedResource.cpp:

(WebCore):
(WebCore::shouldUpdateHeaderAfterRevalidation):
(WebCore::CachedResource::updateResponseAfterRevalidation):

LayoutTests:

  • http/tests/security/XFrameOptions/resources/nph-cached-xfo.pl: Added.
  • http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt: Added.
  • http/tests/security/XFrameOptions/x-frame-options-cached.html: Added.
  • http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/cached-frame-csp.html: Added.
  • http/tests/security/contentSecurityPolicy/resources/nph-cached-csp.pl: Added.
  • http/tests/security/xssAuditor/cached-frame-expected.txt: Added.
  • http/tests/security/xssAuditor/cached-frame.html: Added.
  • http/tests/security/xssAuditor/resources/nph-cached.pl: Added.
Location:
trunk
Files:
9 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r142067 r142068  
     12013-02-06  Mike West  <mkwst@chromium.org>
     2
     3        Entity-header extension headers honored on 304 responses.
     4        https://bugs.webkit.org/show_bug.cgi?id=72414
     5
     6        Reviewed by Alexey Proskuryakov.
     7
     8        * http/tests/security/XFrameOptions/resources/nph-cached-xfo.pl: Added.
     9        * http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt: Added.
     10        * http/tests/security/XFrameOptions/x-frame-options-cached.html: Added.
     11        * http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt: Added.
     12        * http/tests/security/contentSecurityPolicy/cached-frame-csp.html: Added.
     13        * http/tests/security/contentSecurityPolicy/resources/nph-cached-csp.pl: Added.
     14        * http/tests/security/xssAuditor/cached-frame-expected.txt: Added.
     15        * http/tests/security/xssAuditor/cached-frame.html: Added.
     16        * http/tests/security/xssAuditor/resources/nph-cached.pl: Added.
     17
    1182013-02-06  Matt Falkenhagen  <falken@chromium.org>
    219
  • trunk/Source/WebCore/ChangeLog

    r142063 r142068  
     12013-02-06  Mike West  <mkwst@chromium.org>
     2
     3        Entity-header extension headers honored on 304 responses.
     4        https://bugs.webkit.org/show_bug.cgi?id=72414
     5
     6        Reviewed by Alexey Proskuryakov.
     7
     8        This patch ports Chromium's network stack logic governing header
     9        updates after resource revalidation. Generally, headers sent with 304
     10        responses ought to update the original cached resource's headers.
     11        Certain headers should never be sent with 304 responses, and we should
     12        ignore them if a misconfigured server sends them anyway.
     13
     14        Currently, WebCore ignores all headers prefixed with 'content-'. This
     15        patch adds 'x-content-' and 'x-webkit-' to the list, as well as specific
     16        headers like 'upgrade', 'trailer', and others that the Chromium network
     17        stack currently ignores.
     18
     19        The tests verify that those headers with visible effect are correctly
     20        handled: 'x-frame-options', 'content-security-policy', and
     21        'x-xss-protection'.
     22
     23        Tests: http/tests/security/XFrameOptions/x-frame-options-cached.html
     24               http/tests/security/contentSecurityPolicy/cached-frame-csp.html
     25               http/tests/security/xssAuditor/cached-frame.html
     26
     27        * loader/cache/CachedResource.cpp:
     28        (WebCore):
     29        (WebCore::CachedResource::updateResponseAfterRevalidation):
     30            This patch adds two arrays containing the specific headers to
     31            ignore and the prefixes to ignore. These lists are processed in
     32            shouldUpdateHeaderAfterRevalidation.
     33            CachedResource::updateResponseAfterRevalidation relies on this new
     34            method when processing revalidated resources.
     35
     36        * loader/cache/CachedResource.cpp:
     37        (WebCore):
     38        (WebCore::shouldUpdateHeaderAfterRevalidation):
     39        (WebCore::CachedResource::updateResponseAfterRevalidation):
     40
    1412013-02-06  Tom Sepez  <tsepez@chromium.org>
    242
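Review bot: The entry for loader/cache/CachedResource.cpp is listed twice in this ChangeLog (new lines 27 and 36), and the second copy repeats (WebCore) and (WebCore::CachedResource::updateResponseAfterRevalidation). Fold them into one entry that names shouldUpdateHeaderAfterRevalidation and updateResponseAfterRevalidation once, followed by the description, so the log does not read as two separate changes to the same file.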
  • trunk/Source/WebCore/loader/cache/CachedResource.cpp

    r141684 r142068  
    6969
    7070namespace WebCore {
    71    
     71
     72// These response headers are not copied from a revalidated response to the
     73// cached response headers. For compatibility, this list is based on Chromium's
     74// net/http/http_response_headers.cc.
     75const char* const headersToIgnoreAfterRevalidation[] = {
     76    "allow",
     77    "connection",
     78    "etag",
     79    "expires",
     80    "keep-alive",
     81    "last-modified"
     82    "proxy-authenticate",
     83    "proxy-connection",
     84    "trailer",
     85    "transfer-encoding",
     86    "upgrade",
     87    "www-authenticate",
     88    "x-frame-options",
     89    "x-xss-protection",
     90};
     91
     92// Some header prefixes mean "Don't copy this header from a 304 response.".
     93// Rather than listing all the relevant headers, we can consolidate them into
     94// this list, also grabbed from Chromium's net/http/http_response_headers.cc.
     95const char* const headerPrefixesToIgnoreAfterRevalidation[] = {
     96    "content-",
     97    "x-content-",
     98    "x-webkit-"
     99};
     100
     101static inline bool shouldUpdateHeaderAfterRevalidation(const AtomicString& header)
     102{
     103    for (size_t i = 0; i < WTF_ARRAY_LENGTH(headersToIgnoreAfterRevalidation); i++) {
     104        if (header == headersToIgnoreAfterRevalidation[i])
     105            return false;
     106    }
     107    for (size_t i = 0; i < WTF_ARRAY_LENGTH(headerPrefixesToIgnoreAfterRevalidation); i++) {
     108        if (header.startsWith(headerPrefixesToIgnoreAfterRevalidation[i]))
     109            return false;
     110    }
     111    return true;
     112}
     113
    72114static ResourceLoadPriority defaultPriorityForResourceType(CachedResource::Type type)
    73115{
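Review bot: In headersToIgnoreAfterRevalidation, the "last-modified" entry (new line 81) has no trailing comma, so the compiler joins it with the following literal into the single string "last-modifiedproxy-authenticate". As written, neither last-modified nor proxy-authenticate is in the ignore list, and a 304 response carrying either header would overwrite the cached value. Add the comma after "last-modified". The tests named in the commit message cover x-frame-options, content-security-policy and x-xss-protection only, so they would not catch this; a test that revalidates with one of the headers from the exact-match list would.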
     
    729771    m_switchingClientsToRevalidatedResource = false;
    730772}
    731    
     773
    732774void CachedResource::updateResponseAfterRevalidation(const ResourceResponse& validatingResponse)
    733775{
    734776    m_responseTimestamp = currentTime();
    735777
    736     DEFINE_STATIC_LOCAL(const AtomicString, contentHeaderPrefix, ("content-", AtomicString::ConstructFromLiteral));
    737778    // RFC2616 10.3.5
    738779    // Update cached headers from the 304 response
     
    740781    HTTPHeaderMap::const_iterator end = newHeaders.end();
    741782    for (HTTPHeaderMap::const_iterator it = newHeaders.begin(); it != end; ++it) {
    742         // Don't allow 304 response to update content headers, these can't change but some servers send wrong values.
    743         if (it->key.startsWith(contentHeaderPrefix, false))
     783        // Entity headers should not be sent by servers when generating a 304
     784        // response; misconfigured servers send them anyway. We shouldn't allow
     785        // such headers to update the original request. We'll base this on the
     786        // list defined by RFC2616 7.1, with a few additions for extension headers
     787        // we care about.
     788        if (!shouldUpdateHeaderAfterRevalidation(it->key))
    744789            continue;
    745790        m_response.setHTTPHeaderField(it->key, it->value);
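Review bot: The removed check called it->key.startsWith(contentHeaderPrefix, false), whereas the replacement goes through shouldUpdateHeaderAfterRevalidation(it->key), which compares with == and a one-argument startsWith. If that false argument selected case-insensitive matching, a 304 header sent as "Content-Type" or "X-Frame-Options" in mixed case would no longer be skipped and would update the cached response, which matters most for the security headers this patch is meant to protect. Confirm that HTTPHeaderMap keys are already case-normalised at this point and say so in a comment, or make the comparisons in the helper explicitly case-insensitive. Also, the new comment says such headers should not "update the original request"; it is the cached response that is being updated.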