Changeset 142068 in webkit
- Timestamp:
- Feb 6, 2013 11:41:18 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 9 added
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r142067 r142068 1 2013-02-06 Mike West <mkwst@chromium.org> 2 3 Entity-header extension headers honored on 304 responses. 4 https://bugs.webkit.org/show_bug.cgi?id=72414 5 6 Reviewed by Alexey Proskuryakov. 7 8 * http/tests/security/XFrameOptions/resources/nph-cached-xfo.pl: Added. 9 * http/tests/security/XFrameOptions/x-frame-options-cached-expected.txt: Added. 10 * http/tests/security/XFrameOptions/x-frame-options-cached.html: Added. 11 * http/tests/security/contentSecurityPolicy/cached-frame-csp-expected.txt: Added. 12 * http/tests/security/contentSecurityPolicy/cached-frame-csp.html: Added. 13 * http/tests/security/contentSecurityPolicy/resources/nph-cached-csp.pl: Added. 14 * http/tests/security/xssAuditor/cached-frame-expected.txt: Added. 15 * http/tests/security/xssAuditor/cached-frame.html: Added. 16 * http/tests/security/xssAuditor/resources/nph-cached.pl: Added. 17 1 18 2013-02-06 Matt Falkenhagen <falken@chromium.org> 2 19 -
trunk/Source/WebCore/ChangeLog
r142063 r142068 1 2013-02-06 Mike West <mkwst@chromium.org> 2 3 Entity-header extension headers honored on 304 responses. 4 https://bugs.webkit.org/show_bug.cgi?id=72414 5 6 Reviewed by Alexey Proskuryakov. 7 8 This patch ports Chromium's network stack logic governing header 9 updates after resource revalidation. Generally, headers sent with 304 10 responses ought to update the original cached resource's headers. 11 Certain headers should never be sent with 304 responses, and we should 12 ignore them if a misconfigured server sends them anyway. 13 14 Currently, WebCore ignores all headers prefixed with 'content-'. This 15 patch adds 'x-content-' and 'x-webkit-' to the list, as well as specific 16 headers like 'upgrade', 'trailer', and others that the Chromium network 17 stack currently ignores. 18 19 The tests verify that those headers with visible effect are correctly 20 handled: 'x-frame-options', 'content-security-policy', and 21 'x-xss-protection'. 22 23 Tests: http/tests/security/XFrameOptions/x-frame-options-cached.html 24 http/tests/security/contentSecurityPolicy/cached-frame-csp.html 25 http/tests/security/xssAuditor/cached-frame.html 26 27 * loader/cache/CachedResource.cpp: 28 (WebCore): 29 (WebCore::CachedResource::updateResponseAfterRevalidation): 30 This patch adds two arrays containing the specific headers to 31 ignore and the prefixes to ignore. These lists are processed in 32 shouldUpdateHeaderAfterRevalidation. 33 CachedResource::updateResponseAfterRevalidation relies on this new 34 method when processing revalidated resources. 35 36 * loader/cache/CachedResource.cpp: 37 (WebCore): 38 (WebCore::shouldUpdateHeaderAfterRevalidation): 39 (WebCore::CachedResource::updateResponseAfterRevalidation): 40 1 41 2013-02-06 Tom Sepez <tsepez@chromium.org> 2 42 -
trunk/Source/WebCore/loader/cache/CachedResource.cpp
r141684 r142068 69 69 70 70 namespace WebCore { 71 71 72 // These response headers are not copied from a revalidated response to the 73 // cached response headers. For compatibility, this list is based on Chromium's 74 // net/http/http_response_headers.cc. 75 const char* const headersToIgnoreAfterRevalidation[] = { 76 "allow", 77 "connection", 78 "etag", 79 "expires", 80 "keep-alive", 81 "last-modified" 82 "proxy-authenticate", 83 "proxy-connection", 84 "trailer", 85 "transfer-encoding", 86 "upgrade", 87 "www-authenticate", 88 "x-frame-options", 89 "x-xss-protection", 90 }; 91 92 // Some header prefixes mean "Don't copy this header from a 304 response.". 93 // Rather than listing all the relevant headers, we can consolidate them into 94 // this list, also grabbed from Chromium's net/http/http_response_headers.cc. 95 const char* const headerPrefixesToIgnoreAfterRevalidation[] = { 96 "content-", 97 "x-content-", 98 "x-webkit-" 99 }; 100 101 static inline bool shouldUpdateHeaderAfterRevalidation(const AtomicString& header) 102 { 103 for (size_t i = 0; i < WTF_ARRAY_LENGTH(headersToIgnoreAfterRevalidation); i++) { 104 if (header == headersToIgnoreAfterRevalidation[i]) 105 return false; 106 } 107 for (size_t i = 0; i < WTF_ARRAY_LENGTH(headerPrefixesToIgnoreAfterRevalidation); i++) { 108 if (header.startsWith(headerPrefixesToIgnoreAfterRevalidation[i])) 109 return false; 110 } 111 return true; 112 } 113 72 114 static ResourceLoadPriority defaultPriorityForResourceType(CachedResource::Type type) 73 115 { … … 729 771 m_switchingClientsToRevalidatedResource = false; 730 772 } 731 773 732 774 void CachedResource::updateResponseAfterRevalidation(const ResourceResponse& validatingResponse) 733 775 { 734 776 m_responseTimestamp = currentTime(); 735 777 736 DEFINE_STATIC_LOCAL(const AtomicString, contentHeaderPrefix, ("content-", AtomicString::ConstructFromLiteral));737 778 // RFC2616 10.3.5 738 779 // Update cached headers from the 304 response … … 740 781 HTTPHeaderMap::const_iterator end = newHeaders.end(); 741 782 for (HTTPHeaderMap::const_iterator it = newHeaders.begin(); it != end; ++it) { 742 // Don't allow 304 response to update content headers, these can't change but some servers send wrong values. 743 if (it->key.startsWith(contentHeaderPrefix, false)) 783 // Entity headers should not be sent by servers when generating a 304 784 // response; misconfigured servers send them anyway. We shouldn't allow 785 // such headers to update the original request. We'll base this on the 786 // list defined by RFC2616 7.1, with a few additions for extension headers 787 // we care about. 788 if (!shouldUpdateHeaderAfterRevalidation(it->key)) 744 789 continue; 745 790 m_response.setHTTPHeaderField(it->key, it->value);
Note: See TracChangeset
for help on using the changeset viewer.