Changeset 195010 in webkit
- Timestamp:
- Jan 14, 2016 12:39:13 AM (8 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 28 edited
trunk/LayoutTests/ChangeLog
r195003 r195010 1 2016-01-14 Youenn Fablet <youenn.fablet@crf.canon.fr> 2 3 Fix problems with cross-origin redirects 4 https://bugs.webkit.org/show_bug.cgi?id=116075 5 6 Reviewed by Daniel Bates. 7 8 Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell 9 This merge adds tests for cross origin requests triggered from same origin redirection responses with and without credentials). 10 Rebaseline of some tests due to console error messages generated from newly hit CORS checks. 11 12 * TestExpectations: Disabled WPT tests that require access to non localhost URLs which are currently blocked by DTR/WTR. 13 * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: 14 * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added. 15 * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added. 16 * http/tests/xmlhttprequest/access-control-and-redirects-async.html: 17 * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt: 18 * http/tests/xmlhttprequest/access-control-and-redirects.html: 19 * http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt: 20 * http/tests/xmlhttprequest/redirect-cross-origin-expected.txt: 21 * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt: 22 * http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt: 23 * http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added. 24 * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt: 25 1 26 2016-01-13 Ryan Haddad <ryanhaddad@apple.com> 2 27 -
trunk/LayoutTests/TestExpectations
r194867 r195010 300 300 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-synconworker.html [ Slow ] 301 301 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-twice.html [ Slow ] 302 # XMLHttpRequest tests requiring DTR/WTR to allow other URLs than localhost to not be blocked and be reachable (www2.localhost) 303 imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm [ Skip ] 304 imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm [ Skip ] 305 imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm [ Skip ] 306 302 307 303 308 # New W3C ref tests that are failing. -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
r112997 r195010 1 1 Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard. 2 2 3 Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi3 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials 4 4 Expecting success: false 5 5 PASS: 0 6 Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000& access-control-allow-credentials=true 6 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 without credentials 7 Expecting success: true 8 FAIL: 0 9 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 without credentials 7 10 Expecting success: false 8 11 PASS: 0 9 Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi& access-control-allow-origin=http://localhost:8000& access-control-allow-credentials=true12 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://localhost:8000 without credentials 10 13 Expecting success: false 11 14 PASS: 0 12 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php? 
url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi15 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=* without credentials 13 16 Expecting success: false 14 17 PASS: 0 15 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 16 Expecting success: true 17 FAIL: 0 18 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://localhost:8000 18 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=*& access-control-allow-headers=x-webkit without credentials 19 19 Expecting success: false 20 20 PASS: 0 21 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://localhost:8000 22 Expecting success: false 23 PASS: 0 24 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=* 25 Expecting success: false 26 PASS: 0 27 Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=*& access-control-allow-headers=x-webkit 28 Expecting success: false 29 PASS: 0 30 Testing 
resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt 21 Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt without credentials 31 22 Expecting success: true 32 23 PASS: PASS -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html
r120167 r195010 13 13 } 14 14 15 function runTestAsync(url, addCustomHeader, expectSuccess) {16 log("Testing " + url );15 function runTestAsync(url, credentials, addCustomHeader, expectSuccess) { 16 log("Testing " + url + (credentials ? " with " : " without ") + "credentials"); 17 17 log("Expecting success: " + expectSuccess); 18 18 19 19 xhr = new XMLHttpRequest(); 20 xhr.withCredentials = credentials; 20 21 xhr.open("GET", url, true); 21 22 if (addCustomHeader) … … 33 34 } 34 35 36 var withoutCredentials = false; 37 var withCredentials = true; 35 38 var noCustomHeader = false; 36 39 var addCustomHeader = true; … … 39 42 40 43 var tests = [ 41 // 1) Test simple same origin requests that receive cross origin redirects. 42 43 // Request receives a cross-origin redirect response without CORS headers. The redirect response fails the access check. 44 ["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi", 45 noCustomHeader, fails], 46 47 // Request receives a cross-origin redirect response with CORS headers. The redirect response passes the access check, 48 // but the resource response fails its access check because the security origin is a globally unique identifier after 49 // the redirect and the same origin XHR has 'allowCredentials' true. 50 ["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 51 access-control-allow-origin=http://localhost:8000&\ 52 access-control-allow-credentials=true", 53 noCustomHeader, fails], 54 55 // Same as above, but to a less permissive resource that only allows the requesting origin. 56 ["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&\ 57 access-control-allow-origin=http://localhost:8000&\ 58 access-control-allow-credentials=true", 59 noCustomHeader, fails], 60 61 // 2) Test simple cross origin requests that receive redirects. 
44 // 1) Test simple cross origin requests that receive redirects. 62 45 63 46 // Receives a redirect response without CORS headers. The redirect response fails the access check. 64 47 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi", 65 noCustomHeader, fails],48 withoutCredentials, noCustomHeader, fails], 66 49 67 50 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response 68 51 // passes the access check. 52 // FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original 53 // request was cross-origin. 69 54 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 70 55 access-control-allow-origin=http://localhost:8000", 71 noCustomHeader, succeeds],56 withoutCredentials, noCustomHeader, succeeds], 72 57 73 58 // Receives a redirect response with a URL containing the userinfo production. 74 59 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 75 60 access-control-allow-origin=http://localhost:8000", 76 noCustomHeader, fails],61 withoutCredentials, noCustomHeader, fails], 77 62 78 63 // Receives a redirect response with a URL with an unsupported scheme. 79 64 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\ 80 65 access-control-allow-origin=http://localhost:8000", 81 noCustomHeader, fails],66 withoutCredentials, noCustomHeader, fails], 82 67 83 // 3) Test preflighted cross origin requests that receive redirects.68 // 2) Test preflighted cross origin requests that receive redirects. 84 69 85 70 // Receives a redirect response to the preflight request and fails. 
… … 87 72 url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\ 88 73 access-control-allow-origin=*", 89 addCustomHeader, fails],74 withoutCredentials, addCustomHeader, fails], 90 75 91 76 // Successful preflight and receives a redirect response to the actual request and fails. … … 94 79 access-control-allow-origin=*&\ 95 80 access-control-allow-headers=x-webkit", 96 addCustomHeader, fails],81 withoutCredentials, addCustomHeader, fails], 97 82 98 // 4) Test same origin requests with a custom header that receive a same origin redirect.83 // 3) Test same origin requests with a custom header that receive a same origin redirect. 99 84 ["resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", 100 addCustomHeader, succeeds], 85 withoutCredentials, addCustomHeader, succeeds], 86 101 87 ] 102 88 -
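Review bot: Every row of `tests` passes `withoutCredentials`, so the new `credentials` column and the `xhr.withCredentials = credentials;` line added to `runTestAsync` are never exercised with `true` in this file; the credentialed branch of the cross-origin-redirect logic (target must answer with a non-wildcard `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true`) is presumably covered only by the newly added same-origin test, which is not on this page. One `withCredentials` row here would pin it, e.g. `["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&access-control-allow-origin=http://localhost:8000", withCredentials, noCustomHeader, fails],` on the assumption that the `allow-star` target answers with a `*` origin, which must be rejected once credentials are in play. The FIXME on the second entry documents a known failure that the expectation file records as `FAIL: 0`; a bug reference next to it would keep that from being mistaken for a regression later. The `tests` array continues outside the hunk.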
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt
r47388 r195010 7 7 PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101 8 8 Testing /resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi(async) 9 Expecting success: false 10 PASS: 0 9 Expecting success: true 10 PASS: PASS: Cross-domain access allowed. 11 11 12 Testing http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi (sync) 12 13 Expecting success: false -
trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html
r120167 r195010 46 46 47 47 var tests = [ 48 ["/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],48 ["/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, true], 49 49 ["http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false], 50 50 ["http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false] -
trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt
r41810 r195010 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 1 2 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS: 2 3 -
trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt
r41810 r195010 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 1 2 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS: 2 3 -
trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt
r41810 r195010 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 1 2 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS: 2 3 -
trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt
r42078 r195010 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 2 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 3 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 4 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 5 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 6 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 7 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 8 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 9 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 10 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. 
Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 1 11 Test that a cross-origin redirect does not result in a non-simple request being sent to the target. 2 12 -
trunk/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt
r42164 r195010 1 CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. 1 2 This tests that unsafe redirects won't be allowed when making an XMLHttpRequest. 2 3 Sync XHR started. -
trunk/LayoutTests/imported/w3c/ChangeLog
r194999 r195010 1 2016-01-14 Youenn Fablet <youenn.fablet@crf.canon.fr> 2 3 Fix problems with cross-origin redirects 4 https://bugs.webkit.org/show_bug.cgi?id=116075 5 6 Reviewed by Daniel Bates. 7 8 Rebasing test expectations. 9 These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not. 10 11 * web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt: 12 * web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt: 13 * web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt: 14 1 15 2016-01-12 Ryosuke Niwa <rniwa@webkit.org> 2 16 -
trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt
r191546 r195010 1 1 2 FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (301) assert_equals: expected (string) "GET" but got (object) null 3 FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (302) assert_equals: expected (string) "GET" but got (object) null 4 FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (303) assert_equals: expected (string) "GET" but got (object) null 5 FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (307) assert_equals: expected (string) "GET" but got (object) null 2 PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (301) 3 PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (302) 4 PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (303) 5 PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (307) 6 6 -
trunk/Source/WebCore/ChangeLog
r195006 r195010 1 2016-01-14 Youenn Fablet <youenn.fablet@crf.canon.fr> 2 3 Fix problems with cross-origin redirects 4 https://bugs.webkit.org/show_bug.cgi?id=116075 5 6 Reviewed by Daniel Bates. 7 8 Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell 9 Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses. 10 Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request. 11 12 In addition to Blink patch, it was needed to update some loaders with the newly introduced ClientRequestedCredentials parameter. 13 Added the clearing of "Accept-Encoding" header from cross-origin requests as Mac HTTP network layer is adding it for same-origin requests. 14 15 Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html 16 17 * loader/DocumentLoader.cpp: 18 (WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch). 19 * loader/DocumentThreadableLoader.cpp: 20 (WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch). 21 * loader/MediaResourceLoader.cpp: 22 (WebCore::MediaResourceLoader::start): 23 * loader/NetscapePlugInStreamLoader.cpp: 24 (WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter. 25 * loader/ResourceLoaderOptions.h: 26 (WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch). 27 (WebCore::ResourceLoaderOptions::credentialRequest): 28 (WebCore::ResourceLoaderOptions::setCredentialRequest): 29 * loader/cache/CachedResourceLoader.cpp: 30 (WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto. 31 (WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto. 
32 * loader/icon/IconLoader.cpp: 33 (WebCore::IconLoader::startLoading): Added new security parameter. 34 * page/EventSource.cpp: 35 (WebCore::EventSource::connect): Added new security parameter (from Blink patch). 36 * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp: 37 (WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter. 38 * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm: 39 (WebCore::WebCoreAVFResourceLoader::startLoading): Ditto. 40 * platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch). 41 * platform/network/ResourceRequestBase.cpp: 42 (WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove "Accept-Encoding" header. 43 * platform/network/ResourceRequestBase.h: Ditto. 44 * xml/XMLHttpRequest.cpp: 45 (WebCore::XMLHttpRequest::createRequest): Added new security parameter. 46 1 47 2016-01-13 Myles C. Maxfield <mmaxfield@apple.com> 2 48 -
trunk/Source/WebCore/loader/DocumentLoader.cpp
r195004 r195010 1472 1472 request.makeUnconditional(); 1473 1473 1474 static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);1474 static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading); 1475 1475 CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions); 1476 1476 cachedResourceRequest.setInitiator(*this); -
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r194496 r195010 183 183 184 184 // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported 185 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check. 185 // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the 186 // original request was not same-origin. 186 187 if (m_options.crossOriginRequestPolicy == UseAccessControl) { 187 188 bool allowRedirect = false; … … 191 192 && request.url().user().isEmpty() 192 193 && request.url().pass().isEmpty() 193 && passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription);194 && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription)); 194 195 } 195 196 … … 200 201 RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url()); 201 202 RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url()); 202 // If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier. 203 if (!originalOrigin->isSameSchemeHostPort(requestOrigin.get())) 203 // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin, 204 // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request 205 // should be the original URL origin.) 206 if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get())) 204 207 m_options.securityOrigin = SecurityOrigin::createUnique(); 205 // Force any subsequent request sto use these checks.208 // Force any subsequent request to use these checks. 
206 209 m_sameOriginRequest = false; 210 211 // Since the request is no longer same-origin, if the user didn't request credentials in 212 // the first place, update our state so we neither request them nor expect they must be allowed. 213 if (m_options.credentialRequest() == ClientDidNotRequestCredentials) 214 m_options.setAllowCredentials(DoNotAllowStoredCredentials); 207 215 208 216 // Remove any headers that may have been added by the network layer that cause access control to fail. … … 212 220 request.clearHTTPUserAgent(); 213 221 request.clearHTTPAccept(); 222 request.clearHTTPAcceptEncoding(); 214 223 makeCrossOriginAccessRequest(request); 215 224 return; -
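Review bot: The same-origin short-circuit in the redirect check, `(m_sameOriginRequest || passesAccessControlCheck(...))`, is only sound if this branch is reached solely for cross-origin redirect targets, which presumably the preceding (out-of-hunk) redirect-allowed check guarantees; nothing in the hunk records that invariant, and a future refactor of that earlier check would silently turn this into "skip CORS on the redirect response". I would state it at the check: `// A same-origin request only reaches this branch when the redirect target is cross-origin; the same-origin redirect response needs no CORS check, the target's response still gets one.`. The credential downgrade is also worth a sentence of rationale, since it is keyed on `credentialRequest()` rather than `allowCredentials()`: a same-origin load starts with stored credentials allowed (EventSource computes `origin->canRequest(m_url) || m_withCredentials`), so the only record of what the script asked for is the new flag, and without this reset cookies would cross the origin boundary on a `withCredentials = false` request. Note that `m_sameOriginRequest` is cleared before the downgrade, so the comment "Since the request is no longer same-origin" is accurate but reads as if it described the next hop. `redirectReceived` starts and ends outside the hunk.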
trunk/Source/WebCore/loader/MediaResourceLoader.cpp
r194496 r195010 62 62 63 63 // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources. 64 CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));64 CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)); 65 65 66 66 if (!m_crossOriginMode.isNull()) -
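Review bot: `ClientDidNotRequestCredentials` is hard-coded here while `allowCredentials` on the same line is a computed value, so for a media element whose crossorigin mode yields `AllowStoredCredentials` the two options now disagree about whether credentials were wanted. Whether that matters depends on whether the raw-resource redirect path consults `credentialRequest()` the way `DocumentThreadableLoader::redirectReceived` does, which I cannot tell from this page, but the safer change is to derive it from the same decision that produced `allowCredentials`, e.g. `allowCredentials == AllowStoredCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials`. `start` begins outside the hunk.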
trunk/Source/WebCore/loader/NetscapePlugInStreamLoader.cpp
r194496 r195010 44 44 // See <https://bugs.webkit.org/show_bug.cgi?id=146663>. 45 45 NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client) 46 : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading))46 : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)) 47 47 , m_client(client) 48 48 { -
trunk/Source/WebCore/loader/ResourceLoaderOptions.h
r189432 r195010 84 84 , m_allowCredentials(DoNotAllowStoredCredentials) 85 85 , m_clientCredentialPolicy(DoNotAskClientForAnyCredentials) 86 , m_credentialRequest(ClientDidNotRequestCredentials) 86 87 , m_securityCheck(DoSecurityCheck) 87 88 , m_requestOriginPolicy(UseDefaultOriginRestrictionsForType) … … 90 91 } 91 92 92 ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition, DefersLoadingPolicy defersLoadingPolicy)93 ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, CredentialRequest credentialRequest, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition, DefersLoadingPolicy defersLoadingPolicy) 93 94 : m_sendLoadCallbacks(sendLoadCallbacks) 94 95 , m_sniffContent(sniffContent) … … 96 97 , m_allowCredentials(allowCredentials) 97 98 , m_clientCredentialPolicy(credentialPolicy) 99 , m_credentialRequest(credentialRequest) 98 100 , m_securityCheck(securityCheck) 99 101 , m_requestOriginPolicy(requestOriginPolicy) … … 114 116 ClientCredentialPolicy clientCredentialPolicy() const { return static_cast<ClientCredentialPolicy>(m_clientCredentialPolicy); } 115 117 void setClientCredentialPolicy(ClientCredentialPolicy policy) { m_clientCredentialPolicy = policy; } 118 CredentialRequest credentialRequest() { return static_cast<CredentialRequest>(m_credentialRequest); } 119 void setCredentialRequest(CredentialRequest credentialRequest) { 
m_credentialRequest = credentialRequest; } 116 120 SecurityCheckPolicy securityCheck() const { return static_cast<SecurityCheckPolicy>(m_securityCheck); } 117 121 void setSecurityCheck(SecurityCheckPolicy check) { m_securityCheck = check; } … … 130 134 unsigned m_allowCredentials : 1; // Whether HTTP credentials and cookies are sent with the request. 131 135 unsigned m_clientCredentialPolicy : 2; // When we should ask the client for credentials (if we allow credentials at all). 136 unsigned m_credentialRequest: 1; // Whether the client (e.g. XHR) wanted credentials in the first place. 132 137 unsigned m_securityCheck : 1; 133 138 unsigned m_requestOriginPolicy : 2; -
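Review bot: The new getter `CredentialRequest credentialRequest() { ... }` is the only accessor in this group without `const`; its siblings `clientCredentialPolicy() const` and `securityCheck() const` have it, and `defaultCachedResourceOptions()` hands out a `const ResourceLoaderOptions&` that could not query the flag. It should read `CredentialRequest credentialRequest() const { return static_cast<CredentialRequest>(m_credentialRequest); }`. The bit-field declaration `unsigned m_credentialRequest: 1;` also drops the space before the colon that every neighbouring field uses. The class declaration starts and ends outside the hunk.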
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r194898 r195010 235 235 // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too? 236 236 237 userSheet->load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));237 userSheet->load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)); 238 238 239 239 return userSheet; … … 1170 1170 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions() 1171 1171 { 1172 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);1172 static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading); 1173 1173 return options; 1174 1174 } -
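Review bot: The defaults now pair `AllowStoredCredentials` with `ClientRequestedCredentials`, which is the right reading for ordinary same-origin subresources, but the two flags are set independently and only one of them is touched by existing code that adjusts credentials later. Any caller that copies these defaults and then calls `setAllowCredentials(DoNotAllowStoredCredentials)` for a `crossorigin=anonymous` load (not visible here, if it exists) will leave `credentialRequest()` claiming the client wanted credentials it never sends; such sites should call `setCredentialRequest(ClientDidNotRequestCredentials)` alongside. A one-line comment on the defaults noting that the pair must be updated together would make that contract visible.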
trunk/Source/WebCore/loader/icon/IconLoader.cpp
r189432 r195010 60 60 61 61 // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources. 62 CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));62 CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)); 63 63 64 64 request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low); -
trunk/Source/WebCore/page/EventSource.cpp
r194419 r195010 126 126 options.setSniffContent(DoNotSniffContent); 127 127 options.setAllowCredentials((origin->canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials); 128 options.setCredentialRequest(m_withCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials); 128 129 options.preflightPolicy = PreventPreflight; 129 130 options.crossOriginRequestPolicy = UseAccessControl; -
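Review bot: The new `setCredentialRequest` call at EventSource line 128 sits directly under `setAllowCredentials`, which still folds `origin->canRequest(m_url)` into its answer, so the two options can legitimately disagree (same-origin URL with `m_withCredentials` false gives AllowStoredCredentials but ClientDidNotRequestCredentials) and nothing at this site says which one is authoritative after a redirect. A one-line comment would stop a later maintainer from "simplifying" one of them away: `// allowCredentials covers the initial same-origin URL; credentialRequest records only the caller's intent so a redirect to another origin can drop credentials.` The redirect code that consumes credentialRequest is not in this hunk, and the enclosing function starts and ends outside it.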
trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp
r189432 r195010 73 73 74 74 // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources. 75 CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));75 CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)); 76 76 77 77 request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low); -
trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
r189432 r195010 69 69 70 70 // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources. 71 CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));71 CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading)); 72 72 73 73 request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low); -
trunk/Source/WebCore/platform/network/ResourceHandleTypes.h
r149303 r195010 40 40 }; 41 41 42 // APIs like XMLHttpRequest and EventSource let the user decide 43 // whether to send credentials, but they're always sent for 44 // same-origin requests. Additional information is needed to handle 45 // cross-origin redirects correctly. 46 enum CredentialRequest { 47 ClientRequestedCredentials, 48 ClientDidNotRequestCredentials 49 }; 50 42 51 } // namespace WebCore 43 52 -
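Review bot: `CredentialRequest` lists the permissive enumerator `ClientRequestedCredentials` first, so any value-initialized or zeroed field of this type silently means "send credentials"; declaring `ClientDidNotRequestCredentials` first (or stating the intended default in the comment) makes the zero value the fail-closed one. The ResourceLoaderOptions default constructor is not in this changeset, so whether the default is set explicitly there is unconfirmed from here. The new comment would also be clearer if it named the distinction it exists for, e.g. `// Unlike StoredCredentials, this records only what the API caller asked for and ignores whether the initial request was same-origin.`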
trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp
r194496 r195010 380 380 } 381 381 382 void ResourceRequestBase::clearHTTPAcceptEncoding() 383 { 384 updateResourceRequest(); 385 386 m_httpHeaderFields.remove(HTTPHeaderName::AcceptEncoding); 387 388 if (url().protocolIsInHTTPFamily()) 389 m_platformRequestUpdated = false; 390 } 391 382 392 void ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2, const String& encoding3) 383 393 { -
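Review bot: `clearHTTPAcceptEncoding` carries no comment saying why a loader would strip this header, and its consumer is not in this hunk; given the changeset's subject it is presumably used when re-issuing a request after a redirect, in which case a note such as `// Drops the Accept-Encoding chosen for the previous request so a redirected request is rebuilt from scratch.` would help — confirm against the caller. The `m_platformRequestUpdated = false` reset is gated on `protocolIsInHTTPFamily()`, which appears to mirror the sibling clear* helpers; if it does not, a non-HTTP request would keep a stale platform request after the header is removed. The enclosing class runs outside this hunk.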
trunk/Source/WebCore/platform/network/ResourceRequestBase.h
r194313 r195010 116 116 void clearHTTPAccept(); 117 117 118 void clearHTTPAcceptEncoding(); 119 118 120 const Vector<String>& responseContentDispositionEncodingFallbackArray() const { return m_responseContentDispositionEncodingFallbackArray; } 119 121 WEBCORE_EXPORT void setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2 = String(), const String& encoding3 = String()); -
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r194496 r195010 755 755 options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight; 756 756 options.setAllowCredentials((m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials); 757 options.setCredentialRequest(m_includeCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials); 757 758 options.crossOriginRequestPolicy = UseAccessControl; 758 759 options.securityOrigin = securityOrigin();
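Review bot: At line 756 `m_sameOriginRequest` reflects the URL passed at open() time, so the `AllowStoredCredentials` computed here goes stale if a same-origin response redirects to another origin; the new line 757 exists to record the caller's intent independently of that bypass, but nothing at this site says so. Suggest a comment above it: `// Keep the caller's withCredentials choice separate from the same-origin bypass above so a cross-origin redirect can re-decide whether to send credentials.` The redirect path that reads credentialRequest is outside this hunk, as is the rest of the enclosing function.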