Changeset 200493 in webkit
- Timestamp:
- May 5, 2016 4:27:08 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r200492 r200493 1 2016-05-05 Chris Dumez <cdumez@apple.com> 2 3 CORS check is sometimes incorrectly failing for media loads 4 https://bugs.webkit.org/show_bug.cgi?id=157370 5 <rdar://problem/26071607> 6 7 Reviewed by Alex Christensen. 8 9 Add a regression test for <rdar://problem/26071607>. 10 11 * http/tests/media/resources/reference.mov: Added. 12 * http/tests/security/resources/reference-movie-cross-origin-allow.php: Added. 13 * http/tests/security/video-cross-origin-caching-expected.txt: Added. 14 * http/tests/security/video-cross-origin-caching.html: Added. 15 1 16 2016-05-05 Zalan Bujtas <zalan@apple.com> 2 17 -
trunk/Source/WebCore/ChangeLog
r200492 r200493 1 2016-05-05 Chris Dumez <cdumez@apple.com> 2 3 CORS check is sometimes incorrectly failing for media loads 4 https://bugs.webkit.org/show_bug.cgi?id=157370 5 <rdar://problem/26071607> 6 7 Reviewed by Alex Christensen. 8 9 When the media library is issuing a conditional request for a media 10 element that had the 'crossorigin' attribute, we would fail the CORS 11 check and log an error if the server were to respond with a "304 Not 12 Modified" response because the 304 response usually does not have 13 the necessary "Access-Control-Allow-Origin: *" header (At least for 14 Apache) and we cannot use the cached headers either since WebKit 15 does not have them. 16 17 To work around the problem in the short term, we now drop the 18 conditional headers from the request that the media library is 19 giving us when the media element has the 'crossorigin' attribute 20 set. As a result, the server will never respond with a 304 and we 21 will be able to do a CORS check on the full (e.g. 206) response. 22 23 In the long term, we need to deal with this better as this means 24 we may sometimes fail to reuse cached data. For now, this is only 25 potentially inefficient in the cases that were broken (i.e. no 26 video would play and we would log an error in the console). 27 28 Test: http/tests/security/video-cross-origin-caching.html 29 30 * loader/MediaResourceLoader.cpp: 31 (WebCore::MediaResourceLoader::requestResource): 32 Make the request unconditional if the media element has the 33 'crossorigin' attribute set. 34 35 * platform/network/ResourceRequestBase.cpp: 36 (WebCore::ResourceRequestBase::isConditional): 37 (WebCore::ResourceRequestBase::makeUnconditional): 38 When fixing the bug above, I noticed that those method do not do 39 the right thing if the m_httpHeaderFields data member has not 40 been populated yet. m_httpHeaderFields is lazily initialized so 41 we need to call updateResourceRequest() before using it. 42 1 43 2016-05-05 Zalan Bujtas <zalan@apple.com> 2 44 -
trunk/Source/WebCore/loader/MediaResourceLoader.cpp
r198549 r200493 67 67 StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials; 68 68 69 auto updatedRequest = request; 70 #if HAVE(AVFOUNDATION_LOADER_DELEGATE) && PLATFORM(MAC) 71 // FIXME: Workaround for <rdar://problem/26071607>. We are not able to do CORS checking on 304 responses because they 72 // are usually missing the headers we need. 73 if (corsPolicy == PotentiallyCrossOriginEnabled) 74 updatedRequest.makeUnconditional(); 75 #endif 76 69 77 // FIXME: Skip Content Security Policy check if the element that inititated this request 70 78 // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>. 71 CachedResourceRequest cacheRequest( request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));79 CachedResourceRequest cacheRequest(updatedRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching)); 72 80 73 81 if (!m_crossOriginMode.isNull()) -
trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp
r199590 r200493 546 546 bool ResourceRequestBase::isConditional() const 547 547 { 548 updateResourceRequest(); 549 548 550 for (auto headerName : conditionalHeaderNames) { 549 551 if (m_httpHeaderFields.contains(headerName)) … … 556 558 void ResourceRequestBase::makeUnconditional() 557 559 { 560 updateResourceRequest(); 561 558 562 for (auto headerName : conditionalHeaderNames) 559 563 m_httpHeaderFields.remove(headerName);
Note: See TracChangeset
for help on using the changeset viewer.