Changeset 203815 in webkit

Timestamp:

Jul 28, 2016 1:30:14 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

Compute fetch response type in case of cross-origin requests
​https://bugs.webkit.org/show_bug.cgi?id=158565

Patch by Youenn Fablet <​youenn@apple.com> on 2016-07-28
Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Rebasing fetch API tests as filtering is now done.
Rebasing XHR tests as console messages are no longer available when trying to access non-exposed headers.

• web-platform-tests/XMLHttpRequest/getresponseheader-cookies-and-more-expected.txt:
• web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
• web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
• web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
• web-platform-tests/fetch/api/cors/cors-filtering-expected.txt:
• web-platform-tests/fetch/api/request/request-cache-expected.txt:

Source/WebCore:

Covered by rebased tests.

Implementing Response filtering based on Response tainting in ResourceResponse.
Refactoring code in FetchHeaders and CrossOriginAccessControl.cpp accordingly.

Computing response tainting in SubresourceLoader for all resources.
This is used by DocumentThreadableLoader which now filters responses accordingly for all its clients including fetch and XHR.

Response tainting notably allows computing the response type and filtering out headers in case of cross origin responses.

Removing the filtering implemented in XMLHttpRequest as this is done before it gets access to the headers.
This is triggering some rebasing in the XHR tests as error messages triggered by trying to access unsafe headers no longer happen.

This filtering currently requires creating a new ResourceResponse object from the one sent from CachedResource.
This is done so as the same ResourceResponse may be reused accross loads and may be filtered differently by given to two different DocumentThreadableLoader
This can be mitigated in the future by changing ThreadableLoaderClient API to pass a ResourceResponse&&.

• Modules/fetch/FetchHeaders.cpp: Moving header checking in HTTParsers.h/.cpp

(WebCore::isForbiddenHeaderName): Deleted.
(WebCore::isForbiddenResponseHeaderName): Deleted.
(WebCore::isSimpleHeader): Deleted.

• loader/CrossOriginAccessControl.cpp:

(WebCore::parseAccessControlExposeHeadersAllowList): Deleted.

• loader/CrossOriginAccessControl.h: Moving header checking in HTTParsers.h/.cpp
• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::responseReceived):
(WebCore::DocumentThreadableLoader::didReceiveResponse): Doing response filtering. Since underlying loaders are
not yet aware that fetch mode may be cors (it is always no-cors currently), the tainting needs to be updated.
(WebCore::DocumentThreadableLoader::loadRequest): Computing response tainting in case of synchronous calls to ensure headers are filtered for synchronous XHR.

• loader/DocumentThreadableLoader.h:
• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::init): Getting origin from its resource and setting response tainting accordingly
(WebCore::SubresourceLoader::willSendRequestInternal): Always calling checkRedirectionCrossOriginAccessControl
to ensure response tainting is computed, even for no-cors resources.
(WebCore::SubresourceLoader::didReceiveResponse):
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Computing response tainting in case of redirection.

• loader/SubresourceLoader.h:
• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::load): Computing resource origin from the HTTP headers or from the document if none is
set in the HTTP headers.
(WebCore::CachedResource::setCrossOrigin): Helper routine to set response tainting.
(WebCore::CachedResource::isCrossOrigin): Helper routine to know whether resource is cross origin
(WebCore::CachedResource::isClean):
(WebCore::CachedResource::setResponse): Removing m_responseType

• loader/cache/CachedResource.h:

(WebCore::CachedResource::responseTainting):
(WebCore::CachedResource::origin):
(WebCore::CachedResource::setOpaqueRedirect): Deleted.

• platform/network/HTTPParsers.cpp: Implementing safe response header checking

(WebCore::parseAccessControlExposeHeadersAllowList):
(WebCore::isForbiddenHeaderName):
(WebCore::isForbiddenResponseHeaderName):
(WebCore::isSimpleHeader):
(WebCore::isCrossOriginSafeHeader):

• platform/network/HTTPParsers.h:
• platform/network/ResourceRequestBase.cpp:

(WebCore::ResourceRequestBase::hasHTTPOrigin): Added.
(WebCore::ResourceRequestBase::clearHTTPOrigin):

• platform/network/ResourceRequestBase.h:
• platform/network/ResourceResponseBase.cpp: Implementation of response filtering.

(WebCore::ResourceResponseBase::filterResponse):

• platform/network/ResourceResponseBase.h:
• xml/XMLHttpRequest.cpp:

(WebCore::isSetCookieHeader): Deleted.
(WebCore::XMLHttpRequest::getAllResponseHeaders): Removing header filtering since DocumentThreadableLoader does it.
(WebCore::XMLHttpRequest::getResponseHeader): Ditto.

LayoutTests:

Rebasing fetch API tests as filtering is now done.
Rebasing XHR tests as console messages are no longer available when trying to access non-exposed headers.

• http/tests/xmlhttprequest/access-control-basic-whitelist-response-headers-expected.txt:
• http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt:
• http/tests/xmlhttprequest/get-dangerous-headers-expected.txt:
• http/tests/xmlhttprequest/getResponseHeader-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
• platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
• platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-basic-whitelist-response-headers-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/get-dangerous-headers-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/getResponseHeader-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/getresponseheader-cookies-and-more-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-cache-expected.txt (modified) (3 diffs)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt (modified) (1 diff)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt (modified) (1 diff)
• LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/fetch/FetchHeaders.cpp (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.h (modified) (2 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (4 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.h (modified) (2 diffs)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (6 diffs)
• Source/WebCore/loader/SubresourceLoader.h (modified) (2 diffs)
• Source/WebCore/loader/cache/CachedResource.cpp (modified) (3 diffs)
• Source/WebCore/loader/cache/CachedResource.h (modified) (4 diffs)
• Source/WebCore/platform/network/HTTPParsers.cpp (modified) (2 diffs)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceRequestBase.cpp (modified) (1 diff)
• Source/WebCore/platform/network/ResourceRequestBase.h (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceResponseBase.cpp (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceResponseBase.h (modified) (1 diff)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-07-28  Youenn Fablet  <youenn@apple.com>
+
+        Compute fetch response type in case of cross-origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=158565
+
+        Reviewed by Alex Christensen.
+
+        Rebasing fetch API tests as filtering is now done.
+        Rebasing XHR tests as console messages are no longer available when trying to access non-exposed headers.
+
+        * http/tests/xmlhttprequest/access-control-basic-whitelist-response-headers-expected.txt:
+        * http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt:
+        * http/tests/xmlhttprequest/get-dangerous-headers-expected.txt:
+        * http/tests/xmlhttprequest/getResponseHeader-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
+        * platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
+        * platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+
 2016-07-27  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-basic-whitelist-response-headers-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 25: Refused to get unsafe header "x-webkit"
 PASS: Response header cache-control allowed.
 PASS: Response header content-language allowed.

trunk/LayoutTests/http/tests/xmlhttprequest/access-control-response-with-expose-headers-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "X-TEST"
 Test for bug 41210: Cross Origin XMLHttpRequest can not expose headers indicated in Access-Control-Expose-Headers HTTP Response Header.
 

trunk/LayoutTests/http/tests/xmlhttprequest/get-dangerous-headers-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 15: Refused to get unsafe header "Set-Cookie"
-CONSOLE MESSAGE: line 17: Refused to get unsafe header "set-cookie"
-CONSOLE MESSAGE: line 19: Refused to get unsafe header "Set-Cookie2"
-CONSOLE MESSAGE: line 21: Refused to get unsafe header "set-cookie2"
 Test that getResponseHeader and getAllResponseHeaders cannot be used to get the cookie header fields.
 

trunk/LayoutTests/http/tests/xmlhttprequest/getResponseHeader-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "SeT-COoKie"
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "sEt-coOkIE2"
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "SeT-COoKie"
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "sEt-coOkIE2"
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "SeT-COoKie"
-CONSOLE MESSAGE: line 1: Refused to get unsafe header "sEt-coOkIE2"
 Test the required behavior of XMLHttpRequest.getResponseHeader()
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-07-28  Youenn Fablet  <youenn@apple.com>
+
+        Compute fetch response type in case of cross-origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=158565
+
+        Reviewed by Alex Christensen.
+
+        Rebasing fetch API tests as filtering is now done.
+        Rebasing XHR tests as console messages are no longer available when trying to access non-exposed headers.
+
+        * web-platform-tests/XMLHttpRequest/getresponseheader-cookies-and-more-expected.txt:
+        * web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt:
+        * web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-filtering-expected.txt:
+        * web-platform-tests/fetch/api/request/request-cache-expected.txt:
+
 2016-07-27  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/getresponseheader-cookies-and-more-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 23: Refused to get unsafe header "set-cookie"
-CONSOLE MESSAGE: line 24: Refused to get unsafe header "set-cookie2"
-CONSOLE MESSAGE: line 23: Refused to get unsafe header "set-cookie"
-CONSOLE MESSAGE: line 24: Refused to get unsafe header "set-cookie2"
-CONSOLE MESSAGE: line 23: Refused to get unsafe header "set-cookie"
-CONSOLE MESSAGE: line 24: Refused to get unsafe header "set-cookie2"
 
 PASS XMLHttpRequest: getResponseHeader() custom/non-existent headers and cookies 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt

@@ -2 +2 @@
 PASS Fetch ../resources/top.txt with no-cors mode 
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
-FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode 
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt

@@ -2 +2 @@
 PASS Fetch ../resources/top.txt with no-cors mode 
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
-FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode 
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ -1 +1 @@
 
-FAIL Same domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Same domain different port [no-cors mode] 
 PASS Same domain different port [server forbid CORS] 
-FAIL Same domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Same domain different protocol different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Same domain different port [cors mode] 
+PASS Same domain different protocol different port [no-cors mode] 
 PASS Same domain different protocol different port [server forbid CORS] 
-FAIL Same domain different protocol different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Cross domain basic usage [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Same domain different protocol different port [cors mode] 
+PASS Cross domain basic usage [no-cors mode] 
 PASS Cross domain basic usage [server forbid CORS] 
-FAIL Cross domain basic usage [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Cross domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain basic usage [cors mode] 
+PASS Cross domain different port [no-cors mode] 
 PASS Cross domain different port [server forbid CORS] 
-FAIL Cross domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Cross domain different protocol [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain different port [cors mode] 
+PASS Cross domain different protocol [no-cors mode] 
 PASS Cross domain different protocol [server forbid CORS] 
-FAIL Cross domain different protocol [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
+PASS Cross domain different protocol [cors mode] 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-filtering-expected.txt

@@ -1 +1 @@
 
-FAIL CORS filter on Cache-Control header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Content-Language header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Content-Type header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Expires header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Last-Modified header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Pragma header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Age header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Server header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Warning header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Content-Length header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Set-Cookie header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Set-Cookie2 header assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Age header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Server header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Warning header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Content-Length header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Set-Cookie header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
-FAIL CORS filter on Set-Cookie2 header, header is exposed assert_equals: CORS fetch's response has cors type expected "cors" but got "basic"
+PASS CORS filter on Cache-Control header 
+PASS CORS filter on Content-Language header 
+PASS CORS filter on Content-Type header 
+PASS CORS filter on Expires header 
+PASS CORS filter on Last-Modified header 
+PASS CORS filter on Pragma header 
+PASS CORS filter on Age header 
+PASS CORS filter on Server header 
+PASS CORS filter on Warning header 
+PASS CORS filter on Content-Length header 
+PASS CORS filter on Set-Cookie header 
+PASS CORS filter on Set-Cookie2 header 
+PASS CORS filter on Age header, header is exposed 
+PASS CORS filter on Server header, header is exposed 
+PASS CORS filter on Warning header, header is exposed 
+PASS CORS filter on Content-Length header, header is exposed 
+PASS CORS filter on Set-Cookie header, header is exposed 
+PASS CORS filter on Set-Cookie2 header, header is exposed 
 

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/request/request-cache-expected.txt

@@ -38 +38 @@
 PASS RequestCache "only-if-cached" (with "same-origin") does not follow redirects across origins and rejects with Etag and stale response 
 PASS RequestCache "only-if-cached" (with "same-origin") does not follow redirects across origins and rejects with date and stale response 
-FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.5708867760543104\""
-FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with date and stale response assert_equals: expected (undefined) undefined but got (string) "Tue, 26 Jul 2016 18:03:51 GMT"
+FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.5142751701087829\""
+FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with date and stale response assert_equals: expected (undefined) undefined but got (string) "Wed, 27 Jul 2016 15:14:16 GMT"
 FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with Etag and fresh response assert_equals: expected 2 but got 1
 FAIL RequestCache "no-store" mode does not check the cache for previously cached content and goes to the network regardless with date and fresh response assert_equals: expected 2 but got 1
-FAIL RequestCache "no-store" mode does not store the response in the cache with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.03236160265570209\""
-FAIL RequestCache "no-store" mode does not store the response in the cache with date and stale response assert_equals: expected (undefined) undefined but got (string) "Tue, 26 Jul 2016 18:03:51 GMT"
+FAIL RequestCache "no-store" mode does not store the response in the cache with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.8439838765231941\""
+FAIL RequestCache "no-store" mode does not store the response in the cache with date and stale response assert_equals: expected (undefined) undefined but got (string) "Wed, 27 Jul 2016 15:14:16 GMT"
 FAIL RequestCache "no-store" mode does not store the response in the cache with Etag and fresh response assert_equals: expected 2 but got 1
 FAIL RequestCache "no-store" mode does not store the response in the cache with date and fresh response assert_equals: expected 2 but got 1
@@ -90 +90 @@
 PASS Responses with the "Cache-Control: no-store" header are not stored in the cache with Etag and fresh response 
 PASS Responses with the "Cache-Control: no-store" header are not stored in the cache with date and fresh response 
-FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.32037580965802115\""
-FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with date and stale response assert_equals: expected (undefined) undefined but got (string) "Tue, 26 Jul 2016 18:03:51 GMT"
+FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.7100561973865757\""
+FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with date and stale response assert_equals: expected (undefined) undefined but got (string) "Wed, 27 Jul 2016 15:14:16 GMT"
 FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with Etag and fresh response assert_equals: expected 2 but got 1
 FAIL RequestCache "reload" mode does not check the cache for previously cached content and goes to the network regardless with date and fresh response assert_equals: expected 2 but got 1
@@ -98 +98 @@
 PASS RequestCache "reload" mode does store the response in the cache with Etag and fresh response 
 PASS RequestCache "reload" mode does store the response in the cache with date and fresh response 
-FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.702774010433134\""
-FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with date and stale response assert_equals: expected (undefined) undefined but got (string) "Tue, 26 Jul 2016 18:03:51 GMT"
+FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with Etag and stale response assert_equals: expected (undefined) undefined but got (string) "\"0.45824924441966697\""
+FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with date and stale response assert_equals: expected (undefined) undefined but got (string) "Wed, 27 Jul 2016 15:14:16 GMT"
 FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with Etag and fresh response assert_equals: expected 2 but got 1
 FAIL RequestCache "reload" mode does store the response in the cache even if a previous response is already stored with date and fresh response assert_equals: expected 2 but got 1

trunk/LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt

@@ -3 +3 @@
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
 FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt

@@ -3 +3 @@
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
 FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ -1 +1 @@
 
-FAIL Same domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Same domain different port [no-cors mode] 
 PASS Same domain different port [server forbid CORS] 
-FAIL Same domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
+PASS Same domain different port [cors mode] 
 FAIL Same domain different protocol different port [no-cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
 PASS Same domain different protocol different port [server forbid CORS] 
 FAIL Same domain different protocol different port [cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross domain basic usage [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain basic usage [no-cors mode] 
 PASS Cross domain basic usage [server forbid CORS] 
-FAIL Cross domain basic usage [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Cross domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain basic usage [cors mode] 
+PASS Cross domain different port [no-cors mode] 
 PASS Cross domain different port [server forbid CORS] 
-FAIL Cross domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
+PASS Cross domain different port [cors mode] 
 FAIL Cross domain different protocol [no-cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
 PASS Cross domain different protocol [server forbid CORS] 

trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-expected.txt

@@ -3 +3 @@
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
 FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/basic/mode-no-cors-worker-expected.txt

@@ -3 +3 @@
 PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with no-cors mode 
 FAIL Fetch https://localhost:9443/fetch/api/resources/top.txt with no-cors mode promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Fetch http://localhost:8801/fetch/api/resources/top.txt with no-cors mode 
 

trunk/LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt

@@ -1 +1 @@
 
-FAIL Same domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Same domain different port [no-cors mode] 
 PASS Same domain different port [server forbid CORS] 
-FAIL Same domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
+PASS Same domain different port [cors mode] 
 FAIL Same domain different protocol different port [no-cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
 PASS Same domain different protocol different port [server forbid CORS] 
 FAIL Same domain different protocol different port [cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL Cross domain basic usage [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain basic usage [no-cors mode] 
 PASS Cross domain basic usage [server forbid CORS] 
-FAIL Cross domain basic usage [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
-FAIL Cross domain different port [no-cors mode] assert_equals: Opaque filter: status is 0 expected 0 but got 200
+PASS Cross domain basic usage [cors mode] 
+PASS Cross domain different port [no-cors mode] 
 PASS Cross domain different port [server forbid CORS] 
-FAIL Cross domain different port [cors mode] assert_equals: CORS response's type is cors expected "cors" but got "basic"
+PASS Cross domain different port [cors mode] 
 FAIL Cross domain different protocol [no-cors mode] promise_test: Unhandled rejection with value: object "TypeError: Type error"
 PASS Cross domain different protocol [server forbid CORS] 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-07-28  Youenn Fablet  <youenn@apple.com>
+
+        Compute fetch response type in case of cross-origin requests
+        https://bugs.webkit.org/show_bug.cgi?id=158565
+
+        Reviewed by Alex Christensen.
+
+        Covered by rebased tests.
+
+        Implementing Response filtering based on Response tainting in ResourceResponse.
+        Refactoring code in FetchHeaders and CrossOriginAccessControl.cpp accordingly.
+
+        Computing response tainting in SubresourceLoader for all resources.
+        This is used by DocumentThreadableLoader which now filters responses accordingly for all its clients including fetch and XHR.
+
+        Response tainting notably allows computing the response type and filtering out headers in case of cross origin responses.
+
+        Removing the filtering implemented in XMLHttpRequest as this is done before it gets access to the headers.
+        This is triggering some rebasing in the XHR tests as error messages triggered by trying to access unsafe headers no longer happen.
+
+        This filtering currently requires creating a new ResourceResponse object from the one sent from CachedResource.
+        This is done so as the same ResourceResponse may be reused accross loads and may be filtered differently by given to two different DocumentThreadableLoader
+        This can be mitigated in the future by changing ThreadableLoaderClient API to pass a ResourceResponse&&.
+
+        * Modules/fetch/FetchHeaders.cpp: Moving header checking in HTTParsers.h/.cpp
+        (WebCore::isForbiddenHeaderName): Deleted.
+        (WebCore::isForbiddenResponseHeaderName): Deleted.
+        (WebCore::isSimpleHeader): Deleted.
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::parseAccessControlExposeHeadersAllowList): Deleted.
+        * loader/CrossOriginAccessControl.h: Moving header checking in HTTParsers.h/.cpp
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::responseReceived):
+        (WebCore::DocumentThreadableLoader::didReceiveResponse): Doing response filtering. Since underlying loaders are
+        not yet aware that fetch mode may be cors (it is always no-cors currently), the tainting needs to be updated.
+        (WebCore::DocumentThreadableLoader::loadRequest): Computing response tainting in case of synchronous calls to ensure headers are filtered for synchronous XHR.
+        * loader/DocumentThreadableLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::init): Getting origin from its resource and setting response tainting accordingly
+        (WebCore::SubresourceLoader::willSendRequestInternal): Always calling checkRedirectionCrossOriginAccessControl
+        to ensure response tainting is computed, even for no-cors resources.
+        (WebCore::SubresourceLoader::didReceiveResponse):
+        (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): Computing response tainting in case of redirection.
+        * loader/SubresourceLoader.h:
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::load): Computing resource origin from the HTTP headers or from the document if none is
+        set in the HTTP headers.
+        (WebCore::CachedResource::setCrossOrigin): Helper routine to set response tainting.
+        (WebCore::CachedResource::isCrossOrigin): Helper routine to know whether resource is cross origin
+        (WebCore::CachedResource::isClean):
+        (WebCore::CachedResource::setResponse): Removing m_responseType
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::responseTainting):
+        (WebCore::CachedResource::origin):
+        (WebCore::CachedResource::setOpaqueRedirect): Deleted.
+        * platform/network/HTTPParsers.cpp: Implementing safe response header checking
+        (WebCore::parseAccessControlExposeHeadersAllowList):
+        (WebCore::isForbiddenHeaderName):
+        (WebCore::isForbiddenResponseHeaderName):
+        (WebCore::isSimpleHeader):
+        (WebCore::isCrossOriginSafeHeader):
+        * platform/network/HTTPParsers.h:
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::hasHTTPOrigin): Added.
+        (WebCore::ResourceRequestBase::clearHTTPOrigin):
+        * platform/network/ResourceRequestBase.h:
+        * platform/network/ResourceResponseBase.cpp: Implementation of response filtering.
+        (WebCore::ResourceResponseBase::filterResponse):
+        * platform/network/ResourceResponseBase.h:
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::isSetCookieHeader): Deleted.
+        (WebCore::XMLHttpRequest::getAllResponseHeaders): Removing header filtering since DocumentThreadableLoader does it.
+        (WebCore::XMLHttpRequest::getResponseHeader): Ditto.
+
 2016-07-27  Romain Bellessort  <romain.bellessort@crf.canon.fr>
 

trunk/Source/WebCore/Modules/fetch/FetchHeaders.cpp

@@ -36 +36 @@
 
 namespace WebCore {
-
-// FIXME: Optimize these routines for HTTPHeaderMap keys and/or refactor them with XMLHttpRequest code.
-static bool isForbiddenHeaderName(const String& name)
-{
-    HTTPHeaderName headerName;
-    if (findHTTPHeaderName(name, headerName)) {
-        switch (headerName) {
-        case HTTPHeaderName::AcceptCharset:
-        case HTTPHeaderName::AcceptEncoding:
-        case HTTPHeaderName::AccessControlRequestHeaders:
-        case HTTPHeaderName::AccessControlRequestMethod:
-        case HTTPHeaderName::Connection:
-        case HTTPHeaderName::ContentLength:
-        case HTTPHeaderName::Cookie:
-        case HTTPHeaderName::Cookie2:
-        case HTTPHeaderName::Date:
-        case HTTPHeaderName::DNT:
-        case HTTPHeaderName::Expect:
-        case HTTPHeaderName::Host:
-        case HTTPHeaderName::KeepAlive:
-        case HTTPHeaderName::Origin:
-        case HTTPHeaderName::Referer:
-        case HTTPHeaderName::TE:
-        case HTTPHeaderName::Trailer:
-        case HTTPHeaderName::TransferEncoding:
-        case HTTPHeaderName::Upgrade:
-        case HTTPHeaderName::Via:
-            return true;
-        default:
-            break;
-        }
-    }
-    return startsWithLettersIgnoringASCIICase(name, "sec-") || startsWithLettersIgnoringASCIICase(name, "proxy-");
-}
-
-static bool isForbiddenResponseHeaderName(const String& name)
-{
-    return equalLettersIgnoringASCIICase(name, "set-cookie") || equalLettersIgnoringASCIICase(name, "set-cookie2");
-}
-
-static bool isSimpleHeader(const String& name, const String& value)
-{
-    HTTPHeaderName headerName;
-    if (!findHTTPHeaderName(name, headerName))
-        return false;
-    switch (headerName) {
-    case HTTPHeaderName::Accept:
-    case HTTPHeaderName::AcceptLanguage:
-    case HTTPHeaderName::ContentLanguage:
-        return true;
-    case HTTPHeaderName::ContentType: {
-        String mimeType = extractMIMETypeFromMediaType(value);
-        return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
-    }
-    default:
-        return false;
-    }
-}
 
 static bool canWriteHeader(const String& name, const String& value, FetchHeaders::Guard guard, ExceptionCode& ec)

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -181 +181 @@
 }
 
-void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
-{
-    Vector<String> headers;
-    headerValue.split(',', false, headers);
-    for (auto& header : headers) {
-        String strippedHeader = header.stripWhiteSpace();
-        if (!strippedHeader.isEmpty())
-            headerSet.add(strippedHeader);
-    }
-}
-
 } // namespace WebCore

trunk/Source/WebCore/loader/CrossOriginAccessControl.h

@@ -30 +30 @@
 #include "ResourceHandleTypes.h"
 #include <wtf/Forward.h>
-#include <wtf/HashSet.h>
-#include <wtf/text/StringHash.h>
 
 namespace WebCore {
-
-typedef HashSet<String, ASCIICaseInsensitiveHash> HTTPHeaderSet;
 
 class HTTPHeaderMap;
@@ -56 +52 @@
 
 bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin&, String& errorDescription);
-void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
 
 } // namespace WebCore

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -269 +269 @@
 {
     ASSERT_UNUSED(resource, resource == m_resource);
-    didReceiveResponse(m_resource->identifier(), response);
-}
-
-void DocumentThreadableLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
+    didReceiveResponse(m_resource->identifier(), response, m_resource->responseTainting());
+}
+
+void DocumentThreadableLoader::didReceiveResponse(unsigned long identifier, const ResourceResponse& response, ResourceResponse::Tainting tainting)
 {
     ASSERT(m_client);
@@ -284 +284 @@
     }
 
-    m_client->didReceiveResponse(identifier, response);
+    ASSERT(response.type() != ResourceResponse::Type::Error);
+    if (response.type() == ResourceResponse::Type::Default) {
+        // FIXME: To be removed once the real fetch mode is passed to underlying loaders.
+        if (options().mode == FetchOptions::Mode::Cors && tainting == ResourceResponse::Tainting::Opaque)
+            tainting = ResourceResponse::Tainting::Cors;
+        m_client->didReceiveResponse(identifier, ResourceResponse::filterResponse(response, tainting));
+    } else {
+        ASSERT(response.isNull() && response.type() == ResourceResponse::Type::Opaqueredirect);
+        m_client->didReceiveResponse(identifier, response);
+    }
 }
 
@@ -387 +396 @@
             // We don't want XMLHttpRequest to raise an exception for file:// resources, see <rdar://problem/4962298>.
             // FIXME: XMLHttpRequest quirks should be in XMLHttpRequest code, not in DocumentThreadableLoader.cpp.
-            didReceiveResponse(identifier, response);
+            didReceiveResponse(identifier, response, ResourceResponse::Tainting::Basic);
             didFinishLoading(identifier, 0.0);
             return;
@@ -410 +419 @@
     }
 
-    didReceiveResponse(identifier, response);
+    ResourceResponse::Tainting tainting = ResourceResponse::Tainting::Basic;
+    if (!m_sameOriginRequest)
+        tainting = m_options.mode == FetchOptions::Mode::Cors ? ResourceResponse::Tainting::Cors : ResourceResponse::Tainting::Opaque;
+    didReceiveResponse(identifier, response, tainting);
 
     if (data)

trunk/Source/WebCore/loader/DocumentThreadableLoader.h

@@ -33 +33 @@
 
 #include "CrossOriginPreflightChecker.h"
+#include "ResourceResponse.h"
 #include "SecurityOrigin.h"
 #include "ThreadableLoader.h"
@@ -82 +83 @@
         void notifyFinished(CachedResource*) override;
 
-        void didReceiveResponse(unsigned long identifier, const ResourceResponse&);
+        void didReceiveResponse(unsigned long identifier, const ResourceResponse&, ResourceResponse::Tainting);
         void didReceiveData(unsigned long identifier, const char* data, int dataLength);
         void didFinishLoading(unsigned long identifier, double finishTime);

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -7 +7 @@
  *
  * 1.  Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer. 
+ *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in the
- *     documentation and/or other materials provided with the distribution. 
+ *     documentation and/or other materials provided with the distribution.
  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  *     its contributors may be used to endorse or promote products derived
- *     from this software without specific prior written permission. 
+ *     from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
@@ -152 +152 @@
     // SubresourceLoader could use the document origin as a default and set PotentiallyCrossOriginEnabled requests accordingly.
     // This would simplify resource loader users as they would only need to set fetch mode to Cors.
-    if (options().mode == FetchOptions::Mode::Cors)
-        m_origin = SecurityOrigin::createFromString(request.httpOrigin());
+    m_origin = m_resource->origin();
+    // https://fetch.spec.whatwg.org/#main-fetch, step 11, data URL here is considered not cross origin.
+    if (!request.url().protocolIsData() && m_origin && !m_origin->canRequest(request.url()))
+        m_resource->setCrossOrigin();
 
     return true;
@@ -181 +183 @@
                 return;
             }
-            m_resource->setOpaqueRedirect();
-            m_resource->responseReceived({ });
+
+            ResourceResponse opaqueRedirectedResponse;
+            opaqueRedirectedResponse.setType(ResourceResponse::Type::Opaqueredirect);
+            m_resource->responseReceived(opaqueRedirectedResponse);
             didFinishLoading(currentTime());
             return;
@@ -203 +207 @@
         }
 
-        if (options().mode == FetchOptions::Mode::Cors && !checkCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
+        if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest)) {
             cancel();
             return;
@@ -296 +300 @@
         m_resource->finishLoading(buffer->copy().ptr());
         clearResourceData();
-        // Since a subresource loader does not load multipart sections progressively, data was delivered to the loader all at once.        
-        // After the first multipart section is complete, signal to delegates that this load is "finished" 
+        // Since a subresource loader does not load multipart sections progressively, data was delivered to the loader all at once.
+        // After the first multipart section is complete, signal to delegates that this load is "finished"
         m_documentLoader->subresourceLoaderFinishedLoadingOnePart(this);
         didFinishLoadingOnePart(0);
@@ -397 +401 @@
 }
 
-bool SubresourceLoader::checkCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
-{
-    if (m_origin->canRequest(newRequest.url()))
+bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
+{
+    ASSERT(options().mode != FetchOptions::Mode::SameOrigin);
+
+    bool shouldCheckCrossOrigin = options().mode == FetchOptions::Mode::Cors && m_resource->isCrossOrigin();
+
+    if (!(m_origin && m_origin->canRequest(newRequest.url())))
+        m_resource->setCrossOrigin();
+
+    if (!shouldCheckCrossOrigin)
         return true;
 
+    ASSERT(m_origin);
     String errorDescription;
     bool responsePassesCORS = m_origin->canRequest(previousRequest.url())

trunk/Source/WebCore/loader/SubresourceLoader.h

@@ -7 +7 @@
  *
  * 1.  Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer. 
+ *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in the
- *     documentation and/or other materials provided with the distribution. 
+ *     documentation and/or other materials provided with the distribution.
  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
  *     its contributors may be used to endorse or promote products derived
- *     from this software without specific prior written permission. 
+ *     from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
@@ -92 +92 @@
 
     bool checkForHTTPStatusCodeError();
-    bool checkCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
+    bool checkRedirectionCrossOriginAccessControl(const ResourceRequest&, const ResourceResponse&, ResourceRequest& newRequest);
 
     void didReceiveDataOrBuffer(const char*, int, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType);

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -282 +282 @@
     m_resourceRequest.setPriority(loadPriority());
 
-    addAdditionalRequestHeaders(cachedResourceLoader);
+    if (type() != MainResource) {
+        if (m_resourceRequest.hasHTTPOrigin())
+            m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());
+        else
+            m_origin = cachedResourceLoader.document()->securityOrigin();
+        ASSERT(m_origin);
+        addAdditionalRequestHeaders(cachedResourceLoader);
+    }
 
     // FIXME: It's unfortunate that the cache layer and below get to know anything about fragment identifiers.
@@ -366 +373 @@
         return true;
     return passesAccessControlCheck(securityOrigin);
+}
+
+void CachedResource::setCrossOrigin()
+{
+    ASSERT(m_options.mode != FetchOptions::Mode::SameOrigin);
+    m_responseTainting = (m_options.mode == FetchOptions::Mode::Cors) ? ResourceResponse::Tainting::Cors : ResourceResponse::Tainting::Opaque;
+}
+
+bool CachedResource::isCrossOrigin() const
+{
+    return m_responseTainting != ResourceResponse::Tainting::Basic;
+}
+
+bool CachedResource::isClean() const
+{
+    // https://html.spec.whatwg.org/multipage/infrastructure.html#cors-same-origin
+    return !loadFailedOrCanceled() && m_responseTainting != ResourceResponse::Tainting::Opaque;
 }
 
@@ -427 +451 @@
 void CachedResource::setResponse(const ResourceResponse& response)
 {
+    ASSERT(m_response.type() == ResourceResponse::Type::Default);
     m_response = response;
-    m_response.setType(m_responseType);
     m_response.setRedirected(m_redirectChainCacheStatus.status != RedirectChainCacheStatus::NoRedirection);
 

trunk/Source/WebCore/loader/cache/CachedResource.h

@@ -201 +201 @@
     virtual bool shouldCacheResponse(const ResourceResponse&) { return true; }
     void setResponse(const ResourceResponse&);
-    void setOpaqueRedirect() { m_responseType = ResourceResponseBase::Type::Opaqueredirect; }
     const ResourceResponse& response() const { return m_response; }
     // This is the same as response() except after HTTP redirect to data: URL.
     const ResourceResponse& responseForSameOriginPolicyChecks() const;
+
+    void setCrossOrigin();
+    bool isCrossOrigin() const;
+    bool isClean() const;
+    ResourceResponse::Tainting responseTainting() const { return m_responseTainting; }
+
+    SecurityOrigin* origin() const { return m_origin.get(); }
 
     bool canDelete() const { return !hasClients() && !m_loader && !m_preloadCount && !m_handleCount && !m_resourceToRevalidate && !m_proxyResource; }
@@ -225 +231 @@
 
     bool allowsCaching() const { return m_options.cachingPolicy() == CachingPolicy::AllowCaching; }
-    
+
     virtual void destroyDecodedData() { }
 
@@ -285 +291 @@
     ResourceLoaderOptions m_options;
     ResourceResponse m_response;
-    ResourceResponseBase::Type m_responseType { ResourceResponseBase::Type::Basic };
+    ResourceResponse::Tainting m_responseTainting { ResourceResponse::Tainting::Basic };
     ResourceResponse m_redirectResponseForSameOriginPolicyChecks;
     RefPtr<SharedBuffer> m_data;
@@ -314 +320 @@
 
     ResourceError m_error;
+    RefPtr<SecurityOrigin> m_origin;
 
     double m_lastDecodedAccessTime; // Used as a "thrash guard" in the cache

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

@@ -34 +34 @@
 #include "HTTPParsers.h"
 
+#include "HTTPHeaderNames.h"
 #include <wtf/DateMath.h>
 #include <wtf/NeverDestroyed.h>
@@ -756 +757 @@
 }
 
-}
+void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet& headerSet)
+{
+    Vector<String> headers;
+    headerValue.split(',', false, headers);
+    for (auto& header : headers) {
+        String strippedHeader = header.stripWhiteSpace();
+        if (!strippedHeader.isEmpty())
+            headerSet.add(strippedHeader);
+    }
+}
+
+// Implememtnation of https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
+bool isForbiddenHeaderName(const String& name)
+{
+    HTTPHeaderName headerName;
+    if (findHTTPHeaderName(name, headerName)) {
+        switch (headerName) {
+        case HTTPHeaderName::AcceptCharset:
+        case HTTPHeaderName::AcceptEncoding:
+        case HTTPHeaderName::AccessControlRequestHeaders:
+        case HTTPHeaderName::AccessControlRequestMethod:
+        case HTTPHeaderName::Connection:
+        case HTTPHeaderName::ContentLength:
+        case HTTPHeaderName::Cookie:
+        case HTTPHeaderName::Cookie2:
+        case HTTPHeaderName::Date:
+        case HTTPHeaderName::DNT:
+        case HTTPHeaderName::Expect:
+        case HTTPHeaderName::Host:
+        case HTTPHeaderName::KeepAlive:
+        case HTTPHeaderName::Origin:
+        case HTTPHeaderName::Referer:
+        case HTTPHeaderName::TE:
+        case HTTPHeaderName::Trailer:
+        case HTTPHeaderName::TransferEncoding:
+        case HTTPHeaderName::Upgrade:
+        case HTTPHeaderName::Via:
+            return true;
+        default:
+            break;
+        }
+    }
+    return startsWithLettersIgnoringASCIICase(name, "sec-") || startsWithLettersIgnoringASCIICase(name, "proxy-");
+}
+
+bool isForbiddenResponseHeaderName(const String& name)
+{
+    return equalLettersIgnoringASCIICase(name, "set-cookie") || equalLettersIgnoringASCIICase(name, "set-cookie2");
+}
+
+bool isSimpleHeader(const String& name, const String& value)
+{
+    HTTPHeaderName headerName;
+    if (!findHTTPHeaderName(name, headerName))
+        return false;
+    switch (headerName) {
+    case HTTPHeaderName::Accept:
+    case HTTPHeaderName::AcceptLanguage:
+    case HTTPHeaderName::ContentLanguage:
+        return true;
+    case HTTPHeaderName::ContentType: {
+        String mimeType = extractMIMETypeFromMediaType(value);
+        return equalLettersIgnoringASCIICase(mimeType, "application/x-www-form-urlencoded") || equalLettersIgnoringASCIICase(mimeType, "multipart/form-data") || equalLettersIgnoringASCIICase(mimeType, "text/plain");
+    }
+    default:
+        return false;
+    }
+}
+
+bool isCrossOriginSafeHeader(HTTPHeaderName name, const HTTPHeaderSet& accessControlExposeHeaderSet)
+{
+    switch (name) {
+    case HTTPHeaderName::CacheControl:
+    case HTTPHeaderName::ContentLanguage:
+    case HTTPHeaderName::ContentType:
+    case HTTPHeaderName::Expires:
+    case HTTPHeaderName::LastModified:
+    case HTTPHeaderName::Pragma:
+    case HTTPHeaderName::Accept:
+        return true;
+    case HTTPHeaderName::SetCookie:
+    case HTTPHeaderName::SetCookie2:
+        return false;
+    default:
+        break;
+    }
+    return accessControlExposeHeaderSet.contains(httpHeaderNameString(name).toStringWithoutCopying());
+}
+
+bool isCrossOriginSafeHeader(const String& name, const HTTPHeaderSet& accessControlExposeHeaderSet)
+{
+#ifndef ASSERT_DISABLED
+    HTTPHeaderName headerName;
+    ASSERT(!findHTTPHeaderName(name, headerName));
+#endif
+    return accessControlExposeHeaderSet.contains(name);
+}
+
+}

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -33 +33 @@
 
 #include <wtf/Forward.h>
+#include <wtf/HashSet.h>
 #include <wtf/Optional.h>
 #include <wtf/Vector.h>
+#include <wtf/text/StringHash.h>
 #include <wtf/text/WTFString.h>
 
 namespace WebCore {
+
+typedef HashSet<String, ASCIICaseInsensitiveHash> HTTPHeaderSet;
+
+enum class HTTPHeaderName;
 
 enum class XSSProtectionDisposition {
@@ -96 +102 @@
 size_t parseHTTPRequestBody(const char* data, size_t length, Vector<unsigned char>& body);
 
+void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
+
+// HTTP Header routine as per https://fetch.spec.whatwg.org/#terminology-headers
+bool isForbiddenHeaderName(const String&);
+bool isForbiddenResponseHeaderName(const String&);
+bool isSimpleHeader(const String& name, const String& value);
+bool isCrossOriginSafeHeader(HTTPHeaderName, const HTTPHeaderSet&);
+bool isCrossOriginSafeHeader(const String&, const HTTPHeaderSet&);
+
 inline bool isHTTPSpace(UChar character)
 {

trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp

@@ -314 +314 @@
 }
 
+bool ResourceRequestBase::hasHTTPOrigin() const
+{
+    return m_httpHeaderFields.contains(HTTPHeaderName::Origin);
+}
+
 void ResourceRequestBase::clearHTTPOrigin()
 {
-    updateResourceRequest(); 
+    updateResourceRequest();
 
     m_httpHeaderFields.remove(HTTPHeaderName::Origin);

trunk/Source/WebCore/platform/network/ResourceRequestBase.h

@@ -23 +23 @@
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
@@ -101 +101 @@
     WEBCORE_EXPORT void setHTTPReferrer(const String&);
     WEBCORE_EXPORT void clearHTTPReferrer();
-    
+
     String httpOrigin() const;
+    bool hasHTTPOrigin() const;
     void setHTTPOrigin(const String&);
     WEBCORE_EXPORT void clearHTTPOrigin();

trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp

@@ -100 +100 @@
 }
 
+ResourceResponse ResourceResponseBase::filterResponse(const ResourceResponse& response, ResourceResponse::Tainting tainting)
+{
+    if (tainting == ResourceResponse::Tainting::Opaque) {
+        ResourceResponse opaqueResponse;
+        opaqueResponse.setType(ResourceResponse::Type::Opaque);
+        return opaqueResponse;
+    }
+
+    ResourceResponse filteredResponse = response;
+    // Let's initialize filteredResponse to remove some header fields.
+    filteredResponse.lazyInit(AllFields);
+
+    if (tainting == ResourceResponse::Tainting::Basic) {
+        filteredResponse.setType(ResourceResponse::Type::Basic);
+        filteredResponse.m_httpHeaderFields.remove(HTTPHeaderName::SetCookie);
+        filteredResponse.m_httpHeaderFields.remove(HTTPHeaderName::SetCookie2);
+        return filteredResponse;
+    }
+
+    ASSERT(tainting == ResourceResponse::Tainting::Cors);
+    filteredResponse.setType(ResourceResponse::Type::Cors);
+
+    HTTPHeaderSet accessControlExposeHeaderSet;
+    parseAccessControlExposeHeadersAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders), accessControlExposeHeaderSet);
+    filteredResponse.m_httpHeaderFields.uncommonHeaders().removeIf([&](auto& entry) {
+        return !isCrossOriginSafeHeader(entry.key, accessControlExposeHeaderSet);
+    });
+    filteredResponse.m_httpHeaderFields.commonHeaders().removeIf([&](auto& entry) {
+        return !isCrossOriginSafeHeader(entry.key, accessControlExposeHeaderSet);
+    });
+
+    return filteredResponse;
+}
+
 // FIXME: Name does not make it clear this is true for HTTPS!
 bool ResourceResponseBase::isHTTP() const
@@ -112 +146 @@
     lazyInit(CommonFieldsOnly);
 
-    return m_url; 
+    return m_url;
 }
 

trunk/Source/WebCore/platform/network/ResourceResponseBase.h

@@ -66 +66 @@
     static ResourceResponse fromCrossThreadData(CrossThreadData&&);
 
+    enum class Tainting { Basic, Cors, Opaque };
+    static ResourceResponse filterResponse(const ResourceResponse&, Tainting);
+
     bool isNull() const { return m_isNull; }
     WEBCORE_EXPORT bool isHTTP() const;

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -76 +76 @@
 };
 
-static bool isSetCookieHeader(const String& name)
-{
-    return equalLettersIgnoringASCIICase(name, "set-cookie") || equalLettersIgnoringASCIICase(name, "set-cookie2");
-}
-
 static void replaceCharsetInMediaType(String& mediaType, const String& charsetValue)
 {
@@ -907 +902 @@
     StringBuilder stringBuilder;
 
-    HTTPHeaderSet accessControlExposeHeaderSet;
-    parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders), accessControlExposeHeaderSet);
-    
     for (const auto& header : m_response.httpHeaderFields()) {
-        // Hide Set-Cookie header fields from the XMLHttpRequest client for these reasons:
-        //     1) If the client did have access to the fields, then it could read HTTP-only
-        //        cookies; those cookies are supposed to be hidden from scripts.
-        //     2) There's no known harm in hiding Set-Cookie header fields entirely; we don't
-        //        know any widely used technique that requires access to them.
-        //     3) Firefox has implemented this policy.
-        if (isSetCookieHeader(header.key) && !securityOrigin()->canLoadLocalResources())
-            continue;
-
-        if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(header.key) && !accessControlExposeHeaderSet.contains(header.key))
-            continue;
-
         stringBuilder.append(header.key);
         stringBuilder.append(':');
@@ -939 +919 @@
         return String();
 
-    // See comment in getAllResponseHeaders above.
-    if (isSetCookieHeader(name) && !securityOrigin()->canLoadLocalResources()) {
-        logConsoleError(scriptExecutionContext(), "Refused to get unsafe header \"" + name + "\"");
-        return String();
-    }
-
-    HTTPHeaderSet accessControlExposeHeaderSet;
-    parseAccessControlExposeHeadersAllowList(m_response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders), accessControlExposeHeaderSet);
-
-    if (!m_sameOriginRequest && !isOnAccessControlResponseHeaderWhitelist(name) && !accessControlExposeHeaderSet.contains(name)) {
-        logConsoleError(scriptExecutionContext(), "Refused to get unsafe header \"" + name + "\"");
-        return String();
-    }
     return m_response.httpHeaderField(name);
 }