Changeset 217445 in webkit
- Timestamp:
- May 25, 2017 1:53:49 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r217439 r217445 1 2017-05-25 Chris Dumez <cdumez@apple.com> 2 3 DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader 4 https://bugs.webkit.org/show_bug.cgi?id=172578 5 <rdar://problem/30754582> 6 7 Reviewed by Youenn Fablet. 8 9 Add layout test coverage. 10 11 * http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash-expected.txt: Added. 12 * http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html: Added. 13 1 14 2017-05-24 Jiewen Tan <jiewen_tan@apple.com> 2 15 -
trunk/Source/WebCore/ChangeLog
r217441 r217445 1 2017-05-25 Chris Dumez <cdumez@apple.com> 2 3 DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader 4 https://bugs.webkit.org/show_bug.cgi?id=172578 5 <rdar://problem/30754582> 6 7 Reviewed by Youenn Fablet. 8 9 DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader. The rest of the methods do not. 10 It is unsafe for it to rely on the resource's loader because it gets cleared when the load completes. A CachedRawresource 11 may be reused from the memory cache once its load has completed. 12 13 This would cause crashes in CachedRawResource::didAddClient() when replaying the redirects because it would call 14 DocumentThreadableLoader::redirectReceived() and potentially not have a loader anymore. To hit this exact code path, 15 you would need to make repeated XHR to a cacheable simple cross-origin resource that has cacheable redirect. 16 17 Test: http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html 18 19 * loader/DocumentThreadableLoader.cpp: 20 (WebCore::DocumentThreadableLoader::redirectReceived): 21 * loader/DocumentThreadableLoader.h: 22 1 23 2017-05-25 Zalan Bujtas <zalan@apple.com> 2 24 -
trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp
r216553 r217445 229 229 230 230 Ref<DocumentThreadableLoader> protectedThis(*this); 231 ++m_redirectCount; 231 232 232 233 // FIXME: We restrict this check to Fetch API for the moment, as this might disrupt WorkerScriptLoader. … … 253 254 254 255 ASSERT(m_resource); 255 ASSERT(m_resource->loader()); 256 ASSERT(m_originalHeaders); 257 258 // Use a unique for subsequent loads if needed. 259 // https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10). 256 260 ASSERT(m_options.mode == FetchOptions::Mode::Cors); 257 ASSERT(m_originalHeaders); 258 259 // Loader might have modified the origin to a unique one, let's reuse it for subsequent loads. 260 m_origin = m_resource->loader()->origin(); 261 if (!securityOrigin().canRequest(redirectResponse.url()) && !SecurityOrigin::create(redirectResponse.url())->canRequest(request.url())) 262 m_origin = SecurityOrigin::createUnique(); 261 263 262 264 // Except in case where preflight is needed, loading should be able to continue on its own. … … 266 268 267 269 m_options.allowCredentials = DoNotAllowStoredCredentials; 268 m_options.maxRedirectCount -= m_resource->loader()->redirectCount(); 270 m_options.maxRedirectCount -= m_redirectCount; 271 m_redirectCount = 0; 269 272 270 273 clearResource(); -
trunk/Source/WebCore/loader/DocumentThreadableLoader.h
r216553 r217445 135 135 std::optional<CrossOriginPreflightChecker> m_preflightChecker; 136 136 std::optional<HTTPHeaderMap> m_originalHeaders; 137 unsigned m_redirectCount { 0 }; 137 138 138 139 ShouldLogError m_shouldLogError;
Note: See TracChangeset
for help on using the changeset viewer.