Changeset 227270 in webkit


Timestamp:
Jan 20, 2018 2:45:25 AM (6 years ago)
Author:
commit-queue@webkit.org
Message:

fetch redirect is incompatible with "no-cors" mode
https://bugs.webkit.org/show_bug.cgi?id=181866
<rdar://problem/35827140>

Patch by Youenn Fablet <youenn@apple.com> on 2018-01-20
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

  • web-platform-tests/fetch/api/redirect/redirect-mode-expected.txt:
  • web-platform-tests/fetch/api/redirect/redirect-mode-worker-expected.txt:
  • web-platform-tests/fetch/api/redirect/redirect-mode.js:

(redirectMode):

  • web-platform-tests/service-workers/service-worker/fetch-event-redirect.https-expected.txt:
  • web-platform-tests/service-workers/service-worker/fetch-event-redirect.https.html:
  • web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt:

Source/WebCore:

Covered by updated tests.

Return a network error when no-cors mode and redirect mode is manual or error.
Update preflight implementation to no longer use manual redirect mode to simulate https://fetch.spec.whatwg.org/#http-network-or-cache-fetch.
Instead implement redirectReceived callback to treat any redirect response as the preflight response.

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::canRequest):

  • loader/CrossOriginPreflightChecker.cpp:

(WebCore::CrossOriginPreflightChecker::redirectReceived):
(WebCore::CrossOriginPreflightChecker::startPreflight):

  • loader/CrossOriginPreflightChecker.h:

LayoutTests:

  • http/tests/fetch/redirectmode-and-preload-expected.txt:
  • http/tests/fetch/redirectmode-and-preload.html:
Location:
trunk
Files:
14 edited

  • trunk/LayoutTests/ChangeLog

    r227264 r227270  
     12018-01-20  Youenn Fablet  <youenn@apple.com>
     2
     3        fetch redirect is incompatible with "no-cors" mode
     4        https://bugs.webkit.org/show_bug.cgi?id=181866
     5        <rdar://problem/35827140>
     6
     7        Reviewed by Chris Dumez.
     8
     9        * http/tests/fetch/redirectmode-and-preload-expected.txt:
     10        * http/tests/fetch/redirectmode-and-preload.html:
     11
    1122018-01-19  Ryan Haddad  <ryanhaddad@apple.com>
    213
  • trunk/LayoutTests/http/tests/fetch/redirectmode-and-preload-expected.txt

    r226087 r227270  
    1 CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/fetch/resources/redirect-with-cache.php?enableCaching&url=http://localhost:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2F127.0.0.1%3A8000&name=alert-fail.js&contentType=text/ascii. Redirections are not allowed
     1CONSOLE MESSAGE: line 19: No-Cors mode requires follow redirect mode
     2CONSOLE MESSAGE: line 19: Fetch API cannot load http://127.0.0.1:8000/fetch/resources/redirect-with-cache.php?enableCaching&url=http://localhost:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2F127.0.0.1%3A8000&name=alert-fail.js&contentType=text/ascii. Not allowed to request resource
     3CONSOLE MESSAGE: line 32: No-Cors mode requires follow redirect mode
     4CONSOLE MESSAGE: line 32: Fetch API cannot load http://127.0.0.1:8000/fetch/resources/redirect-with-cache.php?enableCaching&url=http://localhost:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2F127.0.0.1%3A8000&name=alert-fail.js&contentType=text/ascii. Not allowed to request resource
    25CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/fetch/resources/redirect-with-cache.php?enableCaching&url=http://localhost:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2F127.0.0.1%3A8000&name=alert-fail.js&contentType=text/ascii. Redirections are not allowed
    36
  • trunk/LayoutTests/http/tests/fetch/redirectmode-and-preload.html

    r217962 r227270  
    1717    var preloadUrl = "./resources/redirect-with-cache.php?enableCaching&url=http://localhost:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2F127.0.0.1%3A8000&name=alert-fail.js&contentType=text/ascii";
    1818    promise_test(function(test) {
    19         return fetch(preloadUrl, {redirect: "manual", mode: "no-cors", credentials: "include"}).then((response) => {
    20             assert_equals(response.type, "opaqueredirect", "Response's type should be opaqueRedirect");
    21             return response.text();
    22         }).then((text) => {
    23             assert_equals(text, "");
    24         });
     19        return promise_rejects(test,new TypeError(), fetch(preloadUrl, {redirect: "manual", mode: "no-cors", credentials: "include"}));
    2520    }, "Fetch should check for redirections even if resource is preloaded (same fetch options except for redirect mode)");
    2621
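Review bot: With the replacement at new line 19, the fetch is rejected for the no-cors plus manual combination itself (the expected output now logs "No-Cors mode requires follow redirect mode"), so the title "Fetch should check for redirections even if resource is preloaded" no longer describes what is asserted. Rename the test, or switch this case to a mode where manual redirect is still allowed so the preload and redirect-mode interaction keeps its coverage. Also add the missing space in `promise_rejects(test,new TypeError(), ...)`.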
  • trunk/LayoutTests/imported/w3c/ChangeLog

    r227225 r227270  
     12018-01-20  Youenn Fablet  <youenn@apple.com>
     2
     3        fetch redirect is incompatible with "no-cors" mode
     4        https://bugs.webkit.org/show_bug.cgi?id=181866
     5        <rdar://problem/35827140>
     6
     7        Reviewed by Chris Dumez.
     8
     9        * web-platform-tests/fetch/api/redirect/redirect-mode-expected.txt:
     10        * web-platform-tests/fetch/api/redirect/redirect-mode-worker-expected.txt:
     11        * web-platform-tests/fetch/api/redirect/redirect-mode.js:
     12        (redirectMode):
     13        * web-platform-tests/service-workers/service-worker/fetch-event-redirect.https-expected.txt:
     14        * web-platform-tests/service-workers/service-worker/fetch-event-redirect.https.html:
     15        * web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt:
     16
    1172018-01-19  Joseph Pecoraro  <pecoraro@apple.com>
    218
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-expected.txt

    r201324 r227270  
    11
    2 PASS Redirect 301 in "error" mode 
    3 PASS Redirect 301 in "follow" mode 
    4 PASS Redirect 301 in "manual" mode 
    5 PASS Redirect 302 in "error" mode 
    6 PASS Redirect 302 in "follow" mode 
    7 PASS Redirect 302 in "manual" mode 
    8 PASS Redirect 303 in "error" mode 
    9 PASS Redirect 303 in "follow" mode 
    10 PASS Redirect 303 in "manual" mode 
    11 PASS Redirect 307 in "error" mode 
    12 PASS Redirect 307 in "follow" mode 
    13 PASS Redirect 307 in "manual" mode 
    14 PASS Redirect 308 in "error" mode 
    15 PASS Redirect 308 in "follow" mode 
    16 PASS Redirect 308 in "manual" mode 
     2PASS Redirect 301 in "error" redirect, cors mode
     3PASS Redirect 301 in "follow" redirect, cors mode
     4PASS Redirect 301 in "manual" redirect, cors mode
     5PASS Redirect 302 in "error" redirect, cors mode
     6PASS Redirect 302 in "follow" redirect, cors mode
     7PASS Redirect 302 in "manual" redirect, cors mode
     8PASS Redirect 303 in "error" redirect, cors mode
     9PASS Redirect 303 in "follow" redirect, cors mode
     10PASS Redirect 303 in "manual" redirect, cors mode
     11PASS Redirect 307 in "error" redirect, cors mode
     12PASS Redirect 307 in "follow" redirect, cors mode
     13PASS Redirect 307 in "manual" redirect, cors mode
     14PASS Redirect 308 in "error" redirect, cors mode
     15PASS Redirect 308 in "follow" redirect, cors mode
     16PASS Redirect 308 in "manual" redirect, cors mode
     17PASS Redirect in "error" redirect, no cors mode
     18PASS Redirect in "manual" redirect, no cors mode
    1719
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker-expected.txt

    r203164 r227270  
     1CONSOLE MESSAGE: No-Cors mode requires follow redirect mode
     2CONSOLE MESSAGE: No-Cors mode requires follow redirect mode
    13
    2 PASS Redirect 301 in "error" mode 
    3 PASS Redirect 301 in "follow" mode 
    4 PASS Redirect 301 in "manual" mode 
    5 PASS Redirect 302 in "error" mode 
    6 PASS Redirect 302 in "follow" mode 
    7 PASS Redirect 302 in "manual" mode 
    8 PASS Redirect 303 in "error" mode 
    9 PASS Redirect 303 in "follow" mode 
    10 PASS Redirect 303 in "manual" mode 
    11 PASS Redirect 307 in "error" mode 
    12 PASS Redirect 307 in "follow" mode 
    13 PASS Redirect 307 in "manual" mode 
    14 PASS Redirect 308 in "error" mode 
    15 PASS Redirect 308 in "follow" mode 
    16 PASS Redirect 308 in "manual" mode 
     4PASS Redirect 301 in "error" redirect, cors mode
     5PASS Redirect 301 in "follow" redirect, cors mode
     6PASS Redirect 301 in "manual" redirect, cors mode
     7PASS Redirect 302 in "error" redirect, cors mode
     8PASS Redirect 302 in "follow" redirect, cors mode
     9PASS Redirect 302 in "manual" redirect, cors mode
     10PASS Redirect 303 in "error" redirect, cors mode
     11PASS Redirect 303 in "follow" redirect, cors mode
     12PASS Redirect 303 in "manual" redirect, cors mode
     13PASS Redirect 307 in "error" redirect, cors mode
     14PASS Redirect 307 in "follow" redirect, cors mode
     15PASS Redirect 307 in "manual" redirect, cors mode
     16PASS Redirect 308 in "error" redirect, cors mode
     17PASS Redirect 308 in "follow" redirect, cors mode
     18PASS Redirect 308 in "manual" redirect, cors mode
     19PASS Redirect in "error" redirect, no cors mode
     20PASS Redirect in "manual" redirect, no cors mode
    1721
  • trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode.js

    r205743 r227270  
    44}
    55
    6 function redirectMode(desc, redirectUrl, redirectLocation, redirectStatus, redirectMode) {
     6function redirectMode(desc, redirectUrl, redirectLocation, redirectStatus, redirectMode, corsMode) {
    77  var url = redirectUrl;
    88  var urlParameters = "?redirect_status=" + redirectStatus;
    99  urlParameters += "&location=" + encodeURIComponent(redirectLocation);
    1010
    11   var requestInit = {"redirect": redirectMode};
     11  var requestInit = {"redirect": redirectMode, mode: corsMode};
    1212
    1313  promise_test(function(test) {
    14     if (redirectMode === "error")
     14    if (redirectMode === "error" || (corsMode === "no-cors" && redirectMode !== "follow"))
    1515      return promise_rejects(test, new TypeError(), fetch(url + urlParameters, requestInit));
    1616    if (redirectMode === "manual")
     
    3434
    3535for (var statusCode of [301, 302, 303, 307, 308]) {
    36   redirectMode("Redirect " + statusCode + " in \"error\" mode ", redirUrl, locationUrl, statusCode, "error");
    37   redirectMode("Redirect " + statusCode + " in \"follow\" mode ", redirUrl, locationUrl, statusCode, "follow");
    38   redirectMode("Redirect " + statusCode + " in \"manual\" mode ", redirUrl, locationUrl, statusCode, "manual");
     36  redirectMode("Redirect " + statusCode + " in \"error\" redirect, cors mode", redirUrl, locationUrl, statusCode, "error", "cors");
     37  redirectMode("Redirect " + statusCode + " in \"follow\" redirect, cors mode", redirUrl, locationUrl, statusCode, "follow", "cors");
     38  redirectMode("Redirect " + statusCode + " in \"manual\" redirect, cors mode", redirUrl, locationUrl, statusCode, "manual", "cors");
    3939}
     40redirectMode("Redirect in \"error\" redirect, no cors mode", redirUrl, locationUrl, 301, "error", "no-cors");
     41redirectMode("Redirect in \"manual\" redirect, no cors mode", redirUrl, locationUrl, 301, "manual", "no-cors");
    4042
    4143done();
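Review bot: The two no-cors cases added at new lines 40-41 run only with status 301, while the cors cases loop over [301, 302, 303, 307, 308]; moving them inside the loop would show the rejection does not depend on the status code. Because this file lives under imported/w3c/web-platform-tests, the change should also land upstream so the next import does not revert it.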
  • trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-redirect.https-expected.txt

    r226090 r227270  
     1CONSOLE MESSAGE: line 51: No-Cors mode requires follow redirect mode
     2CONSOLE MESSAGE: line 51: Fetch API cannot load https://localhost:9443/nonav-manual-nocors-redirects-to-sameorigin-nocreds?url=redirect.py%3FRedirect%3Dhttps%253A%252F%252Flocalhost%253A9443%252Fservice-workers%252Fservice-worker%252Fresources%252Fsuccess.py&expected_type=opaqueredirect. Not allowed to request resource
     3CONSOLE MESSAGE: line 51: No-Cors mode requires follow redirect mode
     4CONSOLE MESSAGE: line 51: Fetch API cannot load https://localhost:9443/nonav-error-nocors-redirects-to-sameorigin-nocreds?url=redirect.py%3FRedirect%3Dhttps%253A%252F%252Flocalhost%253A9443%252Fservice-workers%252Fservice-worker%252Fresources%252Fsuccess.py. Not allowed to request resource
    15
    26PASS initialize global state
     
    711PASS Non-navigation, manual redirect, same-origin mode Request redirected to no-cors without credentials should succeed opaqueredirect interception and response should not be redirected
    812PASS Non-navigation, manual redirect, same-origin mode Request redirected to cors without credentials should succeed opaqueredirect interception and response should not be redirected
    9 PASS Non-navigation, manual redirect, no-cors mode Request redirected to same-origin without credentials should succeed opaqueredirect interception and response should not be redirected
    10 PASS Non-navigation, manual redirect, no-cors mode Request redirected to no-cors without credentials should succeed interception and response should not be redirected
    11 PASS Non-navigation, manual redirect, no-cors mode Request redirected to cors without credentials should succeed interception and response should not be redirected
     13PASS Non-navigation, manual redirect, no-cors mode Request should fail
    1214PASS Non-navigation, manual redirect, cors mode Request redirected to same-origin with credentials should succeed opaqueredirect interception and response should not be redirected
    1315PASS Non-navigation, manual redirect, cors mode Request redirected to no-cors with credentials should succeed opaqueredirect interception and response should not be redirected
     
    1618PASS Non-navigation, manual redirect, same-origin mode Request redirected to no-cors with credentials should succeed opaqueredirect interception and response should not be redirected
    1719PASS Non-navigation, manual redirect, same-origin mode Request redirected to cors with credentials should succeed opaqueredirect interception and response should not be redirected
    18 PASS Non-navigation, manual redirect, no-cors mode Request redirected to same-origin with credentials should succeed opaqueredirect interception and response should not be redirected
    19 PASS Non-navigation, manual redirect, no-cors mode Request redirected to no-cors with credentials should succeed interception and response should not be redirected
    20 PASS Non-navigation, manual redirect, no-cors mode Request redirected to cors with credentials should succeed interception and response should not be redirected
    2120PASS Non-navigation, follow redirect, cors mode Request redirected to same-origin without credentials should succeed interception and response should be redirected
    2221PASS Non-navigation, follow redirect, cors mode Request redirected to no-cors without credentials should fail interception and response should not be redirected
     
    4342PASS Non-navigation, error redirect, same-origin mode Request redirected to no-cors without credentials should fail interception and response should not be redirected
    4443PASS Non-navigation, error redirect, same-origin mode Request redirected to cors without credentials should fail interception and response should not be redirected
    45 PASS Non-navigation, error redirect, no-cors mode Request redirected to same-origin without credentials should fail interception and response should not be redirected
    46 PASS Non-navigation, error redirect, no-cors mode Request redirected to no-cors without credentials should fail interception and response should not be redirected
    47 PASS Non-navigation, error redirect, no-cors mode Request redirected to cors without credentials should fail interception and response should not be redirected
     44PASS Non-navigation, error redirect, no-cors mode Request should fail
    4845PASS Non-navigation, error redirect, cors mode Request redirected to same-origin with credentials should fail interception and response should not be redirected
    4946PASS Non-navigation, error redirect, cors mode Request redirected to no-cors with credentials should fail interception and response should not be redirected
     
    5249PASS Non-navigation, error redirect, same-origin mode Request redirected to no-cors with credentials should fail interception and response should not be redirected
    5350PASS Non-navigation, error redirect, same-origin mode Request redirected to cors with credentials should fail interception and response should not be redirected
    54 PASS Non-navigation, error redirect, no-cors mode Request redirected to same-origin with credentials should fail interception and response should not be redirected
    55 PASS Non-navigation, error redirect, no-cors mode Request redirected to no-cors with credentials should fail interception and response should not be redirected
    56 PASS Non-navigation, error redirect, no-cors mode Request redirected to cors with credentials should fail interception and response should not be redirected
    5751PASS restore global state
    5852
  • trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-redirect.https.html

    r223327 r227270  
    213213      mode: 'no-cors'
    214214    },
    215     should_reject: false
    216   });
    217 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    218    'same-origin without credentials should succeed opaqueredirect interception ' +
    219    'and response should not be redirected');
    220 
    221 promise_test(function(t) {
    222   return redirect_fetch_test(t, {
    223     name: 'nonav-manual-nocors-redirects-to-nocors-nocreds',
    224     redirect_dest: 'no-cors',
    225     url_credentials: false,
    226     expected_type: 'opaqueredirect',
    227     expected_redirected: false,
    228     request_init: {
    229       redirect: 'manual',
    230       mode: 'no-cors'
    231     },
    232     should_reject: false
    233   });
    234 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    235    'no-cors without credentials should succeed interception ' +
    236    'and response should not be redirected');
    237 
    238 promise_test(function(t) {
    239   return redirect_fetch_test(t, {
    240     name: 'nonav-manual-nocors-redirects-to-cors-nocreds',
    241     redirect_dest: 'cors',
    242     url_credentials: false,
    243     expected_type: 'opaqueredirect',
    244     expected_redirected: false,
    245     request_init: {
    246       redirect: 'manual',
    247       mode: 'no-cors'
    248     },
    249     should_reject: false
    250   });
    251 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    252    'cors without credentials should succeed interception ' +
    253    'and response should not be redirected');
     215    should_reject: true
     216  });
     217}, 'Non-navigation, manual redirect, no-cors mode Request should fail');
    254218
    255219promise_test(function(t) {
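Review bot: The manual case at new line 215 flips to `should_reject: true` without a comment, while the error case later in this file gets "// should reject because error + no-cors is not allowed."; add the matching comment here. The surviving test also keeps a redirect destination in its name and, per the URL in the expected output, still passes expected_type=opaqueredirect, which no longer matter once the request is rejected up front and could be trimmed.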
     
    353317}, 'Non-navigation, manual redirect, same-origin mode Request redirected to ' +
    354318   'cors with credentials should succeed opaqueredirect interception ' +
    355    'and response should not be redirected');
    356 
    357 promise_test(function(t) {
    358   return redirect_fetch_test(t, {
    359     name: 'nonav-manual-nocors-redirects-to-sameorigin-creds',
    360     redirect_dest: 'same-origin',
    361     url_credentials: true,
    362     expected_type: 'opaqueredirect',
    363     expected_redirected: false,
    364     request_init: {
    365       redirect: 'manual',
    366       mode: 'no-cors'
    367     },
    368     should_reject: false
    369   });
    370 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    371    'same-origin with credentials should succeed opaqueredirect interception ' +
    372    'and response should not be redirected');
    373 
    374 promise_test(function(t) {
    375   return redirect_fetch_test(t, {
    376     name: 'nonav-manual-nocors-redirects-to-nocors-creds',
    377     redirect_dest: 'no-cors',
    378     url_credentials: true,
    379     expected_type: 'opaqueredirect',
    380     expected_redirected: false,
    381     request_init: {
    382       redirect: 'manual',
    383       mode: 'no-cors'
    384     },
    385     should_reject: false
    386   });
    387 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    388    'no-cors with credentials should succeed interception ' +
    389    'and response should not be redirected');
    390 
    391 promise_test(function(t) {
    392   return redirect_fetch_test(t, {
    393     name: 'nonav-manual-nocors-redirects-to-cors-creds',
    394     redirect_dest: 'cors',
    395     url_credentials: true,
    396     expected_type: 'opaqueredirect',
    397     expected_redirected: false,
    398     request_init: {
    399       redirect: 'manual',
    400       mode: 'no-cors'
    401     },
    402     should_reject: false
    403   });
    404 }, 'Non-navigation, manual redirect, no-cors mode Request redirected to ' +
    405    'cors with credentials should succeed interception ' +
    406319   'and response should not be redirected');
    407320
     
    824737      mode: 'no-cors'
    825738    },
    826     // should reject because requests with 'error' RequestRedirect cannot be
    827     // redirected.
    828     should_reject: true
    829   });
    830 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    831    'same-origin without credentials should fail interception ' +
    832    'and response should not be redirected');
    833 
    834 promise_test(function(t) {
    835   return redirect_fetch_test(t, {
    836     name: 'nonav-error-nocors-redirects-to-nocors-nocreds',
    837     redirect_dest: 'no-cors',
    838     url_credentials: false,
    839     request_init: {
    840       redirect: 'error',
    841       mode: 'no-cors'
    842     },
    843     // should reject because requests with 'error' RequestRedirect cannot be
    844     // redirected.
    845     should_reject: true
    846   });
    847 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    848    'no-cors without credentials should fail interception ' +
    849    'and response should not be redirected');
    850 
    851 promise_test(function(t) {
    852   return redirect_fetch_test(t, {
    853     name: 'nonav-error-nocors-redirects-to-cors-nocreds',
    854     redirect_dest: 'cors',
    855     url_credentials: false,
    856     request_init: {
    857       redirect: 'error',
    858       mode: 'no-cors'
    859     },
    860     // should reject because requests with 'error' RequestRedirect cannot be
    861     // redirected.
    862     should_reject: true
    863   });
    864 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    865    'cors without credentials should fail interception ' +
    866    'and response should not be redirected');
     739    // should reject because error + no-cors is not allowed.
     740    should_reject: true
     741  });
     742}, 'Non-navigation, error redirect, no-cors mode Request should fail');
    867743
    868744promise_test(function(t) {
     
    967843   'cors with credentials should fail interception ' +
    968844   'and response should not be redirected');
    969 
    970 promise_test(function(t) {
    971   return redirect_fetch_test(t, {
    972     name: 'nonav-error-nocors-redirects-to-sameorigin-creds',
    973     redirect_dest: 'same-origin',
    974     url_credentials: true,
    975     request_init: {
    976       redirect: 'error',
    977       mode: 'no-cors'
    978     },
    979     // should reject because requests with 'error' RequestRedirect cannot be
    980     // redirected.
    981     should_reject: true
    982   });
    983 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    984    'same-origin with credentials should fail interception ' +
    985    'and response should not be redirected');
    986 
    987 promise_test(function(t) {
    988   return redirect_fetch_test(t, {
    989     name: 'nonav-error-nocors-redirects-to-nocors-creds',
    990     redirect_dest: 'no-cors',
    991     url_credentials: true,
    992     request_init: {
    993       redirect: 'error',
    994       mode: 'no-cors'
    995     },
    996     // should reject because requests with 'error' RequestRedirect cannot be
    997     // redirected.
    998     should_reject: true
    999   });
    1000 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    1001    'no-cors with credentials should fail interception ' +
    1002    'and response should not be redirected');
    1003 
    1004 promise_test(function(t) {
    1005   return redirect_fetch_test(t, {
    1006     name: 'nonav-error-nocors-redirects-to-cors-creds',
    1007     redirect_dest: 'cors',
    1008     url_credentials: true,
    1009     request_init: {
    1010       redirect: 'error',
    1011       mode: 'no-cors'
    1012     },
    1013     // should reject because requests with 'error' RequestRedirect cannot be
    1014     // redirected.
    1015     should_reject: true
    1016   });
    1017 }, 'Non-navigation, error redirect, no-cors mode Request redirected to ' +
    1018    'cors with credentials should fail interception and response should not ' +
    1019    'be redirected');
    1020845</script>
    1021846</body>
  • trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt

    r226792 r227270  
    1 CONSOLE MESSAGE: XMLHttpRequest cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt. Response served by service worker is opaque redirect
    2 CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
    3 CONSOLE MESSAGE: XMLHttpRequest cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt. Response served by service worker is opaque redirect
    41CONSOLE MESSAGE: XMLHttpRequest cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt. Response served by service worker is opaque redirect
    52
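Review bot: Three console messages drop out of this expectation, including "Cross-origin image load denied by Cross-Origin Resource Sharing policy.", but the ChangeLog entry for the file gives no reason. State in the ChangeLog why the image load no longer logs a CORS denial, so a reader can tell an intended behaviour change from lost coverage.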
  • trunk/Source/WebCore/ChangeLog

    r227266 r227270  
     12018-01-20  Youenn Fablet  <youenn@apple.com>
     2
     3        fetch redirect is incompatible with "no-cors" mode
     4        https://bugs.webkit.org/show_bug.cgi?id=181866
     5        <rdar://problem/35827140>
     6
     7        Reviewed by Chris Dumez.
     8
     9        Covered by updated tests.
     10
     11        Return a network error when no-cors mode and redirect mode is manual or error.
     12        Update preflight implementation to no longer use manual redirect mode to simulate https://fetch.spec.whatwg.org/#http-network-or-cache-fetch.
     13        Instead implement redirectReceived callback to treat any redirect response as the preflight response.
     14
     15        * loader/cache/CachedResourceLoader.cpp:
     16        (WebCore::CachedResourceLoader::canRequest):
     17        * loader/CrossOriginPreflightChecker.cpp:
     18        (WebCore::CrossOriginPreflightChecker::redirectReceived):
     19        (WebCore::CrossOriginPreflightChecker::startPreflight):
     20        * loader/CrossOriginPreflightChecker.h:
     21
    1222018-01-19  Wenson Hsieh  <wenson_hsieh@apple.com>
    223
  • trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp

    r225591 r227270  
    9696}
    9797
     98void CrossOriginPreflightChecker::redirectReceived(CachedResource& resource, ResourceRequest&&, const ResourceResponse& response, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
     99{
     100    ASSERT_UNUSED(resource, &resource == m_resource);
     101    validatePreflightResponse(m_loader, WTFMove(m_request), m_resource->identifier(), response);
     102    completionHandler(ResourceRequest { });
     103}
     104
    98105void CrossOriginPreflightChecker::startPreflight()
    99106{
    100107    ResourceLoaderOptions options;
    101108    options.referrerPolicy = m_loader.options().referrerPolicy;
    102     options.redirect = FetchOptions::Redirect::Manual;
    103109    options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
    104110    options.serviceWorkersMode = ServiceWorkersMode::None;
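Review bot: In redirectReceived, `validatePreflightResponse(m_loader, WTFMove(m_request), ...)` consumes m_request before the handler is completed with an empty `ResourceRequest { }`. If notifyFinished can still run for m_resource after that, it would see a moved-from m_request, so either guard against the second call or add a comment saying that the empty request ends the load and notifyFinished cannot follow. A short comment in startPreflight noting that redirects are now handled by this callback instead of `FetchOptions::Redirect::Manual` would also help.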
  • trunk/Source/WebCore/loader/CrossOriginPreflightChecker.h

    r206903 r227270  
    5555private:
    5656    void notifyFinished(CachedResource&) final;
     57    void redirectReceived(CachedResource&, ResourceRequest&&, const ResourceResponse&, CompletionHandler<void(ResourceRequest&&)>&&) final;
    5758
    5859    static void handleLoadingFailure(DocumentThreadableLoader&, unsigned long, const ResourceError&);
  • trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

    r226904 r227270  
    508508}
    509509
     510// Security checks defined in https://fetch.spec.whatwg.org/#main-fetch step 2 and 5.
    510511bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const CachedResourceRequest& request, ForPreload forPreload)
    511512{
     
    521522    if (options.mode == FetchOptions::Mode::SameOrigin && !m_document->securityOrigin().canRequest(url) && !isSameOriginDataURL(url, options)) {
    522523        printAccessDeniedMessage(url);
     524        return false;
     525    }
     526
     527    if (options.mode == FetchOptions::Mode::NoCors && options.redirect != FetchOptions::Redirect::Follow) {
     528        ASSERT(type != CachedResource::Type::MainResource);
     529        frame()->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, ASCIILiteral("No-Cors mode requires follow redirect mode"));
    523530        return false;
    524531    }
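Review bot: The new no-cors check at new line 529 logs through `frame()->document()->addConsoleMessage(...)` while the same-origin check just above it uses `m_document`; if frame() can be null when canRequest runs, this dereferences it, so use m_document or add a null check. Note too that `ASSERT(type != CachedResource::Type::MainResource)` only fires in debug builds, so a release build would silently block such a request; say in a comment whether that is intended.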