Context Navigation

← Previous Changeset
Next Changeset →

Changeset 230968 in webkit

Timestamp:

Apr 24, 2018 12:51:22 PM (6 years ago)

Author:

wilander@apple.com

Message:

From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
https://bugs.webkit.org/show_bug.cgi?id=184560
<rdar://problem/38901344>

Reviewed by Youenn Fablet and Daniel Bates.

LayoutTests/imported/w3c:

This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
We consume the From-Origin response header and only load the resource if:

The header is non-existent, empty, or invalid.
The header specifies 'same' and the resource's origin matches the originating document's origin and the origins up the frame tree.
The header specifies 'same-site' and the resource's eTLD+1 matches the originating document's eTLD+1 and the eTLD+1 of the documents up the frame tree.

This feature is experimental and off by default.

web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt:

Removed console message since they are now suppressed.

Source/WebCore:

Tests: http/tests/from-origin/document-from-origin-same-accepted.html

http/tests/from-origin/document-from-origin-same-blocked.html
http/tests/from-origin/document-from-origin-same-site-accepted.html
http/tests/from-origin/document-from-origin-same-site-blocked.html
http/tests/from-origin/document-nested-from-origin-same-accepted.html
http/tests/from-origin/document-nested-from-origin-same-blocked.html
http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html
http/tests/from-origin/fetch-from-origin-same-accepted.html
http/tests/from-origin/fetch-from-origin-same-blocked.html
http/tests/from-origin/fetch-from-origin-same-site-accepted.html
http/tests/from-origin/fetch-from-origin-same-site-blocked.html
http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html
http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html
http/tests/from-origin/image-about-blank-from-origin-same-blocked.html
http/tests/from-origin/image-from-origin-same-accepted.html
http/tests/from-origin/image-from-origin-same-blocked.html
http/tests/from-origin/image-from-origin-same-site-accepted.html
http/tests/from-origin/image-from-origin-same-site-blocked.html
http/tests/from-origin/redirect-document-from-origin-same-blocked.html
http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html
http/tests/from-origin/redirect-image-from-origin-same-blocked.html
http/tests/from-origin/redirect-script-from-origin-same-blocked.html
http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html
http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html
http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html
http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html
http/tests/from-origin/script-from-origin-same-accepted.html
http/tests/from-origin/script-from-origin-same-blocked.html
http/tests/from-origin/script-from-origin-same-site-accepted.html
http/tests/from-origin/script-from-origin-same-site-blocked.html
http/tests/from-origin/top-frame-document-from-origin-same-accepted.php
http/tests/from-origin/xhr-from-origin-same-accepted.html
http/tests/from-origin/xhr-from-origin-same-blocked.html
http/tests/from-origin/xhr-from-origin-same-site-accepted.html
http/tests/from-origin/xhr-from-origin-same-site-blocked.html

loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::didFail):

Outputs the error's localized description in a console message except when the destination
is FetchOptions::Destination::Serviceworker or FetchOptions::Destination::EmptyString.

page/RuntimeEnabledFeatures.h:

(WebCore::RuntimeEnabledFeatures::setFromOriginResponseHeaderEnabled):
(WebCore::RuntimeEnabledFeatures::fromOriginResponseHeaderEnabled const):

Added From-Origin support as an experimental feature.

platform/network/HTTPHeaderNames.in:

Added From-Origin.

platform/network/HTTPParsers.cpp:

(WebCore::parseFromOriginHeader):

Parses the From-Origin header, currently supporting 'Same' and 'Same-Site.'

platform/network/HTTPParsers.h:

Source/WebKit:

This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
We consume the From-Origin response header and only load the resource if:

The header is non-existent, empty, or invalid.
The header specifies 'same' and the resource's origin matches the originating document's origin and the origins up the frame tree.
The header specifies 'same-site' and the resource's eTLD+1 matches the originating document's eTLD+1 and the eTLD+1 of the documents up the frame tree.

This feature is experimental and off by default.

NetworkProcess/NetworkResourceLoadParameters.cpp:

(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):

Support for the two new load parameters:

shouldEnableFromOriginResponseHeader
frameAncestorOrigins

NetworkProcess/NetworkResourceLoadParameters.h:
NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::areFrameAncestorsSameSite):
(WebKit::areFrameAncestorsSameOrigin):
(WebKit::shouldCancelCrossOriginLoad):

The three functions above implement the new blocking logic.

(WebKit::fromOriginResourceError):

Convenience function that returns an error with the From-Origin error message.

(WebKit::NetworkResourceLoader::didReceiveResponse):

Now checks for a From-Origin response header.

(WebKit::NetworkResourceLoader::didFailLoading):

Now checks for a From-Origin response header.

(WebKit::NetworkResourceLoader::continueWillSendRedirectedRequest):

Now checks for a From-Origin response header.

(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):

Now checks for a From-Origin response header.

(WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):

Now checks for a From-Origin response header.

Shared/WebCoreArgumentCoders.cpp:

(IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::encode):
(IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):

Now encodes and decodes vectors of RefPtr<WebCore::SecurityOrigin>.

Shared/WebCoreArgumentCoders.h:
Shared/WebPreferences.yaml:

Added From-Origin support as an experimental feature.

UIProcess/API/C/WKPreferences.cpp:

(WKPreferencesSetFromOriginResponseHeaderEnabled):
(WKPreferencesGetFromOriginResponseHeaderEnabled):

UIProcess/API/C/WKPreferencesRef.h:
WebProcess/Network/WebLoaderStrategy.cpp:

(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):

Sets the two new load parameters:

shouldEnableFromOriginResponseHeader
frameAncestorOrigins

Tools:

This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
We consume the From-Origin response header and only load the resource if:

The header is non-existent, empty, or invalid.
The header specifies 'same' and the resource's origin matches the originating document's origin and the origins up the frame tree.
The header specifies 'same-site' and the resource's eTLD+1 matches the originating document's eTLD+1 and the eTLD+1 of the documents up the frame tree.

This feature is experimental and off by default.

TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp: Added.

(TestWebKitAPI::TEST):

Tests for From-Origin header parsing.

LayoutTests:

This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
We consume the From-Origin response header and only load the resource if:

The header is non-existent, empty, or invalid.
The header specifies 'same' and the resource's origin matches the originating document's origin and the origins up the frame tree.
The header specifies 'same-site' and the resource's eTLD+1 matches the originating document's eTLD+1 and the eTLD+1 of the documents up the frame tree.

This feature is experimental and off by default.

TestExpectations:

The http/tests/from-origin/ directory marked as [ Skip ].
Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html.

http/tests/from-origin: Added.
http/tests/from-origin/document-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/document-from-origin-same-accepted.html: Added.
http/tests/from-origin/document-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/document-from-origin-same-blocked.html: Added.
http/tests/from-origin/document-from-origin-same-site-accepted-expected.txt: Added.
http/tests/from-origin/document-from-origin-same-site-accepted.html: Added.
http/tests/from-origin/document-from-origin-same-site-blocked-expected.txt: Added.
http/tests/from-origin/document-from-origin-same-site-blocked.html: Added.
http/tests/from-origin/document-nested-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/document-nested-from-origin-same-accepted.html: Added.
http/tests/from-origin/document-nested-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/document-nested-from-origin-same-blocked.html: Added.
http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html: Added.
http/tests/from-origin/fetch-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/fetch-from-origin-same-accepted.html: Added.
http/tests/from-origin/fetch-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/fetch-from-origin-same-blocked.html: Added.
http/tests/from-origin/fetch-from-origin-same-site-accepted-expected.txt: Added.
http/tests/from-origin/fetch-from-origin-same-site-accepted.html: Added.
http/tests/from-origin/fetch-from-origin-same-site-blocked-expected.txt: Added.
http/tests/from-origin/fetch-from-origin-same-site-blocked.html: Added.
http/tests/from-origin/fetch-iframe-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html: Added.
http/tests/from-origin/fetch-iframe-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html: Added.
http/tests/from-origin/image-about-blank-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/image-about-blank-from-origin-same-blocked.html: Added.
http/tests/from-origin/image-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/image-from-origin-same-accepted.html: Added.
http/tests/from-origin/image-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/image-from-origin-same-blocked.html: Added.
http/tests/from-origin/image-from-origin-same-site-accepted-expected.txt: Added.
http/tests/from-origin/image-from-origin-same-site-accepted.html: Added.
http/tests/from-origin/image-from-origin-same-site-blocked-expected.txt: Added.
http/tests/from-origin/image-from-origin-same-site-blocked.html: Added.
http/tests/from-origin/redirect-document-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/redirect-document-from-origin-same-blocked.html: Added.
http/tests/from-origin/redirect-fetch-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html: Added.
http/tests/from-origin/redirect-image-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/redirect-image-from-origin-same-blocked.html: Added.
http/tests/from-origin/redirect-script-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/redirect-script-from-origin-same-blocked.html: Added.
http/tests/from-origin/redirect-xhr-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html: Added.
http/tests/from-origin/resources: Added.
http/tests/from-origin/resources/fetch.php: Added.
http/tests/from-origin/resources/iframe.php: Added.
http/tests/from-origin/resources/iframeIPAddressFetch.html: Added.
http/tests/from-origin/resources/iframeLocalhostFetch.html: Added.
http/tests/from-origin/resources/image.php: Added.
http/tests/from-origin/resources/nestedIPAddressIframe.html: Added.
http/tests/from-origin/resources/nestedLocalhostIframe.html: Added.
http/tests/from-origin/resources/redirect.php: Added.
http/tests/from-origin/resources/script.php: Added.
http/tests/from-origin/resources/xhr.php: Added.
http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html: Added.
http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html: Added.
http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html: Added.
http/tests/from-origin/script-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/script-from-origin-same-accepted.html: Added.
http/tests/from-origin/script-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/script-from-origin-same-blocked.html: Added.
http/tests/from-origin/script-from-origin-same-site-accepted-expected.txt: Added.
http/tests/from-origin/script-from-origin-same-site-accepted.html: Added.
http/tests/from-origin/script-from-origin-same-site-blocked-expected.txt: Added.
http/tests/from-origin/script-from-origin-same-site-blocked.html: Added.
http/tests/from-origin/top-frame-document-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/top-frame-document-from-origin-same-accepted.php: Added.
http/tests/from-origin/xhr-from-origin-same-accepted-expected.txt: Added.
http/tests/from-origin/xhr-from-origin-same-accepted.html: Added.
http/tests/from-origin/xhr-from-origin-same-blocked-expected.txt: Added.
http/tests/from-origin/xhr-from-origin-same-blocked.html: Added.
http/tests/from-origin/xhr-from-origin-same-site-accepted-expected.txt: Added.
http/tests/from-origin/xhr-from-origin-same-site-accepted.html: Added.
http/tests/from-origin/xhr-from-origin-same-site-blocked-expected.txt: Added.
http/tests/from-origin/xhr-from-origin-same-site-blocked.html: Added.
platform/mac-wk2/TestExpectations:

Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html.

platform/wk2/TestExpectations:

The http/tests/from-origin/ directory marked as [ Pass ].

Location:

trunk

Files:

: 83 added
: 24 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r230963
+                      r230968
+-04-24  John Wilander  <wilander@apple.com>
+        From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+        https://bugs.webkit.org/show_bug.cgi?id=184560
+        <rdar://problem/38901344>
+        Reviewed by Youenn Fablet and Daniel Bates.
+        This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
+        We consume the From-Origin response header and only load the resource if:
+        - The header is non-existent, empty, or invalid.
+        - The header specifies 'same' and the resource's origin matches the originating
+          document's origin and the origins up the frame tree.
+        - The header specifies 'same-site' and the resource's eTLD+1 matches the originating
+          document's eTLD+1 and the eTLD+1 of the documents up the frame tree.
+        This feature is experimental and off by default.
+        * TestExpectations:
+            The http/tests/from-origin/ directory marked as [ Skip ].
+            Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html.
+        * http/tests/from-origin: Added.
+        * http/tests/from-origin/document-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/document-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/document-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/document-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/document-from-origin-same-site-accepted-expected.txt: Added.
+        * http/tests/from-origin/document-from-origin-same-site-accepted.html: Added.
+        * http/tests/from-origin/document-from-origin-same-site-blocked-expected.txt: Added.
+        * http/tests/from-origin/document-from-origin-same-site-blocked.html: Added.
+        * http/tests/from-origin/document-nested-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/document-nested-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/document-nested-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/document-nested-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/fetch-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/fetch-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/fetch-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/fetch-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/fetch-from-origin-same-site-accepted-expected.txt: Added.
+        * http/tests/from-origin/fetch-from-origin-same-site-accepted.html: Added.
+        * http/tests/from-origin/fetch-from-origin-same-site-blocked-expected.txt: Added.
+        * http/tests/from-origin/fetch-from-origin-same-site-blocked.html: Added.
+        * http/tests/from-origin/fetch-iframe-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/fetch-iframe-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/image-about-blank-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/image-about-blank-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/image-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/image-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/image-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/image-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/image-from-origin-same-site-accepted-expected.txt: Added.
+        * http/tests/from-origin/image-from-origin-same-site-accepted.html: Added.
+        * http/tests/from-origin/image-from-origin-same-site-blocked-expected.txt: Added.
+        * http/tests/from-origin/image-from-origin-same-site-blocked.html: Added.
+        * http/tests/from-origin/redirect-document-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/redirect-document-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/redirect-fetch-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/redirect-image-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/redirect-image-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/redirect-script-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/redirect-script-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/redirect-xhr-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/resources: Added.
+        * http/tests/from-origin/resources/fetch.php: Added.
+        * http/tests/from-origin/resources/iframe.php: Added.
+        * http/tests/from-origin/resources/iframeIPAddressFetch.html: Added.
+        * http/tests/from-origin/resources/iframeLocalhostFetch.html: Added.
+        * http/tests/from-origin/resources/image.php: Added.
+        * http/tests/from-origin/resources/nestedIPAddressIframe.html: Added.
+        * http/tests/from-origin/resources/nestedLocalhostIframe.html: Added.
+        * http/tests/from-origin/resources/redirect.php: Added.
+        * http/tests/from-origin/resources/script.php: Added.
+        * http/tests/from-origin/resources/xhr.php: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/script-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/script-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/script-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/script-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/script-from-origin-same-site-accepted-expected.txt: Added.
+        * http/tests/from-origin/script-from-origin-same-site-accepted.html: Added.
+        * http/tests/from-origin/script-from-origin-same-site-blocked-expected.txt: Added.
+        * http/tests/from-origin/script-from-origin-same-site-blocked.html: Added.
+        * http/tests/from-origin/top-frame-document-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/top-frame-document-from-origin-same-accepted.php: Added.
+        * http/tests/from-origin/xhr-from-origin-same-accepted-expected.txt: Added.
+        * http/tests/from-origin/xhr-from-origin-same-accepted.html: Added.
+        * http/tests/from-origin/xhr-from-origin-same-blocked-expected.txt: Added.
+        * http/tests/from-origin/xhr-from-origin-same-blocked.html: Added.
+        * http/tests/from-origin/xhr-from-origin-same-site-accepted-expected.txt: Added.
+        * http/tests/from-origin/xhr-from-origin-same-site-accepted.html: Added.
+        * http/tests/from-origin/xhr-from-origin-same-site-blocked-expected.txt: Added.
+        * http/tests/from-origin/xhr-from-origin-same-site-blocked.html: Added.
+        * platform/mac-wk2/TestExpectations:
+            Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html.
+        * platform/wk2/TestExpectations:
+            The http/tests/from-origin/ directory marked as [ Pass ].
 -04-24  Tadeu Zagallo  <tzagallo@apple.com>

trunk/LayoutTests/TestExpectations

-                      r230944
+                      r230968
 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https.html [ DumpJSConsoleLogInStdErr ]
 imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https.html [ DumpJSConsoleLogInStdErr ]
 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Slow ]
+imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Slow ]
 [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/clients-matchall-order.https.html [ Slow ]
 [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/getregistrations.https.html [ Slow ]
 …
 # Content encoding sniffing is only supported by CFNetwork.
 http/tests/xmlhttprequest/gzip-content-type-no-content-encoding.html [ Skip ]
+# Only supported in WebKit2.
+http/tests/from-origin/ [ Skip ]
 #//////////////////////////////////////////////////////////////////////////////////////////

trunk/LayoutTests/imported/w3c/ChangeLog

-                      r230907
+                      r230968
+-04-24  John Wilander  <wilander@apple.com>
+        From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+        https://bugs.webkit.org/show_bug.cgi?id=184560
+        <rdar://problem/38901344>
+        Reviewed by Youenn Fablet and Daniel Bates.
+        This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
+        We consume the From-Origin response header and only load the resource if:
+        - The header is non-existent, empty, or invalid.
+        - The header specifies 'same' and the resource's origin matches the originating
+          document's origin and the origins up the frame tree.
+        - The header specifies 'same-site' and the resource's eTLD+1 matches the originating
+          document's eTLD+1 and the eTLD+1 of the documents up the frame tree.
+        This feature is experimental and off by default.
+        * web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt:
+            Removed console message since they are now suppressed.
 -04-23  Ms2ger  <Ms2ger@igalia.com>

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt

r227270	r230968
1		CONSOLE MESSAGE: XMLHttpRequest cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt. Response served by service worker is opaque redirect
2	1
3	2	PASS Verify redirect mode of Fetch API and ServiceWorker FetchEvent.

trunk/LayoutTests/platform/mac-wk2/TestExpectations

r230703	r230968
855	855	webkit.org/b/181502 swipe/pushstate-with-manual-scrollrestoration.html [ Failure ]
856	856
857		webkit.org/b/181750 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Pass Failure ]
	857	webkit.org/b/181750 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Pass Failure ]
858	858
859	859	webkit.org/b/181839 [ Debug ] inspector/debugger/breakpoint-action-log.html [ Pass Timeout ]

trunk/LayoutTests/platform/wk2/TestExpectations

-                      r230764
+                      r230968
 http/tests/navigation/process-swap-window-open.html [ Pass ]
+# From-Origin response header is only implemented in WebKit2.
+http/tests/from-origin/ [ Pass ]
 ### END OF (5) Progressions, expected successes that are expected failures in WebKit1.
 ########################################

trunk/Source/WebCore/ChangeLog

-                      r230966
+                      r230968
+-04-24  John Wilander  <wilander@apple.com>
+        From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+        https://bugs.webkit.org/show_bug.cgi?id=184560
+        <rdar://problem/38901344>
+        Reviewed by Youenn Fablet and Daniel Bates.
+        Tests: http/tests/from-origin/document-from-origin-same-accepted.html
+               http/tests/from-origin/document-from-origin-same-blocked.html
+               http/tests/from-origin/document-from-origin-same-site-accepted.html
+               http/tests/from-origin/document-from-origin-same-site-blocked.html
+               http/tests/from-origin/document-nested-from-origin-same-accepted.html
+               http/tests/from-origin/document-nested-from-origin-same-blocked.html
+               http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html
+               http/tests/from-origin/fetch-from-origin-same-accepted.html
+               http/tests/from-origin/fetch-from-origin-same-blocked.html
+               http/tests/from-origin/fetch-from-origin-same-site-accepted.html
+               http/tests/from-origin/fetch-from-origin-same-site-blocked.html
+               http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html
+               http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html
+               http/tests/from-origin/image-about-blank-from-origin-same-blocked.html
+               http/tests/from-origin/image-from-origin-same-accepted.html
+               http/tests/from-origin/image-from-origin-same-blocked.html
+               http/tests/from-origin/image-from-origin-same-site-accepted.html
+               http/tests/from-origin/image-from-origin-same-site-blocked.html
+               http/tests/from-origin/redirect-document-from-origin-same-blocked.html
+               http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html
+               http/tests/from-origin/redirect-image-from-origin-same-blocked.html
+               http/tests/from-origin/redirect-script-from-origin-same-blocked.html
+               http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html
+               http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html
+               http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html
+               http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html
+               http/tests/from-origin/script-from-origin-same-accepted.html
+               http/tests/from-origin/script-from-origin-same-blocked.html
+               http/tests/from-origin/script-from-origin-same-site-accepted.html
+               http/tests/from-origin/script-from-origin-same-site-blocked.html
+               http/tests/from-origin/top-frame-document-from-origin-same-accepted.php
+               http/tests/from-origin/xhr-from-origin-same-accepted.html
+               http/tests/from-origin/xhr-from-origin-same-blocked.html
+               http/tests/from-origin/xhr-from-origin-same-site-accepted.html
+               http/tests/from-origin/xhr-from-origin-same-site-blocked.html
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::didFail):
+            Outputs the error's localized description in a console message except when the destination
+            is FetchOptions::Destination::Serviceworker or FetchOptions::Destination::EmptyString.
+        * page/RuntimeEnabledFeatures.h:
+        (WebCore::RuntimeEnabledFeatures::setFromOriginResponseHeaderEnabled):
+        (WebCore::RuntimeEnabledFeatures::fromOriginResponseHeaderEnabled const):
+            Added From-Origin support as an experimental feature.
+        * platform/network/HTTPHeaderNames.in:
+            Added From-Origin.
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::parseFromOriginHeader):
+            Parses the From-Origin header, currently supporting 'Same' and 'Same-Site.'
+        * platform/network/HTTPParsers.h:
 -04-24  Antti Koivisto  <antti@apple.com>

trunk/Source/WebCore/loader/SubresourceLoader.cpp

-                      r230942
+                      r230968
 void SubresourceLoader::didFail(const ResourceError& error)
+{
+    if (m_frame && m_frame->document() && error.isAccessControl() && options().destination != FetchOptions::Destination::Serviceworker && options().destination != FetchOptions::Destination::EmptyString)
+        m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, error.localizedDescription());
 #if USE(QUICK_LOOK)
     if (auto previewLoader = m_previewLoader.get())

trunk/Source/WebCore/page/RuntimeEnabledFeatures.h

-                      r230736
+                      r230968
     bool restrictedHTTPResponseAccess() const { return m_isRestrictedHTTPResponseAccess; }
+    void setFromOriginResponseHeaderEnabled(bool isEnabled) { m_fromOriginResponseHeaderEnabled = isEnabled; }
+    bool fromOriginResponseHeaderEnabled() const { return m_fromOriginResponseHeaderEnabled; }
     WEBCORE_EXPORT static RuntimeEnabledFeatures& sharedFeatures();
 …
     bool m_isRestrictedHTTPResponseAccess { false };
+    bool m_fromOriginResponseHeaderEnabled { false };
     friend class WTF::NeverDestroyed<RuntimeEnabledFeatures>;
 };

trunk/Source/WebCore/platform/network/HTTPHeaderNames.in

r230267	r230968
57	57	Expect
58	58	Expires
	59	From-Origin
59	60	Host
60	61	If-Match

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

-                      r226349
+                      r230968
+}
+}
+FromOriginDisposition parseFromOriginHeader(const String& header)
+{
+    auto strippedHeader = stripLeadingAndTrailingHTTPSpaces(header);
+    if (strippedHeader.isEmpty())
+        return FromOriginDisposition::None;
+    if (equalLettersIgnoringASCIICase(strippedHeader, "same"))
+        return FromOriginDisposition::Same;
+    if (equalLettersIgnoringASCIICase(strippedHeader, "same-site"))
+        return FromOriginDisposition::SameSite;
+    return FromOriginDisposition::Invalid;
+}
+}

trunk/Source/WebCore/platform/network/HTTPParsers.h

-                      r230365
+                      r230968
 };
+enum class FromOriginDisposition {
+    None,
+    Same,
+    SameSite,
+    Invalid
+};
 bool isValidReasonPhrase(const String&);
 bool isValidHTTPHeaderValue(const String&);
 …
 String normalizeHTTPMethod(const String&);
+WEBCORE_EXPORT FromOriginDisposition parseFromOriginHeader(const String&);
 inline bool isHTTPSpace(UChar character)

trunk/Source/WebKit/ChangeLog

-                      r230958
+                      r230968
+-04-24  John Wilander  <wilander@apple.com>
+        From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+        https://bugs.webkit.org/show_bug.cgi?id=184560
+        <rdar://problem/38901344>
+        Reviewed by Youenn Fablet and Daniel Bates.
+        This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
+        We consume the From-Origin response header and only load the resource if:
+        - The header is non-existent, empty, or invalid.
+        - The header specifies 'same' and the resource's origin matches the originating
+          document's origin and the origins up the frame tree.
+        - The header specifies 'same-site' and the resource's eTLD+1 matches the originating
+          document's eTLD+1 and the eTLD+1 of the documents up the frame tree.
+        This feature is experimental and off by default.
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+            Support for the two new load parameters:
+            - shouldEnableFromOriginResponseHeader
+            - frameAncestorOrigins
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::areFrameAncestorsSameSite):
+        (WebKit::areFrameAncestorsSameOrigin):
+        (WebKit::shouldCancelCrossOriginLoad):
+            The three functions above implement the new blocking logic.
+        (WebKit::fromOriginResourceError):
+            Convenience function that returns an error with the From-Origin error message.
+        (WebKit::NetworkResourceLoader::didReceiveResponse):
+            Now checks for a From-Origin response header.
+        (WebKit::NetworkResourceLoader::didFailLoading):
+            Now checks for a From-Origin response header.
+        (WebKit::NetworkResourceLoader::continueWillSendRedirectedRequest):
+            Now checks for a From-Origin response header.
+        (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+            Now checks for a From-Origin response header.
+        (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
+            Now checks for a From-Origin response header.
+        * Shared/WebCoreArgumentCoders.cpp:
+        (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::encode):
+        (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode):
+            Now encodes and decodes vectors of RefPtr<WebCore::SecurityOrigin>.
+        * Shared/WebCoreArgumentCoders.h:
+        * Shared/WebPreferences.yaml:
+            Added From-Origin support as an experimental feature.
+        * UIProcess/API/C/WKPreferences.cpp:
+        (WKPreferencesSetFromOriginResponseHeaderEnabled):
+        (WKPreferencesGetFromOriginResponseHeaderEnabled):
+        * UIProcess/API/C/WKPreferencesRef.h:
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+            Sets the two new load parameters:
+            - shouldEnableFromOriginResponseHeader
+            - frameAncestorOrigins
 -04-24  Jer Noble  <jer.noble@apple.com>

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp

-                      r230942
+                      r230968
     encoder.encodeEnum(preflightPolicy);
+    encoder << shouldEnableFromOriginResponseHeader;
+    if (shouldEnableFromOriginResponseHeader)
+        encoder << frameAncestorOrigins;
 #if ENABLE(CONTENT_EXTENSIONS)
     encoder << mainDocumentURL;
 …
         return false;
+    std::optional<bool> shouldEnableFromOriginResponseHeader;
+    decoder >> shouldEnableFromOriginResponseHeader;
+    if (!shouldEnableFromOriginResponseHeader)
+        return false;
+    result.shouldEnableFromOriginResponseHeader = *shouldEnableFromOriginResponseHeader;
+    if (result.shouldEnableFromOriginResponseHeader) {
+        if (!decoder.decode(result.frameAncestorOrigins))
+            return false;
+    }
 #if ENABLE(CONTENT_EXTENSIONS)
     if (!decoder.decode(result.mainDocumentURL))

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h

r230942	r230968
62	62	bool shouldRestrictHTTPResponseAccess { false };
63	63	WebCore::PreflightPolicy preflightPolicy { WebCore::PreflightPolicy::Consider };
	64	bool shouldEnableFromOriginResponseHeader { false };
	65	Vector<RefPtr<WebCore::SecurityOrigin>> frameAncestorOrigins;
64	66
65	67	#if ENABLE(CONTENT_EXTENSIONS)

trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

-                      r230944
+                      r230968
 #include <WebCore/DiagnosticLoggingKeys.h>
 #include <WebCore/HTTPHeaderNames.h>
+#include <WebCore/HTTPParsers.h>
 #include <WebCore/NetworkLoadMetrics.h>
 #include <WebCore/ProtectionSpace.h>
 #include <WebCore/SameSiteInfo.h>
+#include <WebCore/SecurityOrigin.h>
 #include <WebCore/SharedBuffer.h>
 #include <WebCore/SynchronousLoaderClient.h>
 …
+}
+static bool areFrameAncestorsSameSite(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
+{
+#if ENABLE(PUBLIC_SUFFIX_LIST)
+    auto responsePartition = ResourceRequest::partitionName(response.url().host());
+    return frameAncestorOrigins.findMatching([&](const auto& item) {
+        return item->isUnique() || ResourceRequest::partitionName(item->host()) != responsePartition;
+    }) == notFound;
+#else
+    UNUSED_PARAM(response);
+    UNUSED_PARAM(frameAncestorOrigins);
+    return false;
+#endif
+}
+static bool areFrameAncestorsSameOrigin(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
+{
+    return frameAncestorOrigins.findMatching([responseOrigin = SecurityOrigin::create(response.url())](const auto& item) {
+        return !item->isSameOriginAs(responseOrigin);
+    }) == notFound;
+}
+static bool shouldCancelCrossOriginLoad(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
+{
+    auto fromOriginDirective = WebCore::parseFromOriginHeader(response.httpHeaderField(WebCore::HTTPHeaderName::FromOrigin));
+    switch (fromOriginDirective) {
+    case WebCore::FromOriginDisposition::None:
+    case WebCore::FromOriginDisposition::Invalid:
+        return false;
+    case WebCore::FromOriginDisposition::Same:
+        return !areFrameAncestorsSameOrigin(response, frameAncestorOrigins);
+    case WebCore::FromOriginDisposition::SameSite:
+        return !areFrameAncestorsSameSite(response, frameAncestorOrigins);
+    }
+}
+static ResourceError fromOriginResourceError(const URL& url)
+{
+    return { errorDomainWebKitInternal, 0, url, ASCIILiteral { "Cancelled load because it violates the resource's From-Origin response header." }, ResourceError::Type::AccessControl };
+}
 auto NetworkResourceLoader::didReceiveResponse(ResourceResponse&& receivedResponse) -> ShouldContinueDidReceiveResponse
+{
 …
     bool shouldWaitContinueDidReceiveResponse = isMainResource();
     if (shouldSendDidReceiveResponse) {
+        if (m_networkLoadChecker) {
+            auto error = m_networkLoadChecker->validateResponse(m_response);
+            if (!error.isNull()) {
+                RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] {
+                    if (protectedThis->m_networkLoad)
+                        protectedThis->didFailLoading(error);
+                });
+                return ShouldContinueDidReceiveResponse::No;
+            }
+        ResourceError error;
+        if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(m_response, m_parameters.frameAncestorOrigins))
+            error = fromOriginResourceError(m_response.url());
+        if (error.isNull() && m_networkLoadChecker)
+            error = m_networkLoadChecker->validateResponse(m_response);
+        if (!error.isNull()) {
+            RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] {
+                if (protectedThis->m_networkLoad)
+                    protectedThis->didFailLoading(error);
+            });
+            return ShouldContinueDidReceiveResponse::No;
+        }
 …
 void NetworkResourceLoader::didFailLoading(const ResourceError& error)
+{
     RELEASE_LOG_IF_ALLOWED("didFailLoading: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ", isTimeout = %d, isCancellation = %d, errCode = %d)", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier, error.isTimeout(), error.isCancellation(), error.errorCode());
+    RELEASE_LOG_IF_ALLOWED("didFailLoading: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ", isTimeout = %d, isCancellation = %d, isAccessControl = %d, errCode = %d)", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier, error.isTimeout(), error.isCancellation(), error.isAccessControl(), error.errorCode());
     if (shouldCaptureExtraNetworkLoadMetrics())
 …
     if (canUseCachedRedirect(request))
         m_cache->storeRedirect(request, redirectResponse, redirectRequest);
+    if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(redirectResponse, m_parameters.frameAncestorOrigins) && m_networkLoad) {
+        didFailLoading(fromOriginResourceError(redirectResponse.url()));
+        return;
+    }
     send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection)));
 …
+{
     auto response = entry->response();
+    auto error = m_networkLoadChecker ? m_networkLoadChecker->validateResponse(response) : ResourceError { };
+    ResourceError error;
+    if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins))
+        error = fromOriginResourceError(response.url());
+    if (error.isNull() && m_networkLoadChecker)
+        error = m_networkLoadChecker->validateResponse(response);
     if (!error.isNull()) {
 …
     LOG(NetworkCache, "(NetworkProcess) Executing cached redirect");
+    auto& response = entry->response();
+    if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins) && m_networkLoad) {
+        didFailLoading(fromOriginResourceError(response.url()));
+        return;
+    }
     ++m_redirectCount;
     send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::Redirection) });
+    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { response }, ResourceResponse::SanitizationType::Redirection) });
     m_isWaitingContinueWillSendRequestForCachedRedirect = true;
+}

trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp

-                      r230893
+                      r230968
 #include <WebCore/ScrollingCoordinator.h>
 #include <WebCore/SearchPopupMenu.h>
+#include <WebCore/SecurityOrigin.h>
 #include <WebCore/ServiceWorkerClientData.h>
 #include <WebCore/ServiceWorkerClientIdentifier.h>
 …
 #endif // ENABLE(ATTACHMENT_ELEMENT)
+void ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::encode(Encoder& encoder, const Vector<RefPtr<SecurityOrigin>>& origins)
+{
+    encoder << static_cast<uint64_t>(origins.size());
+    for (auto& origin : origins)
+        encoder << *origin;
+}
+bool ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode(Decoder& decoder, Vector<RefPtr<SecurityOrigin>>& origins)
+{
+    uint64_t dataSize;
+    if (!decoder.decode(dataSize))
+        return false;
+    origins.reserveInitialCapacity(dataSize);
+    for (uint64_t i = 0; i < dataSize; ++i) {
+        auto decodedOriginRefPtr = SecurityOrigin::decode(decoder);
+        if (!decodedOriginRefPtr)
+            return false;
+        origins.uncheckedAppend(decodedOriginRefPtr.releaseNonNull());
+    }
+    return true;
+}
 } // namespace IPC

trunk/Source/WebKit/Shared/WebCoreArgumentCoders.h

-                      r230269
+                      r230968
 class ResourceRequest;
 class ResourceResponse;
+class SecurityOrigin;
 class SpringTimingFunction;
 class StepsTimingFunction;
 …
 #endif
+template<> struct ArgumentCoder<Vector<RefPtr<WebCore::SecurityOrigin>>> {
+    static void encode(Encoder&, const Vector<RefPtr<WebCore::SecurityOrigin>>&);
+    static bool decode(Decoder&, Vector<RefPtr<WebCore::SecurityOrigin>>&);
+};
 } // namespace IPC

trunk/Source/WebKit/Shared/WebPreferences.yaml

-                      r230819
+                      r230968
     category: experimental
     webcoreBinding: RuntimeEnabledFeatures
+FromOriginResponseHeaderEnabled:
+    type: bool
+    defaultValue: false
+    humanReadableName: "From-Origin Response Header"
+    humanReadableDescription: "Support for the From-Origin Response Header"
+    category: experimental
+    webcoreBinding: RuntimeEnabledFeatures

trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp

-                      r230290
+                      r230968
+}
+void WKPreferencesSetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef, bool flag)
+{
+    toImpl(preferencesRef)->setFromOriginResponseHeaderEnabled(flag);
+}
+bool WKPreferencesGetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->fromOriginResponseHeaderEnabled();
+}
 void WKPreferencesSetRestrictedHTTPResponseAccess(WKPreferencesRef preferencesRef, bool flag)
+{

trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRef.h

-                      r230290
+                      r230968
 WK_EXPORT void WKPreferencesSetRestrictedHTTPResponseAccess(WKPreferencesRef preferencesRef, bool allow);
+// Defaults to false.
+WK_EXPORT bool WKPreferencesGetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef);
+WK_EXPORT void WKPreferencesSetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef, bool allow);
 #ifdef __cplusplus
+}

trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

-                      r230942
+                      r230968
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate;
+    bool isMainFrameNavigation = resourceLoader.frame() && resourceLoader.frame()->isMainFrame() && resourceLoader.options().mode == FetchOptions::Mode::Navigate;
+    loadParameters.shouldEnableFromOriginResponseHeader = RuntimeEnabledFeatures::sharedFeatures().fromOriginResponseHeaderEnabled() && !isMainFrameNavigation;
+    if (loadParameters.shouldEnableFromOriginResponseHeader) {
+        Vector<RefPtr<WebCore::SecurityOrigin>> frameAncestorOrigins;
+        for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent()) {
+            if (frame->document())
+                frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin()));
+            if (frame->isMainFrame())
+                break;
+        }
+        loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins);
+    }
     ASSERT((loadParameters.webPageID && loadParameters.webFrameID) || loadParameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials);

trunk/Tools/ChangeLog

-                      r230953
+                      r230968
+-04-24  John Wilander  <wilander@apple.com>
+        From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+        https://bugs.webkit.org/show_bug.cgi?id=184560
+        <rdar://problem/38901344>
+        Reviewed by Youenn Fablet and Daniel Bates.
+        This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
+        We consume the From-Origin response header and only load the resource if:
+        - The header is non-existent, empty, or invalid.
+        - The header specifies 'same' and the resource's origin matches the originating
+          document's origin and the origins up the frame tree.
+        - The header specifies 'same-site' and the resource's eTLD+1 matches the originating
+          document's eTLD+1 and the eTLD+1 of the documents up the frame tree.
+        This feature is experimental and off by default.
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp: Added.
+        (TestWebKitAPI::TEST):
+            Tests for From-Origin header parsing.
 -04-24  Carlos Garcia Campos  <cgarcia@igalia.com>

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

-                      r230851
+                      r230968
 A61B8B1FAD251100F06885 /* display-mode.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 63A61B8A1FAD204D00F06885 /* display-mode.html */; };
 F668221F97F7F90032EE51 /* ApplicationManifest.mm in Sources */ = {isa = PBXBuildFile; fileRef = 63F668201F97C3AA0032EE51 /* ApplicationManifest.mm */; };
+B9ABE122086952F00D75DE6 /* HTTPParsers.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 6B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */; };
 BFD294C1D5E6C1D008EC968 /* HashCountedSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7A38D7E51C752D5F004F157D /* HashCountedSet.cpp */; };
 B05D61F8EAC410028A09E /* DatabaseTrackerTest.mm in Sources */ = {isa = PBXBuildFile; fileRef = 751B05D51F8EAC1A0028A09E /* DatabaseTrackerTest.mm */; };
 …
 A61B8A1FAD204D00F06885 /* display-mode.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "display-mode.html"; sourceTree = "<group>"; };
 F668201F97C3AA0032EE51 /* ApplicationManifest.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = ApplicationManifest.mm; sourceTree = "<group>"; };
+B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = HTTPParsers.cpp; sourceTree = "<group>"; };
 B05D51F8EAC1A0028A09E /* DatabaseTrackerTest.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = DatabaseTrackerTest.mm; sourceTree = "<group>"; };
 CEC801F6722DC00D0039A /* AutoFillAvailable.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = AutoFillAvailable.mm; sourceTree = "<group>"; };
 …
 B88A331C80056D00BB2418 /* HTMLParserIdioms.cpp */,
 CA1DEC71F71F40700E71BD3 /* HTTPHeaderField.cpp */,
+B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */,
 A909A731D877475007E10F8 /* IntPoint.cpp */,
 A909A741D877475007E10F8 /* IntRect.cpp */,
 …
 C83E0501D0A641800FEBCF3 /* HTMLParserIdioms.cpp in Sources */,
 CA1DEC81F71F70100E71BD3 /* HTTPHeaderField.cpp in Sources */,
+B9ABE122086952F00D75DE6 /* HTTPParsers.cpp in Sources */,
 AF23DF1EF1A3730072F281 /* IconLoadingDelegate.mm in Sources */,
                                 510477781D29923B009747EB /* IDBDeleteRecovery.mm in Sources */,

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 230968 in webkit

Legend:

Download in other formats: