Changeset 230968 in webkit
- Timestamp:
- Apr 24, 2018 12:51:22 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 83 added
- 24 edited
trunk/LayoutTests/ChangeLog
r230963 r230968 1 2018-04-24 John Wilander <wilander@apple.com> 2 3 From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check 4 https://bugs.webkit.org/show_bug.cgi?id=184560 5 <rdar://problem/38901344> 6 7 Reviewed by Youenn Fablet and Daniel Bates. 8 9 This patch implements significant parts of https://github.com/whatwg/fetch/issues/687. 10 We consume the From-Origin response header and only load the resource if: 11 - The header is non-existent, empty, or invalid. 12 - The header specifies 'same' and the resource's origin matches the originating 13 document's origin and the origins up the frame tree. 14 - The header specifies 'same-site' and the resource's eTLD+1 matches the originating 15 document's eTLD+1 and the eTLD+1 of the documents up the frame tree. 16 17 This feature is experimental and off by default. 18 19 * TestExpectations: 20 The http/tests/from-origin/ directory marked as [ Skip ]. 21 Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html. 22 * http/tests/from-origin: Added. 23 * http/tests/from-origin/document-from-origin-same-accepted-expected.txt: Added. 24 * http/tests/from-origin/document-from-origin-same-accepted.html: Added. 25 * http/tests/from-origin/document-from-origin-same-blocked-expected.txt: Added. 26 * http/tests/from-origin/document-from-origin-same-blocked.html: Added. 27 * http/tests/from-origin/document-from-origin-same-site-accepted-expected.txt: Added. 28 * http/tests/from-origin/document-from-origin-same-site-accepted.html: Added. 29 * http/tests/from-origin/document-from-origin-same-site-blocked-expected.txt: Added. 30 * http/tests/from-origin/document-from-origin-same-site-blocked.html: Added. 31 * http/tests/from-origin/document-nested-from-origin-same-accepted-expected.txt: Added. 32 * http/tests/from-origin/document-nested-from-origin-same-accepted.html: Added. 
33 * http/tests/from-origin/document-nested-from-origin-same-blocked-expected.txt: Added. 34 * http/tests/from-origin/document-nested-from-origin-same-blocked.html: Added. 35 * http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked-expected.txt: Added. 36 * http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html: Added. 37 * http/tests/from-origin/fetch-from-origin-same-accepted-expected.txt: Added. 38 * http/tests/from-origin/fetch-from-origin-same-accepted.html: Added. 39 * http/tests/from-origin/fetch-from-origin-same-blocked-expected.txt: Added. 40 * http/tests/from-origin/fetch-from-origin-same-blocked.html: Added. 41 * http/tests/from-origin/fetch-from-origin-same-site-accepted-expected.txt: Added. 42 * http/tests/from-origin/fetch-from-origin-same-site-accepted.html: Added. 43 * http/tests/from-origin/fetch-from-origin-same-site-blocked-expected.txt: Added. 44 * http/tests/from-origin/fetch-from-origin-same-site-blocked.html: Added. 45 * http/tests/from-origin/fetch-iframe-from-origin-same-accepted-expected.txt: Added. 46 * http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html: Added. 47 * http/tests/from-origin/fetch-iframe-from-origin-same-blocked-expected.txt: Added. 48 * http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html: Added. 49 * http/tests/from-origin/image-about-blank-from-origin-same-blocked-expected.txt: Added. 50 * http/tests/from-origin/image-about-blank-from-origin-same-blocked.html: Added. 51 * http/tests/from-origin/image-from-origin-same-accepted-expected.txt: Added. 52 * http/tests/from-origin/image-from-origin-same-accepted.html: Added. 53 * http/tests/from-origin/image-from-origin-same-blocked-expected.txt: Added. 54 * http/tests/from-origin/image-from-origin-same-blocked.html: Added. 55 * http/tests/from-origin/image-from-origin-same-site-accepted-expected.txt: Added. 56 * http/tests/from-origin/image-from-origin-same-site-accepted.html: Added. 
57 * http/tests/from-origin/image-from-origin-same-site-blocked-expected.txt: Added. 58 * http/tests/from-origin/image-from-origin-same-site-blocked.html: Added. 59 * http/tests/from-origin/redirect-document-from-origin-same-blocked-expected.txt: Added. 60 * http/tests/from-origin/redirect-document-from-origin-same-blocked.html: Added. 61 * http/tests/from-origin/redirect-fetch-from-origin-same-blocked-expected.txt: Added. 62 * http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html: Added. 63 * http/tests/from-origin/redirect-image-from-origin-same-blocked-expected.txt: Added. 64 * http/tests/from-origin/redirect-image-from-origin-same-blocked.html: Added. 65 * http/tests/from-origin/redirect-script-from-origin-same-blocked-expected.txt: Added. 66 * http/tests/from-origin/redirect-script-from-origin-same-blocked.html: Added. 67 * http/tests/from-origin/redirect-xhr-from-origin-same-blocked-expected.txt: Added. 68 * http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html: Added. 69 * http/tests/from-origin/resources: Added. 70 * http/tests/from-origin/resources/fetch.php: Added. 71 * http/tests/from-origin/resources/iframe.php: Added. 72 * http/tests/from-origin/resources/iframeIPAddressFetch.html: Added. 73 * http/tests/from-origin/resources/iframeLocalhostFetch.html: Added. 74 * http/tests/from-origin/resources/image.php: Added. 75 * http/tests/from-origin/resources/nestedIPAddressIframe.html: Added. 76 * http/tests/from-origin/resources/nestedLocalhostIframe.html: Added. 77 * http/tests/from-origin/resources/redirect.php: Added. 78 * http/tests/from-origin/resources/script.php: Added. 79 * http/tests/from-origin/resources/xhr.php: Added. 80 * http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked-expected.txt: Added. 81 * http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html: Added. 82 * http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked-expected.txt: Added. 
83 * http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html: Added. 84 * http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked-expected.txt: Added. 85 * http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html: Added. 86 * http/tests/from-origin/script-from-origin-same-accepted-expected.txt: Added. 87 * http/tests/from-origin/script-from-origin-same-accepted.html: Added. 88 * http/tests/from-origin/script-from-origin-same-blocked-expected.txt: Added. 89 * http/tests/from-origin/script-from-origin-same-blocked.html: Added. 90 * http/tests/from-origin/script-from-origin-same-site-accepted-expected.txt: Added. 91 * http/tests/from-origin/script-from-origin-same-site-accepted.html: Added. 92 * http/tests/from-origin/script-from-origin-same-site-blocked-expected.txt: Added. 93 * http/tests/from-origin/script-from-origin-same-site-blocked.html: Added. 94 * http/tests/from-origin/top-frame-document-from-origin-same-accepted-expected.txt: Added. 95 * http/tests/from-origin/top-frame-document-from-origin-same-accepted.php: Added. 96 * http/tests/from-origin/xhr-from-origin-same-accepted-expected.txt: Added. 97 * http/tests/from-origin/xhr-from-origin-same-accepted.html: Added. 98 * http/tests/from-origin/xhr-from-origin-same-blocked-expected.txt: Added. 99 * http/tests/from-origin/xhr-from-origin-same-blocked.html: Added. 100 * http/tests/from-origin/xhr-from-origin-same-site-accepted-expected.txt: Added. 101 * http/tests/from-origin/xhr-from-origin-same-site-accepted.html: Added. 102 * http/tests/from-origin/xhr-from-origin-same-site-blocked-expected.txt: Added. 103 * http/tests/from-origin/xhr-from-origin-same-site-blocked.html: Added. 104 * platform/mac-wk2/TestExpectations: 105 Suppressed console output for imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html. 
106 * platform/wk2/TestExpectations: 107 The http/tests/from-origin/ directory marked as [ Pass ]. 108 1 109 2018-04-24 Tadeu Zagallo <tzagallo@apple.com> 2 110 -
trunk/LayoutTests/TestExpectations
r230944 r230968 207 207 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https.html [ DumpJSConsoleLogInStdErr ] 208 208 imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https.html [ DumpJSConsoleLogInStdErr ] 209 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Slow ]209 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Slow ] 210 210 [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/clients-matchall-order.https.html [ Slow ] 211 211 [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/getregistrations.https.html [ Slow ] … … 346 346 # Content encoding sniffing is only supported by CFNetwork. 347 347 http/tests/xmlhttprequest/gzip-content-type-no-content-encoding.html [ Skip ] 348 349 # Only supported in WebKit2. 350 http/tests/from-origin/ [ Skip ] 348 351 349 352 #////////////////////////////////////////////////////////////////////////////////////////// -
trunk/LayoutTests/imported/w3c/ChangeLog
r230907 r230968 1 2018-04-24 John Wilander <wilander@apple.com> 2 3 From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check 4 https://bugs.webkit.org/show_bug.cgi?id=184560 5 <rdar://problem/38901344> 6 7 Reviewed by Youenn Fablet and Daniel Bates. 8 9 This patch implements significant parts of https://github.com/whatwg/fetch/issues/687. 10 We consume the From-Origin response header and only load the resource if: 11 - The header is non-existent, empty, or invalid. 12 - The header specifies 'same' and the resource's origin matches the originating 13 document's origin and the origins up the frame tree. 14 - The header specifies 'same-site' and the resource's eTLD+1 matches the originating 15 document's eTLD+1 and the eTLD+1 of the documents up the frame tree. 16 17 This feature is experimental and off by default. 18 19 * web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt: 20 Removed console message since they are now suppressed. 21 1 22 2018-04-23 Ms2ger <Ms2ger@igalia.com> 2 23 -
trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt
r227270 r230968 1 CONSOLE MESSAGE: XMLHttpRequest cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt. Response served by service worker is opaque redirect2 1 3 2 PASS Verify redirect mode of Fetch API and ServiceWorker FetchEvent. -
trunk/LayoutTests/platform/mac-wk2/TestExpectations
r230703 r230968 855 855 webkit.org/b/181502 swipe/pushstate-with-manual-scrollrestoration.html [ Failure ] 856 856 857 webkit.org/b/181750 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Pass Failure ]857 webkit.org/b/181750 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Pass Failure ] 858 858 859 859 webkit.org/b/181839 [ Debug ] inspector/debugger/breakpoint-action-log.html [ Pass Timeout ] -
trunk/LayoutTests/platform/wk2/TestExpectations
r230764 r230968 711 711 http/tests/navigation/process-swap-window-open.html [ Pass ] 712 712 713 # From-Origin response header is only implemented in WebKit2. 714 http/tests/from-origin/ [ Pass ] 715 713 716 ### END OF (5) Progressions, expected successes that are expected failures in WebKit1. 714 717 ######################################## -
trunk/Source/WebCore/ChangeLog
r230966 r230968 1 2018-04-24 John Wilander <wilander@apple.com> 2 3 From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check 4 https://bugs.webkit.org/show_bug.cgi?id=184560 5 <rdar://problem/38901344> 6 7 Reviewed by Youenn Fablet and Daniel Bates. 8 9 Tests: http/tests/from-origin/document-from-origin-same-accepted.html 10 http/tests/from-origin/document-from-origin-same-blocked.html 11 http/tests/from-origin/document-from-origin-same-site-accepted.html 12 http/tests/from-origin/document-from-origin-same-site-blocked.html 13 http/tests/from-origin/document-nested-from-origin-same-accepted.html 14 http/tests/from-origin/document-nested-from-origin-same-blocked.html 15 http/tests/from-origin/fetch-data-iframe-from-origin-same-blocked.html 16 http/tests/from-origin/fetch-from-origin-same-accepted.html 17 http/tests/from-origin/fetch-from-origin-same-blocked.html 18 http/tests/from-origin/fetch-from-origin-same-site-accepted.html 19 http/tests/from-origin/fetch-from-origin-same-site-blocked.html 20 http/tests/from-origin/fetch-iframe-from-origin-same-accepted.html 21 http/tests/from-origin/fetch-iframe-from-origin-same-blocked.html 22 http/tests/from-origin/image-about-blank-from-origin-same-blocked.html 23 http/tests/from-origin/image-from-origin-same-accepted.html 24 http/tests/from-origin/image-from-origin-same-blocked.html 25 http/tests/from-origin/image-from-origin-same-site-accepted.html 26 http/tests/from-origin/image-from-origin-same-site-blocked.html 27 http/tests/from-origin/redirect-document-from-origin-same-blocked.html 28 http/tests/from-origin/redirect-fetch-from-origin-same-blocked.html 29 http/tests/from-origin/redirect-image-from-origin-same-blocked.html 30 http/tests/from-origin/redirect-script-from-origin-same-blocked.html 31 http/tests/from-origin/redirect-xhr-from-origin-same-blocked.html 32 http/tests/from-origin/sandboxed-sub-frame-from-origin-same-blocked.html 33 
http/tests/from-origin/sandboxed-sub-frame-nested-cross-origin-from-origin-same-blocked.html 34 http/tests/from-origin/sandboxed-sub-frame-nested-same-origin-from-origin-same-blocked.html 35 http/tests/from-origin/script-from-origin-same-accepted.html 36 http/tests/from-origin/script-from-origin-same-blocked.html 37 http/tests/from-origin/script-from-origin-same-site-accepted.html 38 http/tests/from-origin/script-from-origin-same-site-blocked.html 39 http/tests/from-origin/top-frame-document-from-origin-same-accepted.php 40 http/tests/from-origin/xhr-from-origin-same-accepted.html 41 http/tests/from-origin/xhr-from-origin-same-blocked.html 42 http/tests/from-origin/xhr-from-origin-same-site-accepted.html 43 http/tests/from-origin/xhr-from-origin-same-site-blocked.html 44 45 * loader/SubresourceLoader.cpp: 46 (WebCore::SubresourceLoader::didFail): 47 Outputs the error's localized description in a console message except when the destination 48 is FetchOptions::Destination::Serviceworker or FetchOptions::Destination::EmptyString. 49 * page/RuntimeEnabledFeatures.h: 50 (WebCore::RuntimeEnabledFeatures::setFromOriginResponseHeaderEnabled): 51 (WebCore::RuntimeEnabledFeatures::fromOriginResponseHeaderEnabled const): 52 Added From-Origin support as an experimental feature. 53 * platform/network/HTTPHeaderNames.in: 54 Added From-Origin. 55 * platform/network/HTTPParsers.cpp: 56 (WebCore::parseFromOriginHeader): 57 Parses the From-Origin header, currently supporting 'Same' and 'Same-Site.' 58 * platform/network/HTTPParsers.h: 59 1 60 2018-04-24 Antti Koivisto <antti@apple.com> 2 61 -
trunk/Source/WebCore/loader/SubresourceLoader.cpp
r230942 r230968 651 651 void SubresourceLoader::didFail(const ResourceError& error) 652 652 { 653 if (m_frame && m_frame->document() && error.isAccessControl() && options().destination != FetchOptions::Destination::Serviceworker && options().destination != FetchOptions::Destination::EmptyString) 654 m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, error.localizedDescription()); 655 653 656 #if USE(QUICK_LOOK) 654 657 if (auto previewLoader = m_previewLoader.get()) -
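Review bot: The condition added at the top of didFail skips the console message for `FetchOptions::Destination::Serviceworker` and `FetchOptions::Destination::EmptyString`, and nothing in the code says why. Someone auditing which access-control failures are surfaced to developers cannot tell whether those loads are reported elsewhere or are meant to stay silent. I would put a comment above the `if` that states the actual reason, along the lines of `// Serviceworker and EmptyString (fetch/XHR) loads are skipped because <reason>.` The body of didFail continues outside the hunk.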
trunk/Source/WebCore/page/RuntimeEnabledFeatures.h
r230736 r230968 251 251 bool restrictedHTTPResponseAccess() const { return m_isRestrictedHTTPResponseAccess; } 252 252 253 void setFromOriginResponseHeaderEnabled(bool isEnabled) { m_fromOriginResponseHeaderEnabled = isEnabled; } 254 bool fromOriginResponseHeaderEnabled() const { return m_fromOriginResponseHeaderEnabled; } 255 253 256 WEBCORE_EXPORT static RuntimeEnabledFeatures& sharedFeatures(); 254 257 … … 384 387 385 388 bool m_isRestrictedHTTPResponseAccess { false }; 386 389 390 bool m_fromOriginResponseHeaderEnabled { false }; 391 387 392 friend class WTF::NeverDestroyed<RuntimeEnabledFeatures>; 388 393 }; -
trunk/Source/WebCore/platform/network/HTTPHeaderNames.in
r230267 r230968 57 57 Expect 58 58 Expires 59 From-Origin 59 60 Host 60 61 If-Match -
trunk/Source/WebCore/platform/network/HTTPParsers.cpp
r226349 r230968 898 898 } 899 899 900 } 900 FromOriginDisposition parseFromOriginHeader(const String& header) 901 { 902 auto strippedHeader = stripLeadingAndTrailingHTTPSpaces(header); 903 904 if (strippedHeader.isEmpty()) 905 return FromOriginDisposition::None; 906 907 if (equalLettersIgnoringASCIICase(strippedHeader, "same")) 908 return FromOriginDisposition::Same; 909 910 if (equalLettersIgnoringASCIICase(strippedHeader, "same-site")) 911 return FromOriginDisposition::SameSite; 912 913 return FromOriginDisposition::Invalid; 914 } 915 916 } -
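Review bot: parseFromOriginHeader returns `FromOriginDisposition::Invalid` for every value other than 'same' and 'same-site', and shouldCancelCrossOriginLoad in NetworkResourceLoader.cpp treats Invalid exactly like None, so a misspelled or otherwise unrecognized value loads with no restriction at all. The commit description says this is intended, but the parser itself carries no hint that Invalid means "allow". I would add a comment above the function such as `// Callers treat Invalid as "no restriction": an unrecognized value never blocks a load.` It may also be worth logging a console warning for Invalid at the call site, so that a site operator notices a header that is being ignored.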
trunk/Source/WebCore/platform/network/HTTPParsers.h
r230365 r230968 65 65 }; 66 66 67 enum class FromOriginDisposition { 68 None, 69 Same, 70 SameSite, 71 Invalid 72 }; 73 67 74 bool isValidReasonPhrase(const String&); 68 75 bool isValidHTTPHeaderValue(const String&); … … 103 110 104 111 String normalizeHTTPMethod(const String&); 112 113 WEBCORE_EXPORT FromOriginDisposition parseFromOriginHeader(const String&); 105 114 106 115 inline bool isHTTPSpace(UChar character) -
trunk/Source/WebKit/ChangeLog
r230958 r230968 1 2018-04-24 John Wilander <wilander@apple.com> 2 3 From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check 4 https://bugs.webkit.org/show_bug.cgi?id=184560 5 <rdar://problem/38901344> 6 7 Reviewed by Youenn Fablet and Daniel Bates. 8 9 This patch implements significant parts of https://github.com/whatwg/fetch/issues/687. 10 We consume the From-Origin response header and only load the resource if: 11 - The header is non-existent, empty, or invalid. 12 - The header specifies 'same' and the resource's origin matches the originating 13 document's origin and the origins up the frame tree. 14 - The header specifies 'same-site' and the resource's eTLD+1 matches the originating 15 document's eTLD+1 and the eTLD+1 of the documents up the frame tree. 16 17 This feature is experimental and off by default. 18 19 * NetworkProcess/NetworkResourceLoadParameters.cpp: 20 (WebKit::NetworkResourceLoadParameters::encode const): 21 (WebKit::NetworkResourceLoadParameters::decode): 22 Support for the two new load parameters: 23 - shouldEnableFromOriginResponseHeader 24 - frameAncestorOrigins 25 * NetworkProcess/NetworkResourceLoadParameters.h: 26 * NetworkProcess/NetworkResourceLoader.cpp: 27 (WebKit::areFrameAncestorsSameSite): 28 (WebKit::areFrameAncestorsSameOrigin): 29 (WebKit::shouldCancelCrossOriginLoad): 30 The three functions above implement the new blocking logic. 31 (WebKit::fromOriginResourceError): 32 Convenience function that returns an error with the From-Origin error message. 33 (WebKit::NetworkResourceLoader::didReceiveResponse): 34 Now checks for a From-Origin response header. 35 (WebKit::NetworkResourceLoader::didFailLoading): 36 Now checks for a From-Origin response header. 37 (WebKit::NetworkResourceLoader::continueWillSendRedirectedRequest): 38 Now checks for a From-Origin response header. 39 (WebKit::NetworkResourceLoader::didRetrieveCacheEntry): 40 Now checks for a From-Origin response header. 
41 (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry): 42 Now checks for a From-Origin response header. 43 * Shared/WebCoreArgumentCoders.cpp: 44 (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::encode): 45 (IPC::ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode): 46 Now encodes and decodes vectors of RefPtr<WebCore::SecurityOrigin>. 47 * Shared/WebCoreArgumentCoders.h: 48 * Shared/WebPreferences.yaml: 49 Added From-Origin support as an experimental feature. 50 * UIProcess/API/C/WKPreferences.cpp: 51 (WKPreferencesSetFromOriginResponseHeaderEnabled): 52 (WKPreferencesGetFromOriginResponseHeaderEnabled): 53 * UIProcess/API/C/WKPreferencesRef.h: 54 * WebProcess/Network/WebLoaderStrategy.cpp: 55 (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess): 56 Sets the two new load parameters: 57 - shouldEnableFromOriginResponseHeader 58 - frameAncestorOrigins 59 1 60 2018-04-24 Jer Noble <jer.noble@apple.com> 2 61 -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp
r230942 r230968 97 97 encoder.encodeEnum(preflightPolicy); 98 98 99 encoder << shouldEnableFromOriginResponseHeader; 100 if (shouldEnableFromOriginResponseHeader) 101 encoder << frameAncestorOrigins; 102 99 103 #if ENABLE(CONTENT_EXTENSIONS) 100 104 encoder << mainDocumentURL; … … 199 203 return false; 200 204 205 std::optional<bool> shouldEnableFromOriginResponseHeader; 206 decoder >> shouldEnableFromOriginResponseHeader; 207 if (!shouldEnableFromOriginResponseHeader) 208 return false; 209 result.shouldEnableFromOriginResponseHeader = *shouldEnableFromOriginResponseHeader; 210 if (result.shouldEnableFromOriginResponseHeader) { 211 if (!decoder.decode(result.frameAncestorOrigins)) 212 return false; 213 } 214 201 215 #if ENABLE(CONTENT_EXTENSIONS) 202 216 if (!decoder.decode(result.mainDocumentURL)) -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h
r230942 r230968 62 62 bool shouldRestrictHTTPResponseAccess { false }; 63 63 WebCore::PreflightPolicy preflightPolicy { WebCore::PreflightPolicy::Consider }; 64 bool shouldEnableFromOriginResponseHeader { false }; 65 Vector<RefPtr<WebCore::SecurityOrigin>> frameAncestorOrigins; 64 66 65 67 #if ENABLE(CONTENT_EXTENSIONS) -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
r230944 r230968 45 45 #include <WebCore/DiagnosticLoggingKeys.h> 46 46 #include <WebCore/HTTPHeaderNames.h> 47 #include <WebCore/HTTPParsers.h> 47 48 #include <WebCore/NetworkLoadMetrics.h> 48 49 #include <WebCore/ProtectionSpace.h> 49 50 #include <WebCore/SameSiteInfo.h> 51 #include <WebCore/SecurityOrigin.h> 50 52 #include <WebCore/SharedBuffer.h> 51 53 #include <WebCore/SynchronousLoaderClient.h> … … 361 363 } 362 364 365 static bool areFrameAncestorsSameSite(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins) 366 { 367 #if ENABLE(PUBLIC_SUFFIX_LIST) 368 auto responsePartition = ResourceRequest::partitionName(response.url().host()); 369 return frameAncestorOrigins.findMatching([&](const auto& item) { 370 return item->isUnique() || ResourceRequest::partitionName(item->host()) != responsePartition; 371 }) == notFound; 372 #else 373 UNUSED_PARAM(response); 374 UNUSED_PARAM(frameAncestorOrigins); 375 return false; 376 #endif 377 } 378 379 static bool areFrameAncestorsSameOrigin(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins) 380 { 381 return frameAncestorOrigins.findMatching([responseOrigin = SecurityOrigin::create(response.url())](const auto& item) { 382 return !item->isSameOriginAs(responseOrigin); 383 }) == notFound; 384 } 385 386 static bool shouldCancelCrossOriginLoad(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins) 387 { 388 auto fromOriginDirective = WebCore::parseFromOriginHeader(response.httpHeaderField(WebCore::HTTPHeaderName::FromOrigin)); 389 switch (fromOriginDirective) { 390 case WebCore::FromOriginDisposition::None: 391 case WebCore::FromOriginDisposition::Invalid: 392 return false; 393 case WebCore::FromOriginDisposition::Same: 394 return !areFrameAncestorsSameOrigin(response, frameAncestorOrigins); 395 case WebCore::FromOriginDisposition::SameSite: 396 return !areFrameAncestorsSameSite(response, frameAncestorOrigins); 
397 } 398 } 399 400 static ResourceError fromOriginResourceError(const URL& url) 401 { 402 return { errorDomainWebKitInternal, 0, url, ASCIILiteral { "Cancelled load because it violates the resource's From-Origin response header." }, ResourceError::Type::AccessControl }; 403 } 404 363 405 auto NetworkResourceLoader::didReceiveResponse(ResourceResponse&& receivedResponse) -> ShouldContinueDidReceiveResponse 364 406 { … … 391 433 bool shouldWaitContinueDidReceiveResponse = isMainResource(); 392 434 if (shouldSendDidReceiveResponse) { 393 if (m_networkLoadChecker) { 394 auto error = m_networkLoadChecker->validateResponse(m_response); 395 if (!error.isNull()) { 396 RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] { 397 if (protectedThis->m_networkLoad) 398 protectedThis->didFailLoading(error); 399 }); 400 return ShouldContinueDidReceiveResponse::No; 401 } 435 436 ResourceError error; 437 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(m_response, m_parameters.frameAncestorOrigins)) 438 error = fromOriginResourceError(m_response.url()); 439 440 if (error.isNull() && m_networkLoadChecker) 441 error = m_networkLoadChecker->validateResponse(m_response); 442 443 if (!error.isNull()) { 444 RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] { 445 if (protectedThis->m_networkLoad) 446 protectedThis->didFailLoading(error); 447 }); 448 return ShouldContinueDidReceiveResponse::No; 402 449 } 403 450 … … 488 535 void NetworkResourceLoader::didFailLoading(const ResourceError& error) 489 536 { 490 RELEASE_LOG_IF_ALLOWED("didFailLoading: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ", isTimeout = %d, isCancellation = %d, errCode = %d)", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier, error.isTimeout(), error.isCancellation(), error.errorCode());537 RELEASE_LOG_IF_ALLOWED("didFailLoading: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", 
resourceID = %" PRIu64 ", isTimeout = %d, isCancellation = %d, isAccessControl = %d, errCode = %d)", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier, error.isTimeout(), error.isCancellation(), error.isAccessControl(), error.errorCode()); 491 538 492 539 if (shouldCaptureExtraNetworkLoadMetrics()) … … 551 598 if (canUseCachedRedirect(request)) 552 599 m_cache->storeRedirect(request, redirectResponse, redirectRequest); 600 601 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(redirectResponse, m_parameters.frameAncestorOrigins) && m_networkLoad) { 602 didFailLoading(fromOriginResourceError(redirectResponse.url())); 603 return; 604 } 553 605 554 606 send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection))); … … 670 722 { 671 723 auto response = entry->response(); 672 auto error = m_networkLoadChecker ? m_networkLoadChecker->validateResponse(response) : ResourceError { }; 724 725 ResourceError error; 726 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins)) 727 error = fromOriginResourceError(response.url()); 728 729 if (error.isNull() && m_networkLoadChecker) 730 error = m_networkLoadChecker->validateResponse(response); 673 731 674 732 if (!error.isNull()) { … … 781 839 LOG(NetworkCache, "(NetworkProcess) Executing cached redirect"); 782 840 841 auto& response = entry->response(); 842 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins) && m_networkLoad) { 843 didFailLoading(fromOriginResourceError(response.url())); 844 return; 845 } 846 783 847 ++m_redirectCount; 784 send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response()}, 
ResourceResponse::SanitizationType::Redirection) });848 send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { response }, ResourceResponse::SanitizationType::Redirection) }); 785 849 m_isWaitingContinueWillSendRequestForCachedRedirect = true; 786 850 } -
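Review bot: In continueWillSendRedirectedRequest and dispatchWillSendRequestForCacheEntry the From-Origin check is and-ed with `m_networkLoad`, so when m_networkLoad is null a response that shouldCancelCrossOriginLoad rejects falls through to `send(Messages::WebResourceLoader::WillSendRequest …)` and the redirect is delivered anyway. This looks reachable at least on the cached-redirect path, where the response comes from the cache entry, though the lifetime of m_networkLoad is not visible in these hunks. The policy decision should not depend on whether there is a load to cancel. Test `m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins)` on its own and make sure that branch always returns before send(), failing the load in whatever way is safe without a live m_networkLoad. Both functions start outside their hunks.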
trunk/Source/WebKit/Shared/WebCoreArgumentCoders.cpp
r230893 r230968 68 68 #include <WebCore/ScrollingCoordinator.h> 69 69 #include <WebCore/SearchPopupMenu.h> 70 #include <WebCore/SecurityOrigin.h> 70 71 #include <WebCore/ServiceWorkerClientData.h> 71 72 #include <WebCore/ServiceWorkerClientIdentifier.h> … … 2834 2835 #endif // ENABLE(ATTACHMENT_ELEMENT) 2835 2836 2837 void ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::encode(Encoder& encoder, const Vector<RefPtr<SecurityOrigin>>& origins) 2838 { 2839 encoder << static_cast<uint64_t>(origins.size()); 2840 for (auto& origin : origins) 2841 encoder << *origin; 2842 } 2843 2844 bool ArgumentCoder<Vector<RefPtr<SecurityOrigin>>>::decode(Decoder& decoder, Vector<RefPtr<SecurityOrigin>>& origins) 2845 { 2846 uint64_t dataSize; 2847 if (!decoder.decode(dataSize)) 2848 return false; 2849 2850 origins.reserveInitialCapacity(dataSize); 2851 for (uint64_t i = 0; i < dataSize; ++i) { 2852 auto decodedOriginRefPtr = SecurityOrigin::decode(decoder); 2853 if (!decodedOriginRefPtr) 2854 return false; 2855 origins.uncheckedAppend(decodedOriginRefPtr.releaseNonNull()); 2856 } 2857 return true; 2858 } 2859 2836 2860 } // namespace IPC -
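Review bot: decode() passes `dataSize`, a uint64_t read straight from the IPC message, to `origins.reserveInitialCapacity(dataSize)` before any element has been decoded, so the sender chooses the size of the allocation made in the receiving process. This coder carries frameAncestorOrigins inside NetworkResourceLoadParameters, so a bogus count should fail decoding rather than drive an allocation. Dropping the reserve and using `origins.append(decodedOriginRefPtr.releaseNonNull());` in the loop lets the vector grow only as elements actually decode. Separately, encode() dereferences `*origin` with no null check, and an `ASSERT(origin);` in that loop would document that the vector never holds null entries.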
trunk/Source/WebKit/Shared/WebCoreArgumentCoders.h
r230269 r230968 86 86 class ResourceRequest; 87 87 class ResourceResponse; 88 class SecurityOrigin; 88 89 class SpringTimingFunction; 89 90 class StepsTimingFunction; … … 699 700 #endif 700 701 702 template<> struct ArgumentCoder<Vector<RefPtr<WebCore::SecurityOrigin>>> { 703 static void encode(Encoder&, const Vector<RefPtr<WebCore::SecurityOrigin>>&); 704 static bool decode(Decoder&, Vector<RefPtr<WebCore::SecurityOrigin>>&); 705 }; 706 701 707 } // namespace IPC 702 708 -
trunk/Source/WebKit/Shared/WebPreferences.yaml
r230819 r230968 1234 1234 category: experimental 1235 1235 webcoreBinding: RuntimeEnabledFeatures 1236 1237 FromOriginResponseHeaderEnabled: 1238 type: bool 1239 defaultValue: false 1240 humanReadableName: "From-Origin Response Header" 1241 humanReadableDescription: "Support for the From-Origin Response Header" 1242 category: experimental 1243 webcoreBinding: RuntimeEnabledFeatures -
trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp
r230290 r230968 1965 1965 } 1966 1966 1967 void WKPreferencesSetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef, bool flag) 1968 { 1969 toImpl(preferencesRef)->setFromOriginResponseHeaderEnabled(flag); 1970 } 1971 1972 bool WKPreferencesGetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef) 1973 { 1974 return toImpl(preferencesRef)->fromOriginResponseHeaderEnabled(); 1975 } 1976 1967 1977 void WKPreferencesSetRestrictedHTTPResponseAccess(WKPreferencesRef preferencesRef, bool flag) 1968 1978 { -
trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRef.h
r230290 r230968 316 316 WK_EXPORT void WKPreferencesSetRestrictedHTTPResponseAccess(WKPreferencesRef preferencesRef, bool allow); 317 317 318 // Defaults to false. 319 WK_EXPORT bool WKPreferencesGetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef); 320 WK_EXPORT void WKPreferencesSetFromOriginResponseHeaderEnabled(WKPreferencesRef preferencesRef, bool allow); 321 318 322 #ifdef __cplusplus 319 323 } -
trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp
r230942 r230968 326 326 loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate; 327 327 328 bool isMainFrameNavigation = resourceLoader.frame() && resourceLoader.frame()->isMainFrame() && resourceLoader.options().mode == FetchOptions::Mode::Navigate; 329 330 loadParameters.shouldEnableFromOriginResponseHeader = RuntimeEnabledFeatures::sharedFeatures().fromOriginResponseHeaderEnabled() && !isMainFrameNavigation; 331 if (loadParameters.shouldEnableFromOriginResponseHeader) { 332 Vector<RefPtr<WebCore::SecurityOrigin>> frameAncestorOrigins; 333 for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent()) { 334 if (frame->document()) 335 frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin())); 336 if (frame->isMainFrame()) 337 break; 338 } 339 loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins); 340 } 341 328 342 ASSERT((loadParameters.webPageID && loadParameters.webFrameID) || loadParameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials); 329 343 -
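Review bot: If `resourceLoader.frame()` is null, or no frame in the chain has a document, `frameAncestorOrigins` stays empty while `shouldEnableFromOriginResponseHeader` is still true. The null-frame case is one the `isMainFrameNavigation` line already allows for. On the network side, areFrameAncestorsSameOrigin and areFrameAncestorsSameSite return `findMatching(...) == notFound`, which is true for an empty vector, so a response carrying 'same' or 'same-site' is then accepted without being compared against any origin. I would make the empty case explicit rather than vacuously true, for example by starting both helpers with `if (frameAncestorOrigins.isEmpty()) return false;`. If loads without a frame really should be exempt, a comment here saying so would do instead. The enclosing function starts and ends outside the hunk.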
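--- a/trunk/Tools/ChangeLog
+++ b/trunk/Tools/ChangeLog
@@ -1,2 +1,25 @@
+2018-04-24 John Wilander <wilander@apple.com>
+
+From-Origin: Support for 'same' and 'same-site' response header, nested frame origin check
+https://bugs.webkit.org/show_bug.cgi?id=184560
+<rdar://problem/38901344>
+
+Reviewed by Youenn Fablet and Daniel Bates.
+
+This patch implements significant parts of https://github.com/whatwg/fetch/issues/687.
+We consume the From-Origin response header and only load the resource if:
+- The header is non-existent, empty, or invalid.
+- The header specifies 'same' and the resource's origin matches the originating
+document's origin and the origins up the frame tree.
+- The header specifies 'same-site' and the resource's eTLD+1 matches the originating
+document's eTLD+1 and the eTLD+1 of the documents up the frame tree.
+
+This feature is experimental and off by default.
+
+* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+* TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp: Added.
+(TestWebKitAPI::TEST):
+Tests for From-Origin header parsing.
+
 2018-04-24 Carlos Garcia Campos <cgarcia@igalia.com>
 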
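--- a/trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
+++ b/trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
@@ -285,4 +285,5 @@
 63A61B8B1FAD251100F06885 /* display-mode.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 63A61B8A1FAD204D00F06885 /* display-mode.html */; };
 63F668221F97F7F90032EE51 /* ApplicationManifest.mm in Sources */ = {isa = PBXBuildFile; fileRef = 63F668201F97C3AA0032EE51 /* ApplicationManifest.mm */; };
+6B9ABE122086952F00D75DE6 /* HTTPParsers.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 6B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */; };
 6BFD294C1D5E6C1D008EC968 /* HashCountedSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7A38D7E51C752D5F004F157D /* HashCountedSet.cpp */; };
 751B05D61F8EAC410028A09E /* DatabaseTrackerTest.mm in Sources */ = {isa = PBXBuildFile; fileRef = 751B05D51F8EAC1A0028A09E /* DatabaseTrackerTest.mm */; };
@@ -1494,4 +1495,5 @@
 63A61B8A1FAD204D00F06885 /* display-mode.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "display-mode.html"; sourceTree = "<group>"; };
 63F668201F97C3AA0032EE51 /* ApplicationManifest.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = ApplicationManifest.mm; sourceTree = "<group>"; };
+6B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = HTTPParsers.cpp; sourceTree = "<group>"; };
 751B05D51F8EAC1A0028A09E /* DatabaseTrackerTest.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = DatabaseTrackerTest.mm; sourceTree = "<group>"; };
 754CEC801F6722DC00D0039A /* AutoFillAvailable.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = AutoFillAvailable.mm; sourceTree = "<group>"; };
@@ -2331,4 +2333,5 @@
 83B88A331C80056D00BB2418 /* HTMLParserIdioms.cpp */,
 5CA1DEC71F71F40700E71BD3 /* HTTPHeaderField.cpp */,
+6B9ABE112086952F00D75DE6 /* HTTPParsers.cpp */,
 7A909A731D877475007E10F8 /* IntPoint.cpp */,
 7A909A741D877475007E10F8 /* IntRect.cpp */,
@@ -3576,4 +3579,5 @@
 7C83E0501D0A641800FEBCF3 /* HTMLParserIdioms.cpp in Sources */,
 5CA1DEC81F71F70100E71BD3 /* HTTPHeaderField.cpp in Sources */,
+6B9ABE122086952F00D75DE6 /* HTTPParsers.cpp in Sources */,
 51AF23DF1EF1A3730072F281 /* IconLoadingDelegate.mm in Sources */,
 510477781D29923B009747EB /* IDBDeleteRecovery.mm in Sources */,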