Changeset 232217 in webkit
- Timestamp:
- May 25, 2018 5:06:08 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 19 added
- 1 deleted
- 13 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r232213 r232217 1 2018-05-25 Youenn Fablet <youenn@apple.com> 2 3 Migrate From-Origin to Cross-Origin-Resource-Policy 4 https://bugs.webkit.org/show_bug.cgi?id=185840 5 6 Reviewed by Chris Dumez. 7 8 Migrating From-Origin tests to Cross-Origin-Resource-Policy tests. 9 Given the scope of the header is reduced to no-cors and no ancestor checks, 10 We cover the new header with fetch/image/script loads. 11 12 * TestExpectations: 13 * http/tests/from-origin: Removed. 14 * http/wpt/cross-origin-resource-policy/fetch-expected.txt: Added. 15 * http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt: Added. 16 * http/wpt/cross-origin-resource-policy/fetch-in-iframe.html: Added. 17 * http/wpt/cross-origin-resource-policy/fetch.html: Added. 18 * http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt: Added. 19 * http/wpt/cross-origin-resource-policy/iframe-loads.html: Added. 20 * http/wpt/cross-origin-resource-policy/image-loads-expected.txt: Added. 21 * http/wpt/cross-origin-resource-policy/image-loads.html: Added. 22 * http/wpt/cross-origin-resource-policy/resources/green.png: Added. 23 * http/wpt/cross-origin-resource-policy/resources/hello.py: Added. 24 * http/wpt/cross-origin-resource-policy/resources/iframe.py: Added. 25 * http/wpt/cross-origin-resource-policy/resources/iframeFetch.html: Added. 26 * http/wpt/cross-origin-resource-policy/resources/image.py: Added. 27 * http/wpt/cross-origin-resource-policy/resources/redirect.py: Added. 28 * http/wpt/cross-origin-resource-policy/resources/script.py: Added. 29 * http/wpt/cross-origin-resource-policy/script-loads-expected.txt: Added. 30 * http/wpt/cross-origin-resource-policy/script-loads.html: Added. 31 * platform/wk2/TestExpectations: 32 1 33 2018-05-25 David Fenton <david_fenton@apple.com> 2 34 -
trunk/LayoutTests/TestExpectations
r232183 r232217 370 370 371 371 # Only supported in WebKit2. 372 http/ tests/from-origin/ [ Skip ]372 http/wpt/cross-origin-resource-policy/ [ Skip ] 373 373 374 374 #////////////////////////////////////////////////////////////////////////////////////////// -
trunk/LayoutTests/platform/wk2/TestExpectations
r231597 r232217 711 711 http/tests/navigation/process-swap-window-open.html [ Pass ] 712 712 713 # From-Originresponse header is only implemented in WebKit2.714 http/ tests/from-origin/ [ Pass ]713 # Cross-Origin-Resource-Policy response header is only implemented in WebKit2. 714 http/wpt/cross-origin-resource-policy/ [ Pass ] 715 715 716 716 ### END OF (5) Progressions, expected successes that are expected failures in WebKit1. -
trunk/Source/WebCore/ChangeLog
r232216 r232217 1 2018-05-25 Youenn Fablet <youenn@apple.com> 2 3 Migrate From-Origin to Cross-Origin-Resource-Policy 4 https://bugs.webkit.org/show_bug.cgi?id=185840 5 6 Reviewed by Chris Dumez. 7 8 Tests: http/wpt/cross-origin-resource-policy/fetch-in-iframe.html 9 http/wpt/cross-origin-resource-policy/fetch.html 10 http/wpt/cross-origin-resource-policy/iframe-loads.html 11 http/wpt/cross-origin-resource-policy/image-loads.html 12 http/wpt/cross-origin-resource-policy/script-loads.html 13 14 * platform/network/HTTPHeaderNames.in: 15 * platform/network/HTTPParsers.cpp: 16 (WebCore::parseCrossOriginResourcePolicyHeader): 17 * platform/network/HTTPParsers.h: 18 1 19 2018-05-25 Daniel Bates <dabates@apple.com> 2 20 -
trunk/Source/WebCore/platform/network/HTTPHeaderNames.in
r231813 r232217 52 52 Cookie2 53 53 Cross-Origin-Options 54 Cross-Origin-Resource-Policy 54 55 Date 55 56 DNT … … 58 59 Expect 59 60 Expires 60 From-Origin61 61 Host 62 62 If-Match -
trunk/Source/WebCore/platform/network/HTTPParsers.cpp
r231654 r232217 898 898 } 899 899 900 FromOriginDisposition parseFromOriginHeader(const String&header)900 CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView header) 901 901 { 902 902 auto strippedHeader = stripLeadingAndTrailingHTTPSpaces(header); 903 903 904 904 if (strippedHeader.isEmpty()) 905 return FromOriginDisposition::None;905 return CrossOriginResourcePolicy::None; 906 906 907 907 if (equalLettersIgnoringASCIICase(strippedHeader, "same")) 908 return FromOriginDisposition::Same;908 return CrossOriginResourcePolicy::Same; 909 909 910 910 if (equalLettersIgnoringASCIICase(strippedHeader, "same-site")) 911 return FromOriginDisposition::SameSite;912 913 return FromOriginDisposition::Invalid;911 return CrossOriginResourcePolicy::SameSite; 912 913 return CrossOriginResourcePolicy::Invalid; 914 914 } 915 915 -
trunk/Source/WebCore/platform/network/HTTPParsers.h
r231622 r232217 65 65 }; 66 66 67 enum class FromOriginDisposition{67 enum class CrossOriginResourcePolicy { 68 68 None, 69 69 Same, … … 118 118 String normalizeHTTPMethod(const String&); 119 119 120 WEBCORE_EXPORT FromOriginDisposition parseFromOriginHeader(const String&);120 WEBCORE_EXPORT CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView); 121 121 CrossOriginOptions parseCrossOriginOptionsHeader(StringView); 122 122 -
trunk/Source/WebKit/ChangeLog
r232216 r232217 1 2018-05-25 Youenn Fablet <youenn@apple.com> 2 3 Migrate From-Origin to Cross-Origin-Resource-Policy 4 https://bugs.webkit.org/show_bug.cgi?id=185840 5 6 Reviewed by Chris Dumez. 7 8 Do Cross-Origin-Resource-Policy (CORP) checks in NetworkLoadChecker instead of NetworkResourceLoader directly. 9 Make sure CORP only applies to no-cors loads. 10 Remove ancestor checks and only consider the document origin making the load. 11 This means that in case of cross-origin redirection to same-origin, the redirection will be CORP-checked, 12 the final response will not be CORP-checked but will be opaque. 13 14 * NetworkProcess/NetworkLoadChecker.cpp: 15 (WebKit::NetworkLoadChecker::validateCrossOriginResourcePolicyPolicy): 16 (WebKit::NetworkLoadChecker::validateResponse): 17 * NetworkProcess/NetworkLoadChecker.h: 18 * NetworkProcess/NetworkResourceLoader.cpp: 19 (WebKit::NetworkResourceLoader::retrieveCacheEntry): 20 (WebKit::NetworkResourceLoader::didReceiveResponse): 21 (WebKit::NetworkResourceLoader::continueWillSendRedirectedRequest): 22 (WebKit::NetworkResourceLoader::didRetrieveCacheEntry): 23 (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry): 24 * NetworkProcess/NetworkResourceLoader.h: 25 * WebProcess/Network/WebLoaderStrategy.cpp: 26 (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess): 27 Send ancestor information for navigation loads only. 28 1 29 2018-05-25 Daniel Bates <dabates@apple.com> 2 30 -
trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp
r232121 r232217 132 132 } 133 133 134 bool NetworkLoadChecker::shouldCrossOriginResourcePolicyPolicyCancelLoad(const ResourceResponse& response) 135 { 136 if (m_origin->canRequest(response.url())) 137 return false; 138 139 auto policy = parseCrossOriginResourcePolicyHeader(response.httpHeaderField(HTTPHeaderName::CrossOriginResourcePolicy)); 140 switch (policy) { 141 case CrossOriginResourcePolicy::None: 142 case CrossOriginResourcePolicy::Invalid: 143 return false; 144 case CrossOriginResourcePolicy::Same: 145 return true; 146 case CrossOriginResourcePolicy::SameSite: { 147 #if ENABLE(PUBLIC_SUFFIX_LIST) 148 return m_origin->isUnique() || !registrableDomainsAreEqual(response.url(), ResourceRequest::partitionName(m_origin->host())); 149 #else 150 return true; 151 #endif 152 }} 153 154 RELEASE_ASSERT_NOT_REACHED(); 155 } 156 134 157 ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response) 135 158 { … … 148 171 149 172 if (m_options.mode == FetchOptions::Mode::NoCors) { 173 if (shouldCrossOriginResourcePolicyPolicyCancelLoad(response)) 174 return ResourceError { errorDomainWebKitInternal, 0, m_url, makeString("Cancelled load to ", response.url().stringCenterEllipsizedToLength(), " because it violates the resource's Cross-Origin-Resource-Policy response header."), ResourceError::Type::AccessControl }; 150 175 response.setTainting(ResourceResponse::Tainting::Opaque); 151 176 return { }; -
trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h
r232032 r232217 111 111 ResourceLoadIdentifier m_loadIdentifier; 112 112 113 bool shouldCrossOriginResourcePolicyPolicyCancelLoad(const WebCore::ResourceResponse&); 114 113 115 WebCore::FetchOptions m_options; 114 116 WebCore::StoredCredentialsPolicy m_storedCredentialsPolicy; -
trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
r232198 r232217 362 362 } 363 363 364 static bool areFrameAncestorsSameSite(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)365 {366 #if ENABLE(PUBLIC_SUFFIX_LIST)367 auto responsePartition = ResourceRequest::partitionName(response.url().host().toString());368 return frameAncestorOrigins.findMatching([&](const auto& item) {369 return item->isUnique() || ResourceRequest::partitionName(item->host()) != responsePartition;370 }) == notFound;371 #else372 UNUSED_PARAM(response);373 UNUSED_PARAM(frameAncestorOrigins);374 return false;375 #endif376 }377 378 static bool areFrameAncestorsSameOrigin(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)379 {380 return frameAncestorOrigins.findMatching([responseOrigin = SecurityOrigin::create(response.url())](const auto& item) {381 return !item->isSameOriginAs(responseOrigin);382 }) == notFound;383 }384 385 static bool shouldCancelCrossOriginLoad(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)386 {387 auto fromOriginDirective = WebCore::parseFromOriginHeader(response.httpHeaderField(WebCore::HTTPHeaderName::FromOrigin));388 switch (fromOriginDirective) {389 case WebCore::FromOriginDisposition::None:390 case WebCore::FromOriginDisposition::Invalid:391 return false;392 case WebCore::FromOriginDisposition::Same:393 return !areFrameAncestorsSameOrigin(response, frameAncestorOrigins);394 case WebCore::FromOriginDisposition::SameSite:395 return !areFrameAncestorsSameSite(response, frameAncestorOrigins);396 }397 398 RELEASE_ASSERT_NOT_REACHED();399 }400 401 static ResourceError fromOriginResourceError(const URL& url)402 {403 return { errorDomainWebKitInternal, 0, url, ASCIILiteral { "Cancelled load because it violates the resource's From-Origin response header." }, ResourceError::Type::AccessControl };404 }405 406 364 bool NetworkResourceLoader::shouldInterruptLoadForXFrameOptions(const String& xFrameOptions, const URL& url) 407 365 { … … 492 450 return ShouldContinueDidReceiveResponse::Yes; 493 451 494 ResourceError error; 495 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(m_response, m_parameters.frameAncestorOrigins)) 496 error = fromOriginResourceError(m_response.url()); 497 if (error.isNull() && isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(m_response)) { 452 if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(m_response)) { 498 453 send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { }); 499 454 return ShouldContinueDidReceiveResponse::No; 500 455 } 501 if (error.isNull() && m_networkLoadChecker) 502 error = m_networkLoadChecker->validateResponse(m_response); 503 if (!error.isNull()) { 504 RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] { 505 if (protectedThis->m_networkLoad) 506 protectedThis->didFailLoading(error); 507 }); 508 return ShouldContinueDidReceiveResponse::No; 456 457 if (m_networkLoadChecker) { 458 auto error = m_networkLoadChecker->validateResponse(m_response); 459 if (!error.isNull()) { 460 RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] { 461 if (protectedThis->m_networkLoad) 462 protectedThis->didFailLoading(error); 463 }); 464 return ShouldContinueDidReceiveResponse::No; 465 } 509 466 } 510 467 … … 662 619 { 663 620 ASSERT(!isSynchronous()); 664 665 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(redirectResponse, m_parameters.frameAncestorOrigins) && m_networkLoad) {666 didFailLoading(fromOriginResourceError(redirectResponse.url()));667 return;668 }669 621 670 622 send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection))); … … 805 757 auto response = entry->response(); 806 758 807 ResourceError error; 808 if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins)) 809 error = fromOriginResourceError(response.url()); 810 if (error.isNull() && isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(response)) { 759 if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(response)) { 811 760 send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { }); 812 761 return; 813 762 } 814 if ( error.isNull() && m_networkLoadChecker)815 error = m_networkLoadChecker->validateResponse(response);816 817 if (!error.isNull()) {818 didFailLoading(error);819 return;763 if (m_networkLoadChecker) { 764 auto error = m_networkLoadChecker->validateResponse(response); 765 if (!error.isNull()) { 766 didFailLoading(error); 767 return; 768 } 820 769 } 821 770 -
trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp
r232056 r232217 330 330 loadParameters.shouldEnableFromOriginResponseHeader = RuntimeEnabledFeatures::sharedFeatures().fromOriginResponseHeaderEnabled() && !loadParameters.isMainFrameNavigation; 331 331 332 Vector<RefPtr<SecurityOrigin>> frameAncestorOrigins; 333 for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent()) 334 frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin())); 335 loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins); 332 if (resourceLoader.options().mode == FetchOptions::Mode::Navigate) { 333 Vector<RefPtr<SecurityOrigin>> frameAncestorOrigins; 334 for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent()) 335 frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin())); 336 loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins); 337 } 336 338 337 339 ASSERT((loadParameters.webPageID && loadParameters.webFrameID) || loadParameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials); -
trunk/Tools/TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp
r230968 r232217 33 33 namespace TestWebKitAPI { 34 34 35 TEST(HTTPParsers, Parse FromOriginHeader)35 TEST(HTTPParsers, ParseCrossOriginResourcePolicyHeader) 36 36 { 37 EXPECT_TRUE(parse FromOriginHeader("") == FromOriginDisposition::None);38 EXPECT_TRUE(parse FromOriginHeader(" ") == FromOriginDisposition::None);37 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("") == CrossOriginResourcePolicy::None); 38 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" ") == CrossOriginResourcePolicy::None); 39 39 40 EXPECT_TRUE(parse FromOriginHeader("same") == FromOriginDisposition::Same);41 EXPECT_TRUE(parse FromOriginHeader("Same") == FromOriginDisposition::Same);42 EXPECT_TRUE(parse FromOriginHeader("SAME") == FromOriginDisposition::Same);43 EXPECT_TRUE(parse FromOriginHeader(" same ") == FromOriginDisposition::Same);40 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same") == CrossOriginResourcePolicy::Same); 41 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same") == CrossOriginResourcePolicy::Same); 42 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME") == CrossOriginResourcePolicy::Same); 43 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same ") == CrossOriginResourcePolicy::Same); 44 44 45 EXPECT_TRUE(parse FromOriginHeader("same-site") == FromOriginDisposition::SameSite);46 EXPECT_TRUE(parse FromOriginHeader("Same-Site") == FromOriginDisposition::SameSite);47 EXPECT_TRUE(parse FromOriginHeader("SAME-SITE") == FromOriginDisposition::SameSite);48 EXPECT_TRUE(parse FromOriginHeader(" same-site ") == FromOriginDisposition::SameSite);45 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same-site") == CrossOriginResourcePolicy::SameSite); 46 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Site") == CrossOriginResourcePolicy::SameSite); 47 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-SITE") == CrossOriginResourcePolicy::SameSite); 48 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same-site ") == CrossOriginResourcePolicy::SameSite); 49 49 50 EXPECT_TRUE(parse FromOriginHeader("zame") == FromOriginDisposition::Invalid);51 EXPECT_TRUE(parse FromOriginHeader("samesite") == FromOriginDisposition::Invalid);52 EXPECT_TRUE(parse FromOriginHeader("same site") == FromOriginDisposition::Invalid);53 EXPECT_TRUE(parse FromOriginHeader("same–site") == FromOriginDisposition::Invalid);54 EXPECT_TRUE(parse FromOriginHeader("SAMESITE") == FromOriginDisposition::Invalid);55 EXPECT_TRUE(parse FromOriginHeader("") == FromOriginDisposition::Invalid);50 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("zame") == CrossOriginResourcePolicy::Invalid); 51 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("samesite") == CrossOriginResourcePolicy::Invalid); 52 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same site") == CrossOriginResourcePolicy::Invalid); 53 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same–site") == CrossOriginResourcePolicy::Invalid); 54 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAMESITE") == CrossOriginResourcePolicy::Invalid); 55 EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("") == CrossOriginResourcePolicy::Invalid); 56 56 } 57 57
Note: See TracChangeset
for help on using the changeset viewer.