Changeset 249192 in webkit

Timestamp:

Aug 28, 2019 3:15:36 AM (5 years ago)

Author:

Claudio Saavedra

Message:

[GTK][WPE] Implement HSTS for the soup network backend
​https://bugs.webkit.org/show_bug.cgi?id=192074

Reviewed by Carlos Garcia Campos.

libsoup 2.67.1 introduced HSTS support via a SoupSessionFeature.
Add support to the soup network backend by adding the feature to
SoupNetworkSession and handling HSTS protocol upgrades, by
propagating the scheme change further to clients. This patch adds
the HSTS feature unconditionally, but it still possible to add
a boolean property to the web context class if desired.

Additionally, add API to the WebKitWebsiteDataManager to specify
the directory where the HSTS database is saved. If the directory
is not set or if the data manager is ephemeral, use a
non-persistent, memory only HSTS enforcer.

Implement as well the methods needed to clean-up and delete HSTS
Source/WebCore:

policies from the storage and expose the feature in GTK+ MiniBrowser's
about:data.

• platform/network/soup/GUniquePtrSoup.h:
• platform/network/soup/SoupNetworkSession.cpp:

(WebCore::hstsStorageDirectory):
(WebCore::SoupNetworkSession::SoupNetworkSession):
(WebCore::SoupNetworkSession::setHSTSPersistentStorage):
(WebCore::SoupNetworkSession::setupHSTSEnforcer):
(WebCore::SoupNetworkSession::getHostNamesWithHSTSCache):
(WebCore::SoupNetworkSession::deleteHSTSCacheForHostNames):
(WebCore::SoupNetworkSession::clearHSTSCache):

• platform/network/soup/SoupNetworkSession.h:

Source/WebKit:

policies from the storage and expose the feature in GTK+
MiniBrowser's about:data.

• NetworkProcess/NetworkProcess.cpp:

(WebKit::NetworkProcess::fetchWebsiteData):
(WebKit::NetworkProcess::deleteWebsiteData):
(WebKit::NetworkProcess::deleteWebsiteDataForOrigins):
(WebKit::NetworkProcess::deleteWebsiteDataForRegistrableDomains):
(WebKit::NetworkProcess::registrableDomainsWithWebsiteData):

• NetworkProcess/NetworkProcess.h:

(WebKit::NetworkProcess::suppressesConnectionTerminationOnSystemChange const):

• NetworkProcess/soup/NetworkDataTaskSoup.cpp:

(WebKit::NetworkDataTaskSoup::createRequest):
(WebKit::NetworkDataTaskSoup::clearRequest):
(WebKit::NetworkDataTaskSoup::shouldAllowHSTSPolicySetting const):
(WebKit::NetworkDataTaskSoup::shouldAllowHSTSProtocolUpgrade const):
(WebKit::NetworkDataTaskSoup::protocolUpgradedViaHSTS):
(WebKit::NetworkDataTaskSoup::hstsEnforced):

• NetworkProcess/soup/NetworkDataTaskSoup.h:
• NetworkProcess/soup/NetworkProcessSoup.cpp:

(WebKit::NetworkProcess::getHostNamesWithHSTSCache):
(WebKit::NetworkProcess::deleteHSTSCacheForHostNames):
(WebKit::NetworkProcess::clearHSTSCache):
(WebKit::NetworkProcess::platformInitializeNetworkProcess):

• UIProcess/API/APIWebsiteDataStore.h:
• UIProcess/API/glib/APIWebsiteDataStoreGLib.cpp:

(API::WebsiteDataStore::defaultHSTSDirectory):

• UIProcess/API/glib/WebKitWebContext.cpp:

(webkitWebContextConstructed):

• UIProcess/API/glib/WebKitWebsiteData.cpp:

(recordContainsSupportedDataTypes):
(toWebKitWebsiteDataTypes):

• UIProcess/API/glib/WebKitWebsiteDataManager.cpp:

(webkitWebsiteDataManagerGetProperty):
(webkitWebsiteDataManagerSetProperty):
(webkitWebsiteDataManagerConstructed):
(webkit_website_data_manager_class_init):
(webkitWebsiteDataManagerGetDataStore):
(webkit_website_data_manager_get_hsts_cache_directory):
(toWebsiteDataTypes):

• UIProcess/API/gtk/WebKitWebsiteData.h:
• UIProcess/API/gtk/WebKitWebsiteDataManager.h:
• UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt:
• UIProcess/API/wpe/WebKitWebsiteData.h:
• UIProcess/API/wpe/WebKitWebsiteDataManager.h:
• UIProcess/API/wpe/docs/wpe-1.0-sections.txt:
• UIProcess/WebsiteData/WebsiteDataStoreConfiguration.cpp:

(WebKit::WebsiteDataStoreConfiguration::copy):

• UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:

(WebKit::WebsiteDataStoreConfiguration::hstsStorageDirectory const):
(WebKit::WebsiteDataStoreConfiguration::setHSTSStorageDirectory):

Tools:

policies from the storage and expose the feature in GTK+
MiniBrowser's about:data.

• MiniBrowser/gtk/main.c:

(gotWebsiteDataCallback):

• TestWebKitAPI/Tests/WebKitGLib/TestWebsiteData.cpp:

(serverCallback):
(testWebsiteDataConfiguration):
(testWebsiteDataEphemeral):
(prepopulateHstsData):
(testWebsiteDataHsts):
(beforeAll):

• TestWebKitAPI/glib/WebKitGLib/TestMain.h:

(Test::Test):

• gtk/jhbuild.modules: Bump libsoup to 2.67.91 for the new APIs
• wpe/jhbuild.modules: Ditto
• MiniBrowser/gtk/main.c:

(gotWebsiteDataCallback):

Location:

trunk

Files:

• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/network/soup/GUniquePtrSoup.h (modified) (1 diff)
• Source/WebCore/platform/network/soup/SoupNetworkSession.cpp (modified) (5 diffs)
• Source/WebCore/platform/network/soup/SoupNetworkSession.h (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkProcess.cpp (modified) (5 diffs)
• Source/WebKit/NetworkProcess/NetworkProcess.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp (modified) (4 diffs)
• Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/soup/NetworkProcessSoup.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/API/APIWebsiteDataStore.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/glib/APIWebsiteDataStoreGLib.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/API/glib/WebKitWebsiteData.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/API/glib/WebKitWebsiteDataManager.cpp (modified) (9 diffs)
• Source/WebKit/UIProcess/API/gtk/WebKitWebsiteData.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/gtk/WebKitWebsiteDataManager.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt (modified) (1 diff)
• Source/WebKit/UIProcess/API/wpe/WebKitWebsiteData.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/wpe/WebKitWebsiteDataManager.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/wpe/docs/wpe-1.0-sections.txt (modified) (1 diff)
• Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.cpp (modified) (1 diff)
• Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/MiniBrowser/gtk/main.c (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebsiteData.cpp (modified) (8 diffs)
• Tools/TestWebKitAPI/glib/WebKitGLib/TestMain.h (modified) (1 diff)
• Tools/gtk/jhbuild.modules (modified) (1 diff)
• Tools/wpe/jhbuild.modules (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-08-28  Claudio Saavedra  <csaavedra@igalia.com>
+
+        [GTK][WPE] Implement HSTS for the soup network backend
+        https://bugs.webkit.org/show_bug.cgi?id=192074
+
+        Reviewed by Carlos Garcia Campos.
+
+        libsoup 2.67.1 introduced HSTS support via a SoupSessionFeature.
+        Add support to the soup network backend by adding the feature to
+        SoupNetworkSession and handling HSTS protocol upgrades, by
+        propagating the scheme change further to clients. This patch adds
+        the HSTS feature unconditionally, but it still possible to add
+        a boolean property to the web context class if desired.
+
+        Additionally, add API to the WebKitWebsiteDataManager to specify
+        the directory where the HSTS database is saved. If the directory
+        is not set or if the data manager is ephemeral, use a
+        non-persistent, memory only HSTS enforcer.
+
+        Implement as well the methods needed to clean-up and delete HSTS
+        policies from the storage and expose the feature in GTK+ MiniBrowser's
+        about:data.
+
+        * platform/network/soup/GUniquePtrSoup.h:
+        * platform/network/soup/SoupNetworkSession.cpp:
+        (WebCore::hstsStorageDirectory):
+        (WebCore::SoupNetworkSession::SoupNetworkSession):
+        (WebCore::SoupNetworkSession::setHSTSPersistentStorage):
+        (WebCore::SoupNetworkSession::setupHSTSEnforcer):
+        (WebCore::SoupNetworkSession::getHostNamesWithHSTSCache):
+        (WebCore::SoupNetworkSession::deleteHSTSCacheForHostNames):
+        (WebCore::SoupNetworkSession::clearHSTSCache):
+        * platform/network/soup/SoupNetworkSession.h:
+
 2019-08-28  Said Abou-Hallawa  <sabouhallawa@apple.com>
 

trunk/Source/WebCore/platform/network/soup/GUniquePtrSoup.h

@@ -33 +33 @@
 WTF_DEFINE_GPTR_DELETER(SoupMessageHeaders, soup_message_headers_free)
 WTF_DEFINE_GPTR_DELETER(SoupBuffer, soup_buffer_free)
+#if SOUP_CHECK_VERSION(2, 67, 1)
+WTF_DEFINE_GPTR_DELETER(SoupHSTSPolicy, soup_hsts_policy_free)
+#endif
 
 } // namespace WTF

trunk/Source/WebCore/platform/network/soup/SoupNetworkSession.cpp

@@ -60 +60 @@
 }
 
+static CString& hstsStorageDirectory()
+{
+    static NeverDestroyed<CString> directory;
+    return directory.get();
+}
+
 #if !LOG_DISABLED
 inline static void soupLogPrinter(SoupLogger*, SoupLoggerLogLevel, char direction, const char* data, gpointer)
@@ -109 +115 @@
 SoupNetworkSession::SoupNetworkSession(PAL::SessionID sessionID)
     : m_soupSession(adoptGRef(soup_session_new()))
+    , m_sessionID(sessionID)
 {
     // Values taken from http://www.browserscope.org/ following
@@ -133 +140 @@
         setAcceptLanguages(initialAcceptLanguages());
 
-    if (soup_auth_negotiate_supported() && !sessionID.isEphemeral()) {
+    if (soup_auth_negotiate_supported() && !m_sessionID.isEphemeral()) {
         g_object_set(m_soupSession.get(),
             SOUP_SESSION_ADD_FEATURE_BY_TYPE, SOUP_TYPE_AUTH_NEGOTIATE,
@@ -142 +149 @@
         setupProxy();
     setupLogger();
+    setupHSTSEnforcer();
 }
 
@@ -168 +176 @@
 {
     return SOUP_COOKIE_JAR(soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_COOKIE_JAR));
+}
+
+void SoupNetworkSession::setHSTSPersistentStorage(const CString& directory)
+{
+    hstsStorageDirectory() = directory;
+}
+
+void SoupNetworkSession::setupHSTSEnforcer()
+{
+#if SOUP_CHECK_VERSION(2, 67, 1)
+    if (soup_session_has_feature(m_soupSession.get(), SOUP_TYPE_HSTS_ENFORCER))
+        soup_session_remove_feature_by_type(m_soupSession.get(), SOUP_TYPE_HSTS_ENFORCER);
+
+    GRefPtr<SoupHSTSEnforcer> enforcer;
+    if (m_sessionID.isEphemeral() || hstsStorageDirectory().isNull())
+        enforcer = adoptGRef(soup_hsts_enforcer_new());
+    else {
+        if (FileSystem::makeAllDirectories(hstsStorageDirectory().data())) {
+            CString storagePath = FileSystem::fileSystemRepresentation(hstsStorageDirectory().data());
+            GUniquePtr<char> dbFilename(g_build_filename(storagePath.data(), "hsts-storage.sqlite", nullptr));
+            enforcer = adoptGRef(soup_hsts_enforcer_db_new(dbFilename.get()));
+        } else {
+            RELEASE_LOG_ERROR("Unable to create the HSTS storage directory \"%s\". Using a memory enforcer instead.", hstsStorageDirectory.data());
+            enforcer = adoptGRef(soup_hsts_enforcer_new());
+        }
+    }
+    soup_session_add_feature(m_soupSession.get(), SOUP_SESSION_FEATURE(enforcer.get()));
+#endif
+}
+
+void SoupNetworkSession::getHostNamesWithHSTSCache(HashSet<String>& hostNames)
+{
+#if SOUP_CHECK_VERSION(2, 67, 91)
+    SoupHSTSEnforcer* enforcer = SOUP_HSTS_ENFORCER(soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_HSTS_ENFORCER));
+    if (!enforcer)
+        return;
+
+    GUniquePtr<GList> domains(soup_hsts_enforcer_get_domains(enforcer, FALSE));
+    for (GList* iter = domains.get(); iter; iter = iter->next) {
+        GUniquePtr<gchar> domain(static_cast<gchar*>(iter->data));
+        hostNames.add(String::fromUTF8(domain.get()));
+    }
+#else
+    UNUSED_PARAM(hostNames);
+#endif
+}
+
+void SoupNetworkSession::deleteHSTSCacheForHostNames(const Vector<String>& hostNames)
+{
+#if SOUP_CHECK_VERSION(2, 67, 1)
+    SoupHSTSEnforcer* enforcer = SOUP_HSTS_ENFORCER(soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_HSTS_ENFORCER));
+    if (!enforcer)
+        return;
+
+    for (const auto& hostName : hostNames) {
+        GUniquePtr<SoupHSTSPolicy> policy(soup_hsts_policy_new(hostName.utf8().data(), SOUP_HSTS_POLICY_MAX_AGE_PAST, FALSE));
+        soup_hsts_enforcer_set_policy(enforcer, policy.get());
+    }
+#else
+    UNUSED_PARAM(hostNames);
+#endif
+}
+
+void SoupNetworkSession::clearHSTSCache(WallTime modifiedSince)
+{
+#if SOUP_CHECK_VERSION(2, 67, 91)
+    SoupHSTSEnforcer* enforcer = SOUP_HSTS_ENFORCER(soup_session_get_feature(m_soupSession.get(), SOUP_TYPE_HSTS_ENFORCER));
+    if (!enforcer)
+        return;
+
+    GUniquePtr<GList> policies(soup_hsts_enforcer_get_policies(enforcer, FALSE));
+    for (GList* iter = policies.get(); iter != nullptr; iter = iter->next) {
+        GUniquePtr<SoupHSTSPolicy> policy(static_cast<SoupHSTSPolicy*>(iter->data));
+        auto modified = soup_date_to_time_t(policy.get()->expires) - policy.get()->max_age;
+        if (modified >= modifiedSince.secondsSinceEpoch().seconds()) {
+            GUniquePtr<SoupHSTSPolicy> newPolicy(soup_hsts_policy_new(policy.get()->domain, SOUP_HSTS_POLICY_MAX_AGE_PAST, FALSE));
+            soup_hsts_enforcer_set_policy(enforcer, newPolicy.get());
+        }
+    }
+#else
+    UNUSED_PARAM(modifiedSince);
+#endif
 }
 

trunk/Source/WebCore/platform/network/soup/SoupNetworkSession.h

@@ -58 +58 @@
     SoupCookieJar* cookieJar() const;
 
+    static void setHSTSPersistentStorage(const CString& hstsStorageDirectory);
+    void setupHSTSEnforcer();
+
     static void clearOldSoupCache(const String& cacheDirectory);
 
@@ -73 +76 @@
     void setupCustomProtocols();
 
+    void getHostNamesWithHSTSCache(HashSet<String>&);
+    void deleteHSTSCacheForHostNames(const Vector<String>&);
+    void clearHSTSCache(WallTime);
+
 private:
     void setupLogger();
 
     GRefPtr<SoupSession> m_soupSession;
+    PAL::SessionID m_sessionID;
 };
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-08-28  Claudio Saavedra  <csaavedra@igalia.com>
+
+        [GTK][WPE] Implement HSTS for the soup network backend
+        https://bugs.webkit.org/show_bug.cgi?id=192074
+
+        Reviewed by Carlos Garcia Campos.
+
+        libsoup 2.67.1 introduced HSTS support via a SoupSessionFeature.
+        Add support to the soup network backend by adding the feature to
+        SoupNetworkSession and handling HSTS protocol upgrades, by
+        propagating the scheme change further to clients. This patch adds
+        the HSTS feature unconditionally, but it still possible to add
+        a boolean property to the web context class if desired.
+
+        Additionally, add API to the WebKitWebsiteDataManager to specify
+        the directory where the HSTS database is saved. If the directory
+        is not set or if the data manager is ephemeral, use a
+        non-persistent, memory only HSTS enforcer.
+
+        Implement as well the methods needed to clean-up and delete HSTS
+        policies from the storage and expose the feature in GTK+
+        MiniBrowser's about:data.
+
+        * NetworkProcess/NetworkProcess.cpp:
+        (WebKit::NetworkProcess::fetchWebsiteData):
+        (WebKit::NetworkProcess::deleteWebsiteData):
+        (WebKit::NetworkProcess::deleteWebsiteDataForOrigins):
+        (WebKit::NetworkProcess::deleteWebsiteDataForRegistrableDomains):
+        (WebKit::NetworkProcess::registrableDomainsWithWebsiteData):
+        * NetworkProcess/NetworkProcess.h:
+        (WebKit::NetworkProcess::suppressesConnectionTerminationOnSystemChange const):
+        * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+        (WebKit::NetworkDataTaskSoup::createRequest):
+        (WebKit::NetworkDataTaskSoup::clearRequest):
+        (WebKit::NetworkDataTaskSoup::shouldAllowHSTSPolicySetting const):
+        (WebKit::NetworkDataTaskSoup::shouldAllowHSTSProtocolUpgrade const):
+        (WebKit::NetworkDataTaskSoup::protocolUpgradedViaHSTS):
+        (WebKit::NetworkDataTaskSoup::hstsEnforced):
+        * NetworkProcess/soup/NetworkDataTaskSoup.h:
+        * NetworkProcess/soup/NetworkProcessSoup.cpp:
+        (WebKit::NetworkProcess::getHostNamesWithHSTSCache):
+        (WebKit::NetworkProcess::deleteHSTSCacheForHostNames):
+        (WebKit::NetworkProcess::clearHSTSCache):
+        (WebKit::NetworkProcess::platformInitializeNetworkProcess):
+        * UIProcess/API/APIWebsiteDataStore.h:
+        * UIProcess/API/glib/APIWebsiteDataStoreGLib.cpp:
+        (API::WebsiteDataStore::defaultHSTSDirectory):
+        * UIProcess/API/glib/WebKitWebContext.cpp:
+        (webkitWebContextConstructed):
+        * UIProcess/API/glib/WebKitWebsiteData.cpp:
+        (recordContainsSupportedDataTypes):
+        (toWebKitWebsiteDataTypes):
+        * UIProcess/API/glib/WebKitWebsiteDataManager.cpp:
+        (webkitWebsiteDataManagerGetProperty):
+        (webkitWebsiteDataManagerSetProperty):
+        (webkitWebsiteDataManagerConstructed):
+        (webkit_website_data_manager_class_init):
+        (webkitWebsiteDataManagerGetDataStore):
+        (webkit_website_data_manager_get_hsts_cache_directory):
+        (toWebsiteDataTypes):
+        * UIProcess/API/gtk/WebKitWebsiteData.h:
+        * UIProcess/API/gtk/WebKitWebsiteDataManager.h:
+        * UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt:
+        * UIProcess/API/wpe/WebKitWebsiteData.h:
+        * UIProcess/API/wpe/WebKitWebsiteDataManager.h:
+        * UIProcess/API/wpe/docs/wpe-1.0-sections.txt:
+        * UIProcess/WebsiteData/WebsiteDataStoreConfiguration.cpp:
+        (WebKit::WebsiteDataStoreConfiguration::copy):
+        * UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:
+        (WebKit::WebsiteDataStoreConfiguration::hstsStorageDirectory const):
+        (WebKit::WebsiteDataStoreConfiguration::setHSTSStorageDirectory):
+
 2019-08-27  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WebKit/NetworkProcess/NetworkProcess.cpp

@@ -1350 +1350 @@
     }
 
-#if PLATFORM(COCOA)
+#if PLATFORM(COCOA) || USE(SOUP)
     if (websiteDataTypes.contains(WebsiteDataType::HSTSCache)) {
         if (auto* networkStorageSession = storageSession(sessionID))
@@ -1390 +1390 @@
 void NetworkProcess::deleteWebsiteData(PAL::SessionID sessionID, OptionSet<WebsiteDataType> websiteDataTypes, WallTime modifiedSince, uint64_t callbackID)
 {
-#if PLATFORM(COCOA)
+#if PLATFORM(COCOA) || USE(SOUP)
     if (websiteDataTypes.contains(WebsiteDataType::HSTSCache)) {
         if (auto* networkStorageSession = storageSession(sessionID))
@@ -1491 +1491 @@
     }
 
-#if PLATFORM(COCOA)
+#if PLATFORM(COCOA) || USE(SOUP)
     if (websiteDataTypes.contains(WebsiteDataType::HSTSCache)) {
         if (auto* networkStorageSession = storageSession(sessionID))
@@ -1673 +1673 @@
 
     Vector<String> hostnamesWithHSTSToDelete;
-#if PLATFORM(COCOA)
+#if PLATFORM(COCOA) || USE(SOUP)
     if (websiteDataTypes.contains(WebsiteDataType::HSTSCache)) {
         if (auto* networkStorageSession = storageSession(sessionID)) {
@@ -1854 +1854 @@
     
     Vector<String> hostnamesWithHSTSToDelete;
-#if PLATFORM(COCOA)
+#if PLATFORM(COCOA) || USE(SOUP)
     if (websiteDataTypes.contains(WebsiteDataType::HSTSCache)) {
         if (auto* networkStorageSession = storageSession(sessionID))

trunk/Source/WebKit/NetworkProcess/NetworkProcess.h

@@ -194 +194 @@
 #if PLATFORM(COCOA)
     RetainPtr<CFDataRef> sourceApplicationAuditData() const;
+    bool suppressesConnectionTerminationOnSystemChange() const { return m_suppressesConnectionTerminationOnSystemChange; }
+#endif
+#if PLATFORM(COCOA) || USE(SOUP)
     void getHostNamesWithHSTSCache(WebCore::NetworkStorageSession&, HashSet<String>&);
     void deleteHSTSCacheForHostNames(WebCore::NetworkStorageSession&, const Vector<String>&);
     void clearHSTSCache(WebCore::NetworkStorageSession&, WallTime modifiedSince);
-    bool suppressesConnectionTerminationOnSystemChange() const { return m_suppressesConnectionTerminationOnSystemChange; }
 #endif
 

trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp

@@ -39 +39 @@
 #include <WebCore/MIMETypeRegistry.h>
 #include <WebCore/NetworkStorageSession.h>
+#include <WebCore/PublicSuffix.h>
 #include <WebCore/SharedBuffer.h>
 #include <WebCore/SoupNetworkSession.h>
@@ -147 +148 @@
 #endif
     }
+
+#if SOUP_CHECK_VERSION(2, 67, 1)
+    if ((m_currentRequest.url().protocolIs("https") && !shouldAllowHSTSPolicySetting()) || (m_currentRequest.url().protocolIs("http") && !shouldAllowHSTSProtocolUpgrade()))
+        soup_message_disable_feature(soupMessage.get(), SOUP_TYPE_HSTS_ENFORCER);
+    else
+        g_signal_connect(soup_session_get_feature(static_cast<NetworkSessionSoup&>(*m_session).soupSession(), SOUP_TYPE_HSTS_ENFORCER), "hsts-enforced", G_CALLBACK(hstsEnforced), this);
+#endif
 
     // Make sure we have an Accept header for subresources; some sites want this to serve some of their subresources.
@@ -193 +201 @@
         m_soupMessage = nullptr;
     }
-    if (m_session)
+    if (m_session) {
         g_signal_handlers_disconnect_matched(static_cast<NetworkSessionSoup&>(*m_session).soupSession(), G_SIGNAL_MATCH_DATA, 0, 0, nullptr, nullptr, this);
+#if SOUP_CHECK_VERSION(2, 67, 1)
+        g_signal_handlers_disconnect_by_data(soup_session_get_feature(static_cast<NetworkSessionSoup&>(*m_session).soupSession(), SOUP_TYPE_HSTS_ENFORCER), this);
+#endif
+    }
 }
 
@@ -1061 +1073 @@
 }
 
+#if SOUP_CHECK_VERSION(2, 67, 1)
+bool NetworkDataTaskSoup::shouldAllowHSTSPolicySetting() const
+{
+    // Follow Apple's HSTS abuse mitigation 1:
+    //  "Limit HSTS State to the Hostname, or the Top Level Domain + 1"
+    if (isTopLevelNavigation() || hostsAreEqual(m_currentRequest.url(), m_currentRequest.firstPartyForCookies()) || isPublicSuffix(m_currentRequest.url().host().toStringWithoutCopying()))
+        return true;
+
+    return false;
+}
+
+bool NetworkDataTaskSoup::shouldAllowHSTSProtocolUpgrade() const
+{
+    // Follow Apple's HSTS abuse mitgation 2:
+    // "Ignore HSTS State for Subresource Requests to Blocked Domains"
+    if (!isTopLevelNavigation() && !m_currentRequest.allowCookies())
+        return false;
+
+    return true;
+}
+
+void NetworkDataTaskSoup::protocolUpgradedViaHSTS(SoupMessage* soupMessage)
+{
+    m_response = ResourceResponse::syntheticRedirectResponse(m_currentRequest.url(), soupURIToURL(soup_message_get_uri(soupMessage)));
+    continueHTTPRedirection();
+}
+
+void NetworkDataTaskSoup::hstsEnforced(SoupHSTSEnforcer*, SoupMessage* soupMessage, NetworkDataTaskSoup* task)
+{
+    if (task->state() == State::Canceling || task->state() == State::Completed || !task->m_client) {
+        task->clearRequest();
+        return;
+    }
+
+    if (soupMessage == task->m_soupMessage.get())
+        task->protocolUpgradedViaHSTS(soupMessage);
+}
+#endif
+
 void NetworkDataTaskSoup::didStartRequest()
 {

trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.h

@@ -113 +113 @@
     static void requestStartedCallback(SoupSession*, SoupMessage*, SoupSocket*, NetworkDataTaskSoup*);
 #endif
+#if SOUP_CHECK_VERSION(2, 67, 1)
+    bool shouldAllowHSTSPolicySetting() const;
+    bool shouldAllowHSTSProtocolUpgrade() const;
+    void protocolUpgradedViaHSTS(SoupMessage*);
+    static void hstsEnforced(SoupHSTSEnforcer*, SoupMessage*, NetworkDataTaskSoup*);
+#endif
     void didStartRequest();
     static void restartedCallback(SoupMessage*, NetworkDataTaskSoup*);

trunk/Source/WebKit/NetworkProcess/soup/NetworkProcessSoup.cpp

@@ -96 +96 @@
 }
 
+void NetworkProcess::getHostNamesWithHSTSCache(WebCore::NetworkStorageSession& storageSession, HashSet<String>& hostNames)
+{
+    const auto* session = static_cast<NetworkSessionSoup*>(networkSession(storageSession.sessionID()));
+    session->soupNetworkSession().getHostNamesWithHSTSCache(hostNames);
+}
+
+void NetworkProcess::deleteHSTSCacheForHostNames(WebCore::NetworkStorageSession& storageSession, const Vector<String>& hostNames)
+{
+    const auto* session = static_cast<NetworkSessionSoup*>(networkSession(storageSession.sessionID()));
+    session->soupNetworkSession().deleteHSTSCacheForHostNames(hostNames);
+}
+
+void NetworkProcess::clearHSTSCache(WebCore::NetworkStorageSession& storageSession, WallTime modifiedSince)
+{
+    const auto* session = static_cast<NetworkSessionSoup*>(networkSession(storageSession.sessionID()));
+    session->soupNetworkSession().clearHSTSCache(modifiedSince);
+}
+
 void NetworkProcess::userPreferredLanguagesChanged(const Vector<String>& languages)
 {
@@ -130 +148 @@
 
     setIgnoreTLSErrors(parameters.ignoreTLSErrors);
+
+    if (!parameters.hstsStorageDirectory.isEmpty())
+        SoupNetworkSession::setHSTSPersistentStorage(parameters.hstsStorageDirectory.utf8());
+    forEachNetworkSession([](const auto& session) {
+        static_cast<const NetworkSessionSoup&>(session).soupNetworkSession().setupHSTSEnforcer();
+    });
 }
 

trunk/Source/WebKit/UIProcess/API/APIWebsiteDataStore.h

@@ -67 +67 @@
     static WTF::String defaultDeviceIdHashSaltsStorageDirectory();
     static WTF::String defaultWebSQLDatabaseDirectory();
+#if USE(GLIB)
+    static WTF::String defaultHSTSDirectory();
+#endif
     static WTF::String defaultResourceLoadStatisticsDirectory();
     static WTF::String defaultJavaScriptConfigurationDirectory();

trunk/Source/WebKit/UIProcess/API/glib/APIWebsiteDataStoreGLib.cpp

@@ -83 +83 @@
 {
     return websiteDataDirectoryFileSystemRepresentation(BASE_DIRECTORY G_DIR_SEPARATOR_S "databases");
+}
+
+WTF::String WebsiteDataStore::defaultHSTSDirectory()
+{
+    return websiteDataDirectoryFileSystemRepresentation(BASE_DIRECTORY G_DIR_SEPARATOR_S);
 }
 

trunk/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp

@@ -342 +342 @@
         configuration.setApplicationCacheDirectory(FileSystem::stringFromFileSystemRepresentation(webkit_website_data_manager_get_offline_application_cache_directory(priv->websiteDataManager.get())));
         configuration.setIndexedDBDatabaseDirectory(FileSystem::stringFromFileSystemRepresentation(webkit_website_data_manager_get_indexeddb_directory(priv->websiteDataManager.get())));
+        configuration.setHSTSStorageDirectory(FileSystem::stringFromFileSystemRepresentation(webkit_website_data_manager_get_hsts_cache_directory(priv->websiteDataManager.get())));
 ALLOW_DEPRECATED_DECLARATIONS_BEGIN
         configuration.setWebSQLDatabaseDirectory(FileSystem::stringFromFileSystemRepresentation(webkit_website_data_manager_get_websql_directory(priv->websiteDataManager.get())));

trunk/Source/WebKit/UIProcess/API/glib/WebKitWebsiteData.cpp

@@ -74 +74 @@
         WebsiteDataType::WebSQLDatabases,
         WebsiteDataType::IndexedDBDatabases,
+        WebsiteDataType::HSTSCache,
 #if ENABLE(NETSCAPE_PLUGIN_API)
         WebsiteDataType::PlugInData,
@@ -99 +100 @@
     if (types.contains(WebsiteDataType::IndexedDBDatabases))
         returnValue |= WEBKIT_WEBSITE_DATA_INDEXEDDB_DATABASES;
+    if (types.contains(WebsiteDataType::HSTSCache))
+        returnValue |= WEBKIT_WEBSITE_DATA_HSTS_CACHE;
 #if ENABLE(NETSCAPE_PLUGIN_API)
     if (types.contains(WebsiteDataType::PlugInData))

trunk/Source/WebKit/UIProcess/API/glib/WebKitWebsiteDataManager.cpp

@@ -85 +85 @@
     PROP_INDEXEDDB_DIRECTORY,
     PROP_WEBSQL_DIRECTORY,
+    PROP_HSTS_CACHE_DIRECTORY,
     PROP_IS_EPHEMERAL
 };
@@ -102 +103 @@
     GUniquePtr<char> indexedDBDirectory;
     GUniquePtr<char> webSQLDirectory;
+    GUniquePtr<char> hstsCacheDirectory;
 
     GRefPtr<WebKitCookieManager> cookieManager;
@@ -137 +139 @@
         ALLOW_DEPRECATED_DECLARATIONS_END
         break;
+    case PROP_HSTS_CACHE_DIRECTORY:
+        g_value_set_string(value, webkit_website_data_manager_get_hsts_cache_directory(manager));
+        break;
     case PROP_IS_EPHEMERAL:
         g_value_set_boolean(value, webkit_website_data_manager_is_ephemeral(manager));
@@ -170 +175 @@
     case PROP_WEBSQL_DIRECTORY:
         manager->priv->webSQLDirectory.reset(g_value_dup_string(value));
+        break;
+    case PROP_HSTS_CACHE_DIRECTORY:
+        manager->priv->hstsCacheDirectory.reset(g_value_dup_string(value));
         break;
     case PROP_IS_EPHEMERAL:
@@ -199 +207 @@
         if (!priv->applicationCacheDirectory)
             priv->applicationCacheDirectory.reset(g_build_filename(priv->baseCacheDirectory.get(), "applications", nullptr));
+        if (!priv->hstsCacheDirectory)
+            priv->hstsCacheDirectory.reset(g_strdup(priv->baseCacheDirectory.get()));
     }
 }
@@ -334 +344 @@
 
     /**
+     * WebKitWebsiteDataManager:hsts-cache-directory:
+     *
+     * The directory where the HTTP Strict-Transport-Security (HSTS) cache will be stored.
+     *
+     * Since: 2.26
+     */
+    g_object_class_install_property(
+        gObjectClass,
+        PROP_HSTS_CACHE_DIRECTORY,
+        g_param_spec_string(
+            "hsts-cache-directory",
+            _("HSTS Cache Directory"),
+            _("The directory where the HTTP Strict-Transport-Security cache will be stored"),
+            nullptr,
+            static_cast<GParamFlags>(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)));
+
+    /**
      * WebKitWebsiteDataManager:is-ephemeral:
      *
@@ -375 +402 @@
         configuration->setWebSQLDatabaseDirectory(!priv->webSQLDirectory ?
             API::WebsiteDataStore::defaultWebSQLDatabaseDirectory() : FileSystem::stringFromFileSystemRepresentation(priv->webSQLDirectory.get()));
+        configuration->setHSTSStorageDirectory(!priv->hstsCacheDirectory ?
+            API::WebsiteDataStore::defaultHSTSDirectory() : FileSystem::stringFromFileSystemRepresentation(priv->hstsCacheDirectory.get()));
         configuration->setMediaKeysStorageDirectory(API::WebsiteDataStore::defaultMediaKeysStorageDirectory());
         priv->websiteDataStore = API::WebsiteDataStore::createLegacy(WTFMove(configuration));
@@ -611 +640 @@
         priv->webSQLDirectory.reset(g_strdup(API::WebsiteDataStore::defaultWebSQLDatabaseDirectory().utf8().data()));
     return priv->webSQLDirectory.get();
+}
+
+/**
+ * webkit_website_data_manager_get_hsts_cache_directory:
+ * @manager: a #WebKitWebsiteDataManager
+ *
+ * Get the #WebKitWebsiteDataManager:hsts-cache-directory property.
+ *
+ * Returns: (allow-none): the directory where the HSTS cache is stored or %NULL if @manager is ephemeral.
+ *
+ * Since: 2.26
+ */
+const gchar* webkit_website_data_manager_get_hsts_cache_directory(WebKitWebsiteDataManager* manager)
+{
+    g_return_val_if_fail(WEBKIT_IS_WEBSITE_DATA_MANAGER(manager), nullptr);
+
+    WebKitWebsiteDataManagerPrivate* priv = manager->priv;
+    if (priv->websiteDataStore && !priv->websiteDataStore->isPersistent())
+        return nullptr;
+
+    if (!priv->hstsCacheDirectory)
+        priv->hstsCacheDirectory.reset(g_strdup(API::WebsiteDataStore::defaultHSTSDirectory().utf8().data()));
+    return priv->hstsCacheDirectory.get();
 }
 
@@ -650 +702 @@
     if (types & WEBKIT_WEBSITE_DATA_INDEXEDDB_DATABASES)
         returnValue.add(WebsiteDataType::IndexedDBDatabases);
+    if (types & WEBKIT_WEBSITE_DATA_HSTS_CACHE)
+        returnValue.add(WebsiteDataType::HSTSCache);
 #if ENABLE(NETSCAPE_PLUGIN_API)
     if (types & WEBKIT_WEBSITE_DATA_PLUGIN_DATA)

trunk/Source/WebKit/UIProcess/API/gtk/WebKitWebsiteData.h

@@ -46 +46 @@
  * @WEBKIT_WEBSITE_DATA_COOKIES: Cookies.
  * @WEBKIT_WEBSITE_DATA_DEVICE_ID_HASH_SALT: Hash salt used to generate the device ids used by webpages. Since 2.24
+ * @WEBKIT_WEBSITE_DATA_HSTS_CACHE: HSTS cache. Since 2.26
  * @WEBKIT_WEBSITE_DATA_ALL: All types.
  *
@@ -63 +64 @@
     WEBKIT_WEBSITE_DATA_COOKIES                   = 1 << 8,
     WEBKIT_WEBSITE_DATA_DEVICE_ID_HASH_SALT       = 1 << 9,
-    WEBKIT_WEBSITE_DATA_ALL                       = (1 << 10) - 1
+    WEBKIT_WEBSITE_DATA_HSTS_CACHE                = 1 << 10,
+    WEBKIT_WEBSITE_DATA_ALL                       = (1 << 11) - 1
 } WebKitWebsiteDataTypes;
 

trunk/Source/WebKit/UIProcess/API/gtk/WebKitWebsiteDataManager.h

@@ -91 +91 @@
 webkit_website_data_manager_get_websql_directory                      (WebKitWebsiteDataManager *manager);
 
+WEBKIT_API const gchar *
+webkit_website_data_manager_get_hsts_cache_directory                  (WebKitWebsiteDataManager *manager);
+
 WEBKIT_API WebKitCookieManager *
 webkit_website_data_manager_get_cookie_manager                        (WebKitWebsiteDataManager *manager);

trunk/Source/WebKit/UIProcess/API/gtk/docs/webkit2gtk-4.0-sections.txt

@@ -1404 +1404 @@
 webkit_website_data_manager_get_indexeddb_directory
 webkit_website_data_manager_get_websql_directory
+webkit_website_data_manager_get_hsts_cache_directory
 webkit_website_data_manager_get_cookie_manager
 webkit_website_data_manager_fetch

trunk/Source/WebKit/UIProcess/API/wpe/WebKitWebsiteData.h

@@ -46 +46 @@
  * @WEBKIT_WEBSITE_DATA_COOKIES: Cookies.
  * @WEBKIT_WEBSITE_DATA_DEVICE_ID_HASH_SALT: Hash salt used to generate the device ids used by webpages. Since 2.24
+ * @WEBKIT_WEBSITE_DATA_HSTS_CACHE: HSTS cache. Since 2.26
  * @WEBKIT_WEBSITE_DATA_ALL: All types.
  *
@@ -63 +64 @@
     WEBKIT_WEBSITE_DATA_COOKIES                   = 1 << 8,
     WEBKIT_WEBSITE_DATA_DEVICE_ID_HASH_SALT       = 1 << 9,
-    WEBKIT_WEBSITE_DATA_ALL                       = (1 << 10) - 1
+    WEBKIT_WEBSITE_DATA_HSTS_CACHE                = 1 << 10,
+    WEBKIT_WEBSITE_DATA_ALL                       = (1 << 11) - 1
 } WebKitWebsiteDataTypes;
 

trunk/Source/WebKit/UIProcess/API/wpe/WebKitWebsiteDataManager.h

@@ -91 +91 @@
 webkit_website_data_manager_get_websql_directory                      (WebKitWebsiteDataManager *manager);
 
+WEBKIT_API const gchar *
+webkit_website_data_manager_get_hsts_cache_directory                  (WebKitWebsiteDataManager *manager);
+
 WEBKIT_API WebKitCookieManager *
 webkit_website_data_manager_get_cookie_manager                        (WebKitWebsiteDataManager *manager);

trunk/Source/WebKit/UIProcess/API/wpe/docs/wpe-1.0-sections.txt

@@ -1278 +1278 @@
 webkit_website_data_manager_get_indexeddb_directory
 webkit_website_data_manager_get_websql_directory
+webkit_website_data_manager_get_hsts_cache_directory
 webkit_website_data_manager_get_cookie_manager
 webkit_website_data_manager_fetch

trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.cpp

@@ -51 +51 @@
     copy->m_serviceWorkerRegistrationDirectory = this->m_serviceWorkerRegistrationDirectory;
     copy->m_webSQLDatabaseDirectory = this->m_webSQLDatabaseDirectory;
+#if USE(GLIB)
+    copy->m_hstsStorageDirectory = this->m_hstsStorageDirectory;
+#endif
     copy->m_localStorageDirectory = this->m_localStorageDirectory;
     copy->m_mediaKeysStorageDirectory = this->m_mediaKeysStorageDirectory;

trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h

@@ -62 +62 @@
     const String& webSQLDatabaseDirectory() const { return m_webSQLDatabaseDirectory; }
     void setWebSQLDatabaseDirectory(String&& directory) { m_webSQLDatabaseDirectory = WTFMove(directory); }
-
+#if USE(GLIB) // According to r245075 this will eventually move here.
+    const String& hstsStorageDirectory() const { return m_hstsStorageDirectory; }
+    void setHSTSStorageDirectory(String&& directory) { m_hstsStorageDirectory = WTFMove(directory); }
+#endif
     const String& localStorageDirectory() const { return m_localStorageDirectory; }
     void setLocalStorageDirectory(String&& directory) { m_localStorageDirectory = WTFMove(directory); }
@@ -119 +122 @@
     String m_serviceWorkerRegistrationDirectory;
     String m_webSQLDatabaseDirectory;
+#if USE(GLIB)
+    String m_hstsStorageDirectory;
+#endif
     String m_localStorageDirectory;
     String m_mediaKeysStorageDirectory;

trunk/Tools/ChangeLog

@@ +1 @@
+2019-08-02  Claudio Saavedra  <csaavedra@igalia.com>
+
+        [GTK][WPE] Implement HSTS for the soup network backend
+        https://bugs.webkit.org/show_bug.cgi?id=192074
+
+        Reviewed by Carlos Garcia Campos.
+
+        libsoup 2.67.1 introduced HSTS support via a SoupSessionFeature.
+        Add support to the soup network backend by adding the feature to
+        SoupNetworkSession and handling HSTS protocol upgrades, by
+        propagating the scheme change further to clients. This patch adds
+        the HSTS feature unconditionally, but it still possible to add
+        a boolean property to the web context class if desired.
+
+        Additionally, add API to the WebKitWebsiteDataManager to specify
+        the directory where the HSTS database is saved. If the directory
+        is not set or if the data manager is ephemeral, use a
+        non-persistent, memory only HSTS enforcer.
+
+        Implement as well the methods needed to clean-up and delete HSTS
+        policies from the storage and expose the feature in GTK+
+        MiniBrowser's about:data.
+
+        * MiniBrowser/gtk/main.c:
+        (gotWebsiteDataCallback):
+        * TestWebKitAPI/Tests/WebKitGLib/TestWebsiteData.cpp:
+        (serverCallback):
+        (testWebsiteDataConfiguration):
+        (testWebsiteDataEphemeral):
+        (prepopulateHstsData):
+        (testWebsiteDataHsts):
+        (beforeAll):
+        * TestWebKitAPI/glib/WebKitGLib/TestMain.h:
+        (Test::Test):
+        * gtk/jhbuild.modules: Bump libsoup to 2.67.91 for the new APIs
+        * wpe/jhbuild.modules: Ditto
+        * MiniBrowser/gtk/main.c:
+        (gotWebsiteDataCallback):
+
 2019-08-27  James Darpinian  <jdarpinian@google.com>
 

trunk/Tools/MiniBrowser/gtk/main.c

@@ -419 +419 @@
     aboutDataFillTable(result, dataRequest, dataList, "Plugins Data", WEBKIT_WEBSITE_DATA_PLUGIN_DATA, NULL, pageID);
     aboutDataFillTable(result, dataRequest, dataList, "Offline Web Applications Cache", WEBKIT_WEBSITE_DATA_OFFLINE_APPLICATION_CACHE, webkit_website_data_manager_get_offline_application_cache_directory(manager), pageID);
+    aboutDataFillTable(result, dataRequest, dataList, "HSTS Cache", WEBKIT_WEBSITE_DATA_HSTS_CACHE, webkit_website_data_manager_get_hsts_cache_directory(manager), pageID);
 
     result = g_string_append(result, "</body></html>");

trunk/Tools/TestWebKitAPI/Tests/WebKitGLib/TestWebsiteData.cpp

@@ -20 +20 @@
 #include "config.h"
 
+#include <WebCore/GUniquePtrSoup.h>
 #include "WebKitTestServer.h"
 #include "WebViewTest.h"
@@ -36 +37 @@
         static const char* emptyHTML = "<html><body></body></html>";
         soup_message_headers_replace(message->response_headers, "Set-Cookie", "foo=bar; Max-Age=60");
+        soup_message_headers_replace(message->response_headers, "Strict-Transport-Security", "max-age=3600");
         soup_message_body_append(message->response_body, SOUP_MEMORY_STATIC, emptyHTML, strlen(emptyHTML));
         soup_message_body_complete(message->response_body);
@@ -163 +165 @@
     g_assert_true(g_file_test(diskCacheDirectory.get(), G_FILE_TEST_IS_DIR));
 
-    // Clear all persistent caches, since the data dir is common to all test cases.
+    GUniquePtr<char> hstsCacheDirectory(g_build_filename(Test::dataDirectory(), "hsts", nullptr));
+    g_assert_cmpstr(hstsCacheDirectory.get(), ==, webkit_website_data_manager_get_hsts_cache_directory(test->m_manager));
+    g_assert_true(g_file_test(hstsCacheDirectory.get(), G_FILE_TEST_IS_DIR));
+
+    // Clear all persistent caches, since the data dir is common to all test cases. Note: not cleaning the HSTS cache here as its data
+    // is needed for the HSTS tests, where data cleaning will be tested.
     static const WebKitWebsiteDataTypes persistentCaches = static_cast<WebKitWebsiteDataTypes>(WEBKIT_WEBSITE_DATA_DISK_CACHE | WEBKIT_WEBSITE_DATA_LOCAL_STORAGE
         | WEBKIT_WEBSITE_DATA_INDEXEDDB_DATABASES | WEBKIT_WEBSITE_DATA_OFFLINE_APPLICATION_CACHE | WEBKIT_WEBSITE_DATA_DEVICE_ID_HASH_SALT);
@@ -177 +184 @@
     g_assert_cmpstr(webkit_website_data_manager_get_disk_cache_directory(test->m_manager), !=, webkit_website_data_manager_get_disk_cache_directory(defaultManager));
     g_assert_cmpstr(webkit_website_data_manager_get_offline_application_cache_directory(test->m_manager), !=, webkit_website_data_manager_get_offline_application_cache_directory(defaultManager));
+    g_assert_cmpstr(webkit_website_data_manager_get_hsts_cache_directory(test->m_manager), !=, webkit_website_data_manager_get_hsts_cache_directory(defaultManager));
 
     // Using Test::dataDirectory() we get the default configuration but for a differrent prefix.
@@ -223 +231 @@
     g_assert_null(webkit_website_data_manager_get_offline_application_cache_directory(manager.get()));
     g_assert_null(webkit_website_data_manager_get_indexeddb_directory(manager.get()));
+    g_assert_null(webkit_website_data_manager_get_hsts_cache_directory(manager.get()));
 
     // Configuration is ignored when is-ephemeral is used.
@@ -484 +493 @@
 }
 
+#if SOUP_CHECK_VERSION(2, 67, 91)
+static void prepopulateHstsData()
+{
+    // HSTS headers will be ignored in this test because the spec forbids STS policies from being honored for hosts with
+    // an IP address instead of a domain. In order to be able to test the data manager API with HSTS website data, we
+    // prepopulate the HSTS storage using the libsoup API directly.
+
+    GUniquePtr<char> hstsCacheDirectory(g_build_filename(Test::dataDirectory(), "hsts", nullptr));
+    GUniquePtr<char> hstsDatabase(g_build_filename(hstsCacheDirectory.get(), "hsts-storage.sqlite", nullptr));
+    g_mkdir_with_parents(hstsCacheDirectory.get(), 0700);
+
+    GRefPtr<SoupHSTSEnforcer> enforcer = adoptGRef(soup_hsts_enforcer_db_new(hstsDatabase.get()));
+    GUniquePtr<SoupHSTSPolicy> policy(soup_hsts_policy_new("webkitgtk.org", 3600, true));
+    soup_hsts_enforcer_set_policy(enforcer.get(), policy.get());
+
+    policy.reset(soup_hsts_policy_new("webkit.org", 3600, true));
+    soup_hsts_enforcer_set_policy(enforcer.get(), policy.get());
+}
+
+static void testWebsiteDataHsts(WebsiteDataTest* test, gconstpointer)
+{
+    GList* dataList = test->fetch(WEBKIT_WEBSITE_DATA_HSTS_CACHE);
+    g_assert_cmpuint(g_list_length(dataList), ==, 2);
+    WebKitWebsiteData* data = static_cast<WebKitWebsiteData*>(dataList->data);
+    g_assert_cmpuint(webkit_website_data_get_types(data), ==, WEBKIT_WEBSITE_DATA_HSTS_CACHE);
+    // HSTS data size is unknown.
+    g_assert_cmpuint(webkit_website_data_get_size(data, WEBKIT_WEBSITE_DATA_HSTS_CACHE), ==, 0);
+
+    GList removeList = { data, nullptr, nullptr };
+    test->remove(WEBKIT_WEBSITE_DATA_HSTS_CACHE, &removeList);
+    dataList = test->fetch(WEBKIT_WEBSITE_DATA_HSTS_CACHE);
+    g_assert_cmpuint(g_list_length(dataList), ==, 1);
+    data = static_cast<WebKitWebsiteData*>(dataList->data);
+    g_assert_cmpuint(webkit_website_data_get_types(data), ==, WEBKIT_WEBSITE_DATA_HSTS_CACHE);
+
+    // Remove all HSTS data.
+    test->clear(WEBKIT_WEBSITE_DATA_HSTS_CACHE, 0);
+    g_assert_null(test->fetch(WEBKIT_WEBSITE_DATA_HSTS_CACHE));
+}
+#endif
+
 static void testWebsiteDataCookies(WebsiteDataTest* test, gconstpointer)
 {
@@ -571 +621 @@
     kServer = new WebKitTestServer();
     kServer->run(serverCallback);
+
+#if SOUP_CHECK_VERSION(2, 67, 91)
+    prepopulateHstsData();
+#endif
 
     WebsiteDataTest::add("WebKitWebsiteData", "configuration", testWebsiteDataConfiguration);
@@ -579 +633 @@
     WebsiteDataTest::add("WebKitWebsiteData", "appcache", testWebsiteDataAppcache);
     WebsiteDataTest::add("WebKitWebsiteData", "cookies", testWebsiteDataCookies);
+#if SOUP_CHECK_VERSION(2, 67, 91)
+    WebsiteDataTest::add("WebKitWebsiteData", "hsts", testWebsiteDataHsts);
+#endif
     WebsiteDataTest::add("WebKitWebsiteData", "deviceidhashsalt", testWebsiteDataDeviceIdHashSalt);
 }

trunk/Tools/TestWebKitAPI/glib/WebKitGLib/TestMain.h

@@ -122 +122 @@
         GUniquePtr<char> applicationCacheDirectory(g_build_filename(dataDirectory(), "appcache", nullptr));
         GUniquePtr<char> webSQLDirectory(g_build_filename(dataDirectory(), "websql", nullptr));
+        GUniquePtr<char> hstsDirectory(g_build_filename(dataDirectory(), "hsts", nullptr));
         GRefPtr<WebKitWebsiteDataManager> websiteDataManager = adoptGRef(webkit_website_data_manager_new(
             "local-storage-directory", localStorageDirectory.get(), "indexeddb-directory", indexedDBDirectory.get(),
             "disk-cache-directory", diskCacheDirectory.get(), "offline-application-cache-directory", applicationCacheDirectory.get(),
-            "websql-directory", webSQLDirectory.get(), nullptr));
+            "websql-directory", webSQLDirectory.get(), "hsts-cache-directory", hstsDirectory.get(), nullptr));
 
         m_webContext = adoptGRef(webkit_web_context_new_with_website_data_manager(websiteDataManager.get()));

trunk/Tools/gtk/jhbuild.modules

@@ -239 +239 @@
       <dep package="libpsl"/>
     </dependencies>
-    <branch module="/pub/GNOME/sources/libsoup/2.67/libsoup-${version}.tar.xz" version="2.67.90"
-            repo="ftp.gnome.org"
-            hash="sha256:303686002bd7d7bf93204eebe0d5ec9f5d57d071e3411e2304d6f8bcfa97ef79">
+    <branch module="/pub/GNOME/sources/libsoup/2.67/libsoup-${version}.tar.xz" version="2.67.91"
+            repo="ftp.gnome.org"
+            hash="sha256:390b5b28263d3bdf9866fa694346caa5e4bcb986e014e3383e9b6130b706f3da">
     </branch>
   </meson>

trunk/Tools/wpe/jhbuild.modules

@@ -101 +101 @@
       <dep package="libpsl"/>
     </dependencies>
-    <branch module="/pub/GNOME/sources/libsoup/2.67/libsoup-${version}.tar.xz" version="2.67.90"
-            repo="ftp.gnome.org"
-            hash="sha256:303686002bd7d7bf93204eebe0d5ec9f5d57d071e3411e2304d6f8bcfa97ef79">
+    <branch module="/pub/GNOME/sources/libsoup/2.67/libsoup-${version}.tar.xz" version="2.67.91"
+            repo="ftp.gnome.org"
+            hash="sha256:390b5b28263d3bdf9866fa694346caa5e4bcb986e014e3383e9b6130b706f3da">
     </branch>
   </meson>