Changeset 58371 in webkit

Timestamp:

Apr 27, 2010 7:44:39 PM (14 years ago)

Author:

jchaffraix@webkit.org

Message:

[XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
​https://bugs.webkit.org/show_bug.cgi?id=37781
<rdar://problem/7905150>

Reviewed by Alexey Proskuryakov.

WebCore:

Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html

http/tests/xmlhttprequest/access-control-preflight-credential-sync.html

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
credential from the request here to avoid forgetting to do so in the different code path.
(WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
"Origin" header.
(WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have
been removed so that we don't leak them. Also tweaked a comment to make it clear that
the URL check has issue when credential is involved.

LayoutTests:

Test that doing a cross-origin request with a preflight check does
not raise a NETWORK_ERR exception and does not send the credentials.

• http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt: Added.
• http/tests/xmlhttprequest/access-control-preflight-credential-async.html: Added.
• http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt: Added.
• http/tests/xmlhttprequest/access-control-preflight-credential-sync.html: Added.
• http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt (added)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async.html (added)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt (added)
• LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync.html (added)
• LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/loader/DocumentThreadableLoader.cpp (modified) (5 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-04-27  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+        https://bugs.webkit.org/show_bug.cgi?id=37781
+        <rdar://problem/7905150>
+
+        Test that doing a cross-origin request with a preflight check does
+        not raise a NETWORK_ERR exception and does not send the credentials.
+
+        * http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-credential-async.html: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-preflight-credential-sync.html: Added.
+        * http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Added.
+
 2010-04-27  Dumitru Daniliuc  <dumi@chromium.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-04-27  Julien Chaffraix  <jchaffraix@webkit.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+        https://bugs.webkit.org/show_bug.cgi?id=37781
+        <rdar://problem/7905150>
+
+        Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html
+               http/tests/xmlhttprequest/access-control-preflight-credential-sync.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the
+        credential from the request here to avoid forgetting to do so in the different code path.
+        (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the
+        "Origin" header.
+        (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have
+        been removed so that we don't leak them. Also tweaked a comment to make it clear that
+        the URL check has issue when credential is involved.
+
 2010-04-27  Sam Weinig  <sam@webkit.org>
 

trunk/WebCore/loader/DocumentThreadableLoader.cpp

@@ -82 +82 @@
     ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl);
 
-    if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()))
-        makeSimpleCrossOriginAccessRequest(request);
+    OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request));
+    crossOriginRequest->removeCredentials();
+    crossOriginRequest->setAllowCookies(m_options.allowCredentials);
+
+    if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields()))
+        makeSimpleCrossOriginAccessRequest(*crossOriginRequest);
     else {
-        m_actualRequest.set(new ResourceRequest(request));
-        m_actualRequest->setAllowCookies(m_options.allowCredentials);
-
-        if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields()))
+        m_actualRequest.set(crossOriginRequest.release());
+
+        if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields()))
             preflightSuccess();
         else
-            makeCrossOriginAccessRequestWithPreflight(request);
+            makeCrossOriginAccessRequestWithPreflight(*m_actualRequest);
     }
 }
@@ -107 +110 @@
     // Make a copy of the passed request so that we can modify some details.
     ResourceRequest crossOriginRequest(request);
-    crossOriginRequest.removeCredentials();
-    crossOriginRequest.setAllowCookies(m_options.allowCredentials);
     crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString());
 
@@ -298 +299 @@
 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck)
 {
+    // Any credential should have been removed from the cross-site requests.
+    const KURL& requestURL = request.url();
+    ASSERT(m_sameOriginRequest || requestURL.user().isEmpty());
+    ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty());
+
     if (m_async) {
         // Don't sniff content or send load callbacks for the preflight request.
@@ -321 +327 @@
     // No exception for file:/// resources, see <rdar://problem/4962298>.
     // Also, if we have an HTTP response, then it wasn't a network error in fact.
-    if (!error.isNull() && !request.url().isLocalFile() && response.httpStatusCode() <= 0) {
+    if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) {
         m_client->didFail(error);
         return;
@@ -328 +334 @@
     // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
     // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
-    // requested.
-    if (request.url() != response.url() && !isAllowedRedirect(response.url())) {
+    // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
+    if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
         m_client->didFailRedirectCheck();
         return;