Changeset 58371 in webkit
- Timestamp:
- Apr 27, 2010 7:44:39 PM (14 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 3 edited
trunk/LayoutTests/ChangeLog
r58366 r58371 1 2010-04-27 Julien Chaffraix <jchaffraix@webkit.org> 2 3 Reviewed by Alexey Proskuryakov. 4 5 [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR 6 https://bugs.webkit.org/show_bug.cgi?id=37781 7 <rdar://problem/7905150> 8 9 Test that doing a cross-origin request with a preflight check does 10 not raise a NETWORK_ERR exception and does not send the credentials. 11 12 * http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt: Added. 13 * http/tests/xmlhttprequest/access-control-preflight-credential-async.html: Added. 14 * http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt: Added. 15 * http/tests/xmlhttprequest/access-control-preflight-credential-sync.html: Added. 16 * http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Added. 17 1 18 2010-04-27 Dumitru Daniliuc <dumi@chromium.org> 2 19 -
trunk/WebCore/ChangeLog
r58367 r58371 1 2010-04-27 Julien Chaffraix <jchaffraix@webkit.org> 2 3 Reviewed by Alexey Proskuryakov. 4 5 [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR 6 https://bugs.webkit.org/show_bug.cgi?id=37781 7 <rdar://problem/7905150> 8 9 Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html 10 http/tests/xmlhttprequest/access-control-preflight-credential-sync.html 11 12 * loader/DocumentThreadableLoader.cpp: 13 (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the 14 credential from the request here to avoid forgetting to do so in the different code path. 15 (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the 16 "Origin" header. 17 (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have 18 been removed so that we don't leak them. Also tweaked a comment to make it clear that 19 the URL check has issue when credential is involved. 20 1 21 2010-04-27 Sam Weinig <sam@webkit.org> 2 22 -
trunk/WebCore/loader/DocumentThreadableLoader.cpp
r57041 r58371 82 82 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); 83 83 84 if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) 85 makeSimpleCrossOriginAccessRequest(request); 84 OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request)); 85 crossOriginRequest->removeCredentials(); 86 crossOriginRequest->setAllowCookies(m_options.allowCredentials); 87 88 if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) 89 makeSimpleCrossOriginAccessRequest(*crossOriginRequest); 86 90 else { 87 m_actualRequest.set(new ResourceRequest(request)); 88 m_actualRequest->setAllowCookies(m_options.allowCredentials); 89 90 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields())) 91 m_actualRequest.set(crossOriginRequest.release()); 92 93 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields())) 91 94 preflightSuccess(); 92 95 else 93 makeCrossOriginAccessRequestWithPreflight( request);96 makeCrossOriginAccessRequestWithPreflight(*m_actualRequest); 94 97 } 95 98 } … … 107 110 // Make a copy of the passed request so that we can modify some details. 108 111 ResourceRequest crossOriginRequest(request); 109 crossOriginRequest.removeCredentials();110 crossOriginRequest.setAllowCookies(m_options.allowCredentials);111 112 crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString()); 112 113 … … 298 299 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck) 299 300 { 301 // Any credential should have been removed from the cross-site requests. 
302 const KURL& requestURL = request.url(); 303 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); 304 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); 305 300 306 if (m_async) { 301 307 // Don't sniff content or send load callbacks for the preflight request. … … 321 327 // No exception for file:/// resources, see <rdar://problem/4962298>. 322 328 // Also, if we have an HTTP response, then it wasn't a network error in fact. 323 if (!error.isNull() && !request .url().isLocalFile() && response.httpStatusCode() <= 0) {329 if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) { 324 330 m_client->didFail(error); 325 331 return; … … 328 334 // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the 329 335 // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was 330 // requested. 331 if (request .url()!= response.url() && !isAllowedRedirect(response.url())) {336 // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials. 337 if (requestURL != response.url() && !isAllowedRedirect(response.url())) { 332 338 m_client->didFailRedirectCheck(); 333 339 return;
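Review bot: The two ASSERTs added at the top of loadRequest (new-side lines 303–304) are WebKit debug-only assertions, so in a release build a cross-origin request that still carried URL credentials would be sent unchanged; the guarantee the ChangeLog describes ("so that we don't leak them") rests entirely on the constructor's removeCredentials() call in the first hunk, and every later path (makeSimpleCrossOriginAccessRequest, the preflight path) only copies that already-stripped request. Since that is the intended design, the new comment should say so rather than read as an enforced check, e.g. `// Cross-origin requests must already have had their URL credentials stripped by the constructor; the ASSERTs below only verify that invariant in debug builds.` Separately, the canSkipPreflight() lookup in the first hunk is now keyed on the stripped m_actualRequest->url(); that stays consistent only if cache entries are recorded from the same stripped request, which is not visible in this changeset and is worth confirming.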