Changeset 58409 in webkit
- Timestamp:
- Apr 28, 2010 9:29:22 AM (14 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 5 edited
trunk/LayoutTests/ChangeLog
r58407 r58409 1 2010-04-28 Julien Chaffraix <jchaffraix@webkit.org> 2 3 Reviewed by Alexey Proskuryakov. 4 5 [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR 6 https://bugs.webkit.org/show_bug.cgi?id=37781 7 <rdar://problem/7905150> 8 9 Test that doing a cross-origin request with a preflight check does 10 not raise a NETWORK_ERR exception and does not send the credentials. 11 12 * http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt: Added. 13 * http/tests/xmlhttprequest/access-control-preflight-credential-async.html: Added. 14 * http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt: Added. 15 * http/tests/xmlhttprequest/access-control-preflight-credential-sync.html: Added. 16 * http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Added. 17 18 * platform/mac-tiger/Skipped: 19 * platform/qt/Skipped: 20 Added those 2 tests to the Skipped lists. 21 1 22 2010-04-28 Marcus Bulach <bulach@chromium.org> 2 23 -
trunk/LayoutTests/platform/mac-tiger/Skipped
r58109 r58409 142 142 http/tests/media/video-play-stall.html 143 143 http/tests/media/video-play-stall-seek.html 144 145 # https://bugs.webkit.org/show_bug.cgi?id=38265 146 # LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-[a]sync.html fails on Tiger 147 http/tests/xmlhttprequest/access-control-preflight-credential-async.html 148 http/tests/xmlhttprequest/access-control-preflight-credential-sync.html -
trunk/LayoutTests/platform/qt/Skipped
r58373 r58409 4986 4986 http/tests/xmlhttprequest/access-control-preflight-async-header-denied.html 4987 4987 http/tests/xmlhttprequest/access-control-preflight-async-method-denied.html 4988 http/tests/xmlhttprequest/access-control-preflight-credential-async.html 4989 http/tests/xmlhttprequest/access-control-preflight-credential-sync.html 4988 4990 http/tests/xmlhttprequest/access-control-preflight-headers-async.html 4989 4991 http/tests/xmlhttprequest/access-control-preflight-headers-sync.html -
trunk/WebCore/ChangeLog
r58408 r58409 1 2010-04-28 Julien Chaffraix <jchaffraix@webkit.org> 2 3 Reviewed by Alexey Proskuryakov. 4 5 [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR 6 https://bugs.webkit.org/show_bug.cgi?id=37781 7 <rdar://problem/7905150> 8 9 Tests: http/tests/xmlhttprequest/access-control-preflight-credential-async.html 10 http/tests/xmlhttprequest/access-control-preflight-credential-sync.html 11 12 Rolling the patch in as I could not reproduce Qt results locally. 13 14 * loader/DocumentThreadableLoader.cpp: 15 (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Now we remove the 16 credential from the request here to avoid forgetting to do so in the different code path. 17 (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): Just add the 18 "Origin" header. 19 (WebCore::DocumentThreadableLoader::loadRequest): Check here the the credential have 20 been removed so that we don't leak them. Also tweaked a comment to make it clear that 21 the URL check has issue when credential is involved. 22 1 23 2010-04-28 Noam Rosenthal <noam.rosenthal@nokia.com> 2 24 -
trunk/WebCore/loader/DocumentThreadableLoader.cpp
r58373 r58409 82 82 ASSERT(m_options.crossOriginRequestPolicy == UseAccessControl); 83 83 84 if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) 85 makeSimpleCrossOriginAccessRequest(request); 84 OwnPtr<ResourceRequest> crossOriginRequest(new ResourceRequest(request)); 85 crossOriginRequest->removeCredentials(); 86 crossOriginRequest->setAllowCookies(m_options.allowCredentials); 87 88 if (!m_options.forcePreflight && isSimpleCrossOriginAccessRequest(crossOriginRequest->httpMethod(), crossOriginRequest->httpHeaderFields())) 89 makeSimpleCrossOriginAccessRequest(*crossOriginRequest); 86 90 else { 87 m_actualRequest.set(new ResourceRequest(request)); 88 m_actualRequest->setAllowCookies(m_options.allowCredentials); 89 90 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), request.url(), m_options.allowCredentials, request.httpMethod(), request.httpHeaderFields())) 91 m_actualRequest.set(crossOriginRequest.release()); 92 93 if (CrossOriginPreflightResultCache::shared().canSkipPreflight(document->securityOrigin()->toString(), m_actualRequest->url(), m_options.allowCredentials, m_actualRequest->httpMethod(), m_actualRequest->httpHeaderFields())) 91 94 preflightSuccess(); 92 95 else 93 makeCrossOriginAccessRequestWithPreflight( request);96 makeCrossOriginAccessRequestWithPreflight(*m_actualRequest); 94 97 } 95 98 } … … 107 110 // Make a copy of the passed request so that we can modify some details. 108 111 ResourceRequest crossOriginRequest(request); 109 crossOriginRequest.removeCredentials();110 crossOriginRequest.setAllowCookies(m_options.allowCredentials);111 112 crossOriginRequest.setHTTPOrigin(m_document->securityOrigin()->toString()); 112 113 … … 298 299 void DocumentThreadableLoader::loadRequest(const ResourceRequest& request, SecurityCheckPolicy securityCheck) 299 300 { 301 // Any credential should have been removed from the cross-site requests. 
302 const KURL& requestURL = request.url(); 303 ASSERT(m_sameOriginRequest || requestURL.user().isEmpty()); 304 ASSERT(m_sameOriginRequest || requestURL.pass().isEmpty()); 305 300 306 if (m_async) { 301 307 // Don't sniff content or send load callbacks for the preflight request. … … 321 327 // No exception for file:/// resources, see <rdar://problem/4962298>. 322 328 // Also, if we have an HTTP response, then it wasn't a network error in fact. 323 if (!error.isNull() && !request .url().isLocalFile() && response.httpStatusCode() <= 0) {329 if (!error.isNull() && !requestURL.isLocalFile() && response.httpStatusCode() <= 0) { 324 330 m_client->didFail(error); 325 331 return; … … 328 334 // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the 329 335 // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was 330 // requested. 331 if (request .url()!= response.url() && !isAllowedRedirect(response.url())) {336 // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials. 337 if (requestURL != response.url() && !isAllowedRedirect(response.url())) { 332 338 m_client->didFailRedirectCheck(); 333 339 return;
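Review bot: The invariant that cross-origin requests carry no embedded credentials is enforced only by the two ASSERTs added at the top of loadRequest (new lines 303-304), and those compile out in release builds, so a release-mode caller that reaches loadRequest without going through the constructor's removeCredentials() path would still send the URL's user/password to the remote origin. makeSimpleCrossOriginAccessRequest now depends on that same precondition, since its own removeCredentials()/setAllowCookies() pair (old lines 109-110) was deleted in favour of the constructor doing it once; a comment at its copy, `// Credentials were already stripped and cookie policy set by the constructor; only the Origin header is added here.`, would make the dependency explicit for the next maintainer. If a release-mode guard is wanted later, the ASSERT pair could be complemented by failing the load when requestURL.user() or requestURL.pass() is non-empty, but that is a behaviour change beyond what this commit claims. The constructor body and loadRequest both extend outside the visible hunks.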