Diff
Modified: trunk/LayoutTests/ChangeLog (230809 => 230810)
--- trunk/LayoutTests/ChangeLog 2018-04-19 17:49:21 UTC (rev 230809)
+++ trunk/LayoutTests/ChangeLog 2018-04-19 17:54:35 UTC (rev 230810)
@@ -1,3 +1,19 @@
+2018-04-19 Youenn Fablet <you...@apple.com>
+
+ NetworkProcess should use CSP/content blockers for sync XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184760
+
+ Reviewed by Chris Dumez.
+
+ * http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt: Added.
+ * http/tests/contentextensions/sync-xhr-redirection-blocked.html: Added.
+ * http/tests/contentextensions/sync-xhr-redirection-blocked.html.json: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html: Added.
+ * platform/mac-wk1/TestExpectations:
+ * platform/win/TestExpectations:
+
2018-04-19 Ryan Haddad <ryanhad...@apple.com>
Unreviewed test gardening for iOS simulator.
Added: trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt (0 => 230810)
--- trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 22: Content blocker prevented frame displaying http://127.0.0.1:8000/contentextensions/sync-xhr-redirection-blocked.html from loading a resource from http://127.0.0.1:8000/resources/redirect.php?url=""
+CONSOLE MESSAGE: line 22: XMLHttpRequest cannot load http://127.0.0.1:8000/resources/redirect.php?url=""
+Synchronous status: 0, readyState:1, responseText:
+Synchronous status: 0, readyState:4, responseText:
+Synchronous error: NetworkError: A network error occurred.
+
Added: trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html (0 => 230810)
--- trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(text) {
+ document.body.appendChild(document.createTextNode(text));
+ document.body.appendChild(document.createElement("br"));
+}
+
+function runTest() {
+ var xhr = new XMLHttpRequest();
+ xhr._onreadystatechange_ = function() {
+ log("Synchronous status: " + xhr.status + ", readyState:" + xhr.readyState + ", responseText: " + xhr.responseText);
+ }
+
+ xhr.open("GET", "/resources/redirect.php?url="" false);
+ try {
+ xhr.send();
+ } catch (error) {
+ log("Synchronous error: " + error);
+ }
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+</body>
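Review bot: Nothing in this test states which hop of the request is expected to be blocked. The rule lives in the companion `.html.json` file (`"url-filter": "url-blocking-test"`) and has to be read against the URL passed to `xhr.open()` in `runTest()`. A short comment above that call would make the intent explicit, for example `// The initial URL does not match the content-blocker rule; only the redirect target does, so the block must be applied when the redirect is followed.` This assumes that is the intended setup, which cannot be confirmed here because the request URL is truncated on this page.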
Added: trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json (0 => 230810)
--- trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,10 @@
+[
+ {
+ "action": {
+ "type": "block"
+ },
+ "trigger": {
+ "url-filter": "url-blocking-test"
+ }
+ }
+]
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html (0 => 230810)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+</head>
+<body>
+<script>
+window._onload_ = function() {
+ const xhr = new XMLHttpRequest();
+ xhr.open("GET", "/resources/redirect.php?url="" false);
+ xhr.send();
+ alert("PASS: upgraded sync XHR after redirection");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+};
+</script>
+</body>
+</html>
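Review bot: The `alert("PASS: ...")` after `xhr.send()` fires unconditionally, so the test prints PASS for any sync XHR that returns without throwing, whether or not the request was actually upgraded. If `send()` throws, neither the alert nor `testRunner.notifyDone()` runs, so the test times out instead of reporting a failure. Checking the final URL scheme and wrapping the send in `try`/`catch` would make the result reflect the upgrade itself. The sketch below assumes `xhr.responseURL` reports the post-redirect URL for this load.

```html
    // … unchanged: XMLHttpRequest creation and open() …
    try {
        xhr.send();
        if (xhr.responseURL.startsWith("https:"))
            alert("PASS: upgraded sync XHR after redirection");
        else
            alert("FAIL: request was not upgraded, final URL " + xhr.responseURL);
    } catch (error) {
        alert("FAIL: " + error);
    }
    // … unchanged: testRunner.notifyDone() …
```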
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt (0 => 230810)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,2 @@
+ALERT: PASS: upgraded sync XHR after redirection
+This test opens a HTTPS window that loads insecure data via XHR. We should upgrade this request and thereby avoid a mixed content callback.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html (0 => 230810)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html 2018-04-19 17:54:35 UTC (rev 230810)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+</script>
+<p>This test opens a HTTPS window that loads insecure data via XHR. We should upgrade
+this request and thereby avoid a mixed content callback.</p>
+<script>
+_onload_ = function() {
+ window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html");
+}
+</script>
+</body>
+</html>
Modified: trunk/LayoutTests/platform/mac-wk1/TestExpectations (230809 => 230810)
--- trunk/LayoutTests/platform/mac-wk1/TestExpectations 2018-04-19 17:49:21 UTC (rev 230809)
+++ trunk/LayoutTests/platform/mac-wk1/TestExpectations 2018-04-19 17:54:35 UTC (rev 230810)
@@ -97,6 +97,9 @@
# rdar://problem/34716163 Breaks subsequent tests using response.xml
[ HighSierra+ ] http/tests/xmlhttprequest/range-test.html [ Skip ]
+# WK1 does not support sync XHR redirections as does WK2
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ]
+
### END OF (1) Failures with bug reports
########################################
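Review bot: The new `[ Skip ]` entry has no tracking bug, and the same is true of the identical entry added to `platform/win/TestExpectations`, where the neighbouring lines carry `webkit.org/b/...` references. Skipping a CSP `upgrade-insecure-requests` test leaves that enforcement path uncovered on these ports. A bug link on the line, in the form `webkit.org/b/<bug-id> http/tests/.../upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ]`, would keep the gap visible. The comment "WK1 does not support sync XHR redirections as does WK2" is also hard to parse; `# WK1, unlike WK2, does not support sync XHR redirections` reads more clearly.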
Modified: trunk/LayoutTests/platform/win/TestExpectations (230809 => 230810)
--- trunk/LayoutTests/platform/win/TestExpectations 2018-04-19 17:49:21 UTC (rev 230809)
+++ trunk/LayoutTests/platform/win/TestExpectations 2018-04-19 17:54:35 UTC (rev 230810)
@@ -2211,6 +2211,9 @@
webkit.org/b/140703 http/tests/xmlhttprequest/remember-bad-password.html [ Failure ]
webkit.org/b/140703 http/tests/xmlhttprequest/failed-auth.html [ Failure ]
+# WK1 does not support sync XHR redirections as does WK2
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ]
+
# CSP Stuff
http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html [ Failure ]
http/tests/security/contentSecurityPolicy/object-src-url-allowed.html [ Failure ]
Modified: trunk/Source/WebKit/ChangeLog (230809 => 230810)
--- trunk/Source/WebKit/ChangeLog 2018-04-19 17:49:21 UTC (rev 230809)
+++ trunk/Source/WebKit/ChangeLog 2018-04-19 17:54:35 UTC (rev 230810)
@@ -1,3 +1,13 @@
+2018-04-19 Youenn Fablet <you...@apple.com>
+
+ NetworkProcess should use CSP/content blockers for sync XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184760
+
+ Reviewed by Chris Dumez.
+
+ Setting CSP/ContentBlockers parameters for sync XHR loads.
+ * NetworkProcess/NetworkResourceLoader.cpp:
+
2018-04-19 Nan Wang <n_w...@apple.com>
AX: AOM: respect the accessibility setting for dispatching the accessible events
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (230809 => 230810)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-19 17:49:21 UTC (rev 230809)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-19 17:54:35 UTC (rev 230810)
@@ -109,6 +109,11 @@
if (synchronousReply) {
m_networkLoadChecker = NetworkLoadChecker::create(FetchOptions { m_parameters.options }, m_parameters.sessionID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef());
+ if (m_parameters.cspResponseHeaders)
+ m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
+#if ENABLE(CONTENT_EXTENSIONS)
+ m_networkLoadChecker->setContentExtensionController(URL { m_parameters.mainDocumentURL }, m_parameters.userContentControllerIdentifier);
+#endif
m_synchronousLoadData = std::make_unique<SynchronousLoadData>(WTFMove(synchronousReply));
}
}
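Review bot: The two new setters are handled asymmetrically, and the hunk does not say why. `setCSPResponseHeaders` is guarded by `if (m_parameters.cspResponseHeaders)`, while `setContentExtensionController` is called unconditionally with `m_parameters.mainDocumentURL` and `m_parameters.userContentControllerIdentifier`. If either of those can be empty or unset for some loads, the checker should either skip the call or be documented as tolerating it. The block would also benefit from a comment such as `// Sync loads are checked here in the network process, so CSP and content-blocker state from the load parameters must be forwarded to the checker.` Both inputs come from `m_parameters`, so when `cspResponseHeaders` is absent the checker runs with no policy; worth confirming that is intended rather than a missing-parameter case. The enclosing function starts outside the hunk.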