Title: [229907] trunk
Revision
229907
Author
you...@apple.com
Date
2018-03-23 11:06:34 -0700 (Fri, 23 Mar 2018)

Log Message

DocumentThreadableLoader should send credentials after redirections and preflight if fetch option credentials is include
https://bugs.webkit.org/show_bug.cgi?id=183928

Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

* web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html: Added.
* web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.js: Added.
* web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html: Added.
* web-platform-tests/fetch/api/resources/inspect-headers.py:
* web-platform-tests/fetch/api/resources/redirect.py:

Source/WebCore:

Tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html
       imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html

When the credentials mode is include, keep sending credentials even after a redirection with preflight.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (229906 => 229907)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2018-03-23 18:06:08 UTC (rev 229906)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2018-03-23 18:06:34 UTC (rev 229907)
@@ -1,3 +1,16 @@
+2018-03-23  Youenn Fablet  <you...@apple.com>
+
+        DocumentThreadableLoader should send credentials after redirections and preflight if fetch option credentials is include
+        https://bugs.webkit.org/show_bug.cgi?id=183928
+
+        Reviewed by Chris Dumez.
+
+        * web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html: Added.
+        * web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.js: Added.
+        * web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html: Added.
+        * web-platform-tests/fetch/api/resources/inspect-headers.py:
+        * web-platform-tests/fetch/api/resources/redirect.py:
+
 2018-03-23  Sergio Villar Senin  <svil...@igalia.com>
 
         [css-grid] Fix auto repeat tracks computation with definite min sizes

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any-expected.txt (0 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any-expected.txt	2018-03-23 18:06:34 UTC (rev 229907)
@@ -0,0 +1,6 @@
+
+PASS Set cookies 
+PASS Testing credentials after cross-origin redirection with CORS and no preflight 
+PASS Testing credentials after cross-origin redirection with CORS and preflight 
+PASS Clean cookies 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html (0 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html	2018-03-23 18:06:34 UTC (rev 229907)
@@ -0,0 +1 @@
+<!-- This file is required for WebKit test infrastructure to run the templated test -->
\ No newline at end of file

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.js (0 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.js	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.js	2018-03-23 18:06:34 UTC (rev 229907)
@@ -0,0 +1,49 @@
+// META: script=/common/utils.js
+// META: script=../resources/utils.js
+// META: script=/common/get-host-info.sub.js
+
+var redirectUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "redirect.py";
+var urlSetCookies1 = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "top.txt";
+var urlSetCookies2 = get_host_info().HTTP_ORIGIN_WITH_DIFFERENT_PORT + dirname(location.pathname) + RESOURCES_DIR + "top.txt";
+var urlCheckCookies = get_host_info().HTTP_ORIGIN_WITH_DIFFERENT_PORT + dirname(location.pathname) + RESOURCES_DIR + "inspect-headers.py?cors&headers=cookie";
+
+var urlSetCookiesParameters = "?pipe=header(Access-Control-Allow-Origin," + location.origin + ")";
+urlSetCookiesParameters += "|header(Access-Control-Allow-Credentials,true)";
+
+urlSetCookiesParameters1 = urlSetCookiesParameters + "|header(Set-Cookie,a=1)";
+urlSetCookiesParameters2 = urlSetCookiesParameters + "|header(Set-Cookie,a=2)";
+
+urlClearCookiesParameters1 = urlSetCookiesParameters + "|header(Set-Cookie,a=1%3B%20max-age=0)";
+urlClearCookiesParameters2 = urlSetCookiesParameters + "|header(Set-Cookie,a=2%3B%20max-age=0)";
+
+promise_test(async (test) => {
+    await fetch(urlSetCookies1 + urlSetCookiesParameters1, {"credentials": "include", "mode": "cors"});
+    await fetch(urlSetCookies2 + urlSetCookiesParameters2, {"credentials": "include", "mode": "cors"});
+}, "Set cookies");
+
+function doTest(usePreflight) {
+    promise_test(async (test) => {
+        var url = ""
+        var uuid_token = token();
+        var urlParameters = "?token=" + uuid_token + "&max_age=0";
+        urlParameters += "&redirect_status=301";
+        urlParameters += "&location=" + encodeURIComponent(urlCheckCookies);
+        urlParameters += "&allow_headers=a&headers=Cookie";
+        headers = [];
+        if (usePreflight)
+            headers.push(["a", "b"]);
+
+        var requestInit = {"credentials": "include", "mode": "cors", "headers": headers};
+        var response = await fetch(url + urlParameters, requestInit);
+
+        assert_equals(response.headers.get("x-request-cookie") , "a=2", "Request includes cookie(s)");
+    }, "Testing credentials after cross-origin redirection with CORS and " + (usePreflight ? "" : "no ") + "preflight");
+}
+
+doTest(false);
+doTest(true);
+
+promise_test(async (test) => {
+    await fetch(urlSetCookies1 + urlClearCookiesParameters1, {"credentials": "include", "mode": "cors"});
+    await fetch(urlSetCookies2 + urlClearCookiesParameters2, {"credentials": "include", "mode": "cors"});
+}, "Clean cookies");
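Review bot: In `doTest`, `var url = ""` makes `fetch(url + urlParameters, requestInit)` a relative request to the test page itself, and `redirectUrl` defined at the top of the file is never used, so as shown the request never reaches redirect.py and the cross-origin redirect named in the test title is not exercised. Unless this is an artifact of how the page was rendered, the line should read `var url = redirectUrl;`. Both cases also assert only that the cookie is sent with `"credentials": "include"`; a companion case using `"credentials": "same-origin"` that asserts no cookie reaches inspect-headers.py after the redirect would pin the boundary this commit moves. `headers` and the `urlSetCookiesParameters1`/`2` and `urlClearCookiesParameters1`/`2` variables are assigned without `var`, which creates implicit globals.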

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker-expected.txt (0 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker-expected.txt	2018-03-23 18:06:34 UTC (rev 229907)
@@ -0,0 +1,6 @@
+
+PASS Set cookies 
+PASS Testing credentials after cross-origin redirection with CORS and no preflight 
+PASS Testing credentials after cross-origin redirection with CORS and preflight 
+PASS Clean cookies 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html (0 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html	2018-03-23 18:06:34 UTC (rev 229907)
@@ -0,0 +1 @@
+<!-- This file is required for WebKit test infrastructure to run the templated test -->
\ No newline at end of file

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/inspect-headers.py (229906 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/inspect-headers.py	2018-03-23 18:06:08 UTC (rev 229906)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/inspect-headers.py	2018-03-23 18:06:34 UTC (rev 229907)
@@ -16,7 +16,10 @@
         headers.append(("Access-Control-Allow-Methods", "GET, POST, HEAD"))
         exposed_headers = ["x-request-" + header for header in checked_headers]
         headers.append(("Access-Control-Expose-Headers", ", ".join(exposed_headers)))
-        headers.append(("Access-Control-Allow-Headers", ", ".join(request.headers)))
+        if "allow_headers" in request.GET:
+            headers.append(("Access-Control-Allow-Headers", request.GET['allow_headers']))
+        else:
+            headers.append(("Access-Control-Allow-Headers", ", ".join(request.headers)))
 
     headers.append(("content-type", "text/plain"))
     return headers, ""
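Review bot: The new branch copies `request.GET['allow_headers']` straight into the `Access-Control-Allow-Headers` response header with no check on its contents. That is workable for a test resource, but the value should either be limited to a comma-separated list of header-name tokens or the branch should carry a comment such as `# Test-only: caller-chosen allow list, echoed unvalidated.` so the pattern is not copied elsewhere. Reading it with `request.GET.first("allow_headers")` would also match how redirect.py reads `token`. The enclosing handler starts outside this hunk.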

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py (229906 => 229907)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py	2018-03-23 18:06:08 UTC (rev 229906)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/resources/redirect.py	2018-03-23 18:06:34 UTC (rev 229907)
@@ -6,10 +6,14 @@
     status = 302
     headers = [("Content-Type", "text/plain"),
                ("Cache-Control", "no-cache"),
-               ("Pragma", "no-cache"),
-               ("Access-Control-Allow-Origin", "*")]
+               ("Pragma", "no-cache")]
+    if "Origin" in request.headers:
+        headers.append(("Access-Control-Allow-Origin", request.headers.get("Origin", "")))
+        headers.append(("Access-Control-Allow-Credentials", "true"))
+    else:
+        headers.append(("Access-Control-Allow-Origin", "*"))
+
     token = None
-
     if "token" in request.GET:
         token = request.GET.first("token")
         data = ""
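Review bot: The added branch echoes whatever `Origin` the request carries into `Access-Control-Allow-Origin` and pairs it with `Access-Control-Allow-Credentials: true`, which grants credentialed read access to any origin, and nothing in the hunk marks this as acceptable only because the file is a test resource. A comment above the branch, for example `# Test resource: reflects any Origin with credentials allowed; not a pattern for real endpoints.`, would make that explicit. The default in `request.headers.get("Origin", "")` is dead inside the `if "Origin" in request.headers` check and can be written `request.headers.get("Origin")`. The handler continues past the end of the hunk.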

Modified: trunk/Source/WebCore/ChangeLog (229906 => 229907)


--- trunk/Source/WebCore/ChangeLog	2018-03-23 18:06:08 UTC (rev 229906)
+++ trunk/Source/WebCore/ChangeLog	2018-03-23 18:06:34 UTC (rev 229907)
@@ -1,3 +1,18 @@
+2018-03-23  Youenn Fablet  <you...@apple.com>
+
+        DocumentThreadableLoader should send credentials after redirections and preflight if fetch option credentials is include
+        https://bugs.webkit.org/show_bug.cgi?id=183928
+
+        Reviewed by Chris Dumez.
+
+        Tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.html
+               imported/w3c/web-platform-tests/fetch/api/cors/cors-cookies-redirect.any.worker.html
+
+        In case mode is include, keep sending credentials even after redirection with preflight.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived):
+
 2018-03-23  Tim Horton  <timothy_hor...@apple.com>
 
         Fix the build after r229858

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (229906 => 229907)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2018-03-23 18:06:08 UTC (rev 229906)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2018-03-23 18:06:34 UTC (rev 229907)
@@ -283,7 +283,8 @@
     if (m_options.credentials != FetchOptions::Credentials::SameOrigin && m_simpleRequest && isSimpleCrossOriginAccessRequest(request.httpMethod(), *m_originalHeaders))
         return completionHandler(WTFMove(request));
 
-    m_options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
+    if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
+        m_options.storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
 
     clearResource();
 
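Review bot: The new guard `if (m_options.credentials == FetchOptions::Credentials::SameOrigin)` leaves `storedCredentialsPolicy` untouched for every mode other than SameOrigin, so the Omit case now depends on the policy already being `DoNotUse` before this point, which the hunk does not show. Writing the condition as `if (m_options.credentials != FetchOptions::Credentials::Include)` would keep the previous fail-closed reset for everything except the one mode that is meant to keep sending credentials. A one-line comment above it, such as `// Only credentials: include keeps stored credentials across a redirect that needs a preflight.`, would record why the reset is conditional. The body of redirectReceived starts and ends outside this hunk.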