Title: [236627] trunk
Revision: 236627
Author: drou...@apple.com
Date: 2018-09-28 17:22:08 -0700 (Fri, 28 Sep 2018)

Log Message

Web Inspector: crash in InspectorNetworkAgent::didReceiveResponse when loading denied x-frame resources
https://bugs.webkit.org/show_bug.cgi?id=190046

Reviewed by Joseph Pecoraro.

Source/WebKit:

* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
Send the sanitized `ResourceResponse` with the message so WebInspector is able to access it.

* WebProcess/Network/WebResourceLoader.h:
* WebProcess/Network/WebResourceLoader.cpp:
* WebProcess/Network/WebResourceLoader.messages.in:
(WebKit::WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):

LayoutTests:

* http/tests/inspector/network/resources/x-frame-options.php: Added.
* http/tests/inspector/network/x-frame-options-expected.txt: Added.
* http/tests/inspector/network/x-frame-options.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (236626 => 236627)


--- trunk/LayoutTests/ChangeLog	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/LayoutTests/ChangeLog	2018-09-29 00:22:08 UTC (rev 236627)
@@ -1,3 +1,14 @@
+2018-09-28  Devin Rousso  <drou...@apple.com>
+
+        Web Inspector: crash in InspectorNetworkAgent::didReceiveResponse when loading denied x-frame resources
+        https://bugs.webkit.org/show_bug.cgi?id=190046
+
+        Reviewed by Joseph Pecoraro.
+
+        * http/tests/inspector/network/resources/x-frame-options.php: Added.
+        * http/tests/inspector/network/x-frame-options-expected.txt: Added.
+        * http/tests/inspector/network/x-frame-options.html: Added.
+
 2018-09-28  Jiewen Tan  <jiewen_...@apple.com>
 
         [WebAuthN] Polish WebAuthN auto-test environment

Added: trunk/LayoutTests/http/tests/inspector/network/resources/x-frame-options.php (0 => 236627)


--- trunk/LayoutTests/http/tests/inspector/network/resources/x-frame-options.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/network/resources/x-frame-options.php	2018-09-29 00:22:08 UTC (rev 236627)
@@ -0,0 +1,9 @@
+<?php
+
+$option = isset($_GET['option']) ? $_GET['option'] : 'DENY';
+
+header('X-Frame-Options: ' . $option);
+
+echo $option;
+
+?>
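
Review bot: `$option` goes from `$_GET['option']` straight into both `header()` and `echo` with no validation, so this fixture reflects arbitrary query input into a response header and into the body. The test only ever requests `DENY` and `SAMEORIGIN`; checking the value against that allowlist, and falling back to `DENY` otherwise, keeps the resource from acting as a reflection endpoint if the test server is reachable by anything other than the test runner.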

Added: trunk/LayoutTests/http/tests/inspector/network/x-frame-options-expected.txt (0 => 236627)


--- trunk/LayoutTests/http/tests/inspector/network/x-frame-options-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/network/x-frame-options-expected.txt	2018-09-29 00:22:08 UTC (rev 236627)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/inspector/network/resources/x-frame-options.php?option=DENY' in a frame because it set 'X-Frame-Options' to 'DENY'.
+Tests for various X-Frame-Options headers.
+
+
+== Running test suite: Network.XFrameOptions
+-- Running test case: Network.XFrameOptions.Denied
+PASS: X-Frame-Options headers should match.
+
+-- Running test case: Network.XFrameOptions.Sameorigin
+PASS: X-Frame-Options headers should match.
+

Added: trunk/LayoutTests/http/tests/inspector/network/x-frame-options.html (0 => 236627)


--- trunk/LayoutTests/http/tests/inspector/network/x-frame-options.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/network/x-frame-options.html	2018-09-29 00:22:08 UTC (rev 236627)
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+function createIFrame(option) {
+    let iframe = document.createElement("iframe");
+    iframe.src = ""
+    document.body.appendChild(iframe);
+}
+
+function test()
+{
+    let suite = InspectorTest.createAsyncSuite("Network.XFrameOptions");
+
+    suite.addTestCase({
+        name: "Network.XFrameOptions.Denied",
+        description: "Ensure that X-Frame-Options/CSP denials are recieved.",
+        async test() {
+            const option = "DENY";
+            InspectorTest.evaluateInPage(`createIFrame("${option}")`);
+
+            let event = await WI.Resource.awaitEvent(WI.Resource.Event.ResponseReceived);
+
+            let resource = event.target;
+            InspectorTest.expectEqual(resource.responseHeaders["X-Frame-Options"], option, "X-Frame-Options headers should match.");
+        }
+    });
+
+    suite.addTestCase({
+        name: "Network.XFrameOptions.Sameorigin",
+        description: "Ensure that X-Frame-Options/CSP denials are recieved.",
+        async test() {
+            const option = "SAMEORIGIN";
+            InspectorTest.evaluateInPage(`createIFrame("${option}")`);
+
+            let event = await WI.Resource.awaitEvent(WI.Resource.Event.ResponseReceived);
+
+            let resource = event.target;
+            InspectorTest.expectEqual(resource.responseHeaders["X-Frame-Options"], option, "X-Frame-Options headers should match.");
+        }
+    });
+
+    suite.runTestCasesAndFinish();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+<p>Tests for various X-Frame-Options headers.</p>
+</body>
+</html>
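
Review bot: the `Network.XFrameOptions.Sameorigin` case reuses the description "Ensure that X-Frame-Options/CSP denials are recieved.", but the expected output records a "Refused to display" console message only for `DENY`, so this case appears to cover an allowed load rather than a denial. Reword its description to say so, and fix the spelling of "recieved" in both cases. The handler being fixed is named for Content Security Policy denials as well, yet neither case sends a `Content-Security-Policy` header; a `frame-ancestors` case would cover that branch.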

Modified: trunk/Source/WebKit/ChangeLog (236626 => 236627)


--- trunk/Source/WebKit/ChangeLog	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/Source/WebKit/ChangeLog	2018-09-29 00:22:08 UTC (rev 236627)
@@ -1,3 +1,20 @@
+2018-09-28  Devin Rousso  <drou...@apple.com>
+
+        Web Inspector: crash in InspectorNetworkAgent::didReceiveResponse when loading denied x-frame resources
+        https://bugs.webkit.org/show_bug.cgi?id=190046
+
+        Reviewed by Joseph Pecoraro.
+
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::didReceiveResponse):
+        (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+        Send the sanitized `ResourceResponse` with the message so WebInspector is able to access it.
+
+        * WebProcess/Network/WebResourceLoader.h:
+        * WebProcess/Network/WebResourceLoader.cpp:
+        * WebProcess/Network/WebResourceLoader.messages.in:
+        (WebKit::WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
+
 2018-09-28  Jiewen Tan  <jiewen_...@apple.com>
 
         [WebAuthN] Polish WebAuthN auto-test environment
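
Review bot: the second group of files (`WebResourceLoader.h`, `WebResourceLoader.cpp`, `WebResourceLoader.messages.in`) ends at the function name with no description, unlike the `NetworkResourceLoader.cpp` entry above it. Add a line saying that the handler now takes the `ResourceResponse` from the message and forwards it to the document loader in place of an empty one.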

Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (236626 => 236627)


--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2018-09-29 00:22:08 UTC (rev 236627)
@@ -462,7 +462,8 @@
         return completionHandler(PolicyAction::Use);
 
     if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(m_response)) {
-        send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { });
+        auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe);
+        send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { response });
         return completionHandler(PolicyAction::Ignore);
     }
 
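Review bot: the name `sanitizeResponseIfPossible` implies there are cases where the response comes back unsanitized, and the result is now sent to the WebProcess for a load that policy has just denied. The condition is not visible in this hunk; please confirm, ideally in a comment at this call, that a cross-origin response on this path always gets the `CrossOriginSafe` treatment before `send(...)`.
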
@@ -779,7 +780,8 @@
     auto response = entry->response();
 
     if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(response)) {
-        send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { });
+        response = sanitizeResponseIfPossible(WTFMove(response), ResourceResponse::SanitizationType::CrossOriginSafe);
+        send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { response });
         return;
     }
     if (m_networkLoadChecker) {
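
Review bot: this cached-entry branch in `didRetrieveCacheEntry` gets the same change as `didReceiveResponse`, but the added layout test loads each option once, so nothing visibly exercises it. A test case that requests the same denied URL a second time, with the resource made cacheable, would cover this path.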

Modified: trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp (236626 => 236627)


--- trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp	2018-09-29 00:22:08 UTC (rev 236627)
@@ -182,12 +182,12 @@
     m_coreLoader->didBlockAuthenticationChallenge();
 }
 
-void WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()
+void WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(const ResourceResponse& response)
 {
     LOG(Network, "(WebProcess) WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied for '%s'", m_coreLoader->url().string().latin1().data());
     RELEASE_LOG_IF_ALLOWED("stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ")", m_trackingParameters.pageID, m_trackingParameters.frameID, m_trackingParameters.resourceID);
 
-    m_coreLoader->documentLoader()->stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(m_coreLoader->identifier(), ResourceResponse { });
+    m_coreLoader->documentLoader()->stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(m_coreLoader->identifier(), response);
 }
 
 #if ENABLE(SHAREABLE_RESOURCE)
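
Review bot: the removed call passed `ResourceResponse { }` to `documentLoader()->stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied`, and the crash in the title is in `InspectorNetworkAgent::didReceiveResponse`. Passing the real response fixes this caller, but if the agent cannot handle a null or empty response it is worth guarding there as well, so that another caller cannot reintroduce the crash.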

Modified: trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.h (236626 => 236627)


--- trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.h	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.h	2018-09-29 00:22:08 UTC (rev 236627)
@@ -83,7 +83,7 @@
     void didFailResourceLoad(const WebCore::ResourceError&);
     void didBlockAuthenticationChallenge();
 
-    void stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied();
+    void stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(const WebCore::ResourceResponse&);
 
 #if ENABLE(SHAREABLE_RESOURCE)
     void didReceiveResource(const ShareableResource::Handle&);

Modified: trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.messages.in (236626 => 236627)


--- trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.messages.in	2018-09-29 00:15:57 UTC (rev 236626)
+++ trunk/Source/WebKit/WebProcess/Network/WebResourceLoader.messages.in	2018-09-29 00:22:08 UTC (rev 236627)
@@ -30,7 +30,7 @@
     DidFailResourceLoad(WebCore::ResourceError error)
     DidBlockAuthenticationChallenge()
 
-    StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()
+    StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(WebCore::ResourceResponse response)
 
 #if ENABLE(SHAREABLE_RESOURCE)
     // DidReceiveResource is for when we have the entire resource data available at once, such as when the resource is cached in memory