- Revision: 258465
- Author: [email protected]
- Date: 2020-03-14 03:22:51 -0700 (Sat, 14 Mar 2020)
Log Message

Set Origin header value to null rather than omitting it
https://bugs.webkit.org/show_bug.cgi?id=186030

Patch by Rob Buis <[email protected]> on 2020-03-14
Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

Update improved test result.

* web-platform-tests/fetch/origin/assorted.window-expected.txt:

Source/WebCore:

For every redirect, addHTTPOriginIfNeeded should be called to
make sure that the tainted origin logic is applied [1, Step 10] and
thus the request after redirect has the correct Origin header.

Make AppleWin treat 308 redirects like 307 and so keeping http
methods across redirects. This is similar to
https://bugs.webkit.org/show_bug.cgi?id=154348.

[1] https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::addHTTPOriginIfNeeded):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
* platform/network/cf/ResourceHandleCFURLConnectionDelegate.cpp:
(WebCore::ResourceHandleCFURLConnectionDelegate::createResourceRequest):

LayoutTests:

Update improved test result.

* http/tests/security/cors-post-redirect-307-expected.txt:
* http/tests/security/cors-post-redirect-307-pson-expected.txt:
* http/tests/security/cors-post-redirect-308-expected.txt:
Diff
Modified: trunk/LayoutTests/ChangeLog (258464 => 258465)
--- trunk/LayoutTests/ChangeLog 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/ChangeLog 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1,3 +1,16 @@
+2020-03-14 Rob Buis <[email protected]>
+
+ Set Origin header value to null rather than omitting it
+ https://bugs.webkit.org/show_bug.cgi?id=186030
+
+ Reviewed by Youenn Fablet.
+
+ Update improved test result.
+
+ * http/tests/security/cors-post-redirect-307-expected.txt:
+ * http/tests/security/cors-post-redirect-307-pson-expected.txt:
+ * http/tests/security/cors-post-redirect-308-expected.txt:
+
2020-03-13 Justin Fan <[email protected]>
PROGRESSION: webgl/1.0.3/conformance/textures/copy-tex-image-2d-formats.html is failing
Modified: trunk/LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt (258464 => 258465)
--- trunk/LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1 +1 @@
-There was no origin header
+Origin header value: null
Modified: trunk/LayoutTests/http/tests/security/cors-post-redirect-307-pson-expected.txt (258464 => 258465)
--- trunk/LayoutTests/http/tests/security/cors-post-redirect-307-pson-expected.txt 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/http/tests/security/cors-post-redirect-307-pson-expected.txt 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1 +1 @@
-There was no origin header
+Origin header value: null
Modified: trunk/LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt (258464 => 258465)
--- trunk/LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1 +1 @@
-There was no origin header
+Origin header value: null
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (258464 => 258465)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1,3 +1,14 @@
+2020-03-14 Rob Buis <[email protected]>
+
+ Set Origin header value to null rather than omitting it
+ https://bugs.webkit.org/show_bug.cgi?id=186030
+
+ Reviewed by Youenn Fablet.
+
+ Update improved test result.
+
+ * web-platform-tests/fetch/origin/assorted.window-expected.txt:
+
2020-03-13 Antoine Quint <[email protected]>
[iOS] 9 imported/w3c/web-platform-tests/pointerevents/pointerevent tests are failing since import in r253630
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt (258464 => 258465)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1,7 +1,7 @@
-FAIL Origin header and 308 redirect assert_equals: expected "null" but got "no Origin header"
+PASS Origin header and 308 redirect
PASS Origin header and GET navigation
-FAIL Origin header and POST navigation assert_equals: expected "null" but got "no Origin header"
+PASS Origin header and POST navigation
PASS Origin header and POST same-origin navigation with Referrer-Policy no-referrer
PASS Origin header and POST same-origin fetch no-cors mode with Referrer-Policy no-referrer
PASS Origin header and POST same-origin fetch cors mode with Referrer-Policy no-referrer
Modified: trunk/Source/WebCore/ChangeLog (258464 => 258465)
--- trunk/Source/WebCore/ChangeLog 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/Source/WebCore/ChangeLog 2020-03-14 10:22:51 UTC (rev 258465)
@@ -1,3 +1,27 @@
+2020-03-14 Rob Buis <[email protected]>
+
+ Set Origin header value to null rather than omitting it
+ https://bugs.webkit.org/show_bug.cgi?id=186030
+
+ Reviewed by Youenn Fablet.
+
+ For every redirect, addHTTPOriginIfNeeded should be called to
+ make sure that the tainted origin logic is applied [1, Step 10] and
+ thus the request after redirect has the correct Origin header.
+
+ Make AppleWin treat 308 redirects like 307 and so keeping http
+ methods across redirects. This is similar to
+ https://bugs.webkit.org/show_bug.cgi?id=154348.
+
+ [1] https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::addHTTPOriginIfNeeded):
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+ * platform/network/cf/ResourceHandleCFURLConnectionDelegate.cpp:
+ (WebCore::ResourceHandleCFURLConnectionDelegate::createResourceRequest):
+
2020-03-14 Ryosuke Niwa <[email protected]>
Call SVGTRefElement::buildPendingResource in SVGElement::didFinishInsertingNode
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (258464 => 258465)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-14 10:22:51 UTC (rev 258465)
@@ -3002,6 +3002,9 @@
if (request.httpMethod() == "GET" || request.httpMethod() == "HEAD")
return;
+ // FIXME: take referrer-policy into account.
+ // https://bugs.webkit.org/show_bug.cgi?id=209066
+
// For non-GET and non-HEAD methods, always send an Origin header so the
// server knows we support this feature.
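Review bot: The FIXME added after the GET/HEAD early return does not say what taking referrer-policy into account should change here: whether the policy should affect the early return above it, or the Origin value sent for the non-GET and non-HEAD methods below it. Suggest stating the intended behaviour in the comment itself (which policy should lead to which Origin value), so the comment stays useful without opening bug 209066.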
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (258464 => 258465)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-03-14 10:22:51 UTC (rev 258465)
@@ -669,6 +669,8 @@
updateRequestReferrer(newRequest, referrerPolicy(), previousRequest.httpReferrer());
+ FrameLoader::addHTTPOriginIfNeeded(newRequest, m_origin ? m_origin->toString() : String());
+
return { };
}
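Review bot: The added addHTTPOriginIfNeeded call passes String() when m_origin is null, and nothing at the call site says what an empty origin argument means to the callee. The log message ties this call to the tainted origin logic and the expected results change to "Origin header value: null", so a short comment here saying which input is expected to produce null after a redirect would let a reader check the call against [1, Step 10]. It is also worth confirming that calling this after updateRequestReferrer is the intended order, given the new FIXME about referrer-policy in addHTTPOriginIfNeeded.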
Modified: trunk/Source/WebCore/platform/network/cf/ResourceHandleCFURLConnectionDelegate.cpp (258464 => 258465)
--- trunk/Source/WebCore/platform/network/cf/ResourceHandleCFURLConnectionDelegate.cpp 2020-03-14 07:15:14 UTC (rev 258464)
+++ trunk/Source/WebCore/platform/network/cf/ResourceHandleCFURLConnectionDelegate.cpp 2020-03-14 10:22:51 UTC (rev 258465)
@@ -138,7 +138,7 @@
{
ResourceRequest request;
CFHTTPMessageRef httpMessage = CFURLResponseGetHTTPResponse(redirectResponse);
- if (httpMessage && CFHTTPMessageGetResponseStatusCode(httpMessage) == 307) {
+ if (httpMessage && (CFHTTPMessageGetResponseStatusCode(httpMessage) == 307 || CFHTTPMessageGetResponseStatusCode(httpMessage) == 308)) {
RetainPtr<CFStringRef> lastHTTPMethod = m_handle->lastHTTPMethod().createCFString();
RetainPtr<CFStringRef> newMethod = adoptCF(CFURLRequestCopyHTTPRequestMethod(cfRequest));
if (CFStringCompareWithOptions(lastHTTPMethod.get(), newMethod.get(), CFRangeMake(0, CFStringGetLength(lastHTTPMethod.get())), kCFCompareCaseInsensitive)) {
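Review bot: The new condition calls CFHTTPMessageGetResponseStatusCode(httpMessage) twice on the changed line. Reading it once into a local, e.g. `auto statusCode = httpMessage ? CFHTTPMessageGetResponseStatusCode(httpMessage) : 0;`, and testing `statusCode == 307 || statusCode == 308` keeps the line short and makes the list of codes easier to audit. Because this branch compares against m_handle->lastHTTPMethod(), a 308 response now goes through the same method handling as 307; a one-line comment saying why exactly these two codes are listed would document that for the next reader.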