- Revision
- 259308
- Author
- commit-qu...@webkit.org
- Date
- 2020-03-31 13:21:48 -0700 (Tue, 31 Mar 2020)
Log Message
Append Upgrade-Insecure-Requests header in CachedResourceLoader
https://bugs.webkit.org/show_bug.cgi?id=209664
Patch by Rob Buis <rb...@igalia.com> on 2020-03-31
Reviewed by Youenn Fablet.
Append Upgrade-Insecure-Requests header in CachedResourceLoader, following
the fetch spec [1, step 3].
[1] https://fetch.spec.whatwg.org/#concept-main-fetch
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::populateFrameLoadRequest):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::addExtraFieldsToMainResourceRequest):
(WebCore::FrameLoader::loadDifferentDocumentItem):
(WebCore::createWindow):
(WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Deleted.
* loader/FrameLoader.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (259307 => 259308)
--- trunk/Source/WebCore/ChangeLog 2020-03-31 20:13:48 UTC (rev 259307)
+++ trunk/Source/WebCore/ChangeLog 2020-03-31 20:21:48 UTC (rev 259308)
@@ -1,3 +1,26 @@
+2020-03-31 Rob Buis <rb...@igalia.com>
+
+ Append Upgrade-Insecure-Requests header in CachedResourceLoader
+ https://bugs.webkit.org/show_bug.cgi?id=209664
+
+ Reviewed by Youenn Fablet.
+
+ Append Upgrade-Insecure-Requests header in CachedResourceLoader, following
+ the fetch spec [1, step 3].
+
+ [1] https://fetch.spec.whatwg.org/#concept-main-fetch
+
+ * loader/FormSubmission.cpp:
+ (WebCore::FormSubmission::populateFrameLoadRequest):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::addExtraFieldsToMainResourceRequest):
+ (WebCore::FrameLoader::loadDifferentDocumentItem):
+ (WebCore::createWindow):
+ (WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Deleted.
+ * loader/FrameLoader.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::requestResource):
+
2020-03-31 Pinki Gyanchandani <pgyanchand...@apple.com>
Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
Modified: trunk/Source/WebCore/loader/FormSubmission.cpp (259307 => 259308)
--- trunk/Source/WebCore/loader/FormSubmission.cpp 2020-03-31 20:13:48 UTC (rev 259307)
+++ trunk/Source/WebCore/loader/FormSubmission.cpp 2020-03-31 20:21:48 UTC (rev 259308)
@@ -253,7 +253,6 @@
auto origin = SecurityPolicy::generateOriginHeader(frameRequest.requester().referrerPolicy(), frameRequest.resourceRequest().url(), securityOrigin);
frameRequest.resourceRequest().setHTTPOrigin(origin);
}
- FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(frameRequest.resourceRequest());
}
}
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (259307 => 259308)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-31 20:13:48 UTC (rev 259307)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-31 20:21:48 UTC (rev 259308)
@@ -2885,9 +2885,6 @@
// FIXME: Using m_loadType seems wrong for some callers.
// If we are only preparing to load the main resource, that is previous load's load type!
addExtraFieldsToRequest(request, m_loadType, true);
-
- // Upgrade-Insecure-Requests should only be added to main resource requests
- addHTTPUpgradeInsecureRequestsIfNeeded(request);
}
ResourceRequestCachePolicy FrameLoader::defaultRequestCachingPolicy(const ResourceRequest& request, FrameLoadType loadType, bool isMainResource)
@@ -3002,16 +2999,6 @@
request.setIsSameSite(areRegistrableDomainsEqual(initiator->siteForCookies(), request.url()));
}
-void FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest& request)
-{
- if (request.url().protocolIs("https")) {
- // FIXME: Identify HSTS cases and avoid adding the header. <https://bugs.webkit.org/show_bug.cgi?id=157885>
- return;
- }
-
- request.setHTTPHeaderField(HTTPHeaderName::UpgradeInsecureRequests, "1"_s);
-}
-
void FrameLoader::loadPostRequest(FrameLoadRequest&& request, const String& referrer, FrameLoadType loadType, Event* event, RefPtr<FormState>&& formState, CompletionHandler<void()>&& completionHandler)
{
FRAMELOADER_RELEASE_LOG_IF_ALLOWED(ResourceLoading, "loadPostRequest: frame load started");
@@ -3785,7 +3772,6 @@
auto origin = SecurityPolicy::generateOriginHeader(m_frame.document()->referrerPolicy(), request.url(), securityOrigin);
request.setHTTPOrigin(origin);
}
- addHTTPUpgradeInsecureRequestsIfNeeded(request);
// Make sure to add extra fields to the request after the Origin header is added for the FormData case.
// See https://bugs.webkit.org/show_bug.cgi?id=22194 for more discussion.
@@ -4101,7 +4087,6 @@
String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
if (!referrer.isEmpty())
request.resourceRequest().setHTTPReferrer(referrer);
- FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(request.resourceRequest());
FrameLoader::addSameSiteInfoToRequestIfNeeded(request.resourceRequest(), openerFrame.document());
Page* oldPage = openerFrame.page();
Modified: trunk/Source/WebCore/loader/FrameLoader.h (259307 => 259308)
--- trunk/Source/WebCore/loader/FrameLoader.h 2020-03-31 20:13:48 UTC (rev 259307)
+++ trunk/Source/WebCore/loader/FrameLoader.h 2020-03-31 20:21:48 UTC (rev 259308)
@@ -224,7 +224,6 @@
void addExtraFieldsToSubresourceRequest(ResourceRequest&);
void addExtraFieldsToMainResourceRequest(ResourceRequest&);
- static void addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest&);
static void addSameSiteInfoToRequestIfNeeded(ResourceRequest&, const Document* initiator = nullptr);
const FrameLoaderClient& client() const { return m_client.get(); }
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (259307 => 259308)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2020-03-31 20:13:48 UTC (rev 259307)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2020-03-31 20:21:48 UTC (rev 259308)
@@ -813,9 +813,15 @@
if (InspectorInstrumentation::willInterceptRequest(&frame, request.resourceRequest()))
request.setCachingPolicy(CachingPolicy::DisallowCaching);
- request.updateReferrerPolicy(document() ? document()->referrerPolicy() : ReferrerPolicy::NoReferrerWhenDowngrade);
URL url = ""
+ if (request.options().destination == FetchOptions::Destination::Document) {
+ // FIXME: Identify HSTS cases and avoid adding the header. <https://bugs.webkit.org/show_bug.cgi?id=157885>
+ if (!url.protocolIs("https"))
+ request.resourceRequest().setHTTPHeaderField(HTTPHeaderName::UpgradeInsecureRequests, "1"_s);
+ }
+ request.updateReferrerPolicy(document() ? document()->referrerPolicy() : ReferrerPolicy::NoReferrerWhenDowngrade);
+
LOG(ResourceLoading, "CachedResourceLoader::requestResource '%.255s', charset '%s', priority=%d, forPreload=%u", url.stringCenterEllipsizedToLength().latin1().data(), request.charset().latin1().data(), request.priority() ? static_cast<int>(request.priority().value()) : -1, forPreload == ForPreload::Yes);
if (!url.isValid()) {
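Review bot: The new guard `if (!url.protocolIs("https"))` in requestResource is true for every non-HTTPS scheme and also for an invalid URL, because it runs before the `if (!url.isValid())` check that closes the hunk, so Upgrade-Insecure-Requests is set on requests that can never be upgraded. This matches the deleted FrameLoader helper, but if only plain HTTP is meant the inline code could say so with `if (url.protocolIs("http"))`, or the block could move below the validity check. The decision also uses `url` as captured at this point; if the request URL is rewritten later in the function (not visible here, the body starts and ends outside the hunk), the header would stay on a request that ends up HTTPS, which is worth confirming. The rationale from the removed call site is lost as well, and a comment such as `// Upgrade-Insecure-Requests is only sent for main resource (document) requests.` above the destination check would keep it.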