Title: [287627] branches/safari-612-branch
- Revision
- 287627
- Author
- repst...@apple.com
- Date
- 2022-01-05 10:21:03 -0800 (Wed, 05 Jan 2022)
Log Message
Cherry-pick r286940. rdar://problem/85388372
Implement step 17 of main fetch algorithm
https://bugs.webkit.org/show_bug.cgi?id=234140
Reviewed by Brent Fulgham.
LayoutTests/imported/w3c:
* web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
* web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
Source/WebCore:
The step was already implemented for resources that are not loaded through DocumentThreadableLoader; the same step now needs to be performed inside DocumentThreadableLoader as well.
Covered by existing updated tests.
* loader/DocumentThreadableLoader.cpp:
* loader/DocumentThreadableLoader.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286940 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog (287626 => 287627)
--- branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog 2022-01-05 18:21:03 UTC (rev 287627)
@@ -1,3 +1,39 @@
+2022-01-05 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r286940. rdar://problem/85388372
+
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ LayoutTests/imported/w3c:
+
+ * web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
+ * web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
+
+ Source/WebCore:
+
+ The step was implemented for non DocumentThreadableLoader resources, we need to also do the same step within DocumentThreadableLoader.
+
+ Covered by existing updated tests.
+
+ * loader/DocumentThreadableLoader.cpp:
+ * loader/DocumentThreadableLoader.h:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286940 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-12-13 Youenn Fablet <you...@apple.com>
+
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ * web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
+ * web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
+
2021-11-04 Russell Epstein <repst...@apple.com>
Cherry-pick r282379. rdar://problem/85039227
Modified: branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html (287626 => 287627)
--- branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html 2022-01-05 18:21:03 UTC (rev 287627)
@@ -108,6 +108,30 @@
'should ignore the path component of the URL.');
})
.then(function() {
+ return assert_resolves(
+ frame.contentWindow.fetch(IMAGE_URL + "&fetch1", { mode: 'no-cors'}),
+ 'Allowed scope fetch resource should be loaded.');
+ })
+ .then(function() {
+ return assert_resolves(
+ frame.contentWindow.fetch(
+ // The request for IMAGE_URL will be fetched in SW.
+ './sample?url=''&fetch2'), { mode: 'no-cors'}),
+ 'Allowed scope fetch resource which was fetched via SW should be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.fetch(REMOTE_IMAGE_URL + "&fetch3", { mode: 'no-cors'}),
+ 'Disallowed scope fetch resource should not be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.fetch(
+ // The request for REMOTE_IMAGE_URL will be fetched in SW.
+ './sample?url=''&fetch4'), { mode: 'no-cors'}),
+ 'Disallowed scope fetch resource which was fetched via SW should not be loaded.');
+ })
+ .then(function() {
frame.remove();
});
}, 'Verify CSP control of fetch() in a Service Worker');
Modified: branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers (287626 => 287627)
--- branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers 2022-01-05 18:21:03 UTC (rev 287627)
@@ -1 +1 @@
-Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}
+Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'unsafe-inline' 'self'
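Review bot: `'unsafe-inline'` in the new `connect-src` value on the `+` line has no effect, because that keyword is only meaningful for the script and style directives; the behaviour the updated test depends on (same-origin fetches allowed, the remote image origin blocked) comes from `'self'` alone, so the extra keyword at best invites an "ignored source" warning and at worst makes a reader think it widens the policy. Suggested line: `Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'self'`. If it was kept deliberately to stay byte-identical with the upstream WPT resource, a sentence saying so in the ChangeLog would spare the next reader the same question.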
Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (287626 => 287627)
--- branches/safari-612-branch/Source/WebCore/ChangeLog 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog 2022-01-05 18:21:03 UTC (rev 287627)
@@ -1,5 +1,45 @@
2022-01-05 Russell Epstein <repst...@apple.com>
+ Cherry-pick r286940. rdar://problem/85388372
+
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ LayoutTests/imported/w3c:
+
+ * web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
+ * web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
+
+ Source/WebCore:
+
+ The step was implemented for non DocumentThreadableLoader resources, we need to also do the same step within DocumentThreadableLoader.
+
+ Covered by existing updated tests.
+
+ * loader/DocumentThreadableLoader.cpp:
+ * loader/DocumentThreadableLoader.h:
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286940 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-12-13 Youenn Fablet <you...@apple.com>
+
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ The step was implemented for non DocumentThreadableLoader resources, we need to also do the same step within DocumentThreadableLoader.
+
+ Covered by existing updated tests.
+
+ * loader/DocumentThreadableLoader.cpp:
+ * loader/DocumentThreadableLoader.h:
+
+2022-01-05 Russell Epstein <repst...@apple.com>
+
Cherry-pick r285710. rdar://problem/87125070
REGRESSION(r285624) Using revert keyword with a css variable hits assert
Modified: branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp (287626 => 287627)
--- branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2022-01-05 18:21:03 UTC (rev 287627)
@@ -404,6 +404,16 @@
ASSERT(m_client);
ASSERT(response.type() != ResourceResponse::Type::Error);
+#if ENABLE(SERVICE_WORKER)
+ // https://fetch.spec.whatwg.org/commit-snapshots/6257e220d70f560a037e46f1b4206325400db8dc/#main-fetch step 17.
+ if (response.source() == ResourceResponse::Source::ServiceWorker && response.url() != m_resource->url()) {
+ if (!isResponseAllowedByContentSecurityPolicy(response)) {
+ reportContentSecurityPolicyError(response.url());
+ return;
+ }
+ }
+#endif
+
InspectorInstrumentation::didReceiveThreadableLoaderResponse(*this, identifier);
if (m_delayCallbacksForIntegrityCheck)
@@ -691,6 +701,11 @@
return false;
}
+bool DocumentThreadableLoader::isResponseAllowedByContentSecurityPolicy(const ResourceResponse& response)
+{
+ return isAllowedByContentSecurityPolicy(response.url(), ContentSecurityPolicy::RedirectResponseReceived::Yes, { });
+}
+
bool DocumentThreadableLoader::isAllowedRedirect(const URL& url)
{
if (m_options.mode == FetchOptions::Mode::NoCors)
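Review bot: The new helper `isResponseAllowedByContentSecurityPolicy` in the second hunk needs a comment, because passing `ContentSecurityPolicy::RedirectResponseReceived::Yes` for a response the service worker substituted is not self-explanatory; if that flag does here what it does for real redirects elsewhere in this loader (its implementation is outside the hunk), the path component of source expressions is not matched, so a policy like `connect-src https://host/allowed/` would still admit a worker-supplied response for `https://host/other/`, which is looser than the request-time check the same policy gets. Suggested comment above the `return`: `// A service-worker-supplied response for a different URL is treated like a redirect to that URL (no pre-redirect URL is available), so path matching of source expressions is skipped; confirm this is the intended reading of main-fetch step 17.` In the first hunk, `m_resource->url()` is dereferenced unconditionally inside `didReceiveResponse`, whose signature and remainder lie outside the hunk; if that method is also reached on a path where `m_resource` is never set (the synchronous load path, if it shares this entry point), the condition wants a guard such as `if (response.source() == ResourceResponse::Source::ServiceWorker && m_resource && response.url() != m_resource->url())`.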
Modified: branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.h (287626 => 287627)
--- branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2022-01-05 18:20:59 UTC (rev 287626)
+++ branches/safari-612-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2022-01-05 18:21:03 UTC (rev 287627)
@@ -104,6 +104,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL());
+ bool isResponseAllowedByContentSecurityPolicy(const ResourceResponse&);
SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;