Title: [295473] trunk
Revision
295473
Author
[email protected]
Date
2022-06-10 23:23:41 -0700 (Fri, 10 Jun 2022)

Log Message

CORS checks shouldn't unblock cookies
https://bugs.webkit.org/show_bug.cgi?id=241527

Reviewed by Brent Fulgham.

If cookies have been blocked, a request that has been made with {credentials: 'include'} shouldn't un-block the cookies.

* Source/WebCore/loader/CrossOriginAccessControl.cpp:
(WebCore::updateRequestForAccessControl):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKContentExtensionStore.mm:
(TEST_F):

Canonical link: https://commits.webkit.org/251478@main

Modified Paths

Diff

Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (295472 => 295473)


--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2022-06-11 05:34:43 UTC (rev 295472)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2022-06-11 06:23:41 UTC (rev 295473)
@@ -77,7 +77,8 @@
 void updateRequestForAccessControl(ResourceRequest& request, SecurityOrigin& securityOrigin, StoredCredentialsPolicy storedCredentialsPolicy)
 {
     request.removeCredentials();
-    request.setAllowCookies(storedCredentialsPolicy == StoredCredentialsPolicy::Use);
+    if (request.allowCookies())
+        request.setAllowCookies(storedCredentialsPolicy == StoredCredentialsPolicy::Use);
     request.setHTTPOrigin(securityOrigin.toString());
 }
 
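Review bot: The new `if (request.allowCookies())` guard in updateRequestForAccessControl carries no comment saying why cookies must never be re-enabled at this point; the reason (the flag may already have been cleared by cookie blocking) lives only in the commit message. I would add above the guard: `// Only ever narrow cookie access here: allowCookies() may already be false because cookies were blocked for this request.` It is also worth confirming, since it is not visible in this hunk, that no other caller derives `setAllowCookies(...)` directly from the stored-credentials policy after blocking has run, because the same un-blocking would recur there.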

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKContentExtensionStore.mm (295472 => 295473)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKContentExtensionStore.mm	2022-06-11 05:34:43 UTC (rev 295472)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKContentExtensionStore.mm	2022-06-11 06:23:41 UTC (rev 295473)
@@ -24,19 +24,24 @@
  */
 
 #import "config.h"
-#import <WebKit/WKFoundation.h>
 
+#import "HTTPServer.h"
 #import "PlatformUtilities.h"
 #import "Test.h"
 #import "TestNavigationDelegate.h"
+#import "TestUIDelegate.h"
 #import "TestURLSchemeHandler.h"
 #import <WebKit/WKContentRuleList.h>
 #import <WebKit/WKContentRuleListStorePrivate.h>
+#import <WebKit/WKFoundation.h>
+#import <WebKit/WKHTTPCookieStorePrivate.h>
 #import <WebKit/WKUserContentControllerPrivate.h>
 #import <WebKit/WKWebpagePreferencesPrivate.h>
+#import <WebKit/WKWebsiteDataStorePrivate.h>
 #import <WebKit/_WKContentRuleListAction.h>
 #import <WebKit/_WKUserContentExtensionStore.h>
 #import <WebKit/_WKUserContentFilter.h>
+#import <WebKit/_WKWebsiteDataStoreConfiguration.h>
 #import <wtf/RetainPtr.h>
 #import <wtf/Vector.h>
 #import <wtf/text/WTFString.h>
@@ -206,6 +211,83 @@
     TestWebKitAPI::Util::run(&doneRemoving);
 }
 
+TEST_F(WKContentRuleListStoreTest, CrossOriginCookieBlocking)
+{
+    using namespace TestWebKitAPI;
+
+    auto cookiePresentWhenBlocking = [] (bool blockCookies) {
+
+        std::optional<bool> requestHadCookieResult;
+
+        HTTPServer server(HTTPServer::UseCoroutines::Yes, [&] (Connection connection) -> Task {
+            while (true) {
+                auto request = co_await connection.awaitableReceiveHTTPRequest();
+                auto path = HTTPServer::parsePath(request);
+                auto response = [&] {
+                    if (path == "/com"_s)
+                        return HTTPResponse({ { "Set-Cookie"_s, "testCookie=42; Path=/; SameSite=None; Secure"_s } }, "<script>alert('hi')</script>"_s);
+                    if (path == "/org"_s)
+                        return HTTPResponse("<script>fetch('https://example.com/cookie-check', {credentials: 'include'})</script>"_s);
+                    if (path == "/cookie-check"_s) {
+                        auto cookieHeader = "Cookie: testCookie=42";
+                        requestHadCookieResult = memmem(request.data(), request.size(), cookieHeader, strlen(cookieHeader));
+                        return HTTPResponse("hi"_s);
+                    }
+                    RELEASE_ASSERT_NOT_REACHED();
+                }();
+                co_await connection.awaitableSend(response.serialize());
+            }
+        }, HTTPServer::Protocol::HttpsProxy);
+
+        auto storeConfiguration = adoptNS([[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration]);
+        [storeConfiguration setAllowsServerPreconnect:NO];
+        [storeConfiguration setProxyConfiguration:@{
+            (NSString *)kCFStreamPropertyHTTPSProxyHost: @"127.0.0.1",
+            (NSString *)kCFStreamPropertyHTTPSProxyPort: @(server.port())
+        }];
+
+        auto dataStore = adoptNS([[WKWebsiteDataStore alloc] _initWithConfiguration:storeConfiguration.get()]);
+        [dataStore _setResourceLoadStatisticsEnabled:NO];
+        __block bool setPolicy { false };
+        [dataStore.get().httpCookieStore _setCookieAcceptPolicy:NSHTTPCookieAcceptPolicyAlways completionHandler:^{
+            setPolicy = true;
+        }];
+        Util::run(&setPolicy);
+
+        auto viewConfiguration = adoptNS([WKWebViewConfiguration new]);
+        [viewConfiguration setWebsiteDataStore:dataStore.get()];
+
+        if (blockCookies) {
+            __block bool doneCompiling { false };
+            NSString *json = @"[{\"action\":{\"type\":\"block-cookies\"},\"trigger\":{\"url-filter\":\"cookie-check\"}}]";
+            [[WKContentRuleListStore defaultStore] compileContentRuleListForIdentifier:@"TestBlockCookies" encodedContentRuleList:json completionHandler:^(WKContentRuleList *compiledRuleList, NSError *error) {
+                EXPECT_FALSE(error);
+                [[viewConfiguration userContentController] addContentRuleList:compiledRuleList];
+                doneCompiling = true;
+            }];
+            TestWebKitAPI::Util::run(&doneCompiling);
+        }
+
+        auto webView = adoptNS([[WKWebView alloc] initWithFrame:CGRectZero configuration:viewConfiguration.get()]);
+        auto delegate = adoptNS([TestNavigationDelegate new]);
+        delegate.get().didReceiveAuthenticationChallenge = ^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+            completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+        };
+        webView.get().navigationDelegate = delegate.get();
+
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"https://example.com/com"]]];
+        [delegate waitForDidFinishNavigation];
+
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"https://example.org/org"]]];
+        while (!requestHadCookieResult)
+            Util::spinRunLoop();
+        return *requestHadCookieResult;
+    };
+
+    EXPECT_FALSE(cookiePresentWhenBlocking(true));
+    EXPECT_TRUE(cookiePresentWhenBlocking(false));
+}
+
 TEST_F(WKContentRuleListStoreTest, NonExistingIdentifierRemove)
 {
     __block bool doneRemoving = false;
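Review bot: The wait at the end of the lambda, `while (!requestHadCookieResult) Util::spinRunLoop();`, has no bound, so if the fetch issued by the /org page never reaches /cookie-check the test hangs until the harness kills it instead of failing with a message. A bounded wait that records a failure when the result is still unset would make that case diagnosable. Separately, in the compile completion handler `EXPECT_FALSE(error)` does not stop a nil `compiledRuleList` from being passed to `addContentRuleList:`; an early exit such as `if (!compiledRuleList) { doneCompiling = true; return; }` keeps a compile failure an ordinary test failure. The test also asserts only on a `fetch` with `{credentials: 'include'}`, so any other request paths that go through updateRequestForAccessControl are not covered by it.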