Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 25f31b9f2734664450d1c78cd144bb37cab55f88
https://github.com/WebKit/WebKit/commit/25f31b9f2734664450d1c78cd144bb37cab55f88
Author: Chris Dumez <[email protected]>
Date: 2026-05-30 (Sat, 30 May 2026)
Changed paths:
R LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt
R LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl
R LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt
R LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl
R LayoutTests/http/tests/xmlhttprequest/cookies-expected.txt
R LayoutTests/http/tests/xmlhttprequest/cookies.html
A LayoutTests/http/wpt/websockets/secure-cookie-insecure-connection.https-expected.txt
A LayoutTests/http/wpt/websockets/secure-cookie-insecure-connection.https.py
A LayoutTests/http/wpt/websockets/secure-cookie-secure-connection.https-expected.txt
A LayoutTests/http/wpt/websockets/secure-cookie-secure-connection.https.py
A LayoutTests/http/wpt/xhr/cookies.https-expected.txt
A LayoutTests/http/wpt/xhr/cookies.https.html
A LayoutTests/http/wpt/xhr/resources/get-set-cookie.py
M LayoutTests/imported/w3c/resources/config.json
R LayoutTests/platform/glib/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt
R LayoutTests/platform/ios/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt
R LayoutTests/platform/mac/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt
M Tools/Scripts/webkitpy/layout_tests/servers/web_platform_test_server.py
Log Message:
-----------
Several layout tests assume Secure cookies are filtered on http/ws to 127.0.0.1
https://bugs.webkit.org/show_bug.cgi?id=315652
rdar://178016328

Reviewed by Alex Christensen and Jonathan Bedard.

CFNetwork now treats loopback hosts (127.0.0.0/8, ::1, localhost,
*.localhost) as "potentially trustworthy" for cookie purposes
(rdar://168179921). On a loopback URL, the scheme no longer matters: a
Secure cookie can be set from an http response and is also sent on
plain ws/http requests. Three layout tests that asserted the opposite
behavior on 127.0.0.1 broke as a result:
- http/tests/websocket/tests/hybi/secure-cookie-insecure-connection
  now sees the Secure cookie leak through ws://.
- http/tests/websocket/tests/hybi/secure-cookie-secure-connection
  now actually passes its cross-platform expected output and no
  longer matches the platform-specific FAIL baselines that were
  written when the Secure cookie could not be set over http.
- http/tests/xmlhttprequest/cookies now sees the Secure cookie sent
  on a plain http XHR.

Fix by moving each test under LayoutTests/http/wpt/ and bouncing off
localhost to web-platform.test. CFNetwork's isLoopbackHost() checks
the literal hostname string, so web-platform.test is treated as truly
insecure on http/ws and the original assertions hold on both the old
and the new CFNetwork. Tests under http/wpt/ are flagged as
is_wpt_test by the layout test infrastructure, which guarantees the
WPT server (and its DNS resolver for web-platform.test) is started --
this is what allowed an earlier attempt that left the tests in
http/tests/ to time out on EWS, since the runner did not start the
WPT DNS server when only HTTP tests were in the test set.

The test pages bounce through https://web-platform.test:9443 (the WPT
HTTPS port, which honors the Secure attribute regardless of
CFNetwork's loopback rule), then redirect to plain http or open the
ws/wss connection for the verification step. The deleted
platform-specific expected files baked in a stale "FAIL" message that
referred to a now-fixed pywebsocket Secure-cookie quirk.

* LayoutTests/http/wpt/websockets/secure-cookie-insecure-connection.https.py:
Added. Python WPT handler in three phases. Phase 1 (loaded via
localhost) bounces to https://web-platform.test:9443. Phase 2 sets
both cookies on the https response and bounces to
http://web-platform.test:8800. Phase 3 opens ws://web-platform.test:49001
and asserts only the non-Secure cookie is sent. Cleanup XHR carries
CORS headers so the cross-origin clear works.
* LayoutTests/http/wpt/websockets/secure-cookie-insecure-connection.https-expected.txt:
Renamed from
LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt.
* LayoutTests/http/wpt/websockets/secure-cookie-secure-connection.https.py:
Added. Python WPT handler in two phases. Phase 1 (loaded via
localhost) bounces to https://web-platform.test:9443. Phase 2 sets
both cookies on the https response and opens
wss://web-platform.test:49002, asserting both cookies are sent.
* LayoutTests/http/wpt/websockets/secure-cookie-secure-connection.https-expected.txt:
Renamed from
LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt
and updated to reflect that both cookies are now expected on wss.
* LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl:
Removed.
* LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl:
Removed.
Replaced by the .https.py WPT handlers above.
* LayoutTests/platform/glib/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt:
Removed.
* LayoutTests/platform/ios/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt:
Removed.
* LayoutTests/platform/mac/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt:
Removed.
The platform-specific FAIL baselines are obsolete; the cross-platform
expected file matches actual behavior on every port.
* LayoutTests/http/wpt/xhr/cookies.https.html:
Added. Three-phase HTML test mirroring the websocket
insecure-connection test: bounce localhost ->
https://web-platform.test:9443 -> http://web-platform.test:8800
so the Secure cookie is set in the
jar by the https phase and the http XHR still asserts it is
filtered out.
* LayoutTests/http/wpt/xhr/cookies.https-expected.txt:
Renamed from LayoutTests/http/tests/xmlhttprequest/cookies-expected.txt.
* LayoutTests/http/tests/xmlhttprequest/cookies.html: Removed.
* LayoutTests/http/wpt/xhr/resources/get-set-cookie.py: Added. Python
WPT handler that returns Set-Cookie response headers for WK-test and
WK-test-secure, with CORS headers on the clear path so the
cross-origin cleanup XHR from the http verify phase succeeds.
* LayoutTests/imported/w3c/resources/config.json:
Add a wss port (49002) so the secure-connection test can open wss://
against the WPT server. The config previously declared only ws
(49001).
* Tools/Scripts/webkitpy/layout_tests/servers/web_platform_test_server.py:
Mark wss ports as needing an SSL cert when building the port mapping
list, alongside the existing https handling.

Canonical link: https://commits.webkit.org/314206@main
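
A small model of the cookie rule the log message above describes, as an added example (not WebKit or CFNetwork code): it shows why a Secure cookie reaches ws://127.0.0.1 under the loopback rule but is still filtered on ws://web-platform.test, whose name is not a loopback literal. The function names, the `loopback_trusted` switch and the 127.0.0.1:8880 URL are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}

def is_loopback_host(host: str) -> bool:
    """Literal-hostname check in the spirit of the isLoopbackHost() behaviour
    described above: the string is inspected, no DNS lookup is done."""
    host = host.strip("[]").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # Covers 127.0.0.0/8 and ::1.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A DNS name such as web-platform.test is never loopback here,
        # even when a test resolver maps it to 127.0.0.1.
        return False

def secure_cookie_allowed(url: str, loopback_trusted: bool) -> bool:
    """True if a Secure cookie may be sent to (or set from) this URL.
    loopback_trusted=False models the old rule, True the new one."""
    parts = urlsplit(url)
    if parts.scheme in SECURE_SCHEMES:
        return True
    return loopback_trusted and is_loopback_host(parts.hostname or "")

def cookies_sent(url: str, jar: dict, loopback_trusted: bool) -> list:
    """jar maps cookie name -> has Secure attribute; returns names sent."""
    return sorted(name for name, secure in jar.items()
                  if not secure or secure_cookie_allowed(url, loopback_trusted))

# Cookie names are the ones the log message mentions; the jar is constructed.
JAR = {"WK-test": False, "WK-test-secure": True}

if __name__ == "__main__":
    for url in ("ws://127.0.0.1:8880/",            # constructed loopback URL
                "ws://web-platform.test:49001/",
                "http://web-platform.test:8800/",
                "wss://web-platform.test:49002/"):
        for trusted in (False, True):
            print(url, "loopback_trusted=%s" % trusted,
                  cookies_sent(url, JAR, trusted))
```
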