WebKit Bugzilla
Attachment 356815 details for Bug 165508: Add wildcard to Access-Control-Allow-Methods and Access-Control-Allow-Headers
Patch bug-165508-20181207175359.patch (text/plain), 12.04 KB, created by Rob Buis on 2018-12-07 08:53:59 PST
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 238951 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index cfd3fe4b3a060b505fda1f947e5006592b03e384..3a138f28dfccfac95e7540c190442d75e7c1e26c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,27 @@ >+2018-12-07 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to the spec [1] step 6.5, a wildcard for method >+ and request's credentials mode should be taken into account, so >+ add this to the check. Same for ccess-Control-Allow-Headers (step 6.7). >+ >+ [1] https://fetch.spec.whatwg.org/#cors-preflight-fetch >+ >+ Tests: web-platform-tests/fetch/api/cors/cors-preflight-star.any.html >+ web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker.html >+ >+ * loader/CrossOriginAccessControl.cpp: >+ (WebCore::validatePreflightResponse): >+ * loader/CrossOriginPreflightResultCache.cpp: >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders const): >+ (WebCore::CrossOriginPreflightResultCacheItem::allowsRequest const): >+ * loader/CrossOriginPreflightResultCache.h: >+ > 2018-12-07 Thibault Saunier <tsaunier@igalia.com> > > [WPE][GTK] Implement WebAudioSourceProviderGStreamer to allow bridging MediaStream and the WebAudio APIs >diff --git a/Source/WebCore/loader/CrossOriginAccessControl.cpp b/Source/WebCore/loader/CrossOriginAccessControl.cpp >index 0d26a1faac183574043faa7b4a9ec6d11180b817..976fe5a24cba817ce49643def05e9b772c0cda0c 100644 >--- a/Source/WebCore/loader/CrossOriginAccessControl.cpp >+++ b/Source/WebCore/loader/CrossOriginAccessControl.cpp 
>@@ -207,8 +207,8 @@ bool validatePreflightResponse(const ResourceRequest& request, const ResourceRes > > auto result = std::make_unique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy); > if (!result->parse(response, errorDescription) >- || !result->allowsCrossOriginMethod(request.httpMethod(), errorDescription) >- || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), errorDescription)) { >+ || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription) >+ || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) { > return false; > } > >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >index 632b68daa8085982d212a472ce74ed5cff578f4c..acb309712639a05d4b1a86bac262209942c370bf 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp 
>@@ -81,21 +81,22 @@ bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response > return true; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(const String& method, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >- if (m_methods.contains(method) || isOnAccessControlSimpleRequestMethodWhitelist(method)) >+ if (m_methods.contains(method) || (m_methods.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) || isOnAccessControlSimpleRequestMethodWhitelist(method)) > return true; > > errorDescription = "Method " + method + " is not allowed by Access-Control-Allow-Methods."; > return false; > } > >-bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, String& errorDescription) const >+bool CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(const HTTPHeaderMap& requestHeaders, StoredCredentialsPolicy storedCredentialsPolicy, String& errorDescription) const > { >+ bool validWildcard = m_headers.contains("*") && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse; > for (const auto& header : requestHeaders) { > if (header.keyAsHTTPHeaderName && isCrossOriginSafeRequestHeader(header.keyAsHTTPHeaderName.value(), header.value)) > continue; >- if (!m_headers.contains(header.key)) { >+ if (!m_headers.contains(header.key) && !validWildcard) { > errorDescription = "Request header field " + header.key + " is not allowed by Access-Control-Allow-Headers."; > return false; > } 
>@@ -110,9 +111,9 @@ bool CrossOriginPreflightResultCacheItem::allowsRequest(StoredCredentialsPolicy > return false; > if (storedCredentialsPolicy == StoredCredentialsPolicy::Use && m_storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse) > return false; >- if (!allowsCrossOriginMethod(method, ignoredExplanation)) >+ if (!allowsCrossOriginMethod(method, storedCredentialsPolicy, ignoredExplanation)) > return false; >- if (!allowsCrossOriginHeaders(requestHeaders, ignoredExplanation)) >+ if (!allowsCrossOriginHeaders(requestHeaders, storedCredentialsPolicy, ignoredExplanation)) > return false; > return true; > } >diff --git a/Source/WebCore/loader/CrossOriginPreflightResultCache.h b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >index 965de6f8a07bdc78c08e0f1c2e7219e1eda40473..6111160bab555a35194f5cf0c32630518378281c 100644 >--- a/Source/WebCore/loader/CrossOriginPreflightResultCache.h >+++ b/Source/WebCore/loader/CrossOriginPreflightResultCache.h >@@ -46,8 +46,8 @@ public: > } > > WEBCORE_EXPORT bool parse(const ResourceResponse&, String& errorDescription); >- WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, String& errorDescription) const; >- WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const; >+ WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const; > bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const; > > private: >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index c9bfe6214271411a524d66dc09a3d6975b12cdbf..62ccc08bc14b55075adef1a5d8c899f4f8447725 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog 
>@@ -1,3 +1,13 @@ >+2018-12-07 Rob Buis <rbuis@igalia.com> >+ >+ Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers >+ https://bugs.webkit.org/show_bug.cgi?id=165508 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt: >+ * web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt: >+ > 2018-12-05 Youenn Fablet <youenn@apple.com> > > [iOS] Layout Test imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-xhr.https.html is a flaky failure >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >index 5fd22b933dfe59afcbae26e6cc162cade1364314..43ddf79028e68b33573da7c7091cacc257d6b46b 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any-expected.txt >@@ -1,7 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=x-test& due to access control checks. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=*&allow_headers=*& due to access control checks. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. 
>@@ -14,8 +10,8 @@ CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/preflight.py?origin=http://localhost:8800&credentials&allow_methods=put&allow_headers=*& due to access control checks. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >index 3afb4fb0d77e74db949680834389874fb2b51acd..ec24c35ca1c5ea85948e543bb64a2275fba20e45 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-star.any.worker-expected.txt 
>@@ -1,5 +1,3 @@ >-CONSOLE MESSAGE: Method SUPER is not allowed by Access-Control-Allow-Methods. >-CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method OK is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Allow-Headers. >@@ -7,8 +5,8 @@ CONSOLE MESSAGE: Request header field X-Test is not allowed by Access-Control-Al > CONSOLE MESSAGE: Method PUT is not allowed by Access-Control-Allow-Methods. > > PASS CORS that succeeds with credentials: false; method: GET (allowed: get); header: X-Test,1 (allowed: x-test) >-FAIL CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) promise_test: Unhandled rejection with value: object "TypeError: Method SUPER is not allowed by Access-Control-Allow-Methods." >-FAIL CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) promise_test: Unhandled rejection with value: object "TypeError: Method OK is not allowed by Access-Control-Allow-Methods." >+PASS CORS that succeeds with credentials: false; method: SUPER (allowed: *); header: X-Test,1 (allowed: x-test) >+PASS CORS that succeeds with credentials: false; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: OK (allowed: *); header: X-Test,1 (allowed: *) > PASS CORS that fails with credentials: true; method: PUT (allowed: *); header: (allowed: ) > PASS CORS that succeeds with credentials: true; method: PUT (allowed: PUT); header: (allowed: *)
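Review bot: Typo in the Source/WebCore/ChangeLog description: "Same for ccess-Control-Allow-Headers (step 6.7)" should read "Access-Control-Allow-Headers". The entry's title also names Access-Control-Expose-Headers, but nothing in this patch touches Expose-Headers handling (only allowsCrossOriginMethod and allowsCrossOriginHeaders change, plus the call sites in validatePreflightResponse and allowsRequest); either drop it from the title or state that the Expose-Headers part is handled elsewhere.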
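Review bot: In the CrossOriginPreflightResultCache.cpp hunk, when m_methods contains "*" but storedCredentialsPolicy is StoredCredentialsPolicy::Use, the caller still gets "Method " + method + " is not allowed by Access-Control-Allow-Methods.", which hides the real reason (a wildcard is deliberately ignored for credentialed requests); a distinct errorDescription for that case would make the console message actionable, and the same applies to the "Request header field ... is not allowed by Access-Control-Allow-Headers." message in allowsCrossOriginHeaders. Style-wise, the new one-line condition in allowsCrossOriginMethod is long enough that hoisting the wildcard test into a named local, as validWildcard already does in allowsCrossOriginHeaders, would keep the two functions consistent. In allowsCrossOriginHeaders, the only early failure visible in the loop is guarded by `&& !validWildcard`, so an `if (validWildcard) return true;` before the loop would state the intent directly instead of re-testing the flag on every header.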
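Review bot: In allowsRequest, the two new calls forward the caller's storedCredentialsPolicy rather than the cached m_storedCredentialsPolicy. That is the right value to use (the wildcard has to be judged against the request being matched, and the check two lines above already rejects a StoredCredentialsPolicy::Use request against an entry stored with DoNotUse), but a short comment saying that the request's policy, not the entry's, governs the wildcard would save the next reader from wondering whether m_storedCredentialsPolicy was intended.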
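Review bot: The LayoutTests/imported/w3c/ChangeLog entry repeats the title naming Access-Control-Expose-Headers, while the updated expectations only cover the Allow-Methods and Allow-Headers wildcard cases; keep it in sync with whatever the Source/WebCore/ChangeLog title ends up as.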
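Review bot: The cors-preflight-star.any-expected.txt update is consistent with the code change: only the two "credentials: false" wildcard cases (method SUPER with allowed: *, and method OK with allowed: *) flip from FAIL to PASS, while the "CORS that fails with credentials: true" cases keep their CONSOLE MESSAGE lines, which confirms "*" is still rejected when credentials are used. Worth a final check that the four CONSOLE MESSAGE lines removed at the top of the file belong only to those two tests and that the remaining messages line up with the "fails with credentials: true" cases in the same order.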