WebKit Bugzilla
Attachment 359611 Details for Bug 186030: Set Origin header value to null rather than omitting it
Patch: bug-186030-20190119173204.patch (text/plain), 9.47 KB, created by Rob Buis on 2019-01-19 08:32:04 PST
>Subversion Revision: 240151 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index d87b9c076a3b9c17a9e4f7577c742169192e321c..d7a90eebac09bf6fc69eeed4cad0e54a1fd5f32a 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,23 @@ >+2019-01-19 Rob Buis <rbuis@igalia.com> >+ >+ Set Origin header value to null rather than omitting it >+ https://bugs.webkit.org/show_bug.cgi?id=186030 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ In HTTP-network-or-cache fetch [1] step 10 should be performed (besides >+ CORS mode) also if the request method is not 'GET' or 'HEAD'. >+ Since the serializing of the request origin depends on the tainted >+ origin flag, determine the flag before serializing. >+ >+ Test: web-platform-tests/fetch/origin/no-cors.any.js >+ >+ [1] https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch >+ >+ * loader/SubresourceLoader.cpp: >+ * loader/SubresourceLoader.cpp: >+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): >+ > 2019-01-18 Charlie Turner <cturner@igalia.com> > > [GStreamer][EME][ClearKey] Request keys from CDMInstance rather than passing via bus messages >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 927032f3b170c207eb385a98aab9de74eabf284a..a27ef82e48858647cbf29449c7201b0e6333e21a 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,25 @@ >+2019-01-19 Rob Buis <rbuis@igalia.com> >+ >+ Set Origin header value to null rather than omitting it >+ https://bugs.webkit.org/show_bug.cgi?id=186030 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ In HTTP-network-or-cache fetch [1] step 10 should be performed (besides >+ CORS mode) also if the request method is not 'GET' or 'HEAD'. >+ Since the serializing of the request origin depends on the tainted >+ origin flag, determine the flag before serializing. >+ >+ Test: web-platform-tests/fetch/origin/no-cors.any.js >+ >+ [1] https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch >+ >+ * NetworkProcess/NetworkLoadChecker.cpp: >+ (WebKit::NetworkLoadChecker::continueCheckingRequest): >+ (WebKit::NetworkLoadChecker::updateOriginIfNeeded): >+ (WebKit::NetworkLoadChecker::checkCORSRedirectedRequest): >+ * NetworkProcess/NetworkLoadChecker.h: >+ > 2019-01-18 Philippe Normand <pnormand@igalia.com> > > [WPE] Add Qt extension >diff --git a/Source/WebCore/loader/SubresourceLoader.cpp b/Source/WebCore/loader/SubresourceLoader.cpp >index 483ecd3c13d61e69a358eb81cca6e364cc452009..4131c9226f08711db9ce34353e0678fa3563e826 100644 >--- a/Source/WebCore/loader/SubresourceLoader.cpp >+++ b/Source/WebCore/loader/SubresourceLoader.cpp 
>@@ -593,12 +593,15 @@ bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceR > > // Implementing https://fetch.spec.whatwg.org/#concept-http-redirect-fetch step 14. > updateReferrerPolicy(redirectResponse.httpHeaderField(HTTPHeaderName::ReferrerPolicy)); >- >- if (options().mode == FetchOptions::Mode::Cors && redirectingToNewOrigin) { >- cleanHTTPRequestHeadersForAccessControl(newRequest, options().httpHeadersToKeep); >- updateRequestForAccessControl(newRequest, *m_origin, options().storedCredentialsPolicy); >- } >- >+ >+ if (options().mode == FetchOptions::Mode::Cors) { >+ if (redirectingToNewOrigin) { >+ cleanHTTPRequestHeadersForAccessControl(newRequest, options().httpHeadersToKeep); >+ updateRequestForAccessControl(newRequest, *m_origin, options().storedCredentialsPolicy); >+ } >+ } else if (newRequest.httpMethod() != "GET" && newRequest.httpMethod() != "HEAD") >+ newRequest.setHTTPOrigin(m_origin->toString()); >+ > updateRequestReferrer(newRequest, referrerPolicy(), previousRequest.httpReferrer()); > > return true; >diff --git a/Source/WebCore/platform/network/ResourceRequestBase.h b/Source/WebCore/platform/network/ResourceRequestBase.h >index b470274b115dffda108118d146844b2c7668d23f..623b3174f4a3b2c1857868c0ae794bf948e6c5e6 100644 >--- a/Source/WebCore/platform/network/ResourceRequestBase.h >+++ b/Source/WebCore/platform/network/ResourceRequestBase.h >@@ -127,7 +127,7 @@ public: > > WEBCORE_EXPORT String httpOrigin() const; > bool hasHTTPOrigin() const; >- void setHTTPOrigin(const String&); >+ WEBCORE_EXPORT void setHTTPOrigin(const String&); > WEBCORE_EXPORT void clearHTTPOrigin(); > > WEBCORE_EXPORT String httpUserAgent() const; >diff --git a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >index 0ec8ff17dc70d0e472e410a0a5c6428465ead6a0..516182c3d39136384fafd4099fba9efe1ee494dc 100644 >--- a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 
>+++ b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >@@ -316,6 +316,10 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali > m_isSameOriginRequest = m_isSameOriginRequest && isSameOrigin(request.url(), m_origin.get()); > > if (doesNotNeedCORSCheck(request.url())) { >+ if (isRedirected() && request.httpMethod() != "GET" && request.httpMethod() != "HEAD") { >+ updateOriginIfNeeded(request.url()); >+ request.setHTTPOrigin(m_origin->toString()); >+ } > handler(WTFMove(request)); > return; > } >@@ -357,6 +361,16 @@ void NetworkLoadChecker::checkCORSRequest(ResourceRequest&& request, ValidationH > } > } > >+void NetworkLoadChecker::updateOriginIfNeeded(const URL& redirectUrl) >+{ >+ if (!m_origin->canRequest(m_previousURL) && !protocolHostAndPortAreEqual(m_previousURL, redirectUrl)) { >+ // Use a unique origin for subsequent loads if needed. >+ // https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10). >+ if (!m_origin || !m_origin->isUnique()) >+ m_origin = SecurityOrigin::createUnique(); >+ } >+} >+ > void NetworkLoadChecker::checkCORSRedirectedRequest(ResourceRequest&& request, ValidationHandler&& handler) > { > ASSERT(m_options.mode == FetchOptions::Mode::Cors); >@@ -365,12 +379,7 @@ void NetworkLoadChecker::checkCORSRedirectedRequest(ResourceRequest&& request, V > // Force any subsequent request to use these checks. > m_isSameOriginRequest = false; > >- if (!m_origin->canRequest(m_previousURL) && !protocolHostAndPortAreEqual(m_previousURL, request.url())) { >- // Use a unique origin for subsequent loads if needed. >- // https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10). >- if (!m_origin || !m_origin->isUnique()) >- m_origin = SecurityOrigin::createUnique(); >- } >+ updateOriginIfNeeded(request.url()); > > // FIXME: We should set the request referrer according the referrer policy. 
> >diff --git a/Source/WebKit/NetworkProcess/NetworkLoadChecker.h b/Source/WebKit/NetworkProcess/NetworkLoadChecker.h >index c95cd4c3ef7e4553d9d7df70a2bf20a6f7c01442..37015ece1cbe8ee4915723d657b5073fad70d66c 100644 >--- a/Source/WebKit/NetworkProcess/NetworkLoadChecker.h >+++ b/Source/WebKit/NetworkProcess/NetworkLoadChecker.h >@@ -105,6 +105,7 @@ private: > void checkCORSRequest(WebCore::ResourceRequest&&, ValidationHandler&&); > void checkCORSRedirectedRequest(WebCore::ResourceRequest&&, ValidationHandler&&); > void checkCORSRequestWithPreflight(WebCore::ResourceRequest&&, ValidationHandler&&); >+ void updateOriginIfNeeded(const URL&); > > RequestOrRedirectionTripletOrError accessControlErrorForValidationHandler(String&&); > >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 02d3c2e4b3d975456db164f4f3fa52b039a17b3e..172df9eb0b49fc6249bacf6a469e0b2ed00be4b1 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog >@@ -1,3 +1,15 @@ >+2019-01-19 Rob Buis <rbuis@igalia.com> >+ >+ Set Origin header value to null rather than omitting it >+ https://bugs.webkit.org/show_bug.cgi?id=186030 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Update improved test result. >+ >+ * web-platform-tests/fetch/origin/no-cors.any-expected.txt: >+ * web-platform-tests/fetch/origin/no-cors.any.worker-expected.txt: >+ > 2019-01-14 Charles Vazac <cvazac@akamai.com> > > Import current Resource-Timing WPTs >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any-expected.txt >index e3205bfc8be9b56fbb6f770d6f675cc5afca8423..7ab29f621390cbedccf8d23d84e3de493eed7d0d 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any-expected.txt 
>@@ -1,3 +1,3 @@ > >-FAIL Origin header and 308 redirect assert_equals: second origin should be opaque and therefore null expected "null" but got "no Origin header" >+PASS Origin header and 308 redirect > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any.worker-expected.txt >index e3205bfc8be9b56fbb6f770d6f675cc5afca8423..7ab29f621390cbedccf8d23d84e3de493eed7d0d 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/no-cors.any.worker-expected.txt >@@ -1,3 +1,3 @@ > >-FAIL Origin header and 308 redirect assert_equals: second origin should be opaque and therefore null expected "null" but got "no Origin header" >+PASS Origin header and 308 redirect >
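Review bot: In the Source/WebCore/ChangeLog hunk, the file list names `* loader/SubresourceLoader.cpp:` twice and never mentions platform/network/ResourceRequestBase.h, although the patch changes that header to add WEBCORE_EXPORT to `setHTTPOrigin`. Replace the duplicate entry with an entry for ResourceRequestBase.h and state why the export is needed (the new call in Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp appears to be the reason).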
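Review bot: In SubresourceLoader::checkRedirectionCrossOriginAccessControl, the new `else if` branch serializes the origin with `newRequest.setHTTPOrigin(m_origin->toString())` and nothing visible in the hunk determines the tainted origin flag first, which the ChangeLog says has to happen before serializing. The NetworkLoadChecker path calls `updateOriginIfNeeded(request.url())` before setting the header; if `m_origin` has not already been replaced with a unique origin earlier in this function, a cross-origin redirect of a non-CORS POST would carry the original origin here rather than `null`. Either perform the equivalent update before this branch or add a comment pointing at where it has already been done. The branch also has no spec reference, unlike the step 14 comment just above it.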
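Review bot: In NetworkLoadChecker::continueCheckingRequest, the added block sets Origin only when `isRedirected()` is true, while the ChangeLog states the rule for any request whose method is not 'GET' or 'HEAD'. If the initial request gets its Origin header somewhere else, a short comment saying so, with the fetch spec link, would explain the guard. The method test `request.httpMethod() != "GET" && request.httpMethod() != "HEAD"` is also repeated in SubresourceLoader.cpp; a shared helper would keep the two call sites from drifting apart.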
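Review bot: In the new NetworkLoadChecker::updateOriginIfNeeded, the outer condition dereferences `m_origin->canRequest(m_previousURL)` before the inner `if (!m_origin || !m_origin->isUnique())` tests the pointer for null, so the null test can never be what protects the call. The code is moved unchanged from checkCORSRedirectedRequest, but now that it is a helper with a second caller, either drop the `!m_origin` test or move it ahead of the first dereference. The parameter would also read more consistently as `redirectURL`, matching `m_previousURL`.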