186202 2018-06-01 11:59:36 -0700 [QuickLook] Add a test to ensure that a same-origin XHR for a non-existent QuickLook attachment is allowed 2018-06-29 16:38:01 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Nightly Build Unspecified Unspecified ASSIGNED https://bugs.webkit.org/show_bug.cgi?id=185807 P2 Normal --- 1 dbates dbates aestes bfulgham lforschler youennf oldest_to_newest 1429303 0 dbates 2018-06-01 11:59:36 -0700 Add a test to ensure that a same-origin XHR for a non-existent QuickLook attachment is allowed. That is, it is not blocked by the CSP policy of the QuickLook sandbox. 1429305 1 341776 dbates 2018-06-01 12:02:40 -0700 Created attachment 341776 For EWS 1429306 2 dbates 2018-06-01 12:03:59 -0700 For convenience, here is the pretty-printed JavaScript URL embedded in the RTF included in the proposed patch (attachment #341776): javascript: (function() { function logMessageAndDone(message) { console.log(message); window.testRunner && window.testRunner.notifyDone(); }; var xhr = new XMLHttpRequest; xhr.onload = () => logMessageAndDone("PASS: XMLHttpRequest allowed."); xhr.onerror = () => logMessageAndDone("FAIL: XMLHttpRequest blocked."); xhr.open("GET", document.origin + "/x-apple-ql-magic/non-existent-quicklook-attachment.rtf"); xhr.send(); })(); 1429826 3 youennf 2018-06-04 08:42:11 -0700 *** Bug 186165 has been marked as a duplicate of this bug. *** 1429828 4 youennf 2018-06-04 08:50:20 -0700 (In reply to youenn fablet from comment #3) > *** Bug 186165 has been marked as a duplicate of this bug. *** Made a mistake there in marking as duplicate. 1429829 5 youennf 2018-06-04 08:50:44 -0700 (In reply to Daniel Bates from comment #0) > Add a test to ensure that a same-origin XHR for a non-existent QuickLook > attachment is allowed. That is, it is not blocked by the CSP policy of the > QuickLook sandbox. I am not sure to understand. After https://trac.webkit.org/changeset/231107, we make this load fails. After discussion, it seems to me that we are ok with this change of behavior. If so, shouldn't we make the test to expect failure and rename it accordingly? 1429842 6 dbates 2018-06-04 09:41:21 -0700 (In reply to youenn fablet from comment #5) > (In reply to Daniel Bates from comment #0) > > Add a test to ensure that a same-origin XHR for a non-existent QuickLook > > attachment is allowed. That is, it is not blocked by the CSP policy of the > > QuickLook sandbox. > > I am not sure to understand. > After https://trac.webkit.org/changeset/231107, we make this load fails. > After discussion, it seems to me that we are ok with this change of behavior. > If so, shouldn't we make the test to expect failure and rename it > accordingly? I did not have the impression that blocking the load is an acceptable change of behavior. 1429963 7 aestes 2018-06-04 16:42:45 -0700 (In reply to Daniel Bates from comment #6) > (In reply to youenn fablet from comment #5) > > (In reply to Daniel Bates from comment #0) > > > Add a test to ensure that a same-origin XHR for a non-existent QuickLook > > > attachment is allowed. That is, it is not blocked by the CSP policy of the > > > QuickLook sandbox. > > > > I am not sure to understand. > > After https://trac.webkit.org/changeset/231107, we make this load fails. > > After discussion, it seems to me that we are ok with this change of behavior. > > If so, shouldn't we make the test to expect failure and rename it > > accordingly? > > I did not have the impression that blocking the load is an acceptable change > of behavior. The intent of Quick Look converting invalid x-apple-ql-id: URLs to about: is to block the load, so I think this behavior change is acceptable, although ideally we'd retain the original behavior of successfully loading about:. It would be unacceptable if *valid* x-apple-ql-id: URLs were blocked, of course. 1429993 8 youennf 2018-06-04 19:07:58 -0700 > The intent of Quick Look converting invalid x-apple-ql-id: URLs to about: is > to block the load, so I think this behavior change is acceptable, although > ideally we'd retain the original behavior of successfully loading about:. I am not sure to see the benefit of keeping the original behavior. Isn't it better to stop failing silently if invalid x-apple-ql-id means a bug in the generation of these URLs? 1430451 9 youennf 2018-06-06 08:55:21 -0700 > I am not sure to see the benefit of keeping the original behavior. > Isn't it better to stop failing silently if invalid x-apple-ql-id means a > bug in the generation of these URLs? Instead of relying on CSP/CORS to fail the load, we could be cancelling the load in ResourceLoader with a comprehensive message when the request URL is converted to "about:". 1437983 10 341776 bfulgham 2018-06-29 16:38:01 -0700 Comment on attachment 341776 For EWS r=me 341776 2018-06-01 12:02:40 -0700 2018-06-29 16:38:01 -0700 For EWS bug-186202-20180601120214.patch text/plain 5426 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjMyMzY0CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9DaGFu Z2VMb2cgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKaW5kZXggMTE2NzU4NzMxZGUzMTRmOWVlOTFj Mzg5NDE4M2U5ZTJkZmY3YzYzYi4uNTA4MjJjMDhmZDRjZDIyNTg2YjJkNTlhNjkzMjdiZWI1NWU5 Y2E5ZiAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCisrKyBiL0xheW91dFRlc3Rz L0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE4LTA2LTAxICBEYW5pZWwgQmF0ZXMgIDxk YWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBbUXVpY2tMb29rXSBBZGQgYSB0ZXN0IHRvIGVu c3VyZSB0aGF0IGEgc2FtZS1vcmlnaW4gWEhSIGZvciBhIG5vbi1leGlzdGVudCBRdWlja0xvb2sg YXR0YWNobWVudCBpcyBhbGxvd2VkCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xODYyMDIKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICBGb2xsb3dpbmcgcjIzMTEwNyB0aGlzIHRlc3QgZmFpbHMgaW4gV2ViS2l0 MiB3aXRoIGEgIkJsb2NrZWQgYnkgQ29udGVudCBTZWN1cml0eSBQb2xpY3kiIGVycm9yLgorCisg ICAgICAgICogaHR0cC90ZXN0cy9xdWlja2xvb2svcmVzb3VyY2VzL3NhbWUtb3JpZ2luLXhtbGh0 dHByZXF1ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50LnJ0 ZjogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1s aHR0cHJlcXVlc3QtYWxsb3dlZC10by1ub24tZXhpc3RlbnQtcXVpY2tsb29rLWF0dGFjaG1lbnQt ZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3F1aWNrbG9vay9zYW1l LW9yaWdpbi14bWxodHRwcmVxdWVzdC1hbGxvd2VkLXRvLW5vbi1leGlzdGVudC1xdWlja2xvb2st YXR0YWNobWVudC5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBwbGF0Zm9ybS9pb3Mtc2ltdWxhdG9y LXdrMi9odHRwL3Rlc3RzL3F1aWNrbG9vay9zYW1lLW9yaWdpbi14bWxodHRwcmVxdWVzdC1hbGxv d2VkLXRvLW5vbi1leGlzdGVudC1xdWlja2xvb2stYXR0YWNobWVudC1leHBlY3RlZC50eHQ6IEFk ZGVkLgorCiAyMDE4LTA1LTMxICBDaHJpcyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKICAg ICAgICAgVXBkYXRlIGh0dHAvd3B0L3NlcnZpY2Utd29ya2Vycy9oZWFkZXItZmlsdGVyaW5nLmh0 dHBzLmh0bWwgdG8gdXNlIGEgdmFsaWQgUmVmZXJyZXItUG9saWN5CmRpZmYgLS1naXQgYS9MYXlv dXRUZXN0cy9odHRwL3Rlc3RzL3F1aWNrbG9vay9yZXNvdXJjZXMvc2FtZS1vcmlnaW4teG1saHR0 cHJlcXVlc3QtYWxsb3dlZC10by1ub24tZXhpc3RlbnQtcXVpY2tsb29rLWF0dGFjaG1lbnQucnRm IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svcmVzb3VyY2VzL3NhbWUtb3JpZ2lu LXhtbGh0dHByZXF1ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2ht ZW50LnJ0ZgpuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwLi5mZTdmODFlYmM2MjViNGYwNTBhNjJiYmE2ZmFkYjUyYjQzMjBk ZDhlCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2sv cmVzb3VyY2VzL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0 ZW50LXF1aWNrbG9vay1hdHRhY2htZW50LnJ0ZgpAQCAtMCwwICsxLDExIEBACit7XHJ0ZjFcYW5z aVxhbnNpY3BnMTI1Mlxjb2NvYXJ0ZjE2MzlcY29jb2FzdWJydGYxMjAKK3tcZm9udHRibFxmMFxm bW9kZXJuXGZjaGFyc2V0MCBDb3VyaWVyO1xmMVxmcm9tYW5cZmNoYXJzZXQwIFRpbWVzTmV3Um9t YW5QU01UO30KK3tcY29sb3J0Ymw7XHJlZDI1NVxncmVlbjI1NVxibHVlMjU1O30KK3tcKlxleHBh bmRlZGNvbG9ydGJsOzt9CitcbWFyZ2wwXG1hcmdyMFxtYXJnYjBcbWFyZ3QwXHZpZXd3MTQwNDBc dmlld2gxNzY0MFx2aWV3a2luZDEKK1xkZWZ0YWI3MjAKK1xwYXJkXHBhcmRlZnRhYjcyMFxyaTBc cGFydGlnaHRlbmZhY3RvcjAKK3tcZmllbGR7XCpcZmxkaW5zdHtIWVBFUkxJTksgImphdmFzY3Jp cHQ6KGZ1bmN0aW9uJTIwKCklMjAlN0IlMjBmdW5jdGlvbiUyMGxvZ01lc3NhZ2VBbmREb25lKG1l c3NhZ2UpJTIwJTdCJTIwY29uc29sZS5sb2cobWVzc2FnZSk7JTIwd2luZG93LnRlc3RSdW5uZXIl MjAmJiUyMHdpbmRvdy50ZXN0UnVubmVyLm5vdGlmeURvbmUoKTslMjAlN0Q7JTIwdmFyJTIweGhy JTIwPSUyMG5ldyUyMFhNTEh0dHBSZXF1ZXN0OyUyMHhoci5vbmxvYWQlMjA9JTIwKCklMjA9JTNF JTIwbG9nTWVzc2FnZUFuZERvbmUoJTIyUEFTUzolMjBYTUxIdHRwUmVxdWVzdCUyMGFsbG93ZWQu JTIyKTslMjB4aHIub25lcnJvciUyMD0lMjAoKSUyMD0lM0UlMjBsb2dNZXNzYWdlQW5kRG9uZSgl MjJGQUlMOiUyMFhNTEh0dHBSZXF1ZXN0JTIwYmxvY2tlZC4lMjIpOyUyMHhoci5vcGVuKCUyMkdF VCUyMiwlMjBkb2N1bWVudC5vcmlnaW4lMjArJTIwJTIyL3gtYXBwbGUtcWwtbWFnaWMvbm9uLWV4 aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50LnJ0ZiUyMik7JTIweGhyLnNlbmQoKTslMjAlN0Qp KCk7In19e1xmbGRyc2x0IAorXGYwXGZzMzYgXGNmMCBcdWwgXHVsYzAgUnVuIHRlc3R9fQorXGYx XGZzMjIgXAorfQpcIE5vIG5ld2xpbmUgYXQgZW5kIG9mIGZpbGUKZGlmZiAtLWdpdCBhL0xheW91 dFRlc3RzL2h0dHAvdGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1ZXN0LWFs bG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50LWV4cGVjdGVkLnR4dCBi L0xheW91dFRlc3RzL2h0dHAvdGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1 ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50LWV4cGVjdGVk LnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwLi4wMGVlNTVkYzNkNTY5NjI2ZTFhZThjZGZhMjhjOGJiNjcwODBmZDkx Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svc2Ft ZS1vcmlnaW4teG1saHR0cHJlcXVlc3QtYWxsb3dlZC10by1ub24tZXhpc3RlbnQtcXVpY2tsb29r LWF0dGFjaG1lbnQtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsNyBAQAorQ09OU09MRSBNRVNTQUdF OiBsaW5lIDE6IFBBU1M6IFhNTEh0dHBSZXF1ZXN0IGFsbG93ZWQuCisKKworLS0tLS0tLS0KK0Zy YW1lOiAnPCEtLWZyYW1lMS0tPicKKy0tLS0tLS0tCitSdW4gdGVzdApkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9xdWlja2xvb2svc2FtZS1vcmlnaW4teG1saHR0cHJlcXVlc3Qt YWxsb3dlZC10by1ub24tZXhpc3RlbnQtcXVpY2tsb29rLWF0dGFjaG1lbnQuaHRtbCBiL0xheW91 dFRlc3RzL2h0dHAvdGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1ZXN0LWFs bG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50Lmh0bWwKbmV3IGZpbGUg bW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MC4uNmRiYzlkMjExZmRkZWQ1MDRmNmRmNmI0YzFkODc4MWRlYzk5YzBmYQotLS0gL2Rldi9udWxs CisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvcXVpY2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0 dHByZXF1ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0ZW50LXF1aWNrbG9vay1hdHRhY2htZW50Lmh0 bWwKQEAgLTAsMCArMSwxNyBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNj cmlwdCBzcmM9Ii9qcy10ZXN0LXJlc291cmNlcy91aS1oZWxwZXIuanMiPjwvc2NyaXB0PgorPHNj cmlwdCBzcmM9InJlc291cmNlcy90YXAtcnVuLXRlc3QtaHlwZXJsaW5rLmpzIj48L3NjcmlwdD4K KzxzY3JpcHQ+CitpZiAod2luZG93LnRlc3RSdW5uZXIpIHsKKyAgICB0ZXN0UnVubmVyLmR1bXBB c1RleHQoKTsKKyAgICB0ZXN0UnVubmVyLmR1bXBDaGlsZEZyYW1lc0FzVGV4dCgpOworICAgIHRl c3RSdW5uZXIud2FpdFVudGlsRG9uZSgpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4K KzxpZnJhbWUgc3JjPSJyZXNvdXJjZXMvc2FtZS1vcmlnaW4teG1saHR0cHJlcXVlc3QtYWxsb3dl ZC10by1ub24tZXhpc3RlbnQtcXVpY2tsb29rLWF0dGFjaG1lbnQucnRmIiBvbmxvYWQ9InJ1blRl c3QodGhpcywgOCAvKiBvZmZzZXRJbkZyYW1lICovLCB0cnVlIC8qIHJ1bkFzeW5jICovKSI+PC9p ZnJhbWU+Cis8L2JvZHk+Cis8L2h0bWw+CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9wbGF0Zm9y bS9pb3Mtc2ltdWxhdG9yLXdrMi9odHRwL3Rlc3RzL3F1aWNrbG9vay9zYW1lLW9yaWdpbi14bWxo dHRwcmVxdWVzdC1hbGxvd2VkLXRvLW5vbi1leGlzdGVudC1xdWlja2xvb2stYXR0YWNobWVudC1l eHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9pb3Mtc2ltdWxhdG9yLXdrMi9odHRw L3Rlc3RzL3F1aWNrbG9vay9zYW1lLW9yaWdpbi14bWxodHRwcmVxdWVzdC1hbGxvd2VkLXRvLW5v bi1leGlzdGVudC1xdWlja2xvb2stYXR0YWNobWVudC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9k ZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4u ZGE5NTI3NDZjNjMwNTg3NjE2M2QyOGU3ZjJmYTEyMjEyZDY3OTA5NAotLS0gL2Rldi9udWxsCisr KyBiL0xheW91dFRlc3RzL3BsYXRmb3JtL2lvcy1zaW11bGF0b3Itd2syL2h0dHAvdGVzdHMvcXVp Y2tsb29rL3NhbWUtb3JpZ2luLXhtbGh0dHByZXF1ZXN0LWFsbG93ZWQtdG8tbm9uLWV4aXN0ZW50 LXF1aWNrbG9vay1hdHRhY2htZW50LWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDEwIEBACitDT05T T0xFIE1FU1NBR0U6IFJlZnVzZWQgdG8gY29ubmVjdCB0byBhYm91dDogYmVjYXVzZSBpdCBhcHBl YXJzIGluIG5laXRoZXIgdGhlIGNvbm5lY3Qtc3JjIGRpcmVjdGl2ZSBub3IgdGhlIGRlZmF1bHQt c3JjIGRpcmVjdGl2ZSBvZiB0aGUgQ29udGVudCBTZWN1cml0eSBQb2xpY3kuCitDT05TT0xFIE1F U1NBR0U6IEJsb2NrZWQgYnkgQ29udGVudCBTZWN1cml0eSBQb2xpY3kuCitDT05TT0xFIE1FU1NB R0U6IFhNTEh0dHBSZXF1ZXN0IGNhbm5vdCBsb2FkIGFib3V0OiBkdWUgdG8gYWNjZXNzIGNvbnRy b2wgY2hlY2tzLgorQ09OU09MRSBNRVNTQUdFOiBsaW5lIDE6IEZBSUw6IFhNTEh0dHBSZXF1ZXN0 IGJsb2NrZWQuCisKKworLS0tLS0tLS0KK0ZyYW1lOiAnPCEtLWZyYW1lMS0tPicKKy0tLS0tLS0t CitSdW4gdGVzdAo=