193508 2019-01-16 13:51:13 -0800 sendBeacon to previously-unvisited https domain always fails 2019-04-25 06:56:25 -0700 1 1 1 Unclassified WebKit Page Loading WebKit Local Build Unspecified Unspecified RESOLVED FIXED https://bugs.chromium.org/p/chromium/issues/detail?id=878562 InRadar P2 Normal --- 1 ajuma achristensen achristensen beidson cdumez ggaren stefan webkit-bug-importer youennf oldest_to_newest 1495218 0 ajuma 2019-01-16 13:51:13 -0800 PingLoad::didReceiveChallenge always returns AuthenticationChallengeDisposition::Cancel, so calls to sendBeacon(url) where url is an https URL for a domain that we're establishing an https connection for the first time will always fail. Once we establish an https connection some other way (e.g. by sending an xhr to the same domain), PingLoads no longer receive a challenge, so beacons are successfully sent. This bug doesn't affect Safari, because in [WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler], _session->networkProcess().canHandleHTTPSServerTrustEvaluation() is false, so we always call the completion handler with NSURLSessionAuthChallengeRejectProtectionSpace. However, for other WebKit embedders (e.g., MiniBrowser, and all non-Safari browsers on iOS), canHandleHTTPSServerTrustEvaluation() is true, so we do call into PingLoad::didReceiveChallenge and cancel the network task. A possible fix would making PingLoad::didReceiveChallenge return RejectProtectionSpaceAndContinue, which would have the effect of allowing connections to sites with valid certificates and rejecting otherwise. 1495221 1 achristensen 2019-01-16 14:03:46 -0800 We could fix this by using PerformDefaultHandling if it's for ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested 1495284 2 359325 achristensen 2019-01-16 15:48:21 -0800 Created attachment 359325 Patch 1495298 3 359325 ggaren 2019-01-16 15:59:45 -0800 Comment on attachment 359325 Patch Can we add a regression test for this? 1495299 4 359325 youennf 2019-01-16 16:00:53 -0800 Comment on attachment 359325 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=359325&action=review > Source/WebKit/NetworkProcess/PingLoad.cpp:123 > auto weakThis = makeWeakPtr(*this); This line could go after the if check. 1495315 5 achristensen 2019-01-16 16:20:50 -0800 (In reply to Geoffrey Garen from comment #3) > Comment on attachment 359325 [details] > Patch > > Can we add a regression test for this? We currently do not have the infrastructure to do so. I would like to develop such infrastructure. http://trac.webkit.org/r240094 359325 2019-01-16 15:48:21 -0800 2019-01-16 15:59:45 -0800 Patch bug-193508-20190116154820.patch text/plain 1708 achristensen SW5kZXg6IFNvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJL aXQvQ2hhbmdlTG9nCShyZXZpc2lvbiAyNDAwODcpCisrKyBTb3VyY2UvV2ViS2l0L0NoYW5nZUxv Zwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBACisyMDE5LTAxLTE2ICBBbGV4IENocmlz dGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CisKKyAgICAgICAgc2VuZEJlYWNvbiB0 byBwcmV2aW91c2x5LXVudmlzaXRlZCBodHRwcyBkb21haW4gYWx3YXlzIGZhaWxzCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xOTM1MDgKKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIE5ldHdvcmtQcm9jZXNz L1BpbmdMb2FkLmNwcDoKKyAgICAgICAgKFdlYktpdDo6UGluZ0xvYWQ6OmRpZFJlY2VpdmVDaGFs bGVuZ2UpOgorICAgICAgICBJZiBhIHBpbmcgbG9hZCBpcyBkb2luZyBhIFRMUyBoYW5kc2hha2Us IGNvbnRpbnVlIGlmIHRoZSBzZXJ2ZXIgaGFzIGdvb2QgY2VydGlmaWNhdGVzLgorCiAyMDE5LTAx LTE2ICBBbGV4IENocmlzdGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CiAKICAgICAg ICAgUmV2ZXJ0IHIyMzk5MzgKSW5kZXg6IFNvdXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3MvUGlu Z0xvYWQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJLaXQvTmV0d29ya1Byb2Nlc3MvUGlu Z0xvYWQuY3BwCShyZXZpc2lvbiAyNDAwNDMpCisrKyBTb3VyY2UvV2ViS2l0L05ldHdvcmtQcm9j ZXNzL1BpbmdMb2FkLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTE3LDEwICsxMTcsMTQgQEAgdm9p ZCBQaW5nTG9hZDo6d2lsbFBlcmZvcm1IVFRQUmVkaXJlY3RpbwogICAgIH0pOwogfQogCi12b2lk IFBpbmdMb2FkOjpkaWRSZWNlaXZlQ2hhbGxlbmdlKEF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlJiYs IENoYWxsZW5nZUNvbXBsZXRpb25IYW5kbGVyJiYgY29tcGxldGlvbkhhbmRsZXIpCit2b2lkIFBp bmdMb2FkOjpkaWRSZWNlaXZlQ2hhbGxlbmdlKEF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlJiYgY2hh bGxlbmdlLCBDaGFsbGVuZ2VDb21wbGV0aW9uSGFuZGxlciYmIGNvbXBsZXRpb25IYW5kbGVyKQog ewogICAgIFJFTEVBU0VfTE9HX0lGX0FMTE9XRUQoImRpZFJlY2VpdmVDaGFsbGVuZ2UiKTsKICAg ICBhdXRvIHdlYWtUaGlzID0gbWFrZVdlYWtQdHIoKnRoaXMpOworICAgIGlmIChjaGFsbGVuZ2Uu cHJvdGVjdGlvblNwYWNlKCkuYXV0aGVudGljYXRpb25TY2hlbWUoKSA9PSBQcm90ZWN0aW9uU3Bh Y2VBdXRoZW50aWNhdGlvblNjaGVtZVNlcnZlclRydXN0RXZhbHVhdGlvblJlcXVlc3RlZCkgewor ICAgICAgICBjb21wbGV0aW9uSGFuZGxlcihBdXRoZW50aWNhdGlvbkNoYWxsZW5nZURpc3Bvc2l0 aW9uOjpQZXJmb3JtRGVmYXVsdEhhbmRsaW5nLCB7IH0pOworICAgICAgICByZXR1cm47CisgICAg fQogICAgIGNvbXBsZXRpb25IYW5kbGVyKEF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlRGlzcG9zaXRp b246OkNhbmNlbCwgeyB9KTsKICAgICBpZiAoIXdlYWtUaGlzKQogICAgICAgICByZXR1cm47Cg==