XMLHttpRequest should not treat file URLs as same origin
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Oct 2017 15:14:33 +0000 (15:14 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Oct 2017 15:14:33 +0000 (15:14 +0000)
commit 1d53884de6ab4765d780cbd32f0c00179a42fe0f
tree 490eee5f46a3c9e3739422f8c48556cb4f639cb2
parent 46ef649e3f2c0262ae6b137e594759e21384acdf
XMLHttpRequest should not treat file URLs as same origin
https://bugs.webkit.org/show_bug.cgi?id=178565
<rdar://problem/11115901>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Do not treat file URLs as same-origin for XHR requests.

Test: fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Use new helper method.
* page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::requestIsSameOrigin): New method to recognize same-origin
requests, with special handling for XHR.
* page/SecurityOrigin.h:

LayoutTests:

* fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt: Added.
* fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html: Added.
* fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaseline test now that we reject
  XHR to local file URLs.
* platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt: Rebaselined.
* platform/wk2/TestExpectations: Skip test since 'beginDragWithFiles' is not supported in WKTR.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224019 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-blob-real.html [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-access-self-as-file-real.html [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob-expected.txt [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-blob.html [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file-expected.txt [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/xmlhttprequest-access-self-as-file.html [new file with mode: 0644]
LayoutTests/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt
LayoutTests/platform/ios/fast/xmlhttprequest/xmlhttprequest-nonexistent-file-expected.txt
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/page/SecurityOrigin.cpp
Source/WebCore/page/SecurityOrigin.h