CachedResourceLoader is not taking into account fetch options to use or not cached...
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Sep 2016 11:02:37 +0000 (11:02 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Sep 2016 11:02:37 +0000 (11:02 +0000)
commit5a0c2b46cdf01dd77f253fe0a304b419aec07bdf
tree27e2e4776877a585b738c0b385351adeefb7c54f
parent46edd1eaff8e84342a1bf1ad6fd929527a022642
CachedResourceLoader is not taking into account fetch options to use or not cached resources
https://bugs.webkit.org/show_bug.cgi?id=161389

Patch by Youenn Fablet <youenn@apple.com> on 2016-09-05
Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Updated as new console log messages appear now that cors checks are done at SubresourceLoader level.

* web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt:
* web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
* web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
* web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-origin-expected.txt:
* web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-origin.js:
(corsOrigin): Fixing a typo in the test making the tests always passing, since the fetch promise was not taken into account.
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt:
* web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt:

Source/WebCore:

Tests: http/tests/fetch/fetching-same-resource-with-diffferent-options.html
       http/tests/security/cross-origin-cached-resource-parallel.html
       http/tests/security/cross-origin-cached-resource.html
       http/tests/security/load-image-after-redirection-2.html
       http/tests/security/shape-outside-and-cached-resources.html

Adding CORS checks for the response in case of CORS fetch mode, in SubresourceLoader.
Removing the CORS checks in Image and DocumentThreadableLoader.

The direction of this patch is to make CachedResource origin-specific/fetch mode specific.

This will remove the need for CachedResource clients to do CORS checks when receiving the notifyFinished call.
This will also make the computation of whether a resource is clean or not much easier since the CachedResource knowd its origin and its response tainting.

Removing the CORS checks at ImageLoader creates the risk of using some cached resources loaded from previously no-cors mode without doing the actual CORS check.
Note that the risk was already there in case of a resource loaded through redirections.
Reusing a cached resource for a load with different options also leads to bad computation of the resource tainting.

As a first step, improvements are done but only for CachedImage resources.

This patch limits the direct reuse of cached resources as follow:
- If the request and existing resources have different origins.
- If the fetch mode is different between request and existing resource.

In those cases, a new CachedResource is created with the correct options and origin.
The data and response of the CachedResource found in the cache are copied efficiently in the new CachedResource, if the matching CachedResource finished loading (CachedImage specific).

If the matching CachedResource is still loading, we trigger a reload (with caching=false to not disturb the being loaded resource).
This should be made more efficient at some point, especially if the matching CachedResource already has its response set.

This triggers a change of behavior: previously, the CORS checks were done by the ImageLoader when the resource was finished loading.
The CORS checks were controlled by the crossOrigin attribute, which may be set or unset between the load start and the load end.

Now the crossOrigin attribute is checked at load start. If it is set, the CORS checks will happen even if the attribute is unset before the end of the load.
This is more consistent as the actual request was built with CORS enabled.

* loader/CrossOriginPreflightChecker.cpp:
(WebCore::CrossOriginPreflightChecker::startPreflight): Setting correctly the preflight options as per fetch spec.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::didReceiveResponse): Removing CORS check.
(WebCore::DocumentThreadableLoader::loadRequest): Adding CORS check in sync mode.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::updateFromElement):
(WebCore::ImageLoader::notifyFinished):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didReceiveResponse): Adding CORS checks to the response
(WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl): Helper routine to do CORS checks
* loader/SubresourceLoader.h:
* loader/cache/CachedImage.cpp:
(WebCore::CachedImage::cloneData): Responsible to set image content from another CachedImage.
* loader/cache/CachedImage.h:
* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::computeOrigin): Helper routine to set the origin and whether the resource is cross-origin or not.
(WebCore::CachedResource::load): Using computeOrigin.
(WebCore::CachedResource::loadFrom): Loading from a CachedResource from the same type and which finished loading.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::cloneData):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest): Helper routine responsible to adapt the CachedResource
that can be reused to the origin and options of a new request.
(WebCore::CachedResourceLoader::requestResource): Calling updateCachedResourceWithCurrentRequest before actually returning the resource.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Space clean-up.
* loader/cache/CachedResourceLoader.h:
* loader/cache/CachedResourceRequest.h:
(WebCore::CachedResourceRequest::setCachingPolicy):
* style/StylePendingResources.cpp:
(WebCore::Style::loadPendingImage): Allowing data URLs for ShapeOutside data.

LayoutTests:

Added specific expectations for fetch cors-origin* tests for mac-wk2 and ios-simulator-wk2 as these tests use
HTTPS, and the connection is refused.

* http/tests/eventsource/eventsource-cors-basic-expected.txt:
* http/tests/eventsource/eventsource-cors-with-credentials-expected.txt:
* http/tests/fetch/fetching-same-resource-with-diffferent-options-expected.txt: Added.
* http/tests/fetch/fetching-same-resource-with-diffferent-options.html: Added.
* http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt:
* http/tests/resources/download-json-with-delay.php:
* http/tests/resources/redirect.php:
* http/tests/security/cross-origin-cached-resource-expected.txt: Added.
* http/tests/security/cross-origin-cached-resource-parallel-expected.txt: Added.
* http/tests/security/cross-origin-cached-resource-parallel.html: Added.
* http/tests/security/cross-origin-cached-resource.html: Added.
* http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt:
* http/tests/security/load-image-after-redirection-2-expected.txt: Added.
* http/tests/security/load-image-after-redirection-2.html: Added.
* http/tests/security/resources/abe-allow-star.php:
* http/tests/security/resources/allow-if-origin.php: Added.
* http/tests/security/resources/cross-origin-cached-resource-iframe.html: Added.
* http/tests/security/resources/rgbalpha.png: Added.
* http/tests/security/shape-outside-and-cached-resources-expected.html: Added.
* http/tests/security/shape-outside-and-cached-resources.html: Added.
* http/tests/security/video-poster-cross-origin-crash-expected.txt:
* http/tests/security/video-poster-cross-origin-crash2-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt:
* http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt:
* http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt:
* http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt:
* http/tests/xmlhttprequest/cross-site-denied-response-expected.txt:
* http/tests/xmlhttprequest/onerror-event-expected.txt:
* http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt:
* http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt:
* http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
* http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt:
* http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt:
* http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
* platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
* platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
* platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
* platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.
* platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt:
* platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt:
* platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt: Added.
* platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@205450 268f45cc-cd09-0410-ab3c-d52691b4dbfc
70 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/eventsource/eventsource-cors-basic-expected.txt
LayoutTests/http/tests/eventsource/eventsource-cors-with-credentials-expected.txt
LayoutTests/http/tests/fetch/fetching-same-resource-with-diffferent-options-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/fetch/fetching-same-resource-with-diffferent-options.html [new file with mode: 0644]
LayoutTests/http/tests/loading/cross-origin-XHR-willLoadRequest-expected.txt
LayoutTests/http/tests/resources/download-json-with-delay.php
LayoutTests/http/tests/resources/redirect.php
LayoutTests/http/tests/security/cross-origin-cached-resource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-cached-resource-parallel-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-cached-resource-parallel.html [new file with mode: 0644]
LayoutTests/http/tests/security/cross-origin-cached-resource.html [new file with mode: 0644]
LayoutTests/http/tests/security/img-with-failed-cors-check-fails-to-load-expected.txt
LayoutTests/http/tests/security/load-image-after-redirection-2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/load-image-after-redirection-2.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/abe-allow-star.php
LayoutTests/http/tests/security/resources/allow-if-origin.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/cross-origin-cached-resource-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/rgbalpha.png [new file with mode: 0644]
LayoutTests/http/tests/security/shape-outside-and-cached-resources-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-outside-and-cached-resources.html [new file with mode: 0644]
LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt
LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-repeated-failed-preflight-crash-expected.txt
LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt
LayoutTests/http/tests/xmlhttprequest/cross-site-denied-response-expected.txt
LayoutTests/http/tests/xmlhttprequest/onerror-event-expected.txt
LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-https-expected.txt
LayoutTests/http/tests/xmlhttprequest/origin-whitelisting-ip-addresses-with-subdomains-expected.txt
LayoutTests/http/tests/xmlhttprequest/post-blob-content-type-async-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt
LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-denied-events-expected.txt
LayoutTests/http/tests/xmlhttprequest/simple-cross-origin-progress-events-expected.txt
LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/security-consideration.sub-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin.js
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials-worker-expected.txt
LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt
LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt
LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt [new file with mode: 0644]
LayoutTests/platform/ios-simulator-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-expected.txt
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-basic-worker-expected.txt
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac-wk2/imported/w3c/web-platform-tests/fetch/api/cors/cors-origin-worker-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/CrossOriginPreflightChecker.cpp
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/loader/ImageLoader.cpp
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/SubresourceLoader.h
Source/WebCore/loader/cache/CachedImage.cpp
Source/WebCore/loader/cache/CachedImage.h
Source/WebCore/loader/cache/CachedResource.cpp
Source/WebCore/loader/cache/CachedResource.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.h
Source/WebCore/loader/cache/CachedResourceRequest.h
Source/WebCore/style/StylePendingResources.cpp