Ignore HSTS for partitioned, cross-origin subresource requests
authorwilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Nov 2017 20:43:22 +0000 (20:43 +0000)
committerwilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Nov 2017 20:43:22 +0000 (20:43 +0000)
commit6723384289cf654b4b6367955b23f1c697232b4c
tree18d69b54aedf69b9d8b8f37c54d977dadbec1baa
parent20d9134468e257ab5aadd3047bad6b552a256898
Ignore HSTS for partitioned, cross-origin subresource requests
https://bugs.webkit.org/show_bug.cgi?id=178993
<rdar://problem/34962462>

Reviewed by Brent Fulgham and Alex Christensen.

Source/WebCore:

No new tests. HSTS is not supported in layout tests.
Tested manually.

* platform/network/mac/WebCoreURLResponse.mm:
(WebCore::synthesizeRedirectResponseIfNecessary):
    Now also synthesizes a response if
    _schemeWasUpgradedDueToDynamicHSTS is set on the
    request. Because in such cases the scheme might
    have been downgraded and there the two schemes
    match.

Source/WebCore/PAL:

* pal/spi/cf/CFNetworkSPI.h:
    Added
    - (BOOL)_schemeWasUpgradedDueToDynamicHSTS
    - (BOOL)_preventHSTSStorage
    - (BOOL)_ignoreHSTS
    - (void)_setPreventHSTSStorage:(BOOL)preventHSTSStorage
    - (void)_setIgnoreHSTS:(BOOL)ignoreHSTS

Source/WebKit:

* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
    Convenience function to downgrade a request if
    CFNetwork as already upgraded it during
    canonicalization. This allows the rest of
    WebKit's processing to function, such as UIR
    and mixed content blocking.
(updateIgnoreStrictTransportSecuritySettingIfNecessary):
    Adds and removed the ignore request accordingly.
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
    Now asks CFNetwork to ignore HSTS on resource loads we
    partition cookies for.
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
    Now asks CFNetwork to ignore HSTS on resource loads we
    partition cookies for.

Source/WTF:

* wtf/Platform.h:
    Added HAVE_CFNETWORK_IGNORE_HSTS.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224353 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WTF/ChangeLog
Source/WTF/wtf/Platform.h
Source/WebCore/ChangeLog
Source/WebCore/PAL/ChangeLog
Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
Source/WebCore/platform/network/mac/WebCoreURLResponse.mm
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm