crossorigin element resource loading should check HTTP redirection
author youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 11:17:09 +0000 (11:17 +0000)
committer youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 11:17:09 +0000 (11:17 +0000)
commit 9711deebe92b39ce59139c16bc3404fcb1c7be50
tree bb8e6c04006bf95c917525d758ae9d2dcb53fbb1
parent 5372472d432182a6ce4498d071cecc7c5109ab75
crossorigin element resource loading should check HTTP redirection
https://bugs.webkit.org/show_bug.cgi?id=130578

Reviewed by Daniel Bates and Brent Fulgham.

Source/WebCore:

Moved part of DocumentThreadableLoader redirection cross origin control code
into functions in CrossOriginAccessControl.cpp. Added cross origin control for
redirections in SubResourceLoader when policy is set to PotentiallyCrossOriginEnabled
using CrossOriginAccessControl.cpp new functions. Added a new test that checks that
cross-origin redirections are checked against CORS.

Test: http/tests/security/shape-image-cors-redirect.html

* loader/CrossOriginAccessControl.cpp:
(WebCore::isValidCrossOriginRedirectionURL): Returns true if the redirected URL is a valid URL for cross-origin requests.
(WebCore::cleanRedirectedRequestForAccessControl): Removes all headers added by the network backend that may cause the response CORS validation to fail.
* loader/CrossOriginAccessControl.h: Added above function prototypes.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Used new CORS redirection methods of CrossOriginAccessControl.cpp.
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::init): Initialize the SecurityOrigin to be used for loading the resource.
(WebCore::SubresourceLoader::willSendRequest): Added cross-origin redirection response check.
(WebCore::SubresourceLoader::checkCrossOriginAccessControl): Checks CORS and updates request if needed. Returns true if control checks passed.
* loader/SubresourceLoader.h: Added checkCrossOriginAccessControl declaration and m_origin declaration.

LayoutTests:

shape-image-cors-redirect.html checks that cross-origin redirections are checked against CORS.
It also checks that same-origin redirections are not checked against CORS.

* http/tests/security/resources/redirect-allow-star.php: Added.
* http/tests/security/shape-image-cors-redirect-expected.html: Added.
* http/tests/security/shape-image-cors-redirect.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198395 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/resources/redirect-allow-star.php [new file with mode: 0755]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-3.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-4.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/shape-image-cors-redirect.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/CrossOriginAccessControl.cpp
Source/WebCore/loader/CrossOriginAccessControl.h
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/SubresourceLoader.h
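
The redirect rule described in the commit message above (cross-origin redirections checked against CORS, same-origin ones not), modelled as an added example that is not WebKit's code. The `Url` struct, `mayFollowRedirect` and the other function names are hypothetical, the sample hosts are constructed, and the target-URL rule (HTTP(S) scheme, no embedded credentials) and the anonymous-mode `*` matching are assumptions taken from the Fetch standard's CORS rules.

```cpp
#include <string>

// Hypothetical stand-in for a parsed URL; not a WebCore type.
struct Url {
    std::string scheme, host;
    int port;
    std::string user, password;
};

static std::string originOf(const Url& u) {
    return u.scheme + "://" + u.host + ":" + std::to_string(u.port);
}

// Assumed rule: a cross-origin redirect target must use an HTTP(S) scheme
// and must not embed credentials in the URL.
static bool isValidCrossOriginTarget(const Url& u) {
    return (u.scheme == "http" || u.scheme == "https")
        && u.user.empty() && u.password.empty();
}

// Anonymous (no-credentials) mode: "*" or an exact origin match passes.
static bool passesAccessControl(const std::string& allowOrigin, const std::string& requester) {
    return allowOrigin == "*" || allowOrigin == requester;
}

// Decide whether a redirect from `previous` to `next` may be followed.
// `allowOrigin` is the Access-Control-Allow-Origin value of the redirect
// response (empty when the header is absent).
bool mayFollowRedirect(const std::string& requester, const Url& previous,
                       const std::string& allowOrigin, const Url& next) {
    bool previousCross = originOf(previous) != requester;
    bool nextCross = originOf(next) != requester;
    if (!previousCross && !nextCross)
        return true; // same-origin redirection: not checked against CORS
    if (previousCross && !passesAccessControl(allowOrigin, requester))
        return false; // cross-origin redirect response lacks CORS approval
    return !nextCross || isValidCrossOriginTarget(next);
}

int main() {
    // Constructed sample: a page on example.test loads an image from cdn.test,
    // which redirects to img.test without any CORS header. Expected: blocked.
    Url cdn{"http", "cdn.test", 80, "", ""};
    Url img{"http", "img.test", 80, "", ""};
    return mayFollowRedirect("http://example.test:80", cdn, "", img) ? 1 : 0;
}
```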