Fix problems with cross-origin redirects
author youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jan 2016 08:39:13 +0000 (08:39 +0000)
committer youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jan 2016 08:39:13 +0000 (08:39 +0000)
commit aaba1ff85bb116f98a9d4675e9186ac5c7edf79a
tree 2499b841798f86cb1a0968ea7f81861e1c3c2fea
parent 31075e1f3f8a70a99f1d7281f5972962653f96cc
Fix problems with cross-origin redirects
https://bugs.webkit.org/show_bug.cgi?id=116075

Reviewed by Daniel Bates.

LayoutTests/imported/w3c:

Rebasing test expectations.
These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not.

* web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:

Source/WebCore:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses.
Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request.

In addition to the Blink patch, some loaders needed to be updated with the newly introduced ClientRequestedCredentials parameter.
Added the clearing of the "Accept-Encoding" header from cross-origin requests, as the Mac HTTP network layer adds it for same-origin requests.

Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch).
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch).
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::start):
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter.
* loader/ResourceLoaderOptions.h:
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch).
(WebCore::ResourceLoaderOptions::credentialRequest):
(WebCore::ResourceLoaderOptions::setCredentialRequest):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto.
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto.
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Added new security parameter.
* page/EventSource.cpp:
(WebCore::EventSource::connect): Added new security parameter (from Blink patch).
* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter.
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Ditto.
* platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch).
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove "Accept-Encoding" header.
* platform/network/ResourceRequestBase.h: Ditto.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::createRequest): Added new security parameter.

LayoutTests:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
This merge adds tests for cross-origin requests triggered from same-origin redirection responses (with and without credentials).
Rebaseline of some tests due to console error messages generated from newly hit CORS checks.

* TestExpectations: Disabled WPT tests that require access to non-localhost URLs which are currently blocked by DRT/WTR.
* http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async.html:
* http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects.html:
* http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt:
* http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added.
* http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195010 268f45cc-cd09-0410-ab3c-d52691b4dbfc
31 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt
LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/loader/MediaResourceLoader.cpp
Source/WebCore/loader/NetscapePlugInStreamLoader.cpp
Source/WebCore/loader/ResourceLoaderOptions.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/icon/IconLoader.cpp
Source/WebCore/page/EventSource.cpp
Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
Source/WebCore/platform/network/ResourceHandleTypes.h
Source/WebCore/platform/network/ResourceRequestBase.cpp
Source/WebCore/platform/network/ResourceRequestBase.h
Source/WebCore/xml/XMLHttpRequest.cpp
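
The redirect handling the commit message describes, as an added example that is not code from this commit or from WebKit: a simplified JavaScript model in which a redirect response served by the page's own origin is followed without a CORS check, the resulting cross-origin request carries credentials only if the client asked for them, and "Accept-Encoding" is dropped once the request becomes cross-origin. All function names, object shapes and the example.* origins are assumptions made for illustration, and the rule that a chain stays cross-origin once it has left the page's origin is general CORS behaviour rather than something stated in the message.

```javascript
// Simplified model of XHR redirect handling under CORS. Added illustration with
// hypothetical names; it is not WebKit's DocumentThreadableLoader code.
const originOf = (url) => new URL(url).origin;

// CORS access check on a response's headers (lower-case keys), as seen by pageOrigin.
function passesAccessControl(headers, pageOrigin, withCredentials) {
  const allowed = headers['access-control-allow-origin'];
  if (withCredentials) {
    // Credentialed requests need an exact origin match and an explicit opt-in.
    return allowed === pageOrigin && headers['access-control-allow-credentials'] === 'true';
  }
  return allowed === '*' || allowed === pageOrigin;
}

// Handle a redirect response received for `request`; returns the next request or a refusal.
function onRedirect(pageOrigin, request, redirect, clientRequestedCredentials) {
  const redirectIsSameOrigin = !request.crossOrigin && originOf(request.url) === pageOrigin;
  // A redirect response served by the page's own origin needs no CORS check;
  // one served by another origin does.
  if (!redirectIsSameOrigin &&
      !passesAccessControl(redirect.headers, pageOrigin, request.sendCredentials)) {
    return { follow: false };
  }
  // Once the chain has left the page's origin it stays cross-origin.
  const crossOrigin = !redirectIsSameOrigin || originOf(redirect.location) !== pageOrigin;
  const headers = { ...request.headers };
  if (crossOrigin) delete headers['accept-encoding']; // header added for the same-origin hop
  return {
    follow: true,
    request: {
      url: redirect.location,
      crossOrigin,
      headers,
      // Same-origin XHR always carries credentials; cross-origin only on request.
      sendCredentials: crossOrigin ? clientRequestedCredentials : true,
    },
  };
}

// The final response to a cross-origin request must itself pass the check.
function acceptResponse(pageOrigin, request, responseHeaders) {
  return !request.crossOrigin ||
    passesAccessControl(responseHeaders, pageOrigin, request.sendCredentials);
}

// Constructed sample: a same-origin URL that redirects to another origin.
const PAGE = 'https://app.example';
const first = { url: PAGE + '/redirect', crossOrigin: false,
                headers: { 'accept-encoding': 'gzip' }, sendCredentials: true };
const hop = { location: 'https://api.example/resource', headers: {} };
```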