CORS: Fix the handling of redirected request containing Origin null.
author youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Jan 2016 09:11:52 +0000 (09:11 +0000)
committer youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Jan 2016 09:11:52 +0000 (09:11 +0000)
https://bugs.webkit.org/show_bug.cgi?id=128816

Reviewed by Brent Fulgham.

Source/WebCore:

Merging Blink patch from George Ancil (https://chromiumcodereview.appspot.com/20735002).

This patch removes the check for securityOrigin->isUnique() in passesAccessControlCheck().
This check prevented a redirected request with "Origin: null" from being
successful even when the response contains "Access-Control-Allow-Origin: null".

Tests: http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html
       http/tests/xmlhttprequest/redirect-cors-origin-null.html

* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck):

LayoutTests:

Merging Blink patch from George Ancil (https://chromiumcodereview.appspot.com/20735002)

Added two tests to check CORS with Origin null in HTTP redirect and iframe cases.
Updated two test sandboxed iframes test expectations (requests are still denied but error messages are different).

* http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html: Added.
* http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt:
* http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt:
* http/tests/xmlhttprequest/redirect-cors-origin-null-expected.txt: Added.
* http/tests/xmlhttprequest/redirect-cors-origin-null.html: Added.
* http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html: Added.
* http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi: Added.
* http/tests/xmlhttprequest/resources/redirect-cors-origin-null-pass.php: Added.
* http/tests/xmlhttprequest/resources/redirect-cors-origin-null.php: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195100 268f45cc-cd09-0410-ab3c-d52691b4dbfc

13 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null-expected.txt [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null.html [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null-pass.php [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null.php [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/loader/CrossOriginAccessControl.cpp

index e14b21b..ac46463 100644 (file)
@@ -1,3 +1,26 @@
+2016-01-15  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        CORS: Fix the handling of redirected request containing Origin null.
+        https://bugs.webkit.org/show_bug.cgi?id=128816
+
+        Reviewed by Brent Fulgham.
+
+        Merging Blink patch from George Ancil (https://chromiumcodereview.appspot.com/20735002)
+
+        Added two tests to check CORS with Origin null in HTTP redirect and iframe cases.
+        Updated two test sandboxed iframes test expectations (requests are still denied but error messages are different).
+
+        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html: Added.
+        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-expected.txt:
+        * http/tests/xmlhttprequest/access-control-sandboxed-iframe-denied-without-wildcard-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cors-origin-null-expected.txt: Added.
+        * http/tests/xmlhttprequest/redirect-cors-origin-null.html: Added.
+        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html: Added.
+        * http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi: Added.
+        * http/tests/xmlhttprequest/resources/redirect-cors-origin-null-pass.php: Added.
+        * http/tests/xmlhttprequest/resources/redirect-cors-origin-null.php: Added.
+
 2016-01-14  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r195064.
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null-expected.txt
new file mode 100644 (file)
index 0000000..420cb74
--- /dev/null
@@ -0,0 +1,9 @@
+This test verifies that sandboxed iframe has XmlHttpRequest access to the server that accepts all domains. It will print "PASS" on success.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS: Sandboxed iframe XHR access allowed.
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html b/LayoutTests/http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html
new file mode 100644 (file)
index 0000000..bf28e52
--- /dev/null
@@ -0,0 +1,18 @@
+<html>
+<script>
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+}
+
+</script>
+<body>
+    <p>This test verifies that sandboxed iframe has XmlHttpRequest access
+    to the server that accepts all domains. It will print &quot;PASS&quot; on success.</p>
+
+    <iframe sandbox="allow-scripts" src="http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html" style="width: 500px;">
+    </iframe>
+
+</body>
+</html>
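Review bot: the description in the <p> element says the server "accepts all domains", but the resource this test loads answers with "Access-Control-Allow-Origin: null", not a wildcard. Reword it (and the matching first line of the -expected.txt file) to say the server allows the null origin, so the text states what is actually being verified and is not confused with the existing wildcard tests.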
index 96bd37a..326fd0a 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 17: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied.cgi. Cannot make any requests from null.
+CONSOLE MESSAGE: line 17: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied.cgi. Origin null is not allowed by Access-Control-Allow-Origin.
 This test verifies that sandboxed iframe does not have XmlHttpRequest access to its server. It will print "PASS" on success.
 
 
index 515967f..c905789 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 16: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi. Cannot make any requests from null.
+CONSOLE MESSAGE: line 16: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-denied-without-wildcard.cgi. Origin null is not allowed by Access-Control-Allow-Origin.
 This test verifies that sandboxed iframe does not have XmlHttpRequest access to its server with "Access-Control-Allow-Origin" set to its own origin (127.0.0.1).
 
 This test will print "PASS" on success.
diff --git a/LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null-expected.txt b/LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null-expected.txt
new file mode 100755 (executable)
index 0000000..61b5002
--- /dev/null
@@ -0,0 +1,5 @@
+Test opera W3C test suite(http://w3c-test.org/webappsec/tests/cors/submitted/opera/staging/redirect-origin.htm) test case 13 for redirection.
+Request URL origin is not same origin with the original URL origin. Final response contains "Access-Control-Allow-Origin: null". Should print PASS.
+
+PASS
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null.html b/LayoutTests/http/tests/xmlhttprequest/redirect-cors-origin-null.html
new file mode 100755 (executable)
index 0000000..3a595f0
--- /dev/null
@@ -0,0 +1,33 @@
+<html>
+<body>
+<p>Test opera W3C test suite(http://w3c-test.org/webappsec/tests/cors/submitted/opera/staging/redirect-origin.htm) test case 13 for redirection.<br>
+Request URL origin is not same origin with the original URL origin. Final response contains "Access-Control-Allow-Origin: null". Should print PASS.</p>
+<div id="log"></div>
+<script>
+function log(message) {
+    document.getElementById("log").innerHTML += message + "<br>";
+}
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "http://localhost:8080/xmlhttprequest/resources/redirect-cors-origin-null.php");
+xhr.onerror = function () {
+    log("FAIL");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+};
+xhr.onreadystatechange = function () {
+    if (xhr.readyState == 4) {
+        log(xhr.responseText);
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+};
+xhr.send();
+
+</script>
+</html>
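Review bot: the xhr.onerror handler guards on window.layoutTestController and calls layoutTestController.notifyDone(), while the setup block and the onreadystatechange handler in the same file use window.testRunner. Use testRunner in the error path as well so the failure case is reported through the same object as the success case. The <body> opened on the second line is also never closed before </html>.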
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html b/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null-iframe.html
new file mode 100644 (file)
index 0000000..f71bd3c
--- /dev/null
@@ -0,0 +1,25 @@
+<html>
+<body>
+<pre id='console'></pre>
+<script type="text/javascript">
+
+document.getElementById('console').innerHTML = (function() {
+    var xhr = new XMLHttpRequest;
+
+    try {
+        xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi", false);
+    } catch(e) {
+        return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'open'. [" + e.message + "].";
+    }
+
+    try {
+        xhr.send();
+    } catch(e) {
+        return "FAIL: Exception thrown. Sandboxed iframe XHR access is not allowed in 'send'. [" + e.message + "].";
+    }
+
+    return xhr.responseText;
+})();
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi b/LayoutTests/http/tests/xmlhttprequest/resources/access-control-sandboxed-iframe-allow-origin-null.cgi
new file mode 100755 (executable)
index 0000000..66ca94c
--- /dev/null
@@ -0,0 +1,8 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Credentials: true\n";
+print "Access-Control-Allow-Origin: null\n\n";
+
+print "PASS: Sandboxed iframe XHR access allowed.\n";
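Review bot: the "Access-Control-Allow-Credentials: true" header printed here is not exercised by this test, because the iframe resource opens the XHR without setting withCredentials. Either drop the header so the resource covers only the "Access-Control-Allow-Origin: null" case it is named for, or add a credentialed request to the iframe so the combination is actually checked.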
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null-pass.php b/LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null-pass.php
new file mode 100755 (executable)
index 0000000..035ba4d
--- /dev/null
@@ -0,0 +1,7 @@
+<?php
+ $request_origin_value = $_SERVER["HTTP_ORIGIN"];
+ if (!is_null($request_origin_value)) {
+     header("Access-Control-Allow-Origin: null");
+     echo "PASS";
+ }
+?>
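Review bot: the condition !is_null($request_origin_value) only proves that some Origin header reached the final hop, not that it carried the value this test is named for. Compare against the string "null" instead, so that the test fails if the redirected request arrives with the original page origin. $_SERVER["HTTP_ORIGIN"] is also read without an isset() check, which raises an undefined-index notice when the header is absent.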
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null.php b/LayoutTests/http/tests/xmlhttprequest/resources/redirect-cors-origin-null.php
new file mode 100755 (executable)
index 0000000..52f24e9
--- /dev/null
@@ -0,0 +1,11 @@
+<?php
+    $request_origin_value = $_SERVER["HTTP_ORIGIN"];
+
+    if ($_SERVER['REQUEST_METHOD'] == "GET") {
+     header("HTTP/1.1 302");
+     header("Location: http://localhost:8000/xmlhttprequest/resources/redirect-cors-origin-null-pass.php");
+    }
+    if (!is_null($request_origin_value)) {
+        header("Access-Control-Allow-Origin: $request_origin_value");
+    }
+?>
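Review bot: the last block copies the request's Origin header straight into Access-Control-Allow-Origin with no comment on why. Add a one-line comment saying the reflection is deliberate so that the first hop passes the CORS check and the redirect is followed, otherwise this reads like a pattern to copy. The two header() calls inside the REQUEST_METHOD branch are indented five spaces where the rest of the file uses four, and $_SERVER["HTTP_ORIGIN"] is read without isset() here too.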
index 90e33b0..9a4bb11 100644 (file)
@@ -1,3 +1,22 @@
+2016-01-15  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        CORS: Fix the handling of redirected request containing Origin null.
+        https://bugs.webkit.org/show_bug.cgi?id=128816
+
+        Reviewed by Brent Fulgham.
+
+        Merging Blink patch from George Ancil (https://chromiumcodereview.appspot.com/20735002).
+
+        This patch removes the check for securityOrigin->isUnique() in passesAccessControlCheck().
+        This check prevented a redirected request with "Origin: null" from being
+        successful even when the response contains "Access-Control-Allow-Origin: null"
+
+        Tests: http/tests/xmlhttprequest/access-control-sandboxed-iframe-allow-origin-null.html
+               http/tests/xmlhttprequest/redirect-cors-origin-null.html
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::passesAccessControlCheck):
+
 2016-01-14  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r195064.
index de5059a..9fef8a7 100644 (file)
@@ -141,11 +141,6 @@ bool passesAccessControlCheck(const ResourceResponse& response, StoredCredential
     if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
         return true;
 
-    if (securityOrigin->isUnique()) {
-        errorDescription = "Cannot make any requests from " + securityOrigin->toString() + ".";
-        return false;
-    }
-
     // FIXME: Access-Control-Allow-Origin can contain a list of origins.
     if (accessControlOriginString != securityOrigin->toString()) {
         if (accessControlOriginString == "*")
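Review bot: with the isUnique() early return removed, the comparison accessControlOriginString != securityOrigin->toString() is the only check left for unique origins, and nothing at that line says it now covers them. The old expectation text ("Cannot make any requests from null") shows that toString() yields "null" for such origins, so any unique origin now passes against a response header of the literal "null". The ChangeLog states this is intended, but please add a comment at the comparison noting that unique origins serialize to "null" and are matched here on purpose. The existing FIXME mentions only origin lists, so a later reader could take the missing guard for an oversight and restore it.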