https://bugs.webkit.org/show_bug.cgi?id=185550
Patch by Rob Buis <rbuis@igalia.com> on 2019-07-17
Reviewed by Youenn Fablet.
Source/WebCore:
This patch adds 'referrerpolicy' attribute support for script elements.
If set, the value is restricted to the ReferrerPolicy enum, and
if valid it is used for the script fetch.
If not set or invalid, the current behavior is kept.
Tests: http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html
http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https.html
http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin.html
http/tests/referrer-policy-script/no-referrer/cross-origin-http-http.html
http/tests/referrer-policy-script/no-referrer/cross-origin-http.https.html
http/tests/referrer-policy-script/no-referrer/same-origin.html
http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http.html
http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https.html
http/tests/referrer-policy-script/origin-when-cross-origin/same-origin.html
http/tests/referrer-policy-script/origin/cross-origin-http-http.html
http/tests/referrer-policy-script/origin/cross-origin-http.https.html
http/tests/referrer-policy-script/origin/same-origin.html
http/tests/referrer-policy-script/same-origin/cross-origin-http-http.html
http/tests/referrer-policy-script/same-origin/cross-origin-http.https.html
http/tests/referrer-policy-script/same-origin/same-origin.html
http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http.html
http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https.html
http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html
http/tests/referrer-policy-script/strict-origin/cross-origin-http-http.html
http/tests/referrer-policy-script/strict-origin/cross-origin-http.https.html
http/tests/referrer-policy-script/strict-origin/same-origin.html
http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http.html
http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https.html
http/tests/referrer-policy-script/unsafe-url/same-origin.html
* bindings/js/CachedScriptFetcher.cpp:
(WebCore::CachedScriptFetcher::requestScriptWithCache const):
* bindings/js/CachedScriptFetcher.h:
(WebCore::CachedScriptFetcher::CachedScriptFetcher):
* dom/InlineClassicScript.h:
* dom/LoadableClassicScript.cpp:
(WebCore::LoadableClassicScript::create):
* dom/LoadableClassicScript.h:
* dom/LoadableModuleScript.cpp:
(WebCore::LoadableModuleScript::create):
(WebCore::LoadableModuleScript::LoadableModuleScript):
* dom/LoadableModuleScript.h:
* dom/LoadableScript.h:
(WebCore::LoadableScript::LoadableScript):
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestClassicScript):
(WebCore::ScriptElement::requestModuleScript):
* dom/ScriptElement.h:
* dom/ScriptElementCachedScriptFetcher.h:
(WebCore::ScriptElementCachedScriptFetcher::ScriptElementCachedScriptFetcher):
* html/HTMLIFrameElement.cpp:
(WebCore::HTMLIFrameElement::referrerPolicyForBindings const):
* html/HTMLScriptElement.cpp:
(WebCore::HTMLScriptElement::setReferrerPolicyForBindings):
(WebCore::HTMLScriptElement::referrerPolicyForBindings const):
(WebCore::HTMLScriptElement::referrerPolicy const):
* html/HTMLScriptElement.h:
* html/HTMLScriptElement.idl:
* html/parser/CSSPreloadScanner.cpp:
(WebCore::CSSPreloadScanner::emitRule):
* html/parser/HTMLPreloadScanner.cpp:
(WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
(WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
* html/parser/HTMLResourcePreloader.cpp:
(WebCore::PreloadRequest::resourceRequest):
* html/parser/HTMLResourcePreloader.h:
(WebCore::PreloadRequest::PreloadRequest):
* platform/ReferrerPolicy.cpp:
(WebCore::referrerPolicyToString):
* platform/ReferrerPolicy.h:
* svg/SVGScriptElement.h:
LayoutTests:
Add tests for scripts with various referrerpolicy attribute values.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin.html: Added.
* http/tests/referrer-policy-script/no-referrer/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/no-referrer/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/no-referrer/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/no-referrer/same-origin.html: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/origin-when-cross-origin/same-origin.html: Added.
* http/tests/referrer-policy-script/origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/origin/same-origin.html: Added.
* http/tests/referrer-policy-script/same-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/same-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/same-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/same-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/same-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/same-origin/same-origin.html: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html: Added.
* http/tests/referrer-policy-script/strict-origin/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/strict-origin/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/strict-origin/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/strict-origin/same-origin.html: Added.
* http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http-expected.txt: Added.
* http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http.html: Added.
* http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https-expected.txt: Added.
* http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https.html: Added.
* http/tests/referrer-policy-script/unsafe-url/same-origin-expected.txt: Added.
* http/tests/referrer-policy-script/unsafe-url/same-origin.html: Added.
* http/tests/referrer-policy/resources/script.php: Added.
* platform/win/TestExpectations:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247509
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2019-07-17 Rob Buis <rbuis@igalia.com>
+
+ Add referrerpolicy attribute support for <script> elements
+ https://bugs.webkit.org/show_bug.cgi?id=185550
+
+ Reviewed by Youenn Fablet.
+
+ Add tests for scripts with various referrerpolicy attribute values.
+
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin.html: Added.
+ * http/tests/referrer-policy-script/no-referrer/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/no-referrer/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/no-referrer/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/no-referrer/same-origin.html: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin-when-cross-origin/same-origin.html: Added.
+ * http/tests/referrer-policy-script/origin/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/origin/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/origin/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/origin/same-origin.html: Added.
+ * http/tests/referrer-policy-script/same-origin/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/same-origin/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/same-origin/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/same-origin/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/same-origin/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/same-origin/same-origin.html: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html: Added.
+ * http/tests/referrer-policy-script/strict-origin/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/strict-origin/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/strict-origin/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/strict-origin/same-origin.html: Added.
+ * http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http-expected.txt: Added.
+ * http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http.html: Added.
+ * http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https-expected.txt: Added.
+ * http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https.html: Added.
+ * http/tests/referrer-policy-script/unsafe-url/same-origin-expected.txt: Added.
+ * http/tests/referrer-policy-script/unsafe-url/same-origin.html: Added.
+ * http/tests/referrer-policy/resources/script.php: Added.
+ * platform/win/TestExpectations:
+
2019-07-16 Myles C. Maxfield <mmaxfield@apple.com>
[WHLSL] Move WHLSL tests to their own folder
--- /dev/null
+Tests the behavior of no-referrer-when-downgrade referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer-when-downgrade referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer-when-downgrade"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of no-referrer-when-downgrade referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer-when-downgrade referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer-when-downgrade"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of no-referrer-when-downgrade referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/no-referrer-when-downgrade/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer-when-downgrade referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/no-referrer-when-downgrade/same-origin.html");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy=no-referrer-when-downgrade"></script>
+</body>
+</html>
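Review bot: The `referrerpolicy` value on the last `<script>` tag is missing its opening quote (`referrerpolicy=no-referrer-when-downgrade"`), so the parser most likely reads an unquoted value that ends in a stray `"`, which is not a valid policy token. The commit message says an invalid value keeps the current behavior, so this same-origin test probably passes through the fallback without exercising the attribute. The line should read `<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer-when-downgrade"></script>`. The expected referrer here appears to match what the fallback produces, so even the corrected file would not catch a regression that ignores the attribute; a short comment saying so would help.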
--- /dev/null
+Tests the behavior of no-referrer referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of no-referrer referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of no-referrer referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of no-referrer referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="no-referrer"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin-when-cross-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin, not the full URL, because we are cross-origin.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "https://127.0.0.1:8443/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin, not the full URL, because we are cross-origin.
+ shouldBeEqualToString("referrer", "https://127.0.0.1:8443/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin-when-cross-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/origin-when-cross-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin-when-cross-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL because we are same-origin.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/origin-when-cross-origin/same-origin.html");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "https://127.0.0.1:8443/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin
+ shouldBeEqualToString("referrer", "https://127.0.0.1:8443/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of same-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string because we are cross-origin.
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="same-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of same-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string because we are cross-origin.
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="same-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of same-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/same-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of same-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL because we are same-origin.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/same-origin/same-origin.html");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="same-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin, not the full URL, because we are cross-origin.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string because we are cross-origin and going from HTTPS to HTTP.
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin-when-cross-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin-when-cross-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL because we are same-origin.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin-when-cross-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin, not the full URL.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is ""
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the empty string because we are going from HTTPS to HTTP.
+ shouldBeEqualToString("referrer", "");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of strict-origin referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of strict-origin referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the origin, not the full URL.
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="strict-origin"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of unsafe-url referrer policy when cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/unsafe-url/cross-origin-http-http.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of unsafe-url referrer policy when cross origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/unsafe-url/cross-origin-http-http.html");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="unsaf-url"></script>
+</body>
+</html>
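Review bot: The external script tag in this test sets `referrerpolicy="unsaf-url"`, a misspelled value, so the attribute is treated as invalid and the fetch presumably falls back to the document's default policy. For an HTTP to HTTP load that default most likely also sends the full URL, so the expectation still passes without exercising unsafe-url at all. The line should read `<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="unsafe-url"></script>`, matching the sibling HTTPS and same-origin tests.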
--- /dev/null
+Tests the behavior of unsafe-url referrer policy when cross origin from HTTPS to HTTP.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "https://127.0.0.1:8443/referrer-policy-script/unsafe-url/cross-origin-http.https.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of unsafe-url referrer policy when cross origin from HTTPS to HTTP.");
+jsTestIsAsync = true;
+
+if (window.internals)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL
+ shouldBeEqualToString("referrer", "https://127.0.0.1:8443/referrer-policy-script/unsafe-url/cross-origin-http.https.html");
+ finishJSTest();
+}
+</script>
+<script src="http://localhost:8000/referrer-policy/resources/script.php" referrerpolicy="unsafe-url"></script>
+</body>
+</html>
--- /dev/null
+Tests the behavior of unsafe-url referrer policy when same origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS referrer is "http://127.0.0.1:8000/referrer-policy-script/unsafe-url/same-origin.html"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description("Tests the behavior of unsafe-url referrer policy when same origin.");
+jsTestIsAsync = true;
+
+function checkReferrer(value) {
+ referrer = value;
+ // Should be the full URL
+ shouldBeEqualToString("referrer", "http://127.0.0.1:8000/referrer-policy-script/unsafe-url/same-origin.html");
+ finishJSTest();
+}
+</script>
+<script src="http://127.0.0.1:8000/referrer-policy/resources/script.php" referrerpolicy="unsafe-url"></script>
+</body>
+</html>
--- /dev/null
+<?php
+header("Cache: no-cache, no-store");
+$refer = $_SERVER['HTTP_REFERER'];
+print("checkReferrer('$refer');");
+?>
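Review bot: The request's Referer header is interpolated into a single-quoted JavaScript string with no escaping, so a quote or backslash in the value changes the script that is returned. The header is also read without checking that it exists, which raises an undefined-index notice in exactly the no-referrer cases these tests cover and can leak into the response if notices are displayed. `Cache` is not a header that caches act on, so the intended no-store behaviour is not actually requested. Suggested lines: `header("Cache-Control: no-cache, no-store");`, `$refer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';` and `print("checkReferrer(" . json_encode($refer) . ");");`.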
webkit.org/b/195461 http/tests/referrer-policy-iframe/origin/same-origin.html [ Failure ]
webkit.org/b/195461 http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https.html [ Failure ]
+webkit.org/b/195461 http/tests/referrer-policy-script [ Skip ]
+
# webkit.org/b/196463
[ Win10 ] fast/css/font-family-pictograph.html [ Failure ]
[ Win10 ] fast/css/font-shorthand-line-height.html [ Failure ]
+2019-07-17 Rob Buis <rbuis@igalia.com>
+
+ Add referrerpolicy attribute support for <script> elements
+ https://bugs.webkit.org/show_bug.cgi?id=185550
+
+ Reviewed by Youenn Fablet.
+
+ This patch adds 'referrerpolicy' attribute support for script elements.
+ If set, the value is restricted to the ReferrerPolicy enum, and
+ if valid it is used for the script fetch.
+ If not set or invalid, the current behavior is kept.
+
+ Tests: http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http-http.html
+ http/tests/referrer-policy-script/no-referrer-when-downgrade/cross-origin-http.https.html
+ http/tests/referrer-policy-script/no-referrer-when-downgrade/same-origin.html
+ http/tests/referrer-policy-script/no-referrer/cross-origin-http-http.html
+ http/tests/referrer-policy-script/no-referrer/cross-origin-http.https.html
+ http/tests/referrer-policy-script/no-referrer/same-origin.html
+ http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http-http.html
+ http/tests/referrer-policy-script/origin-when-cross-origin/cross-origin-http.https.html
+ http/tests/referrer-policy-script/origin-when-cross-origin/same-origin.html
+ http/tests/referrer-policy-script/origin/cross-origin-http-http.html
+ http/tests/referrer-policy-script/origin/cross-origin-http.https.html
+ http/tests/referrer-policy-script/origin/same-origin.html
+ http/tests/referrer-policy-script/same-origin/cross-origin-http-http.html
+ http/tests/referrer-policy-script/same-origin/cross-origin-http.https.html
+ http/tests/referrer-policy-script/same-origin/same-origin.html
+ http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http-http.html
+ http/tests/referrer-policy-script/strict-origin-when-cross-origin/cross-origin-http.https.html
+ http/tests/referrer-policy-script/strict-origin-when-cross-origin/same-origin.html
+ http/tests/referrer-policy-script/strict-origin/cross-origin-http-http.html
+ http/tests/referrer-policy-script/strict-origin/cross-origin-http.https.html
+ http/tests/referrer-policy-script/strict-origin/same-origin.html
+ http/tests/referrer-policy-script/unsafe-url/cross-origin-http-http.html
+ http/tests/referrer-policy-script/unsafe-url/cross-origin-http.https.html
+ http/tests/referrer-policy-script/unsafe-url/same-origin.html
+
+ * bindings/js/CachedScriptFetcher.cpp:
+ (WebCore::CachedScriptFetcher::requestScriptWithCache const):
+ * bindings/js/CachedScriptFetcher.h:
+ (WebCore::CachedScriptFetcher::CachedScriptFetcher):
+ * dom/InlineClassicScript.h:
+ * dom/LoadableClassicScript.cpp:
+ (WebCore::LoadableClassicScript::create):
+ * dom/LoadableClassicScript.h:
+ * dom/LoadableModuleScript.cpp:
+ (WebCore::LoadableModuleScript::create):
+ (WebCore::LoadableModuleScript::LoadableModuleScript):
+ * dom/LoadableModuleScript.h:
+ * dom/LoadableScript.h:
+ (WebCore::LoadableScript::LoadableScript):
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestClassicScript):
+ (WebCore::ScriptElement::requestModuleScript):
+ * dom/ScriptElement.h:
+ * dom/ScriptElementCachedScriptFetcher.h:
+ (WebCore::ScriptElementCachedScriptFetcher::ScriptElementCachedScriptFetcher):
+ * html/HTMLIFrameElement.cpp:
+ (WebCore::HTMLIFrameElement::referrerPolicyForBindings const):
+ * html/HTMLScriptElement.cpp:
+ (WebCore::HTMLScriptElement::setReferrerPolicyForBindings):
+ (WebCore::HTMLScriptElement::referrerPolicyForBindings const):
+ (WebCore::HTMLScriptElement::referrerPolicy const):
+ * html/HTMLScriptElement.h:
+ * html/HTMLScriptElement.idl:
+ * html/parser/CSSPreloadScanner.cpp:
+ (WebCore::CSSPreloadScanner::emitRule):
+ * html/parser/HTMLPreloadScanner.cpp:
+ (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
+ (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
+ * html/parser/HTMLResourcePreloader.cpp:
+ (WebCore::PreloadRequest::resourceRequest):
+ * html/parser/HTMLResourcePreloader.h:
+ (WebCore::PreloadRequest::PreloadRequest):
+ * platform/ReferrerPolicy.cpp:
+ (WebCore::referrerPolicyToString):
+ * platform/ReferrerPolicy.h:
+ * svg/SVGScriptElement.h:
+
2019-07-16 Christopher Reid <chris.reid@sony.com>
Bytecode cache should use FileSystem
options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
options.integrity = WTFMove(integrity);
+ options.referrerPolicy = m_referrerPolicy;
auto request = createPotentialAccessControlRequest(sourceURL, document, crossOriginMode, WTFMove(options));
request.upgradeInsecureRequestIfNeeded(document);
#pragma once
#include "CachedResourceHandle.h"
+#include "ReferrerPolicy.h"
#include <JavaScriptCore/ScriptFetcher.h>
#include <wtf/text/WTFString.h>
static Ref<CachedScriptFetcher> create(const String& charset);
protected:
- CachedScriptFetcher(const String& nonce, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+ CachedScriptFetcher(const String& nonce, ReferrerPolicy referrerPolicy, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
: m_nonce(nonce)
, m_charset(charset)
, m_initiatorName(initiatorName)
, m_isInUserAgentShadowTree(isInUserAgentShadowTree)
+ , m_referrerPolicy(referrerPolicy)
{
}
String m_charset;
AtomString m_initiatorName;
bool m_isInUserAgentShadowTree { false };
+ ReferrerPolicy m_referrerPolicy { ReferrerPolicy::EmptyString };
};
} // namespace WebCore
private:
InlineClassicScript(const String& nonce, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
- : ScriptElementCachedScriptFetcher(nonce, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
+ : ScriptElementCachedScriptFetcher(nonce, ReferrerPolicy::EmptyString, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
{
}
};
namespace WebCore {
-Ref<LoadableClassicScript> LoadableClassicScript::create(const String& nonce, const String& integrityMetadata, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+Ref<LoadableClassicScript> LoadableClassicScript::create(const String& nonce, const String& integrityMetadata, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
{
- return adoptRef(*new LoadableClassicScript(nonce, integrityMetadata, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree));
+ return adoptRef(*new LoadableClassicScript(nonce, integrityMetadata, policy, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree));
}
LoadableClassicScript::~LoadableClassicScript()
#include "CachedResourceHandle.h"
#include "CachedScript.h"
#include "LoadableScript.h"
+#include "ReferrerPolicy.h"
#include <wtf/TypeCasts.h>
namespace WebCore {
public:
virtual ~LoadableClassicScript();
- static Ref<LoadableClassicScript> create(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
+ static Ref<LoadableClassicScript> create(const String& nonce, const String& integrity, ReferrerPolicy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
bool isLoaded() const final;
Optional<Error> error() const final;
bool wasCanceled() const final;
bool load(Document&, const URL&);
private:
- LoadableClassicScript(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
- : LoadableScript(nonce, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
+ LoadableClassicScript(const String& nonce, const String& integrity, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+ : LoadableScript(nonce, policy, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
, m_integrity(integrity)
{
}
namespace WebCore {
-Ref<LoadableModuleScript> LoadableModuleScript::create(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+Ref<LoadableModuleScript> LoadableModuleScript::create(const String& nonce, const String& integrity, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
{
- return adoptRef(*new LoadableModuleScript(nonce, integrity, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree));
+ return adoptRef(*new LoadableModuleScript(nonce, integrity, policy, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree));
}
-LoadableModuleScript::LoadableModuleScript(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
- : LoadableScript(nonce, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
+LoadableModuleScript::LoadableModuleScript(const String& nonce, const String& integrity, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+ : LoadableScript(nonce, policy, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
, m_parameters(ModuleFetchParameters::create(integrity))
{
}
public:
virtual ~LoadableModuleScript();
- static Ref<LoadableModuleScript> create(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
+ static Ref<LoadableModuleScript> create(const String& nonce, const String& integrity, ReferrerPolicy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
bool isLoaded() const final;
Optional<Error> error() const final;
UniquedStringImpl* moduleKey() const { return m_moduleKey.get(); }
private:
- LoadableModuleScript(const String& nonce, const String& integrity, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
+ LoadableModuleScript(const String& nonce, const String& integrity, ReferrerPolicy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree);
Ref<ModuleFetchParameters> m_parameters;
RefPtr<UniquedStringImpl> m_moduleKey;
void removeClient(LoadableScriptClient&);
protected:
- LoadableScript(const String& nonce, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
- : ScriptElementCachedScriptFetcher(nonce, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
+ LoadableScript(const String& nonce, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+ : ScriptElementCachedScriptFetcher(nonce, policy, crossOriginMode, charset, initiatorName, isInUserAgentShadowTree)
{
}
auto script = LoadableClassicScript::create(
m_element.attributeWithoutSynchronization(HTMLNames::nonceAttr),
m_element.document().settings().subresourceIntegrityEnabled() ? m_element.attributeWithoutSynchronization(HTMLNames::integrityAttr).string() : emptyString(),
+ referrerPolicy(),
m_element.attributeWithoutSynchronization(HTMLNames::crossoriginAttr),
scriptCharset(),
m_element.localName(),
auto script = LoadableModuleScript::create(
nonce,
m_element.document().settings().subresourceIntegrityEnabled() ? m_element.attributeWithoutSynchronization(HTMLNames::integrityAttr).string() : emptyString(),
+ referrerPolicy(),
crossOriginMode,
scriptCharset(),
m_element.localName(),
return true;
}
- auto script = LoadableModuleScript::create(nonce, emptyString(), crossOriginMode, scriptCharset(), m_element.localName(), m_element.isInUserAgentShadowTree());
+ auto script = LoadableModuleScript::create(nonce, emptyString(), referrerPolicy(), crossOriginMode, scriptCharset(), m_element.localName(), m_element.isInUserAgentShadowTree());
TextPosition position = m_element.document().isInDocumentWrite() ? TextPosition() : scriptStartPosition;
ScriptSourceCode sourceCode(scriptContent(), URL(m_element.document().url()), position, JSC::SourceProviderSourceType::Module, script.copyRef());
#include "ContainerNode.h"
#include "LoadableScript.h"
+#include "ReferrerPolicy.h"
#include "UserGestureIndicator.h"
#include <wtf/MonotonicTime.h>
#include <wtf/text/TextPosition.h>
virtual bool hasDeferAttribute() const = 0;
virtual bool hasSourceAttribute() const = 0;
virtual bool hasNoModuleAttribute() const = 0;
+ virtual ReferrerPolicy referrerPolicy() const = 0;
Element& m_element;
WTF::OrdinalNumber m_startLineNumber;
const String& crossOriginMode() const { return m_crossOriginMode; }
protected:
- ScriptElementCachedScriptFetcher(const String& nonce, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
- : CachedScriptFetcher(nonce, charset, initiatorName, isInUserAgentShadowTree)
+ ScriptElementCachedScriptFetcher(const String& nonce, ReferrerPolicy policy, const String& crossOriginMode, const String& charset, const AtomString& initiatorName, bool isInUserAgentShadowTree)
+ : CachedScriptFetcher(nonce, policy, charset, initiatorName, isInUserAgentShadowTree)
, m_crossOriginMode(crossOriginMode)
{
}
String HTMLIFrameElement::referrerPolicyForBindings() const
{
- switch (referrerPolicy()) {
- case ReferrerPolicy::NoReferrer:
- return "no-referrer"_s;
- case ReferrerPolicy::UnsafeUrl:
- return "unsafe-url"_s;
- case ReferrerPolicy::Origin:
- return "origin"_s;
- case ReferrerPolicy::OriginWhenCrossOrigin:
- return "origin-when-cross-origin"_s;
- case ReferrerPolicy::SameOrigin:
- return "same-origin"_s;
- case ReferrerPolicy::StrictOrigin:
- return "strict-origin"_s;
- case ReferrerPolicy::StrictOriginWhenCrossOrigin:
- return "strict-origin-when-cross-origin"_s;
- case ReferrerPolicy::NoReferrerWhenDowngrade:
- return "no-referrer-when-downgrade"_s;
- case ReferrerPolicy::EmptyString:
- return { };
- }
- ASSERT_NOT_REACHED();
- return { };
+ return referrerPolicyToString(referrerPolicy());
}
ReferrerPolicy HTMLIFrameElement::referrerPolicy() const
return adoptRef(*new HTMLScriptElement(tagQName(), targetDocument, false, alreadyStarted()));
}
+void HTMLScriptElement::setReferrerPolicyForBindings(const AtomString& value)
+{
+ setAttributeWithoutSynchronization(referrerpolicyAttr, value);
+}
+
+String HTMLScriptElement::referrerPolicyForBindings() const
+{
+ return referrerPolicyToString(referrerPolicy());
+}
+
+ReferrerPolicy HTMLScriptElement::referrerPolicy() const
+{
+ if (RuntimeEnabledFeatures::sharedFeatures().referrerPolicyAttributeEnabled())
+ return parseReferrerPolicy(attributeWithoutSynchronization(referrerpolicyAttr), ReferrerPolicySource::ReferrerPolicyAttribute).valueOr(ReferrerPolicy::EmptyString);
+ return ReferrerPolicy::EmptyString;
+}
+
}
WEBCORE_EXPORT void setCrossOrigin(const AtomString&);
WEBCORE_EXPORT String crossOrigin() const;
+ void setReferrerPolicyForBindings(const AtomString&);
+ String referrerPolicyForBindings() const;
+ ReferrerPolicy referrerPolicy() const final;
+
using HTMLElement::ref;
using HTMLElement::deref;
[Reflect] attribute DOMString nonce;
[CEReactions=NotNeeded, Reflect] attribute boolean noModule;
[CEReactions=NotNeeded, Reflect, EnabledBySetting=SubresourceIntegrity] attribute DOMString integrity;
+ [EnabledAtRuntime=ReferrerPolicyAttribute, ImplementedAs=referrerPolicyForBindings, CEReactions=NotNeeded] attribute DOMString referrerPolicy;
};
if (!url.isEmpty()) {
URL baseElementURL; // FIXME: This should be passed in from the HTMLPreloadScanner via scan(): without it we will get relative URLs wrong.
// FIXME: Should this be including the charset in the preload request?
- m_requests->append(std::make_unique<PreloadRequest>("css", url, baseElementURL, CachedResource::Type::CSSStyleSheet, String(), PreloadRequest::ModuleScript::No));
+ m_requests->append(std::make_unique<PreloadRequest>("css", url, baseElementURL, CachedResource::Type::CSSStyleSheet, String(), PreloadRequest::ModuleScript::No, ReferrerPolicy::EmptyString));
}
m_state = Initial;
} else if (equalLettersIgnoringASCIICase(rule, "charset"))
if (!LinkLoader::isSupportedType(type.value(), m_typeAttribute))
return nullptr;
- auto request = std::make_unique<PreloadRequest>(initiatorFor(m_tagId), m_urlToLoad, predictedBaseURL, type.value(), m_mediaAttribute, m_moduleScript);
+ auto request = std::make_unique<PreloadRequest>(initiatorFor(m_tagId), m_urlToLoad, predictedBaseURL, type.value(), m_mediaAttribute, m_moduleScript, m_referrerPolicy);
request->setCrossOriginMode(m_crossOriginMode);
request->setNonce(m_nonceAttribute);
if (match(attributeName, typeAttr)) {
m_moduleScript = equalLettersIgnoringASCIICase(attributeValue, "module") ? PreloadRequest::ModuleScript::Yes : PreloadRequest::ModuleScript::No;
break;
- } else if (match(attributeName, nonceAttr))
+ } else if (match(attributeName, nonceAttr)) {
m_nonceAttribute = attributeValue;
+ break;
+ } else if (match(attributeName, referrerpolicyAttr)) {
+ m_referrerPolicy = parseReferrerPolicy(attributeValue, ReferrerPolicySource::ReferrerPolicyAttribute).valueOr(ReferrerPolicy::EmptyString);
+ break;
+ }
processImageAndScriptAttribute(attributeName, attributeValue);
break;
case TagId::Link:
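Review bot: The new `referrerpolicyAttr` branch parses the attribute unconditionally, while `HTMLScriptElement::referrerPolicy()` in this same patch only honours it when `RuntimeEnabledFeatures::sharedFeatures().referrerPolicyAttributeEnabled()` is true. With the feature disabled, a speculative preload would apparently go out under the attribute's policy while the real script fetch uses the default, so the two requests can disagree on the Referer they send. Guarding the assignment keeps them aligned, e.g. `if (RuntimeEnabledFeatures::sharedFeatures().referrerPolicyAttributeEnabled())` before the `m_referrerPolicy = parseReferrerPolicy(...)` line, assuming the header is reachable from this file. `processAttribute` begins and ends outside this hunk.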
bool m_inputIsImage;
float m_deviceScaleFactor;
PreloadRequest::ModuleScript m_moduleScript { PreloadRequest::ModuleScript::No };
+ ReferrerPolicy m_referrerPolicy { ReferrerPolicy::EmptyString };
};
TokenPreloadScanner::TokenPreloadScanner(const URL& documentURL, float deviceScaleFactor)
if (crossOriginMode.isNull())
crossOriginMode = "omit"_s;
}
+ if (m_resourceType == CachedResource::Type::Script)
+ options.referrerPolicy = m_referrerPolicy;
auto request = createPotentialAccessControlRequest(completeURL(document), document, crossOriginMode, WTFMove(options));
request.setInitiator(m_initiator);
return request;
Yes,
No,
};
- PreloadRequest(const String& initiator, const String& resourceURL, const URL& baseURL, CachedResource::Type resourceType, const String& mediaAttribute, ModuleScript moduleScript)
+ PreloadRequest(const String& initiator, const String& resourceURL, const URL& baseURL, CachedResource::Type resourceType, const String& mediaAttribute, ModuleScript moduleScript, const ReferrerPolicy& referrerPolicy)
: m_initiator(initiator)
, m_resourceURL(resourceURL)
, m_baseURL(baseURL.isolatedCopy())
, m_resourceType(resourceType)
, m_mediaAttribute(mediaAttribute)
, m_moduleScript(moduleScript)
+ , m_referrerPolicy(referrerPolicy)
{
}
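Review bot: `PreloadRequest` takes the policy as `const ReferrerPolicy& referrerPolicy`, whereas every other constructor touched by this patch takes `ReferrerPolicy` by value. The type is an enum (it is switched over with `ReferrerPolicy::…` cases), so the reference adds indirection with no benefit and makes the signatures inconsistent. Suggest `ModuleScript moduleScript, ReferrerPolicy referrerPolicy)` here, and likewise `String referrerPolicyToString(ReferrerPolicy);` for the new helper declared in platform/ReferrerPolicy.h and defined in ReferrerPolicy.cpp.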
String m_crossOriginMode;
String m_nonceAttribute;
ModuleScript m_moduleScript;
+ ReferrerPolicy m_referrerPolicy;
};
typedef Vector<std::unique_ptr<PreloadRequest>> PreloadRequestStream;
return WTF::nullopt;
}
+String referrerPolicyToString(const ReferrerPolicy& referrerPolicy)
+{
+ switch (referrerPolicy) {
+ case ReferrerPolicy::NoReferrer:
+ return "no-referrer"_s;
+ case ReferrerPolicy::UnsafeUrl:
+ return "unsafe-url"_s;
+ case ReferrerPolicy::Origin:
+ return "origin"_s;
+ case ReferrerPolicy::OriginWhenCrossOrigin:
+ return "origin-when-cross-origin"_s;
+ case ReferrerPolicy::SameOrigin:
+ return "same-origin"_s;
+ case ReferrerPolicy::StrictOrigin:
+ return "strict-origin"_s;
+ case ReferrerPolicy::StrictOriginWhenCrossOrigin:
+ return "strict-origin-when-cross-origin"_s;
+ case ReferrerPolicy::NoReferrerWhenDowngrade:
+ return "no-referrer-when-downgrade"_s;
+ case ReferrerPolicy::EmptyString:
+ return { };
+ }
+ ASSERT_NOT_REACHED();
+ return { };
+}
+
} // namespace WebCore
enum class ReferrerPolicySource : uint8_t { MetaTag, HTTPHeader, ReferrerPolicyAttribute };
Optional<ReferrerPolicy> parseReferrerPolicy(StringView, ReferrerPolicySource);
+String referrerPolicyToString(const ReferrerPolicy&);
}
bool hasAsyncAttribute() const final { return false; }
bool hasDeferAttribute() const final { return false; }
bool hasNoModuleAttribute() const final { return false; }
+ ReferrerPolicy referrerPolicy() const final { return ReferrerPolicy::EmptyString; }
bool hasSourceAttribute() const final { return hasAttribute(SVGNames::hrefAttr) || hasAttribute(XLinkNames::hrefAttr); }
void dispatchLoadEvent() final { SVGExternalResourcesRequired::dispatchLoadEvent(); }