Disallow cross-origin subresources from asking for credentials
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 14 Feb 2018 22:27:52 +0000 (22:27 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 14 Feb 2018 22:27:52 +0000 (22:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=182579
<rdar://problem/36162271>

Reviewed by Andy Estes.

Source/WebCore:

Prompts for credentials to load cross-origin subresources are typically seen as unexpected
by a person that navigates to, or interacts with, a web page. The cross-origin and implicit
loading nature of these subresources makes asking for credentials questionable because they
are not being served by the same origin of the page a person explicitly loaded and are not
guaranteed to correspond to an explicit user interaction other than the initial load of the
page. We know that subresources that ask for credentials can be abused as part of a phishing
attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
due to their questionable nature and the risk for abuse. This will also make the behavior
of WebKit match the behavior of Chrome.

Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/basic-auth-subresource.html
       http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
(WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
the authentication challenge was blocked because the request is cross origin.
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
request from prompting for credentials.
(WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
* loader/ResourceLoader.h:
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that we block cross-origin
subresources from prompting for credentials, if applicable.
(WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
* loader/SubresourceLoader.h:
* page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
do not allow cross origin subresources to ask for credentials).

Source/WebKit:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredentials.

* Shared/WebPreferences.yaml:
* UIProcess/API/C/WKPreferences.cpp:
(WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
(WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
* UIProcess/API/C/WKPreferencesRefPrivate.h:

Source/WebKitLegacy/mac:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredentials.

* WebView/WebPreferenceKeysPrivate.h:
* WebView/WebPreferences.mm:
(+[WebPreferences initialize]):
(-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
(-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
* WebView/WebPreferencesPrivate.h:
* WebView/WebView.mm:
(-[WebView _preferencesChanged:]):

Tools:

Add test option allowCrossOriginSubresourcesToAskForCredentials (defaults to false)
so that tests can toggle between the old behavior and new behavior.

* DumpRenderTree/TestOptions.h:
* DumpRenderTree/TestOptions.mm:
(TestOptions::TestOptions):
* DumpRenderTree/mac/DumpRenderTree.mm:
(setWebPreferencesForTestOptions):
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetPreferencesToConsistentValues):
(WTR::updateTestOptionsFromTestHeader):
* WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::hasSameInitializationOptions const):

LayoutTests:

Copied existing tests that depended on cross-origin subresources being able to prompt for credentials
to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt into the behavior
before this change. Updated existing tests to reflect the new behavior and added new tests to
ensure that we do not regress the new behavior.

* http/tests/media/video-auth-expected.txt:
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
* http/tests/media/video-auth.html:
* http/tests/security/basic-auth-subresource-expected.txt: Added.
* http/tests/security/basic-auth-subresource.html: Added.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/credentials-iframes-expected.txt:
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
* http/tests/security/resources/basic-auth-subresource.html: Added.
* http/tests/security/resources/subresource1/protected-image.php: Added.
* http/tests/security/resources/subresource2/protected-image.php: Added.
* platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
* platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
* platform/wk2/http/tests/media/video-auth-expected.txt:
* platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
* platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
* platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
* platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228486 268f45cc-cd09-0410-ab3c-d52691b4dbfc

57 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/media/video-auth-expected.txt
LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/media/video-auth.html
LayoutTests/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/basic-auth-subresource.html [new file with mode: 0644]
LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [moved from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt with 100% similarity]
LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/security/credentials-iframes-expected.txt
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [moved from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt with 100% similarity]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt
LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html
LayoutTests/http/tests/security/resources/basic-auth-subresource.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/subresource1/protected-image.php [new file with mode: 0644]
LayoutTests/http/tests/security/resources/subresource2/protected-image.php [new file with mode: 0644]
LayoutTests/platform/win/TestExpectations
LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt
LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt [new file with mode: 0644]
LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/ResourceLoader.cpp
Source/WebCore/loader/ResourceLoader.h
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/SubresourceLoader.h
Source/WebCore/page/Settings.yaml
Source/WebKit/ChangeLog
Source/WebKit/Shared/WebPreferences.yaml
Source/WebKit/UIProcess/API/C/WKPreferences.cpp
Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h
Source/WebKitLegacy/mac/ChangeLog
Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h
Source/WebKitLegacy/mac/WebView/WebPreferences.mm
Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h
Source/WebKitLegacy/mac/WebView/WebView.mm
Tools/ChangeLog
Tools/DumpRenderTree/TestOptions.h
Tools/DumpRenderTree/TestOptions.mm
Tools/DumpRenderTree/mac/DumpRenderTree.mm
Tools/WebKitTestRunner/TestController.cpp
Tools/WebKitTestRunner/TestOptions.h
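The rule this commit introduces, written out as an added JavaScript example (this is not WebKit's code and not the ResourceLoader implementation): a subresource may ask for HTTP credentials only when its origin, the scheme/host/port triple, equals the origin of the top-most frame. The sample URLs are constructed from the 127.0.0.1 and localhost pairs the layout test uses, and the opt-out parameter is an assumed stand-in for the allowCrossOriginSubresourcesToAskForCredentials setting.

```javascript
// Added example, not WebKit's implementation: the origin check behind
// "disallow cross-origin subresources from asking for credentials".
//
// An origin is the (scheme, host, port) triple. 127.0.0.1 and localhost are
// different hosts, and http://host:8000 and https://host:8443 differ in both
// scheme and port, so all of these are cross-origin to one another even
// though they resolve to the same machine.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Serialize an origin with the default port made explicit, so that
// http://host/ and http://host:80/ compare equal.
function originOf(urlString) {
  const url = new URL(urlString);
  const port = url.port || DEFAULT_PORTS[url.protocol] || "";
  return `${url.protocol}//${url.hostname}:${port}`;
}

// The decision: a cross-origin subresource may not prompt unless the
// (assumed) opt-out setting is on. The comparison is against the top-most
// frame's origin, not the embedding frame's, which matches the expectation
// file below: an image served from the top-level origin may still prompt
// when it is loaded inside a cross-origin or sandboxed iframe.
function shouldAllowResourceToAskForCredentials(
  topFrameUrl,
  subresourceUrl,
  { allowCrossOriginSubresourcesToAskForCredentials = false } = {}
) {
  if (allowCrossOriginSubresourcesToAskForCredentials)
    return true;
  return originOf(topFrameUrl) === originOf(subresourceUrl);
}

// Outcome plus the console message the layout test expects for blocked loads.
function credentialDecision(topFrameUrl, subresourceUrl, settings) {
  const allowed = shouldAllowResourceToAskForCredentials(topFrameUrl, subresourceUrl, settings);
  return {
    allowed,
    consoleMessage: allowed
      ? null
      : `Blocked ${subresourceUrl} from asking for credentials because it is a cross-origin request.`,
  };
}

// Constructed sample: the top frame and subresource URLs used by
// http/tests/security/basic-auth-subresource.html.
const TOP_FRAME = "http://127.0.0.1:8000/security/basic-auth-subresource.html";
const SAMPLE_SUBRESOURCES = [
  "http://127.0.0.1:8000/security/resources/subresource1/protected-image.php",
  "http://localhost:8000/security/resources/subresource1/protected-image.php",
  "https://127.0.0.1:8443/security/resources/subresource2/protected-image.php",
  "https://localhost:8443/security/resources/subresource2/protected-image.php",
];

// Evaluate every sample subresource against the top frame; `settings` is the
// optional opt-out object described above.
function runSample(settings) {
  return SAMPLE_SUBRESOURCES.map((url) => credentialDecision(TOP_FRAME, url, settings));
}

for (const decision of runSample())
  console.log(decision.allowed ? "may prompt" : decision.consoleMessage);
```

Only the first sample URL may prompt; the other three produce the same "Blocked ... because it is a cross-origin request." text that appears in basic-auth-subresource-expected.txt. Passing `{ allowCrossOriginSubresourcesToAskForCredentials: true }` restores the pre-change behavior for all four, which is what the copied tests with that suffix exercise.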

index bf77fce..485f3b9 100644 (file)
@@ -1,3 +1,55 @@
+2018-02-14  Daniel Bates  <dabates@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Copied existing tests that depended on cross-origin subresources being able prompt for credentials
+        to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
+        to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior
+        before this change. Updated existing tests to reflect the new behavior and added new tests to
+        ensure that we do not regress the new behavior.
+
+        * http/tests/media/video-auth-expected.txt:
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
+        * http/tests/media/video-auth.html:
+        * http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * http/tests/security/basic-auth-subresource.html: Added.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/credentials-iframes-expected.txt:
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
+        * http/tests/security/resources/basic-auth-subresource.html: Added.
+        * http/tests/security/resources/subresource1/protected-image.php: Added.
+        * http/tests/security/resources/subresource2/protected-image.php: Added.
+        * platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
+        DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
+        * platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
+        connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
+        * platform/wk2/http/tests/media/video-auth-expected.txt:
+        * platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
+        * platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
+        * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
+
 2018-02-14  Matt Lewis  <jlewis3@apple.com>
 
         Marked imported/w3c/web-platform-tests/service-workers/cache-storage/worker/cache-storage-match.https.html as flaky on macOS WK2.
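Review bot: the paragraph beginning "Copied existing tests" says the copies set allowCrossOriginSubresourcesToAskForCredentials to false to opt into the old behavior, but the copied test header later in this patch reads `<!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->` and the WebCore ChangeLog says the setting defaults to false, so the entry should say true. Same paragraph: "being able prompt" should read "being able to prompt".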
index fcfdcba..89f5f02 100644 (file)
@@ -1,10 +1,7 @@
 http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
-http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
  
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST
 
diff --git a/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt b/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt
new file mode 100644 (file)
index 0000000..fcfdcba
--- /dev/null
@@ -0,0 +1,10 @@
+http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
+http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
+Tests that the media player sends authorization credentials when requesting a media file.
+Testing same domain (127.0.0.1)
+EVENT(canplay)
+Testing cross domain (localhost)
+EVENT(canplay)
+END OF TEST
+
diff --git a/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html b/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
new file mode 100644 (file)
index 0000000..728acab
--- /dev/null
@@ -0,0 +1,62 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+    <head>
+        <script src=../../media-resources/video-test.js></script>
+        <script src=../../media-resources/media-file.js></script>
+        <script>
+
+            if (window.testRunner) {
+                testRunner.setHandlesAuthenticationChallenges(true);
+                testRunner.setAuthenticationUsername("username");
+                testRunner.setAuthenticationPassword("password");
+            }
+
+            var tests;
+            var media = findMediaFile('video', 'test');
+            var type = mimeTypeForExtension(media.split('.').pop());
+
+            function startTests()
+            {
+                findMediaElement();
+                waitForEventAndFail('error');
+                waitForEvent('canplay', runNextTest);
+
+                tests = [
+                    testSameDomain,
+                    testCrossDomain,
+                ];
+
+                runNextTest();
+            }
+
+            function runNextTest()
+            {
+                var test = tests.shift();
+                if (test)
+                    test();
+                else
+                    endTest();
+            }
+
+            function testSameDomain()
+            {
+                consoleWrite('Testing same domain (127.0.0.1)');
+                video.src = 'http://127.0.0.1:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
+                video.load();
+            }
+
+            function testCrossDomain()
+            {
+                consoleWrite('Testing cross domain (localhost)');
+                video.src = 'http://localhost:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
+                video.load();
+            }
+        </script>
+    </head>
+
+    <body onload="startTests()">
+        <video></video>
+        <br>
+        Tests that the media player sends authorization credentials when requesting a media file.
+    </body>
+</html>
index 78a2a69..356265b 100644 (file)
@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html>
     <head>
         <script src=../../media-resources/video-test.js></script>
             {
                 findMediaElement();
                 waitForEventAndFail('error');
-                waitForEvent('canplay', runNextTest);
+                waitForEventAndEnd('canplay');
 
-                tests = [
-                    testSameDomain,
-                    testCrossDomain,
-                ];
-
-                runNextTest();
-            }
-
-            function runNextTest()
-            {
-                var test = tests.shift();
-                if (test)
-                    test();
-                else
-                    endTest();
+                testSameDomain();
             }
 
             function testSameDomain()
                 video.src = 'http://127.0.0.1:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
                 video.load();
             }
-
-            function testCrossDomain()
-            {
-                consoleWrite('Testing cross domain (localhost)');
-                video.src = 'http://localhost:8000/media/resources/video-auth.php?name=' + media + '&type=' + type;
-                video.load();
-            }
         </script>
     </head>
 
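Review bot: removing testCrossDomain and the tests array leaves video-auth.html covering only the same-origin path, so no test in the default configuration checks that a cross-origin media load is blocked from prompting; consider keeping the localhost case and expecting the "Blocked ... from asking for credentials" console message (as basic-auth-subresource-expected.txt does for images) rather than deleting it. With runNextTest gone, the `var tests;` declaration outside these hunks is also left unused.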
diff --git a/LayoutTests/http/tests/security/basic-auth-subresource-expected.txt b/LayoutTests/http/tests/security/basic-auth-subresource-expected.txt
new file mode 100644 (file)
index 0000000..c54e2a5
--- /dev/null
@@ -0,0 +1,55 @@
+http://127.0.0.1:8000/security/resources/subresource1/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+http://127.0.0.1:8000/security/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
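Review bot: The "Images loaded from sandboxed same-origin iframe" block contains two identical lines, "PASS did load image with origin http://127.0.0.1:8000." (one for the relative subresource2/protected-image.php case, one for the absolute http://127.0.0.1:8000 case), so a regression in either case produces the same diff and cannot be told apart from the output. Including the request URL or a case label in the message, e.g. `did load image ${image.src}` instead of only the origin, would make each expectation line unique.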
diff --git a/LayoutTests/http/tests/security/basic-auth-subresource.html b/LayoutTests/http/tests/security/basic-auth-subresource.html
new file mode 100644 (file)
index 0000000..454295b
--- /dev/null
@@ -0,0 +1,163 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+var indexOfIFrameTest = 0;
+var testContainer;
+
+function handleMessage(messageEvent)
+{
+    let framePrefix = "[Frame]";
+    let message = event.data;
+    let indexOfSeparator = message.indexOf(":");
+    if (indexOfSeparator == -1) {
+        debug(framePrefix + message);
+        return;
+    }
+    let command = message.substr(0, indexOfSeparator);
+    let description = message.substr(indexOfSeparator + 1);
+    if (command == "PASS") {
+        testPassed(description);
+        debug("");
+    } else if (command == "FAIL") {
+        testFailed(description);
+        debug("");
+    } else if (command == "DEBUG")
+        debug(description);
+    else if (command == "DONE")
+        runNextIFrameTest();
+    else
+        debug(framePrefix + message);
+}
+
+function pass(image, messagePrefix)
+{
+    testPassed(`${messagePrefix} with origin ${(new URL(image.src)).origin}.`);
+    debug("");
+    runNextImageTest();
+}
+
+function fail(image, messagePrefix)
+{
+    testFailed(`${messagePrefix} with origin ${(new URL(image.src)).origin}.`);
+    debug("");
+    runNextImageTest();
+}
+
+function done()
+{
+    if (window.testRunner)
+        document.body.removeChild(testContainer);
+    finishJSTest();
+}
+
+function testBasicAuthImagesInCrossOriginIframe()
+{
+    debug("Images loaded from cross-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.src = "http://localhost:8000/security/resources/basic-auth-subresource.html?top-origin=" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function testBasicAuthImagesInSandboxedSameOriginIFrame()
+{
+    debug("Images loaded from sandboxed same-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.sandbox = "allow-scripts";
+    iframe.src = "http://127.0.0.1:8000/security/resources/basic-auth-subresource.html?top-origin=" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function testBasicAuthImagesInSandboxedCrossOriginIFrame()
+{
+    debug("Images loaded from sandboxed cross-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.sandbox = "allow-scripts";
+    iframe.src = "http://localhost:8000/security/resources/basic-auth-subresource.html?top-origin=" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function runNextIFrameTest()
+{
+    if (indexOfIFrameTest >= NumberOfIFrameTests) {
+        done();
+        return;
+    }
+    var testNumber = indexOfIFrameTest++;
+    switch (testNumber) {
+    case 0:
+        testBasicAuthImagesInCrossOriginIframe();
+        return;
+    case 1:
+        testBasicAuthImagesInSandboxedSameOriginIFrame();
+        return;
+    case 2:
+        testBasicAuthImagesInSandboxedCrossOriginIFrame();
+        return;
+    }
+}
+
+function runNextImageTest()
+{
+    var test = imageTests.shift();
+    if (!test) {
+        runNextIFrameTest();
+        return;
+    }
+    var image = new Image;
+    image.onload = () => test.onload(image);
+    image.onerror = () => test.onerror(image);
+    image.src = test.src;
+    testContainer.appendChild(image);
+}
+
+window.onload = () => {
+    testContainer = document.getElementById("test-container");
+    window.onmessage = handleMessage;
+
+    debug("Images loaded from top-level frame:");
+    runNextImageTest();
+};
+
+// Tests
+
+const DidLoadImage = "did load image";
+const DidNotLoadImage = "did not load image";
+
+const NumberOfIFrameTests = 3;
+
+var imageTests = [
+{
+    src: "resources/subresource1/protected-image.php",
+    onload: (image) => pass(image, DidLoadImage),
+    onerror: (image) => fail(image, DidNotLoadImage),
+},
+{
+    src: "http://localhost:8000/security/resources/subresource1/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+{
+    src: "https://localhost:8443/security/resources/subresource1/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+];
+</script>
+</head>
+<body>
+<script>
+description("Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.");
+</script>
+<div id="test-container"></div>
+</body>
+</html>
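Review bot: handleMessage(messageEvent) ignores its parameter and reads `let message = event.data;`, which only works through the legacy window.event global; use `messageEvent.data` so the handler does not depend on a non-standard property. Since the listener also trusts "PASS:"/"FAIL:"/"DONE:" commands from any origin without looking at messageEvent.origin, a short comment saying that is deliberate for a layout test would help, because the frames it listens to are cross-origin by design.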
diff --git a/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html b/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html
new file mode 100644 (file)
index 0000000..d020086
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    testRunner.setCanOpenWindows();
+    internals.settings.setStorageBlockingPolicy('BlockThirdParty');
+}
+
+window.addEventListener("message", function (event) {
+    alert("parent host: " + window.location.hostname + event.data);
+    window.open("http://localhost:8000/security/resources/credentials-iframes-continued.html");
+}, false);
+</script>
+</head>
+<body>
+<iframe src="resources/credentials-iframes-same-domain.html"></iframe>
+</body>
+</html>
\ No newline at end of file
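Review bot: Missing trailing newline ("\ No newline at end of file"). The body is otherwise a copy of the existing credentials-iframes.html with only the webkit-test-runner option comment added, so a one-line comment stating what differs in the expected outcome (the cross-origin iframe's challenge is delivered instead of blocked) would save the next reader a side-by-side diff.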
index a19746e..c1f0dd2 100644 (file)
@@ -1,4 +1,4 @@
 ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
-127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
+CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/resources/cors-basic-auth.php from asking for credentials because it is a cross-origin request.
 ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
 
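Review bot: The new console line says the request to http://127.0.0.1:8000/security/resources/cors-basic-auth.php was blocked "because it is a cross-origin request", yet the following ALERT shows the requesting iframe's host is 127.0.0.1, so the request is same-origin with the frame that issued it and only cross-origin with respect to the top-level page (localhost). Someone debugging from the console will be misled; consider wording the message as cross-origin relative to the top-level frame, or naming the top-level origin in it.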
diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt b/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
new file mode 100644 (file)
index 0000000..d0551b6
--- /dev/null
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
+
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.
+Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html b/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
new file mode 100644 (file)
index 0000000..24878c7
--- /dev/null
@@ -0,0 +1,45 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php";
+    document.body.appendChild(image);
+}
+
+window.onload = runTest;
+</script>
+</head>
+<body>
+<script>
+description("Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.");
+</script>
+</body>
+</html>
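Review bot: The file is byte-for-byte the existing insecure-basic-auth-image.https.html plus the webkit-test-runner option comment on the first line, and the same pattern repeats for the four other -allowCrossOriginSubresourcesToAskForCredentials variants below. Five copies of the same pass/fail/runTest boilerplate will drift apart; a shared script under resources/ would avoid that. At minimum the description() string should mention that the option is enabled so the expected output explains itself.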
index 81a4291..a607113 100644 (file)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
 
-CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
 Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
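Review bot: The `-`/`+` pair shows the cross-origin check now fires before the mixed-content check, so in the default configuration this test never reaches the "insecure content" branch any more; the only coverage of that branch is the new -allowCrossOriginSubresourcesToAskForCredentials variant, which the Windows TestExpectations change below skips. Worth stating in the ChangeLog so the variant is not later removed as a duplicate.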
diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt b/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt
new file mode 100644 (file)
index 0000000..63d3177
--- /dev/null
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
+
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
+This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+
+PASS did not load image.
diff --git a/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html b/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
new file mode 100644 (file)
index 0000000..a5c37dc
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+    testRunner.waitUntilDone();
+}
+
+function receiveMessage(messageEvent) {
+    document.getElementById("result").textContent = messageEvent.data;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.addEventListener("message", receiveMessage, false);
+</script>
+<p>This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.</p>
+<div id="result"></div>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html");
+</script>
+</body>
+</html>
index 63d3177..7e63a5d 100644 (file)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
 
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
 
 PASS did not load image.
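Review bot: The unchanged description line still says the image "should be blocked because it requires credentials and was loaded via an insecure redirect", but the `+` line records that it was blocked for being cross-origin; the insecure-redirect reason is no longer what this test verifies. Update the description in the .html (and regenerate this file) to say the redirect target is cross-origin, as was done for secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html further down.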
diff --git a/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt b/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
new file mode 100644 (file)
index 0000000..80bd692
--- /dev/null
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
+
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php.
+This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html b/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
new file mode 100644 (file)
index 0000000..cfc5b09
--- /dev/null
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
+    document.body.appendChild(image);
+}
+
+window.onload = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.");
+</script>
+</body>
+</html>
index 7959f08..2107b1c 100644 (file)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php.
 
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=http%3A//127.0.0.1%3A8080/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
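Review bot: With the cross-origin reason replacing the redirect reason, the `+` console line drops the initiating redirect URL that the `-` line carried (https://127.0.0.1:8443/resources/redirect.php?url=...), which is the most useful detail when a redirect chain ends at an unexpected origin. Consider keeping the original request URL in the cross-origin message when the final URL differs from the requested one. The context line describing the test also still cites the insecure redirect as the reason for blocking.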
diff --git a/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt b/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
new file mode 100644 (file)
index 0000000..331dceb
--- /dev/null
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
+
+CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php.
+This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html b/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
new file mode 100644 (file)
index 0000000..1e94f53
--- /dev/null
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image.onload = fail;
+    image.onerror = pass;
+    image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php";
+    document.body.appendChild(image);
+}
+
+window.onload = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.");
+</script>
+</body>
+</html>
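Review bot: Typo in the description() string: "redirects to an secure image" should be "a secure image". The same text appears in the new -expected.txt above and in the pre-existing secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html (visible as context in the next hunk), so fix both sources and regenerate the expected files.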
index 321882e..94cf71a 100644 (file)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
 
-CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=https%3A//localhost%3A8443/resources/redirect.php%3Furl%3Dhttp%3A//localhost%3A8080/security/mixedContent/resources/subresource/protected-image.php.
+CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
diff --git a/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html b/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
new file mode 100644 (file)
index 0000000..c3a34ba
--- /dev/null
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did not load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image.onload = pass;
+    image.onerror = fail;
+    image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
+    document.body.appendChild(image);
+}
+
+window.onload = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+</script>
+</body>
+</html>
index 3f96a8a..efeb587 100644 (file)
@@ -1,10 +1,10 @@
-localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
-This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS did load image.
+PASS did not load image.
 PASS successfullyParsed is true
 
 TEST COMPLETE
index e374855..6b2d133 100644 (file)
@@ -13,13 +13,13 @@ window.jsTestIsAsync = true;
 
 function pass()
 {
-    testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
 }
 
 function fail()
 {
-    testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
 }
 
@@ -28,8 +28,8 @@ function runTest()
     // Load the image programmatically instead of declaratively to avoid output flakiness caused by
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
-    image.onload = pass;
-    image.onerror = fail;
+    image.onload = fail;
+    image.onerror = pass;
     image.src = "https://127.0.0.1:8443/resources/redirect.php?url=https%3A//127.0.0.1%3A8443/resources/redirect.php%3Furl%3Dhttps%3A//localhost%3A8443/security/mixedContent/resources/subresource/protected-image.php";
     document.body.appendChild(image);
 }
@@ -37,7 +37,7 @@ function runTest()
 window.onload = runTest;
 </script>
 <script>
-description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.");
 </script>
 </body>
 </html>
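Review bot: Inverting pass/fail here removes the only default-configuration test that a basic-auth challenge is actually delivered and answered through a secure redirect chain (the "didReceiveAuthenticationChallenge - Responding with testUser:testPassword" line in the old expected output). That positive case now lives only in the new -allowCrossOriginSubresourcesToAskForCredentials variant, which the Windows TestExpectations change below skips, so Windows is left with no test that credentials ever work through redirects. A same-origin variant whose chain ends at https://127.0.0.1:8443 instead of https://localhost:8443 would keep the positive path covered on every port.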
diff --git a/LayoutTests/http/tests/security/resources/basic-auth-subresource.html b/LayoutTests/http/tests/security/resources/basic-auth-subresource.html
new file mode 100644 (file)
index 0000000..e11a859
--- /dev/null
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function pass(image, messagePrefix)
+{
+    window.top.postMessage(`PASS:${messagePrefix} with origin ${(new URL(image.src)).origin}.`, "*");
+    runNextImageTest();
+}
+
+function fail(image, messagePrefix)
+{
+    window.top.postMessage(`FAIL:${messagePrefix} with origin ${(new URL(image.src)).origin}.`, "*");
+    runNextImageTest();
+}
+
+function finishJSTest()
+{
+    window.top.postMessage("DONE:", "*");
+}
+
+function runNextImageTest()
+{
+    var test = imageTests.shift();
+    if (!test) {
+        finishJSTest();
+        return;
+    }
+    var image = new Image;
+    image.onload = () => test.onload(image);
+    image.onerror = () => test.onerror(image);
+    image.src = test.src;
+    document.getElementById("test-container").appendChild(image);
+}
+
+window.onload = runNextImageTest;
+
+// Tests
+
+const DidLoadImage = "did load image";
+const DidNotLoadImage = "did not load image";
+
+var searchParams = new URLSearchParams(document.location.search);
+
+var imageTests = [
+{
+    src: "subresource2/protected-image.php",
+    onload: (image) => {
+        if (document.location.origin === searchParams.get("top-origin"))
+            pass(image, DidLoadImage);
+        else
+            fail(image, DidLoadImage);
+    },
+    onerror: (image) => {
+        if (document.location.origin === searchParams.get("top-origin"))
+            fail(image, DidNotLoadImage);
+        else
+            pass(image, DidNotLoadImage);
+    },
+},
+{
+    src: "http://127.0.0.1:8000/security/resources/subresource2/protected-image.php",
+    onload: (image) => pass(image, DidLoadImage),
+    onerror: (image) => fail(image, DidNotLoadImage),
+},
+{
+    src: "https://127.0.0.1:8443/security/resources/subresource2/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+{
+    src: "https://localhost:8443/security/resources/subresource2/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+];
+</script>
+</head>
+<body>
+<div id="test-container"></div>
+</body>
+</html>
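Review bot: The first image test decides pass/fail by comparing document.location.origin with the top-origin query parameter. In the sandboxed same-origin frame (sandbox="allow-scripts" with no allow-same-origin) the document's security origin is opaque but location.origin is still http://127.0.0.1:8000, so the same-origin branch is taken; the expected output confirms the image loads there, i.e. the check is made against the top frame's origin and the frame's opaque origin plays no part. That is the interesting case in this test and deserves a comment next to the comparison so the behaviour reads as intended rather than accidental.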
diff --git a/LayoutTests/http/tests/security/resources/subresource1/protected-image.php b/LayoutTests/http/tests/security/resources/subresource1/protected-image.php
new file mode 100644 (file)
index 0000000..7806b72
--- /dev/null
@@ -0,0 +1,12 @@
+<?php
+header("Cache-Control: no-store");
+header("Connection: close");
+if (!isset($_SERVER["PHP_AUTH_USER"])) {
+    header("WWW-authenticate: Basic realm=\"" . $_SERVER["REQUEST_URI"] . "\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// Authenticated
+header("Content-Type: image/png");
+echo file_get_contents("../../contentSecurityPolicy/block-all-mixed-content/resources/red-square.png");
+?>
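Review bot: The realm is derived from REQUEST_URI, so subresource1/ and subresource2/ present different realms even though the two PHP files are identical (same blob 7806b72 in both file headers); if the second directory exists so that credentials cached by the top-level test are not replayed for the iframe tests, a one-line comment saying so would explain the duplication. The PNG is also read from ../../contentSecurityPolicy/block-all-mixed-content/resources/red-square.png, which couples these tests to another directory's fixture; a copy under security/resources/ would be safer.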
diff --git a/LayoutTests/http/tests/security/resources/subresource2/protected-image.php b/LayoutTests/http/tests/security/resources/subresource2/protected-image.php
new file mode 100644 (file)
index 0000000..7806b72
--- /dev/null
@@ -0,0 +1,12 @@
+<?php
+header("Cache-Control: no-store");
+header("Connection: close");
+if (!isset($_SERVER["PHP_AUTH_USER"])) {
+    header("WWW-authenticate: Basic realm=\"" . $_SERVER["REQUEST_URI"] . "\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// Authenticated
+header("Content-Type: image/png");
+echo file_get_contents("../../contentSecurityPolicy/block-all-mixed-content/resources/red-square.png");
+?>
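Review bot: this file is byte-identical to subresource1/protected-image.php (both land as blob 7806b72). If the second directory exists only so that top-level and iframe loads hit different URLs, a comment in the test or in one of the scripts saying so would stop the next person from "deduplicating" it; if the per-REQUEST_URI realm already gives the isolation the test needs, the copy may not be necessary at all.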
index 55a80b7..186473b 100644 (file)
@@ -91,6 +91,13 @@ webkit.org/b/178337 fast/replaced/width100percent-image.html [ Skip ]
 
 # FIXME: Implement test options parsing (<!-- webkit-test-runner [ ... ] -->).
 webkit.org/b/173281 security/isSecureContext-disabled.html [ Skip ]
+webkit.org/b/173281 http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
 
 # TODO HW filters not yet supported on Windows
 webkit.org/b/74716 css3/filters/effect-blur-hw.html [ Skip ]
diff --git a/LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt b/LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt
new file mode 100644 (file)
index 0000000..509512b
--- /dev/null
@@ -0,0 +1,51 @@
+http://127.0.0.1:8000/security/resources/subresource1/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+http://127.0.0.1:8000/security/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
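Review bot: this platform-specific expectation contains no "Blocked https://localhost:8443/..." console message at all (the wk2 expectation has four of them), yet every https://localhost:8443 image still reports "PASS did not load image". Because the test passes on any load error, this file would also pass if the localhost:8443 loads were failing for an unrelated reason on the Windows test server rather than being refused a prompt by the new check. Please confirm the cause before landing it, and consider making the test fail when an expected block message is absent. Also note the didReceiveAuthenticationChallenge lines here print the full URL whereas the wk2 file prints host:port; fine if that is the Windows DumpRenderTree format, but it is the reason the two cannot share a generic expectation.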
index 00e0753..dc8012b 100644 (file)
@@ -1,10 +1,7 @@
 127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password
-localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password
  
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST
 
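Review bot: the updated expectation only deletes the cross-domain lines; nothing now asserts that the localhost:8000 media load was refused a credential prompt. Unlike the image tests there is no "Blocked ... because it is a cross-origin request" console message here, so a regression that quietly re-enabled prompting for media elements would go unnoticed. Consider keeping the cross-domain case in the test and expecting the block message (or an error event) instead of removing the case.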
diff --git a/LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt b/LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt
new file mode 100644 (file)
index 0000000..00e0753
--- /dev/null
@@ -0,0 +1,10 @@
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password
+localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password
+Tests that the media player sends authorization credentials when requesting a media file.
+Testing same domain (127.0.0.1)
+EVENT(canplay)
+Testing cross domain (localhost)
+EVENT(canplay)
+END OF TEST
+
diff --git a/LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt b/LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt
new file mode 100644 (file)
index 0000000..3aa9943
--- /dev/null
@@ -0,0 +1,55 @@
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
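Review bot: the "cross-origin iframe" and "sandboxed cross-origin iframe" sections both expect the http://127.0.0.1:8000 image to load, which documents that the policy keys on the top frame's origin, not the requesting frame's: a cross-origin or sandboxed (opaque-origin) iframe can still cause a credential prompt for resources that belong to the top page's origin. That matches `shouldAllowResourceToAskForCredentials`, but it is a deliberate choice with a security consequence (embedded third-party content can trigger a first-party prompt) and should be stated in the test description next to the "if and only if" sentence. Also worth a comment: only two didReceiveAuthenticationChallenge lines appear for four successful 127.0.0.1:8000 loads, so the later loads are satisfied from stored credentials, and the message counts in this file depend on that reuse.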
diff --git a/LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt b/LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt
new file mode 100644 (file)
index 0000000..a19746e
--- /dev/null
@@ -0,0 +1,4 @@
+ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
+ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
+
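Review bot: with the setting enabled this variant should behave exactly like the base test, because `SubresourceLoader` always permits prompts for `CachedResource::MainResource` (the iframe's own document) regardless of the preference; the output here, a prompt for 127.0.0.1 under a localhost parent that the runner cancels, is consistent with that. If the variant exists to prove the setting does not change frame navigation, say so in the test header; otherwise it duplicates coverage.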
diff --git a/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt b/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt
new file mode 100644 (file)
index 0000000..3f96a8a
--- /dev/null
@@ -0,0 +1,11 @@
+localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
index dcde1f2..70226a6 100644 (file)
@@ -1,3 +1,47 @@
+2018-02-14  Daniel Bates  <dabates@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Prompts for credentials to load cross-origin subresources are typically seen as unexpected
+        by a person that navigates to- or interacts with- a web page. The cross-origin and implicit
+        loading nature of these subresources makes asking for credentials questionable because they
+        are not being served by the same origin of the page a person explicitly loaded and are not
+        guaranteed to correspond to an explicit user interaction other than the initial load of the
+        page. We know that subresources that ask for credentials can be abused as part of a phishing
+        attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
+        due to their questionable nature and the risk for abuse. This will also make the behavior
+        of WebKit match the behavior of Chrome.
+
+        Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/basic-auth-subresource.html
+               http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
+        (WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
+        the authentication challenge was blocked because the request is cross origin.
+        (WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
+        request from prompting for credentials.
+        (WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/ResourceLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin
+        subresources from prompting for credentials, if applicable.
+        (WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/SubresourceLoader.h:
+        * page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
+        do not allow cross origin subresources to ask for credentials).
+
 2018-02-14  Don Olmstead  <don.olmstead@sony.com>
 
         WebCore headers should not include config.h or PlatformExportMacros.h
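Review bot: the Tests list omits http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html, which this patch adds (it appears in the TestExpectations skip list and gets a platform/wk2 expectation). Two wording points in the same entry: "Update ResourceLoader state so that block cross-origin subresources" reads as "so that we block", and the SubresourceLoader constructor entry should say that frame main resources are exempt from the block, since that is the one behavioural exception in the change and "if applicable" hides it.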
index 8557d7c..461b19e 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007, 2010-2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
  *           (C) 2007 Graham Dennis (graham.dennis@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -326,7 +326,7 @@ void ResourceLoader::clearResourceData()
         m_resourceData->clear();
 }
 
-bool ResourceLoader::isSubresourceLoader()
+bool ResourceLoader::isSubresourceLoader() const
 {
     return false;
 }
@@ -463,6 +463,11 @@ static void logResourceResponseSource(Frame* frame, ResourceResponse::Source sou
     frame->page()->diagnosticLoggingClient().logDiagnosticMessage(DiagnosticLoggingKeys::resourceResponseSourceKey(), sourceKey, ShouldSample::Yes);
 }
 
+bool ResourceLoader::shouldAllowResourceToAskForCredentials() const
+{
+    return m_canCrossOriginRequestsAskUserForCredentials || m_frame->tree().top().document()->securityOrigin().canRequest(m_request.url());
+}
+
 void ResourceLoader::didBlockAuthenticationChallenge()
 {
     m_wasAuthenticationChallengeBlocked = true;
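Review bot: the check compares the top frame's document origin with `m_request.url()`, the current request after redirects, which is what gives the redirect-to-basic-auth mixedContent tests their meaning (a same-origin URL that redirects to a cross-origin protected resource is still blocked). Worth a comment, because the existing same-origin test at the end of `isAllowedToAskUserForCredentials` uses `originalRequest().url()` against the requesting frame's document and a reader will wonder why the two differ. Also consider whether `m_frame->tree().top().document()` can be null at challenge time for a loader whose frame is being torn down; the surrounding code already dereferences `m_frame->document()` unchecked, so this may be an accepted invariant, but a null check or assertion would make it explicit. Finally, confirm what `SecurityOrigin::canRequest` returns for origins granted universal access; if they pass, this restriction is lifted with them, and the setting's description should say so.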
@@ -470,6 +475,11 @@ void ResourceLoader::didBlockAuthenticationChallenge()
     if (!m_canAskClientForCredentials)
         return;
 
+    if (!shouldAllowResourceToAskForCredentials()) {
+        FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request"));
+        return;
+    }
+
     if (!m_wasInsecureRequestSeen)
         return;
 
@@ -739,6 +749,8 @@ bool ResourceLoader::isAllowedToAskUserForCredentials() const
 {
     if (!m_canAskClientForCredentials)
         return false;
+    if (!shouldAllowResourceToAskForCredentials())
+        return false;
     if (m_wasInsecureRequestSeen)
         return false;
     return m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_frame->document()->securityOrigin().canRequest(originalRequest().url()));
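Review bot: the ordering here mirrors `didBlockAuthenticationChallenge`, good. The final line still decides same-origin for `FetchOptions::Credentials::SameOrigin` from `originalRequest().url()` and the requesting frame's document, while the new guard uses the post-redirect `m_request.url()` and the top frame's document. A short comment explaining that the fetch credentials mode is a property of the request as issued, whereas the prompt policy has to follow redirects, would stop someone from "unifying" the two later.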
index 09598a8..343c194 100644 (file)
@@ -98,7 +98,7 @@ public:
     SharedBuffer* resourceData() const { return m_resourceData.get(); }
     void clearResourceData();
     
-    virtual bool isSubresourceLoader();
+    virtual bool isSubresourceLoader() const;
 
     virtual void willSendRequest(ResourceRequest&&, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& callback);
     virtual void didSendData(unsigned long long bytesSent, unsigned long long totalBytesToBeSent);
@@ -177,6 +177,7 @@ protected:
 #if USE(QUICK_LOOK)
     std::unique_ptr<PreviewLoader> m_previewLoader;
 #endif
+    bool m_canCrossOriginRequestsAskUserForCredentials { true };
 
 private:
     virtual void willCancel(const ResourceError&) = 0;
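Review bot: defaulting `m_canCrossOriginRequestsAskUserForCredentials` to `true` in the base class means every `ResourceLoader` subclass other than `SubresourceLoader` keeps the old behaviour unless it opts out. That is presumably what the main resource loader wants, but it is fail-open for any other loader type that can receive an authentication challenge. Consider defaulting to `false` and setting it to `true` explicitly where prompting is meant to remain allowed, or at least document at the declaration which loaders rely on the default.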
@@ -186,6 +187,8 @@ private:
     void loadDataURL();
     void finishNetworkLoad();
 
+    bool shouldAllowResourceToAskForCredentials() const;
+
     // ResourceHandleClient
     void didSendData(ResourceHandle*, unsigned long long bytesSent, unsigned long long totalBytesToBeSent) override;
     void didReceiveResponseAsync(ResourceHandle*, ResourceResponse&&, CompletionHandler<void()>&&) override;
index e6796af..54397e0 100644 (file)
@@ -45,6 +45,7 @@
 #include "ResourceLoadObserver.h"
 #include "ResourceTiming.h"
 #include "RuntimeEnabledFeatures.h"
+#include "Settings.h"
 #include <wtf/CompletionHandler.h>
 #include <wtf/Ref.h>
 #include <wtf/RefCountedLeakCounter.h>
@@ -92,6 +93,7 @@ SubresourceLoader::SubresourceLoader(Frame& frame, CachedResource& resource, con
 #if ENABLE(CONTENT_EXTENSIONS)
     m_resourceType = toResourceType(resource.type());
 #endif
+    m_canCrossOriginRequestsAskUserForCredentials = resource.type() == CachedResource::MainResource || frame.settings().allowCrossOriginSubresourcesToAskForCredentials();
 }
 
 SubresourceLoader::~SubresourceLoader()
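Review bot: the flag is computed once in the constructor from `frame.settings()`, so a preference change after the loader exists does not affect an in-flight load; acceptable for a private, test-facing setting, but worth a comment. The `CachedResource::MainResource` exemption is what keeps iframe navigations to protected documents prompting (the credentials-iframes expectation depends on it); spell that out here and in the ChangeLog rather than leaving it to "if applicable".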
@@ -162,7 +164,7 @@ void SubresourceLoader::init(ResourceRequest&& request, CompletionHandler<void(b
     });
 }
 
-bool SubresourceLoader::isSubresourceLoader()
+bool SubresourceLoader::isSubresourceLoader() const
 {
     return true;
 }
index 084739d..1216b0b 100644 (file)
@@ -47,7 +47,7 @@ public:
     virtual ~SubresourceLoader();
 
     void cancelIfNotFinishing();
-    bool isSubresourceLoader() override;
+    bool isSubresourceLoader() const override;
     CachedResource* cachedResource();
 
     SecurityOrigin* origin() { return m_origin.get(); }
index 2be2892..dc34331 100644 (file)
@@ -101,6 +101,8 @@ allowFileAccessFromFileURLs:
   initial: true
 allowSettingAnyXHRHeaderFromFileURLs:
   initial: false
+allowCrossOriginSubresourcesToAskForCredentials:
+  initial: false
 needsStorageAccessFromFileURLsQuirk:
   initial: true
 javaScriptCanOpenWindowsAutomatically:
index 698be28..233984a 100644 (file)
@@ -1,3 +1,20 @@
+2018-02-14  Daniel Bates  <dabates@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+
+        * Shared/WebPreferences.yaml:
+        * UIProcess/API/C/WKPreferences.cpp:
+        (WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
+        (WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
+        * UIProcess/API/C/WKPreferencesRefPrivate.h:
+
 2018-02-14  John Wilander  <wilander@apple.com>
 
         Make maximumParallelReadCount static to fix lambda capture error in WebKit::NetworkCache::Storage::traverse()
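Review bot: two inaccuracies in this ChangeLog entry: the summary says the preference toggles allowing cross-origin subresources "to load", but the preference only controls whether they may ask for credentials (a blocked subresource fails on the 401; subresources that never challenge are unaffected); and the test option parsed in TestController.cpp is named `allowCrossOriginSubresourcesToAskForCredentials`, not `...ToAskForCredential`.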
index 1c51a36..b826e4b 100644 (file)
@@ -183,6 +183,10 @@ AllowSettingAnyXHRHeaderFromFileURLs:
   type: bool
   defaultValue: false
 
+AllowCrossOriginSubresourcesToAskForCredentials:
+  type: bool
+  defaultValue: false
+
 AVFoundationEnabled:
   type: bool
   defaultValue: true
index 03b8e43..8a73bdb 100644 (file)
@@ -1934,3 +1934,12 @@ bool WKPreferencesGetMediaCapabilitiesEnabled(WKPreferencesRef preferencesRef)
     return toImpl(preferencesRef)->mediaCapabilitiesEnabled();
 }
 
+void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef, bool flag)
+{
+    toImpl(preferencesRef)->setAllowCrossOriginSubresourcesToAskForCredentials(flag);
+}
+
+bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->allowCrossOriginSubresourcesToAskForCredentials();
+}
index a4193e0..0a85f69 100644 (file)
@@ -552,7 +552,11 @@ WK_EXPORT bool WKPreferencesGetAccessibilityObjectModelEnabled(WKPreferencesRef)
 // Defaults to false.
 WK_EXPORT void WKPreferencesSetShouldAllowUserInstalledFonts(WKPreferencesRef, bool flag);
 WK_EXPORT bool WKPreferencesGetShouldAllowUserInstalledFonts(WKPreferencesRef);
-    
+
+// Defaults to false.
+WK_EXPORT void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef, bool flag);
+WK_EXPORT bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef);
+
 #ifdef __cplusplus
 }
 #endif
index 96ca10c..8c3a734 100644 (file)
@@ -1,3 +1,23 @@
+2018-02-14  Daniel Bates  <dabates@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+
+        * WebView/WebPreferenceKeysPrivate.h:
+        * WebView/WebPreferences.mm:
+        (+[WebPreferences initialize]):
+        (-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
+        (-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
+        * WebView/WebPreferencesPrivate.h:
+        * WebView/WebView.mm:
+        (-[WebView _preferencesChanged:]):
+
 2018-02-14  Ross Kirsling  <ross.kirsling@sony.com>
 
         Remove ForwardingHeaders directory from WebKitLegacy/mac.
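Review bot: same two corrections as the WebKit ChangeLog entry: the preference governs asking for credentials, not loading, and the test option key parsed in TestOptions.mm is `allowCrossOriginSubresourcesToAskForCredentials` with the trailing "s".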
index 75e71b5..64d672a 100644 (file)
@@ -56,6 +56,7 @@
 #define WebKitWebSecurityEnabledPreferenceKey @"WebKitWebSecurityEnabled"
 #define WebKitAllowUniversalAccessFromFileURLsPreferenceKey @"WebKitAllowUniversalAccessFromFileURLs"
 #define WebKitAllowFileAccessFromFileURLsPreferenceKey @"WebKitAllowFileAccessFromFileURLs"
+#define WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey @"WebKitAllowCrossOriginSubresourcesToAskForCredentials"
 #define WebKitNeedsStorageAccessFromFileURLsQuirkKey @"WebKitNeedsStorageAccessFromFileURLsQuirk"
 #define WebKitJavaScriptCanOpenWindowsAutomaticallyPreferenceKey @"WebKitJavaScriptCanOpenWindowsAutomatically"
 #define WebKitPluginsEnabledPreferenceKey @"WebKitPluginsEnabled"
index 6fbea89..95dee9c 100644 (file)
@@ -650,6 +650,7 @@ public:
         [NSNumber numberWithBool:NO], WebKitVisualViewportAPIEnabledPreferenceKey,
 
         [NSNumber numberWithBool:YES], WebKitNeedsStorageAccessFromFileURLsQuirkKey,
+        [NSNumber numberWithBool:NO], WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey,
 #if ENABLE(MEDIA_STREAM)
         [NSNumber numberWithBool:NO], WebKitMediaDevicesEnabledPreferenceKey,
         [NSNumber numberWithBool:YES], WebKitMediaStreamEnabledPreferenceKey,
@@ -1499,6 +1500,16 @@ public:
     [self _setBoolValue: flag forKey: WebKitAllowFileAccessFromFileURLsPreferenceKey];
 }
 
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials
+{
+    return [self _boolValueForKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}
+
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag
+{
+    [self _setBoolValue:flag forKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}
+
 - (BOOL)needsStorageAccessFromFileURLsQuirk
 {
     return [self _boolValueForKey: WebKitNeedsStorageAccessFromFileURLsQuirkKey];
index 2958b40..4fffc59 100644 (file)
@@ -144,6 +144,9 @@ extern NSString *WebPreferencesCacheModelChangedInternalNotification;
 - (BOOL)allowFileAccessFromFileURLs;
 - (void)setAllowFileAccessFromFileURLs:(BOOL)flag;
 
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials;
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag;
+
 - (BOOL)needsStorageAccessFromFileURLsQuirk;
 - (void)setNeedsStorageAccessFromFileURLsQuirk:(BOOL)flag;
 
@@ -598,6 +601,7 @@ extern NSString *WebPreferencesCacheModelChangedInternalNotification;
 @property (nonatomic) BOOL allowMediaContentTypesRequiringHardwareSupportAsFallback;
 @property (nonatomic) BOOL accessibilityObjectModelEnabled;
 @property (nonatomic) BOOL mediaCapabilitiesEnabled;
+@property (nonatomic) BOOL allowCrossOriginSubresourcesToAskForCredentials;
 
 #if TARGET_OS_IPHONE
 @property (nonatomic) BOOL quickLookDocumentSavingEnabled;
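Review bot: `allowCrossOriginSubresourcesToAskForCredentials` is declared twice in this header, once as an explicit getter/setter pair next to `allowFileAccessFromFileURLs` in the earlier hunk and again as an `@property` here. Neighbouring preferences use one form or the other; pick one (the property form is what the entries around this hunk use) and drop the duplicate declaration.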
index d7400fc..4d67265 100644 (file)
@@ -2760,6 +2760,7 @@ static bool needsSelfRetainWhileLoadingQuirk()
     settings.setWebSecurityEnabled([preferences isWebSecurityEnabled]);
     settings.setAllowUniversalAccessFromFileURLs([preferences allowUniversalAccessFromFileURLs]);
     settings.setAllowFileAccessFromFileURLs([preferences allowFileAccessFromFileURLs]);
+    settings.setAllowCrossOriginSubresourcesToAskForCredentials([preferences allowCrossOriginSubresourcesToAskForCredentials]);
     settings.setNeedsStorageAccessFromFileURLsQuirk([preferences needsStorageAccessFromFileURLsQuirk]);
     settings.setMinimumFontSize([preferences minimumFontSize]);
     settings.setMinimumLogicalFontSize([preferences minimumLogicalFontSize]);
index df86b04..cb8b0e9 100644 (file)
@@ -1,3 +1,25 @@
+2018-02-14  Daniel Bates  <dabates@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false)
+        so that tests can toggle between the old behavior and new behavior.
+
+        * DumpRenderTree/TestOptions.h:
+        * DumpRenderTree/TestOptions.mm:
+        (TestOptions::TestOptions):
+        * DumpRenderTree/mac/DumpRenderTree.mm:
+        (setWebPreferencesForTestOptions):
+        * WebKitTestRunner/TestController.cpp:
+        (WTR::TestController::resetPreferencesToConsistentValues):
+        (WTR::updateTestOptionsFromTestHeader):
+        * WebKitTestRunner/TestOptions.h:
+        (WTR::TestOptions::hasSameInitializationOptions const):
+
 2018-02-12  Ryosuke Niwa  <rniwa@webkit.org>
 
         REGRESSION (r223440): Copying & pasting a list from Microsoft Word to TinyMCE fails
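Review bot: the option name in the first paragraph is missing its trailing "s"; the key parsed in both TestOptions.mm and TestController.cpp is `allowCrossOriginSubresourcesToAskForCredentials`, and a test header written with the spelling given here would be silently ignored.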
index 2941e3f..5d4ca95 100644 (file)
@@ -41,6 +41,7 @@ struct TestOptions {
     bool enableIsSecureContextAttribute { true };
     bool enableInspectorAdditions { false };
     bool dumpJSConsoleLogInStdErr { false };
+    bool allowCrossOriginSubresourcesToAskForCredentials { false };
 
     TestOptions(NSURL*, const TestCommand&);
     bool webViewIsCompatibleWithOptions(const TestOptions&) const;
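Review bot: the new field is added to the struct but nothing in this diff adds it to DumpRenderTree's `webViewIsCompatibleWithOptions`, whereas the WebKitTestRunner counterpart does update `hasSameInitializationOptions`. If the preference is re-applied for every test through `setWebPreferencesForTestOptions` the omission is harmless; if the comparison decides whether a cached web view can be reused, add the field there too for parity.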
index cfdbd8e..2be3c2d 100644 (file)
@@ -102,6 +102,8 @@ TestOptions::TestOptions(NSURL *testURL, const TestCommand& command)
             this->enableInspectorAdditions = parseBooleanTestHeaderValue(value);
         else if (key == "dumpJSConsoleLogInStdErr")
             this->dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value);
+        else if (key == "allowCrossOriginSubresourcesToAskForCredentials")
+            this->allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
     }
 }
index fec0194..f98fb7e 100644 (file)
@@ -994,6 +994,7 @@ static void setWebPreferencesForTestOptions(const TestOptions& options)
     preferences.webAuthenticationEnabled = options.enableWebAuthentication;
     preferences.isSecureContextAttributeEnabled = options.enableIsSecureContextAttribute;
     preferences.inspectorAdditionsEnabled = options.enableInspectorAdditions;
+    preferences.allowCrossOriginSubresourcesToAskForCredentials = options.allowCrossOriginSubresourcesToAskForCredentials;
 }
 
 // Called once on DumpRenderTree startup.
index 417fde6..e446017 100644 (file)
@@ -692,6 +692,7 @@ void TestController::resetPreferencesToConsistentValues(const TestOptions& optio
     WKPreferencesSetModernMediaControlsEnabled(preferences, options.enableModernMediaControls);
     WKPreferencesSetWebAuthenticationEnabled(preferences, options.enableWebAuthentication);
     WKPreferencesSetIsSecureContextAttributeEnabled(preferences, options.enableIsSecureContextAttribute);
+    WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(preferences, options.allowCrossOriginSubresourcesToAskForCredentials);
 
     static WKStringRef defaultTextEncoding = WKStringCreateWithUTF8CString("ISO-8859-1");
     WKPreferencesSetDefaultTextEncodingName(preferences, defaultTextEncoding);
@@ -1068,6 +1069,8 @@ static void updateTestOptionsFromTestHeader(TestOptions& testOptions, const std:
             testOptions.dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value);
         if (key == "applicationManifest")
             testOptions.applicationManifest = parseStringTestHeaderValueAsRelativePath(value, pathOrURL);
+        if (key == "allowCrossOriginSubresourcesToAskForCredentials")
+            testOptions.allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
     }
 }
index 85dcfc7..0132b71 100644 (file)
@@ -54,6 +54,7 @@ struct TestOptions {
     bool enableInspectorAdditions { false };
     bool shouldShowTouches { false };
     bool dumpJSConsoleLogInStdErr { false };
+    bool allowCrossOriginSubresourcesToAskForCredentials { false };
 
     float deviceScaleFactor { 1 };
     Vector<String> overrideLanguages;
@@ -82,7 +83,8 @@ struct TestOptions {
             || enableIsSecureContextAttribute != options.enableIsSecureContextAttribute
             || enableInspectorAdditions != options.enableInspectorAdditions
             || dumpJSConsoleLogInStdErr != options.dumpJSConsoleLogInStdErr
-            || applicationManifest != options.applicationManifest)
+            || applicationManifest != options.applicationManifest
+            || allowCrossOriginSubresourcesToAskForCredentials != options.allowCrossOriginSubresourcesToAskForCredentials)
             return false;
 
         return true;