Pass FetchOptions and SecurityOrigin as load parameters from WebProcess to NetworkProcess
authoryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Apr 2018 19:05:08 +0000 (19:05 +0000)
committeryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Apr 2018 19:05:08 +0000 (19:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184374

Reviewed by Chris Dumez.

Source/WebCore:

Add support for SecurityOrigin encode/decode routines.

* page/SecurityOrigin.h:

Source/WebKit:

Pass full FetchOptions parameters as part of NetworkResourceLoadParameters.
This will allow handling redirection mode as well as credentials in case of cross origin redirections.
In case of SameOrigin credentials and there is a redirection from same-origin to cross-origin,
we will be able to stop using credentials without going to WebProcess.

To handle properly cross-origin checks, we have to be able to use SecurityOrigin as in WebProcess.
We make WebProcess sends Origin Access White list information to NetworkProcess.
This allows supporting the white list when doing loading in NetworkProcess.
This only works consistently if all WebProcesses share the same whitelist.

* NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::loadPing):
(WebKit::NetworkConnectionToWebProcess::addOriginAccessWhitelistEntry):
(WebKit::NetworkConnectionToWebProcess::removeOriginAccessWhitelistEntry):
(WebKit::NetworkConnectionToWebProcess::resetOriginAccessWhitelists):
* NetworkProcess/NetworkConnectionToWebProcess.h:
* NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::NetworkLoadChecker):
(WebKit::NetworkLoadChecker::checkRedirection):
(WebKit::NetworkLoadChecker::continueCheckingRequest):
(WebKit::NetworkLoadChecker::checkCORSRequest):
(WebKit::NetworkLoadChecker::checkCORSRedirectedRequest):
(WebKit::NetworkLoadChecker::checkCORSRequestWithPreflight):
(WebKit::NetworkLoadChecker::doesNotNeedCORSCheck const):
* NetworkProcess/NetworkLoadChecker.h:
(WebKit::NetworkLoadChecker::create):
* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::PingLoad):
(WebKit::PingLoad::willPerformHTTPRedirection):
* NetworkProcess/PingLoad.h:
* WebProcess/InjectedBundle/InjectedBundle.cpp:
(WebKit::InjectedBundle::addOriginAccessWhitelistEntry):
(WebKit::InjectedBundle::removeOriginAccessWhitelistEntry):
(WebKit::InjectedBundle::resetOriginAccessWhitelists):
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::startPingLoad):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230541 268f45cc-cd09-0410-ab3c-d52691b4dbfc

15 files changed:
Source/WebCore/ChangeLog
Source/WebCore/page/SecurityOrigin.h
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp
Source/WebKit/NetworkProcess/NetworkLoadChecker.h
Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp
Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h
Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Source/WebKit/NetworkProcess/PingLoad.cpp
Source/WebKit/NetworkProcess/PingLoad.h
Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp
Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp

index 9b6b96c..119c9f9 100644 (file)
@@ -1,3 +1,14 @@
+2018-04-11  Youenn Fablet  <youenn@apple.com>
+
+        Pass FetchOptions and SecurityOrigin as load parameters from WebProcess to NetworkProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184374
+
+        Reviewed by Chris Dumez.
+
+        Add support for SecurityOrigin encode/decode routines.
+
+        * page/SecurityOrigin.h:
+
 2018-04-11  Thibault Saunier  <tsaunier@igalia.com>
 
         [GStreamer] Use of playbin3 when USE_PLAYBIN3 environment variable is set
index dcc1527..9b72d66 100644 (file)
@@ -206,6 +206,9 @@ public:
 
     const SecurityOriginData& data() const { return m_data; }
 
+    template<class Encoder> void encode(Encoder&) const;
+    template<class Decoder> static RefPtr<SecurityOrigin> decode(Decoder&);
+
 private:
     SecurityOrigin();
     explicit SecurityOrigin(const URL&);
@@ -241,4 +244,55 @@ bool shouldTreatAsPotentiallyTrustworthy(const URL&);
 bool originsMatch(const SecurityOrigin&, const SecurityOrigin&);
 bool originsMatch(const SecurityOrigin*, const SecurityOrigin*);
 
+template<class Encoder> inline void SecurityOrigin::encode(Encoder& encoder) const
+{
+    encoder << m_data;
+    encoder << m_domain;
+    encoder << m_filePath;
+    encoder << m_isUnique;
+    encoder << m_universalAccess;
+    encoder << m_domainWasSetInDOM;
+    encoder << m_canLoadLocalResources;
+    encoder.encodeEnum(m_storageBlockingPolicy);
+    encoder << m_enforcesFilePathSeparation;
+    encoder << m_needsStorageAccessFromFileURLsQuirk;
+    encoder << m_isPotentiallyTrustworthy;
+    encoder << m_isLocal;
+}
+
+template<class Decoder> inline RefPtr<SecurityOrigin> SecurityOrigin::decode(Decoder& decoder)
+{
+    std::optional<SecurityOriginData> data;
+    decoder >> data;
+    if (!data)
+        return nullptr;
+
+    auto origin = SecurityOrigin::create(data->protocol, data->host, data->port);
+
+    if (!decoder.decode(origin->m_domain))
+        return nullptr;
+    if (!decoder.decode(origin->m_filePath))
+        return nullptr;
+    if (!decoder.decode(origin->m_isUnique))
+        return nullptr;
+    if (!decoder.decode(origin->m_universalAccess))
+        return nullptr;
+    if (!decoder.decode(origin->m_domainWasSetInDOM))
+        return nullptr;
+    if (!decoder.decode(origin->m_canLoadLocalResources))
+        return nullptr;
+    if (!decoder.decodeEnum(origin->m_storageBlockingPolicy))
+        return nullptr;
+    if (!decoder.decode(origin->m_enforcesFilePathSeparation))
+        return nullptr;
+    if (!decoder.decode(origin->m_needsStorageAccessFromFileURLsQuirk))
+        return nullptr;
+    if (!decoder.decode(origin->m_isPotentiallyTrustworthy))
+        return nullptr;
+    if (!decoder.decode(origin->m_isLocal))
+        return nullptr;
+
+    return WTFMove(origin);
+}
+
 } // namespace WebCore
index 844bfa8..817742c 100644 (file)
@@ -1,3 +1,52 @@
+2018-04-11  Youenn Fablet  <youenn@apple.com>
+
+        Pass FetchOptions and SecurityOrigin as load parameters from WebProcess to NetworkProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184374
+
+        Reviewed by Chris Dumez.
+
+        Pass full FetchOptions parameters as part of NetworkResourceLoadParameters.
+        This will allow handling redirection mode as well as credentials in case of cross origin redirections.
+        In case of SameOrigin credentials and there is a redirection from same-origin to cross-origin,
+        we will be able to stop using credentials without going to WebProcess.
+
+        To handle properly cross-origin checks, we have to be able to use SecurityOrigin as in WebProcess.
+        We make WebProcess sends Origin Access White list information to NetworkProcess.
+        This allows supporting the white list when doing loading in NetworkProcess.
+        This only works consistently if all WebProcesses share the same whitelist.
+
+        * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+        (WebKit::NetworkConnectionToWebProcess::loadPing):
+        (WebKit::NetworkConnectionToWebProcess::addOriginAccessWhitelistEntry):
+        (WebKit::NetworkConnectionToWebProcess::removeOriginAccessWhitelistEntry):
+        (WebKit::NetworkConnectionToWebProcess::resetOriginAccessWhitelists):
+        * NetworkProcess/NetworkConnectionToWebProcess.h:
+        * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+        * NetworkProcess/NetworkLoadChecker.cpp:
+        (WebKit::NetworkLoadChecker::NetworkLoadChecker):
+        (WebKit::NetworkLoadChecker::checkRedirection):
+        (WebKit::NetworkLoadChecker::continueCheckingRequest):
+        (WebKit::NetworkLoadChecker::checkCORSRequest):
+        (WebKit::NetworkLoadChecker::checkCORSRedirectedRequest):
+        (WebKit::NetworkLoadChecker::checkCORSRequestWithPreflight):
+        (WebKit::NetworkLoadChecker::doesNotNeedCORSCheck const):
+        * NetworkProcess/NetworkLoadChecker.h:
+        (WebKit::NetworkLoadChecker::create):
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/PingLoad.cpp:
+        (WebKit::PingLoad::PingLoad):
+        (WebKit::PingLoad::willPerformHTTPRedirection):
+        * NetworkProcess/PingLoad.h:
+        * WebProcess/InjectedBundle/InjectedBundle.cpp:
+        (WebKit::InjectedBundle::addOriginAccessWhitelistEntry):
+        (WebKit::InjectedBundle::removeOriginAccessWhitelistEntry):
+        (WebKit::InjectedBundle::resetOriginAccessWhitelists):
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::startPingLoad):
+
 2018-04-11  Michael Catanzaro  <mcatanzaro@igalia.com>
 
         [GTK] WaylandCompositorDisplay leaks its wl_display
index 1c3799e..e7d5926 100644 (file)
@@ -55,6 +55,7 @@
 #include <WebCore/PlatformCookieJar.h>
 #include <WebCore/ResourceLoaderOptions.h>
 #include <WebCore/ResourceRequest.h>
+#include <WebCore/SecurityPolicy.h>
 #include <pal/SessionID.h>
 
 using namespace WebCore;
@@ -248,14 +249,14 @@ void NetworkConnectionToWebProcess::performSynchronousLoad(NetworkResourceLoadPa
     loader->start();
 }
 
-void NetworkConnectionToWebProcess::loadPing(NetworkResourceLoadParameters&& loadParameters, HTTPHeaderMap&& originalRequestHeaders)
+void NetworkConnectionToWebProcess::loadPing(NetworkResourceLoadParameters&& loadParameters)
 {
     auto completionHandler = [this, protectedThis = makeRef(*this), identifier = loadParameters.identifier] (const ResourceError& error, const ResourceResponse& response) {
         didFinishPingLoad(identifier, error, response);
     };
 
     // PingLoad manages its own lifetime, deleting itself when its purpose has been fulfilled.
-    new PingLoad(WTFMove(loadParameters), WTFMove(originalRequestHeaders), WTFMove(completionHandler));
+    new PingLoad(WTFMove(loadParameters), WTFMove(completionHandler));
 }
 
 void NetworkConnectionToWebProcess::didFinishPingLoad(uint64_t pingLoadIdentifier, const ResourceError& error, const ResourceResponse& response)
@@ -513,4 +514,19 @@ void NetworkConnectionToWebProcess::removeStorageAccessForAllFramesOnPage(PAL::S
 #endif
 }
 
+void NetworkConnectionToWebProcess::addOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains)
+{
+    SecurityPolicy::addOriginAccessWhitelistEntry(SecurityOrigin::createFromString(sourceOrigin).get(), destinationProtocol, destinationHost, allowDestinationSubdomains);
+}
+
+void NetworkConnectionToWebProcess::removeOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains)
+{
+    SecurityPolicy::removeOriginAccessWhitelistEntry(SecurityOrigin::createFromString(sourceOrigin).get(), destinationProtocol, destinationHost, allowDestinationSubdomains);
+}
+
+void NetworkConnectionToWebProcess::resetOriginAccessWhitelists()
+{
+    SecurityPolicy::resetOriginAccessWhitelists();
+}
+
 } // namespace WebKit
index 38043d0..4fdfbf0 100644 (file)
@@ -92,7 +92,7 @@ private:
 
     void scheduleResourceLoad(NetworkResourceLoadParameters&&);
     void performSynchronousLoad(NetworkResourceLoadParameters&&, Ref<Messages::NetworkConnectionToWebProcess::PerformSynchronousLoad::DelayedReply>&&);
-    void loadPing(NetworkResourceLoadParameters&&, WebCore::HTTPHeaderMap&& originalRequestHeaders);
+    void loadPing(NetworkResourceLoadParameters&&);
     void prefetchDNS(const String&);
     void preconnectTo(uint64_t preconnectionIdentifier, NetworkLoadParameters&&);
 
@@ -140,6 +140,10 @@ private:
     void removeStorageAccessForFrame(PAL::SessionID, uint64_t frameID, uint64_t pageID);
     void removeStorageAccessForAllFramesOnPage(PAL::SessionID, uint64_t pageID);
 
+    void addOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains);
+    void removeOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains);
+    void resetOriginAccessWhitelists();
+
     Ref<IPC::Connection> m_connection;
 
     HashMap<uint64_t, RefPtr<NetworkSocketStream>> m_networkSocketStreams;
index 163ff03..0273821 100644 (file)
@@ -24,7 +24,7 @@ messages -> NetworkConnectionToWebProcess LegacyReceiver {
 
     ScheduleResourceLoad(WebKit::NetworkResourceLoadParameters resourceLoadParameters)
     PerformSynchronousLoad(WebKit::NetworkResourceLoadParameters resourceLoadParameters) -> (WebCore::ResourceError error, WebCore::ResourceResponse response, Vector<char> data) Delayed
-    LoadPing(WebKit::NetworkResourceLoadParameters resourceLoadParameters, WebCore::HTTPHeaderMap originalRequestHeaders)
+    LoadPing(WebKit::NetworkResourceLoadParameters resourceLoadParameters)
     RemoveLoadIdentifier(uint64_t resourceLoadIdentifier)
     SetDefersLoading(uint64_t resourceLoadIdentifier, bool defers)
     PrefetchDNS(String hostname)
@@ -60,4 +60,8 @@ messages -> NetworkConnectionToWebProcess LegacyReceiver {
 
     RemoveStorageAccessForFrame(PAL::SessionID sessionID, uint64_t frameID, uint64_t pageID);
     RemoveStorageAccessForAllFramesOnPage(PAL::SessionID sessionID, uint64_t pageID);
+
+    AddOriginAccessWhitelistEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
+    RemoveOriginAccessWhitelistEntry(String sourceOrigin, String destinationProtocol, String destinationHost, bool allowDestinationSubdomains);
+    ResetOriginAccessWhitelists();
 }
index 82549ee..6b14943 100644 (file)
@@ -41,17 +41,26 @@ namespace WebKit {
 
 using namespace WebCore;
 
-NetworkLoadChecker::NetworkLoadChecker(WebCore::FetchOptions::Mode mode, bool shouldFollowRedirects, WebCore::StoredCredentialsPolicy storedCredentialsPolicy, PAL::SessionID sessionID, WebCore::HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin)
-    : m_mode(mode)
-    , m_shouldFollowRedirects(shouldFollowRedirects)
-    , m_storedCredentialsPolicy(storedCredentialsPolicy)
+NetworkLoadChecker::NetworkLoadChecker(WebCore::FetchOptions&& options, PAL::SessionID sessionID, WebCore::HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin)
+    : m_options(WTFMove(options))
     , m_sessionID(sessionID)
     , m_originalRequestHeaders(WTFMove(originalRequestHeaders))
     , m_url(WTFMove(url))
     , m_origin(WTFMove(sourceOrigin))
 {
-    if (m_mode == FetchOptions::Mode::Cors || m_mode == FetchOptions::Mode::SameOrigin)
-        m_isSameOriginRequest = m_origin->canRequest(m_url);
+    if (m_options.mode == FetchOptions::Mode::Cors || m_options.mode == FetchOptions::Mode::SameOrigin)
+        m_isSameOriginRequest = m_url.protocolIsData() || m_url.protocolIsBlob() || m_origin->canRequest(m_url);
+    switch (options.credentials) {
+    case FetchOptions::Credentials::Include:
+        m_storedCredentialsPolicy = StoredCredentialsPolicy::Use;
+        break;
+    case FetchOptions::Credentials::SameOrigin:
+        m_storedCredentialsPolicy = m_isSameOriginRequest ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;
+        break;
+    case FetchOptions::Credentials::Omit:
+        m_storedCredentialsPolicy = StoredCredentialsPolicy::DoNotUse;
+        break;
+    }
 }
 
 NetworkLoadChecker::~NetworkLoadChecker() = default;
@@ -77,7 +86,7 @@ void NetworkLoadChecker::checkRedirection(WebCore::ResourceResponse& redirectRes
     m_previousURL = WTFMove(m_url);
     m_url = request.url();
 
-    if (!m_shouldFollowRedirects) {
+    if (m_options.redirect != FetchOptions::Redirect::Follow) {
         handler(returnError(ASCIILiteral("Load parameters do not allow following redirections")));
         return;
     }
@@ -105,12 +114,12 @@ ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response)
         return { };
     }
 
-    if (m_mode == FetchOptions::Mode::NoCors) {
+    if (m_options.mode == FetchOptions::Mode::NoCors) {
         response.setTainting(ResourceResponse::Tainting::Opaque);
         return { };
     }
 
-    ASSERT(m_mode == FetchOptions::Mode::Cors);
+    ASSERT(m_options.mode == FetchOptions::Mode::Cors);
 
     String errorMessage;
     if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage))
@@ -145,7 +154,7 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali
     if (auto* contentSecurityPolicy = this->contentSecurityPolicy()) {
         if (isRedirected()) {
             URL url = request.url();
-            auto type = m_mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
+            auto type = m_options.mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
             contentSecurityPolicy->upgradeInsecureRequestIfNeeded(url, type);
             if (url != request.url())
                 request.setURL(url);
@@ -156,12 +165,15 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali
         }
     }
 
+    if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
+        m_storedCredentialsPolicy =  (m_isSameOriginRequest && m_origin->canRequest(request.url())) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;
+
     if (doesNotNeedCORSCheck(request.url())) {
         handler(WTFMove(request));
         return;
     }
 
-    if (m_mode == FetchOptions::Mode::SameOrigin) {
+    if (m_options.mode == FetchOptions::Mode::SameOrigin) {
         handler(returnError(ASCIILiteral("SameOrigin mode does not allow cross origin requests")));
         return;
     }
@@ -177,7 +189,7 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali
 
 void NetworkLoadChecker::checkCORSRequest(ResourceRequest&& request, ValidationHandler&& handler)
 {
-    ASSERT(m_mode == FetchOptions::Mode::Cors);
+    ASSERT(m_options.mode == FetchOptions::Mode::Cors);
 
     // Except in case where preflight is needed, loading should be able to continue on its own.
     if (m_isSimpleRequest && isSimpleCrossOriginAccessRequest(request.httpMethod(), m_originalRequestHeaders)) {
@@ -190,7 +202,7 @@ void NetworkLoadChecker::checkCORSRequest(ResourceRequest&& request, ValidationH
 
 void NetworkLoadChecker::checkCORSRedirectedRequest(ResourceRequest&& request, ValidationHandler&& handler)
 {
-    ASSERT(m_mode == FetchOptions::Mode::Cors);
+    ASSERT(m_options.mode == FetchOptions::Mode::Cors);
     ASSERT(isRedirected());
 
     // Force any subsequent request to use these checks.
@@ -215,7 +227,7 @@ void NetworkLoadChecker::checkCORSRedirectedRequest(ResourceRequest&& request, V
 
 void NetworkLoadChecker::checkCORSRequestWithPreflight(ResourceRequest&& request, ValidationHandler&& handler)
 {
-    ASSERT(m_mode == FetchOptions::Mode::Cors);
+    ASSERT(m_options.mode == FetchOptions::Mode::Cors);
 
     m_isSimpleRequest = false;
     // FIXME: We should probably partition preflight result cache by session ID.
@@ -254,7 +266,7 @@ void NetworkLoadChecker::checkCORSRequestWithPreflight(ResourceRequest&& request
 
 bool NetworkLoadChecker::doesNotNeedCORSCheck(const URL& url) const
 {
-    if (m_mode == FetchOptions::Mode::NoCors || m_mode == FetchOptions::Mode::Navigate)
+    if (m_options.mode == FetchOptions::Mode::NoCors || m_options.mode == FetchOptions::Mode::Navigate)
         return true;
 
     return m_isSameOriginRequest && m_origin->canRequest(url);
index 40da590..5fac363 100644 (file)
@@ -42,9 +42,9 @@ class NetworkCORSPreflightChecker;
 
 class NetworkLoadChecker : public RefCounted<NetworkLoadChecker> {
 public:
-    static Ref<NetworkLoadChecker> create(WebCore::FetchOptions::Mode mode, bool shouldFollowRedirects, WebCore::StoredCredentialsPolicy storedCredentialsPolicy, PAL::SessionID sessionID, WebCore::HTTPHeaderMap&& originalHeaders, WebCore::URL&& url, RefPtr<WebCore::SecurityOrigin>&& sourceOrigin)
+    static Ref<NetworkLoadChecker> create(WebCore::FetchOptions&& options, PAL::SessionID sessionID, WebCore::HTTPHeaderMap&& originalHeaders, WebCore::URL&& url, RefPtr<WebCore::SecurityOrigin>&& sourceOrigin)
     {
-        return adoptRef(*new NetworkLoadChecker { mode, shouldFollowRedirects, storedCredentialsPolicy, sessionID, WTFMove(originalHeaders), WTFMove(url), WTFMove(sourceOrigin) });
+        return adoptRef(*new NetworkLoadChecker { WTFMove(options), sessionID, WTFMove(originalHeaders), WTFMove(url), WTFMove(sourceOrigin) });
     }
     ~NetworkLoadChecker();
 
@@ -68,7 +68,7 @@ public:
     WebCore::StoredCredentialsPolicy storedCredentialsPolicy() const { return m_storedCredentialsPolicy; }
 
 private:
-    NetworkLoadChecker(WebCore::FetchOptions::Mode, bool shouldFollowRedirects, WebCore::StoredCredentialsPolicy, PAL::SessionID, WebCore::HTTPHeaderMap&&, WebCore::URL&&, RefPtr<WebCore::SecurityOrigin>&&);
+    NetworkLoadChecker(WebCore::FetchOptions&&, PAL::SessionID, WebCore::HTTPHeaderMap&&, WebCore::URL&&, RefPtr<WebCore::SecurityOrigin>&&);
 
     WebCore::ContentSecurityPolicy* contentSecurityPolicy() const;
     bool isChecking() const { return !!m_corsPreflightChecker; }
@@ -89,8 +89,7 @@ private:
     void processContentExtensionRulesForLoad(WebCore::ResourceRequest&&, CompletionHandler<void(WebCore::ResourceRequest&&, const WebCore::ContentExtensions::BlockedStatus&)>&&);
 #endif
 
-    WebCore::FetchOptions::Mode m_mode;
-    bool m_shouldFollowRedirects;
+    WebCore::FetchOptions m_options;
     WebCore::StoredCredentialsPolicy m_storedCredentialsPolicy;
     PAL::SessionID m_sessionID;
     WebCore::HTTPHeaderMap m_originalRequestHeaders; // Needed for CORS checks.
index 23b8123..79c827c 100644 (file)
@@ -87,10 +87,10 @@ void NetworkResourceLoadParameters::encode(IPC::Encoder& encoder) const
 
     encoder << static_cast<bool>(sourceOrigin);
     if (sourceOrigin)
-        encoder << sourceOrigin->data();
-    encoder.encodeEnum(mode);
-    encoder.encodeEnum(destination);
+        encoder << *sourceOrigin;
+    encoder << options;
     encoder << cspResponseHeaders;
+    encoder << originalRequestHeaders;
 
 #if ENABLE(CONTENT_EXTENSIONS)
     encoder << mainDocumentURL;
@@ -171,19 +171,21 @@ bool NetworkResourceLoadParameters::decode(IPC::Decoder& decoder, NetworkResourc
     if (!decoder.decode(hasSourceOrigin))
         return false;
     if (hasSourceOrigin) {
-        std::optional<SecurityOriginData> sourceOriginData;
-        decoder >> sourceOriginData;
-        if (!sourceOriginData)
+        result.sourceOrigin = SecurityOrigin::decode(decoder);
+        if (!result.sourceOrigin)
             return false;
-        ASSERT(!sourceOriginData->isEmpty());
-        result.sourceOrigin = sourceOriginData->securityOrigin();
     }
-    if (!decoder.decodeEnum(result.mode))
-        return false;
-    if (!decoder.decodeEnum(result.destination))
+
+    std::optional<FetchOptions> options;
+    decoder >> options;
+    if (!options)
         return false;
+    result.options = *options;
+
     if (!decoder.decode(result.cspResponseHeaders))
         return false;
+    if (!decoder.decode(result.originalRequestHeaders))
+        return false;
 
 #if ENABLE(CONTENT_EXTENSIONS)
     if (!decoder.decode(result.mainDocumentURL))
index 964fd05..74290ce 100644 (file)
@@ -56,9 +56,9 @@ public:
     Seconds maximumBufferingTime;
     Vector<String> derivedCachedDataTypesToRetrieve;
     RefPtr<WebCore::SecurityOrigin> sourceOrigin;
-    WebCore::FetchOptions::Mode mode;
-    WebCore::FetchOptions::Destination destination;
+    WebCore::FetchOptions options;
     std::optional<WebCore::ContentSecurityPolicyResponseHeaders> cspResponseHeaders;
+    WebCore::HTTPHeaderMap originalRequestHeaders;
     bool shouldRestrictHTTPResponseAccess { false };
 
 #if ENABLE(CONTENT_EXTENSIONS)
index f1cb5ab..bcb3430 100644 (file)
@@ -472,7 +472,7 @@ ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceRespo
             // We reduce filtering when it would otherwise be visible to scripts.
             // FIXME: We should use response tainting once computed in Network Process.
             bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url());
-            if (isSameOrigin && m_parameters.destination == FetchOptions::Destination::EmptyString)
+            if (isSameOrigin && m_parameters.options.destination == FetchOptions::Destination::EmptyString)
                 type = ResourceResponse::SanitizationType::RemoveCookies;
         }
         response.sanitizeHTTPHeaderFields(type);
index 7885b9f..3efbadb 100644 (file)
@@ -38,11 +38,11 @@ namespace WebKit {
 
 using namespace WebCore;
 
-PingLoad::PingLoad(NetworkResourceLoadParameters&& parameters, HTTPHeaderMap&& originalRequestHeaders, WTF::CompletionHandler<void(const ResourceError&, const ResourceResponse&)>&& completionHandler)
+PingLoad::PingLoad(NetworkResourceLoadParameters&& parameters, WTF::CompletionHandler<void(const ResourceError&, const ResourceResponse&)>&& completionHandler)
     : m_parameters(WTFMove(parameters))
     , m_completionHandler(WTFMove(completionHandler))
     , m_timeoutTimer(*this, &PingLoad::timeoutTimerFired)
-    , m_networkLoadChecker(NetworkLoadChecker::create(m_parameters.mode, m_parameters.shouldFollowRedirects, m_parameters.storedCredentialsPolicy, m_parameters.sessionID, WTFMove(originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef()))
+    , m_networkLoadChecker(NetworkLoadChecker::create(FetchOptions { m_parameters.options}, m_parameters.sessionID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef()))
 {
 
     if (m_parameters.cspResponseHeaders)
index a1ef6e7..d194592 100644 (file)
@@ -44,7 +44,7 @@ class NetworkLoadChecker;
 
 class PingLoad final : private NetworkDataTaskClient {
 public:
-    PingLoad(NetworkResourceLoadParameters&&, WebCore::HTTPHeaderMap&& originalRequestHeaders, WTF::CompletionHandler<void(const WebCore::ResourceError&, const WebCore::ResourceResponse&)>&&);
+    PingLoad(NetworkResourceLoadParameters&&, WTF::CompletionHandler<void(const WebCore::ResourceError&, const WebCore::ResourceResponse&)>&&);
     
 private:
     ~PingLoad();
index a7c4c1a..5c4ecd8 100644 (file)
@@ -29,6 +29,8 @@
 #include "APIArray.h"
 #include "APIData.h"
 #include "InjectedBundleScriptWorld.h"
+#include "NetworkConnectionToWebProcessMessages.h"
+#include "NetworkProcessConnection.h"
 #include "NetworkSessionCreationParameters.h"
 #include "NotificationPermissionRequestManager.h"
 #include "SessionTracker.h"
@@ -375,16 +377,20 @@ void InjectedBundle::setSpatialNavigationEnabled(WebPageGroupProxy* pageGroup, b
 void InjectedBundle::addOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains)
 {
     SecurityPolicy::addOriginAccessWhitelistEntry(SecurityOrigin::createFromString(sourceOrigin).get(), destinationProtocol, destinationHost, allowDestinationSubdomains);
+    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::AddOriginAccessWhitelistEntry { sourceOrigin, destinationProtocol, destinationHost, allowDestinationSubdomains }, 0);
+
 }
 
 void InjectedBundle::removeOriginAccessWhitelistEntry(const String& sourceOrigin, const String& destinationProtocol, const String& destinationHost, bool allowDestinationSubdomains)
 {
     SecurityPolicy::removeOriginAccessWhitelistEntry(SecurityOrigin::createFromString(sourceOrigin).get(), destinationProtocol, destinationHost, allowDestinationSubdomains);
+    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::RemoveOriginAccessWhitelistEntry { sourceOrigin, destinationProtocol, destinationHost, allowDestinationSubdomains }, 0);
 }
 
 void InjectedBundle::resetOriginAccessWhitelists()
 {
     SecurityPolicy::resetOriginAccessWhitelists();
+    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::ResetOriginAccessWhitelists { }, 0);
 }
 
 void InjectedBundle::setAsynchronousSpellCheckingEnabled(WebPageGroupProxy* pageGroup, bool enabled)
index d056319..d1ffa63 100644 (file)
@@ -273,7 +273,7 @@ void WebLoaderStrategy::scheduleLoadFromNetworkProcess(ResourceLoader& resourceL
     loadParameters.needsCertificateInfo = resourceLoader.shouldIncludeCertificateInfo();
     loadParameters.maximumBufferingTime = maximumBufferingTime;
     loadParameters.derivedCachedDataTypesToRetrieve = resourceLoader.options().derivedCachedDataTypesToRetrieve;
-    loadParameters.destination = resourceLoader.options().destination;
+    loadParameters.options = resourceLoader.options();
 
     // FIXME: We should also sanitize redirect response for navigations.
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate;
@@ -434,7 +434,7 @@ void WebLoaderStrategy::loadResourceSynchronously(FrameLoader& frameLoader, unsi
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(webFrame ? webFrame->coreFrame() : nullptr);
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
     // FIXME: Use the proper destination once all fetch options are passed.
-    loadParameters.destination = FetchOptions::Destination::EmptyString;
+    loadParameters.options.destination = FetchOptions::Destination::EmptyString;
 
     data.shrink(0);
 
@@ -470,8 +470,8 @@ void WebLoaderStrategy::startPingLoad(Frame& frame, ResourceRequest& request, co
     loadParameters.sourceOrigin = &document->securityOrigin();
     loadParameters.sessionID = frame.page() ? frame.page()->sessionID() : PAL::SessionID::defaultSessionID();
     loadParameters.storedCredentialsPolicy = options.credentials == FetchOptions::Credentials::Omit ? StoredCredentialsPolicy::DoNotUse : StoredCredentialsPolicy::Use;
-    loadParameters.mode = options.mode;
-    loadParameters.shouldFollowRedirects = options.redirect == FetchOptions::Redirect::Follow;
+    loadParameters.options = options;
+    loadParameters.originalRequestHeaders = originalRequestHeaders;
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(&frame);
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
     if (!document->shouldBypassMainWorldContentSecurityPolicy()) {
@@ -492,7 +492,7 @@ void WebLoaderStrategy::startPingLoad(Frame& frame, ResourceRequest& request, co
     if (completionHandler)
         m_pingLoadCompletionHandlers.add(loadParameters.identifier, WTFMove(completionHandler));
 
-    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::LoadPing(WTFMove(loadParameters), originalRequestHeaders), 0);
+    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::LoadPing { loadParameters }, 0);
 }
 
 void WebLoaderStrategy::didFinishPingLoad(uint64_t pingLoadIdentifier, ResourceError&& error, ResourceResponse&& response)
@@ -532,7 +532,7 @@ void WebLoaderStrategy::preconnectTo(FrameLoader& frameLoader, const WebCore::UR
     parameters.shouldPreconnectOnly = PreconnectOnly::Yes;
     parameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
     // FIXME: Use the proper destination once all fetch options are passed.
-    parameters.destination = FetchOptions::Destination::EmptyString;
+    parameters.options.destination = FetchOptions::Destination::EmptyString;
 
     WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::PreconnectTo(preconnectionIdentifier, WTFMove(parameters)), 0);
 }