AssociatedURLLoader does not support Cross Origin Redirects when using
authorbbudge@chromium.org <bbudge@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Mar 2012 00:19:47 +0000 (00:19 +0000)
committerbbudge@chromium.org <bbudge@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Mar 2012 00:19:47 +0000 (00:19 +0000)
Access Control.
https://bugs.webkit.org/show_bug.cgi?id=82354

AssociatedURLLoader's internal adapter now overrides didFailRedirectCheck,
which cancels the load, causing didFail to notify the client that the
load failed. AssociatedURLLoaderTest adds test cases for CORS requests
that receive redirects and pass or fail the redirect access check.

Reviewed by Adam Barth.

* src/AssociatedURLLoader.cpp:
(AssociatedURLLoader::ClientAdapter):
(WebKit::AssociatedURLLoader::ClientAdapter::didFailRedirectCheck):
(WebKit):
* tests/AssociatedURLLoaderTest.cpp:
(WebKit::TEST_F):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112339 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/chromium/ChangeLog
Source/WebKit/chromium/src/AssociatedURLLoader.cpp
Source/WebKit/chromium/tests/AssociatedURLLoaderTest.cpp

index 87869ae..d4eba02 100644 (file)
@@ -1,3 +1,23 @@
+2012-03-27  Bill Budge  <bbudge@chromium.org>
+
+        AssociatedURLLoader does not support Cross Origin Redirects when using
+        Access Control.
+        https://bugs.webkit.org/show_bug.cgi?id=82354
+
+        AssociatedURLLoader's internal adapter now overrides didFailRedirectCheck,
+        which cancels the load, causing didFail to notify the client that the
+        load failed. AssociatedURLLoaderTest adds test cases for CORS requests
+        that receive redirects and pass or fail the redirect access check.
+
+        Reviewed by Adam Barth.
+
+        * src/AssociatedURLLoader.cpp:
+        (AssociatedURLLoader::ClientAdapter):
+        (WebKit::AssociatedURLLoader::ClientAdapter::didFailRedirectCheck):
+        (WebKit):
+        * tests/AssociatedURLLoaderTest.cpp:
+        (WebKit::TEST_F):
+
 2012-03-27  Dana Jansens  <danakj@chromium.org>
 
         [chromium] Unknown transforms should be treated as non-axis aligned on main thread
index 0c3a0cf..f1c2aab 100644 (file)
@@ -140,6 +140,7 @@ public:
     virtual void didReceiveCachedMetadata(const char*, int /*dataLength*/);
     virtual void didFinishLoading(unsigned long /*identifier*/, double /*finishTime*/);
     virtual void didFail(const ResourceError&);
+    virtual void didFailRedirectCheck();
 
     virtual bool isDocumentThreadableLoaderClient() { return true; }
 
@@ -263,6 +264,11 @@ void AssociatedURLLoader::ClientAdapter::didFail(const ResourceError& error)
         notifyError(&m_errorTimer);
 }
 
+void AssociatedURLLoader::ClientAdapter::didFailRedirectCheck()
+{
+    m_loader->cancel();
+}
+
 void AssociatedURLLoader::ClientAdapter::setDelayedError(const ResourceError& error)
 {
     didFail(error);
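Review bot: `didFailRedirectCheck()` cancels the load with no comment saying what the client is meant to observe, and the page gives two different answers. The commit description says the cancel causes didFail to notify the client, while the new RedirectCrossOriginWithAccessControlFailure test asserts `EXPECT_FALSE(m_didFail)`. Because this path stops a cross-origin redirect that failed the access check, the contract belongs at the definition, for example `// Redirect failed the access control check; cancel so no data from the redirect target is delivered to the client.`, plus one line stating whether an error callback is expected. `cancel()` is defined outside this hunk, so whether it detaches the client before cancelling cannot be confirmed from here.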
index a168ebc..19d04cd 100644 (file)
@@ -104,7 +104,6 @@ public:
 
     void TearDown()
     {
-        webkit_support::UnregisterAllMockedURLs();
         m_webView->close();
     }
 
@@ -432,23 +431,66 @@ TEST_F(AssociatedURLLoaderTest, RedirectSuccess)
     EXPECT_TRUE(m_didFinishLoading);
 }
 
-// Test a successful redirect and cross-origin load using CORS.
-// FIXME: Enable this when DocumentThreadableLoader supports cross-origin redirects.
-TEST_F(AssociatedURLLoaderTest, DISABLED_RedirectCrossOriginWithAccessControlSuccess)
+// Test that a cross origin redirect response without CORS headers fails.
+TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlFailure)
+{
+    GURL url = GURL("http://www.test.com/RedirectCrossOriginWithAccessControlFailure.html");
+    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlFailure2.html";  // Cross-origin
+    GURL redirectURL = GURL(redirect);
+
+    WebURLRequest request;
+    request.initialize();
+    request.setURL(url);
+
+    // Create a redirect response without CORS headers.
+    m_expectedRedirectResponse = WebURLResponse();
+    m_expectedRedirectResponse.initialize();
+    m_expectedRedirectResponse.setMIMEType("text/html");
+    m_expectedRedirectResponse.setHTTPStatusCode(301);
+    m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
+    webkit_support::RegisterMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
+
+    m_expectedNewRequest = WebURLRequest();
+    m_expectedNewRequest.initialize();
+    m_expectedNewRequest.setURL(redirectURL);
+
+    m_expectedResponse = WebURLResponse();
+    m_expectedResponse.initialize();
+    m_expectedResponse.setMIMEType("text/html");
+    m_expectedResponse.addHTTPHeaderField("access-control-allow-origin", "*");
+    webkit_support::RegisterMockedURL(redirectURL, m_expectedResponse, m_frameFilePath);
+
+    WebURLLoaderOptions options;
+    options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
+    m_expectedLoader = createAssociatedURLLoader(options);
+    EXPECT_TRUE(m_expectedLoader);
+    m_expectedLoader->loadAsynchronously(request, this);
+    serveRequests();
+    // We should not receive a notification for the redirect or any response.
+    EXPECT_FALSE(m_willSendRequest);
+    EXPECT_FALSE(m_didReceiveResponse);
+    EXPECT_FALSE(m_didReceiveData);
+    EXPECT_FALSE(m_didFail);
+}
+
+// Test that a cross origin redirect response with CORS headers that allow the requesting origin succeeds.
+TEST_F(AssociatedURLLoaderTest, RedirectCrossOriginWithAccessControlSuccess)
 {
     GURL url = GURL("http://www.test.com/RedirectCrossOriginWithAccessControlSuccess.html");
-    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess.html";  // Cross-origin
+    char redirect[] = "http://www.other.com/RedirectCrossOriginWithAccessControlSuccess2.html";  // Cross-origin
     GURL redirectURL = GURL(redirect);
 
     WebURLRequest request;
     request.initialize();
     request.setURL(url);
 
+    // Create a redirect response that allows the redirect to pass the access control checks.
     m_expectedRedirectResponse = WebURLResponse();
     m_expectedRedirectResponse.initialize();
     m_expectedRedirectResponse.setMIMEType("text/html");
     m_expectedRedirectResponse.setHTTPStatusCode(301);
     m_expectedRedirectResponse.setHTTPHeaderField("Location", redirect);
+    m_expectedRedirectResponse.addHTTPHeaderField("access-control-allow-origin", "*");
     webkit_support::RegisterMockedURL(url, m_expectedRedirectResponse, m_frameFilePath);
 
     m_expectedNewRequest = WebURLRequest();
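Review bot: The closing assertions of RedirectCrossOriginWithAccessControlFailure never check `m_didFinishLoading`, so a regression in which the blocked redirect ends as an empty but successful load would still pass. Add `EXPECT_FALSE(m_didFinishLoading);` after `EXPECT_FALSE(m_didFail);`. The test also registers the redirect target with `access-control-allow-origin: *`, which is what isolates the failure to the redirect response lacking CORS headers. A short comment on that line, such as `// Final response allows any origin, so only the redirect response can fail the check.`, would stop a later edit from removing it. The body of RedirectCrossOriginWithAccessControlSuccess continues past the end of this hunk.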
@@ -467,7 +509,8 @@ TEST_F(AssociatedURLLoaderTest, DISABLED_RedirectCrossOriginWithAccessControlSuc
     EXPECT_TRUE(m_expectedLoader);
     m_expectedLoader->loadAsynchronously(request, this);
     serveRequests();
-    EXPECT_TRUE(m_willSendRequest);
+    // We should not receive a notification for the redirect.
+    EXPECT_FALSE(m_willSendRequest);
     EXPECT_TRUE(m_didReceiveResponse);
     EXPECT_TRUE(m_didReceiveData);
     EXPECT_TRUE(m_didFinishLoading);