Add missing origin check for Service-Worker-Allowed header
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Sep 2019 21:43:41 +0000 (21:43 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Sep 2019 21:43:41 +0000 (21:43 +0000)
https://bugs.webkit.org/show_bug.cgi?id=201653

Reviewed by Geoffrey Garen.

LayoutTests/imported/w3c:

Rebaseline WPT test that is now passing.

* web-platform-tests/service-workers/service-worker/Service-Worker-Allowed-header.https-expected.txt:

Source/WebCore:

Add missing origin check for Service-Worker-Allowed header:
- https://w3c.github.io/ServiceWorker/#update-algorithm (step 15. 2.)

* workers/service/ServiceWorkerJob.cpp:
(WebCore::ServiceWorkerJob::didReceiveResponse):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249733 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/Service-Worker-Allowed-header.https-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/workers/service/ServiceWorkerJob.cpp

index 8b38058..af98d38 100644 (file)
@@ -1,5 +1,16 @@
 2019-09-10  Chris Dumez  <cdumez@apple.com>
 
+        Add missing origin check for Service-Worker-Allowed header
+        https://bugs.webkit.org/show_bug.cgi?id=201653
+
+        Reviewed by Geoffrey Garen.
+
+        Rebaseline WPT test that is now passing.
+
+        * web-platform-tests/service-workers/service-worker/Service-Worker-Allowed-header.https-expected.txt:
+
+2019-09-10  Chris Dumez  <cdumez@apple.com>
+
         Re-sync web-platform-tests IDL interfaces from upstream
         https://bugs.webkit.org/show_bug.cgi?id=201630
 
index 618b92d..e1759e0 100644 (file)
@@ -4,7 +4,7 @@ PASS Registering within Service-Worker-Allowed path (absolute URL)
 PASS Registering within Service-Worker-Allowed path with parent reference 
 PASS Registering outside Service-Worker-Allowed path 
 PASS Registering outside Service-Worker-Allowed path with parent reference 
-FAIL Service-Worker-Allowed is cross-origin to script, registering on a normally allowed scope assert_unreached: Should have rejected: undefined Reached unreachable code
-FAIL Service-Worker-Allowed is cross-origin to script, registering on a normally disallowed scope assert_unreached: Should have rejected: undefined Reached unreachable code
+PASS Service-Worker-Allowed is cross-origin to script, registering on a normally allowed scope 
+PASS Service-Worker-Allowed is cross-origin to script, registering on a normally disallowed scope 
 PASS Service-Worker-Allowed is cross-origin to page, same-origin to script 
 
index 0d3c008..c6393b6 100644 (file)
@@ -1,3 +1,16 @@
+2019-09-10  Chris Dumez  <cdumez@apple.com>
+
+        Add missing origin check for Service-Worker-Allowed header
+        https://bugs.webkit.org/show_bug.cgi?id=201653
+
+        Reviewed by Geoffrey Garen.
+
+        Add missing origin check for Service-Worker-Allowed header:
+        - https://w3c.github.io/ServiceWorker/#update-algorithm (step 15. 2.)
+
+        * workers/service/ServiceWorkerJob.cpp:
+        (WebCore::ServiceWorkerJob::didReceiveResponse):
+
 2019-09-10  Sihui Liu  <sihui_liu@apple.com>
 
         IndexedDB: cache prepared SQLiteStatement in SQLiteIDBCursor
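Review bot: The WebCore entry repeats the title and cites update-algorithm step 15.2, but it does not say what now happens when the header is cross-origin to the script, and it does not name the covering test. One line stating the resulting behaviour, plus a pointer to the rebaselined Service-Worker-Allowed-header.https test, would let a reader of this ChangeLog alone see what changed and how it is verified.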
index af2daec..b3dc58f 100644 (file)
@@ -134,7 +134,8 @@ void ServiceWorkerJob::didReceiveResponse(unsigned long, const ResourceResponse&
         maxScopeString = path.substring(0, path.reverseFind('/') + 1);
     } else {
         auto maxScope = URL(m_jobData.scriptURL, serviceWorkerAllowed);
-        maxScopeString = maxScope.path();
+        if (SecurityOrigin::create(maxScope)->isSameOriginAs(SecurityOrigin::create(m_jobData.scriptURL)))
+            maxScopeString = maxScope.path();
     }
 
     String scopeString = m_jobData.scopeURL.path();
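Review bot: In the else branch, when the new `isSameOriginAs` check fails, `maxScopeString` is simply never assigned, so the rejection of a cross-origin Service-Worker-Allowed value depends on the comparison against `scopeString` below treating that unassigned value as matching no scope. That behaviour is implicit and not visible in this hunk. Consider an explicit else that fails the job at this point, or at least a comment on the `if` stating that leaving `maxScopeString` unset is what causes the registration to be rejected, with the spec step (15.2) cited next to the check rather than only in the ChangeLog.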