Fix problems with cross-origin redirects
author: youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jan 2016 08:39:13 +0000 (08:39 +0000)
committer: youenn.fablet@crf.canon.fr <youenn.fablet@crf.canon.fr@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jan 2016 08:39:13 +0000 (08:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=116075

Reviewed by Daniel Bates.

LayoutTests/imported/w3c:

Rebasing test expectations.
These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not.

* web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:
* web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:

Source/WebCore:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses.
Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request.

In addition to the Blink patch, some loaders needed to be updated with the newly introduced ClientRequestedCredentials parameter.
Added the clearing of the "Accept-Encoding" header from cross-origin requests, as the Mac HTTP network layer adds it for same-origin requests.

Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch).
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch).
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::start):
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter.
* loader/ResourceLoaderOptions.h:
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch).
(WebCore::ResourceLoaderOptions::credentialRequest):
(WebCore::ResourceLoaderOptions::setCredentialRequest):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto.
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto.
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Added new security parameter.
* page/EventSource.cpp:
(WebCore::EventSource::connect): Added new security parameter (from Blink patch).
* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter.
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Ditto.
* platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch).
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove "Accept-Encoding" header.
* platform/network/ResourceRequestBase.h: Ditto.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::createRequest): Added new security parameter.

LayoutTests:

Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
This merge adds tests for cross origin requests triggered from same origin redirection responses, with and without credentials.
Rebaseline of some tests due to console error messages generated from newly hit CORS checks.

* TestExpectations: Disabled WPT tests that require access to non-localhost URLs, which are currently blocked by DRT/WTR.
* http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added.
* http/tests/xmlhttprequest/access-control-and-redirects-async.html:
* http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
* http/tests/xmlhttprequest/access-control-and-redirects.html:
* http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
* http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt:
* http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added.
* http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195010 268f45cc-cd09-0410-ab3c-d52691b4dbfc
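
The rule the commit message states (a same-origin redirect response is not itself CORS-checked; only the cross-origin response it leads to is, with the credentials flag taken into account) can be modelled in a few lines. The block below is an added illustration, not WebKit code: `accessCheck`, `loadWithRedirects`, the hop structure and the `fixed` switch are assumptions of this example, while the three error strings are the ones that appear in the expected files of this commit. It simplifies by ignoring preflight and origin tainting after a cross-origin redirect.

```javascript
// Added example, not WebKit code: a model of the CORS checks applied along an
// XHR redirect chain, as the commit message describes them. Simplifications
// (assumed, not from the patch): no preflight, no origin tainting after a
// cross-origin redirect, header names are lower-cased strings.

// A "hop" is one HTTP response in the chain: { url, status, headers }.
// A 3xx status means the next hop is the response from the Location target.

// The access check every cross-origin response must pass. The messages are
// the ones WebKit logs in the expected files of this commit.
function accessCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === "*") {
    return withCredentials
      ? "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."
      : null;
  }
  if (allowOrigin !== requestOrigin)
    return `Origin ${requestOrigin} is not allowed by Access-Control-Allow-Origin.`;
  if (withCredentials && headers["access-control-allow-credentials"] !== "true")
    return 'Credentials flag is true, but Access-Control-Allow-Credentials is not "true".';
  return null;
}

// Walk the chain. `fixed` selects the behaviour: before the fix, a same-origin
// redirect response whose target was cross-origin was itself subjected to the
// access check (and failed it, since redirect.php sends no CORS headers);
// after the fix only responses that are cross-origin to the requester are checked.
function loadWithRedirects(requestOrigin, withCredentials, chain, fixed) {
  const consoleLog = [];
  for (let i = 0; i < chain.length; i++) {
    const hop = chain[i];
    const isRedirect = hop.status >= 300 && hop.status < 400 && i + 1 < chain.length;
    const hopCrossOrigin = new URL(hop.url).origin !== requestOrigin;
    const targetCrossOrigin = isRedirect && new URL(chain[i + 1].url).origin !== requestOrigin;
    const mustCheck = hopCrossOrigin || (!fixed && targetCrossOrigin);
    if (!mustCheck) continue;
    const error = accessCheck(requestOrigin, withCredentials, hop.headers);
    if (error) {
      consoleLog.push(`XMLHttpRequest cannot load ${hop.url}. ${error}`);
      return { ok: false, consoleLog };
    }
  }
  return { ok: true, consoleLog };
}

// Constructed chains mirroring the new layout test: a same-origin redirect.php
// hop on 127.0.0.1:8000 that sends the request to a CGI on localhost:8000.
const PAGE_ORIGIN = "http://127.0.0.1:8000";
const CGI_BASE = "http://localhost:8000/xmlhttprequest/resources/";

function sameOriginRedirectTo(cgi, cgiHeaders) {
  return [
    { url: PAGE_ORIGIN + "/resources/redirect.php?url=" + CGI_BASE + cgi, status: 302, headers: {} },
    { url: CGI_BASE + cgi, status: 200, headers: cgiHeaders },
  ];
}

// Header sets assumed for the three CGIs named in the test (constructed here).
const ALLOW_STAR = { "access-control-allow-origin": "*" };
const ALLOW_ORIGIN = { "access-control-allow-origin": PAGE_ORIGIN, "access-control-allow-credentials": "true" };
const ALLOW_NO_CREDENTIALS = { "access-control-allow-origin": PAGE_ORIGIN };

// Runs the six cases of access-control-and-redirects-async-same-origin.html
// through the model; returns one { ok, consoleLog } per case, in test order.
function runSameOriginCases(fixed) {
  const cases = [
    ["access-control-basic-allow-star.cgi", ALLOW_STAR, false],
    ["access-control-basic-allow-star.cgi", ALLOW_STAR, true],
    ["access-control-basic-allow.cgi", ALLOW_ORIGIN, false],
    ["access-control-basic-allow.cgi", ALLOW_ORIGIN, true],
    ["access-control-basic-allow-no-credentials.cgi", ALLOW_NO_CREDENTIALS, false],
    ["access-control-basic-allow-no-credentials.cgi", ALLOW_NO_CREDENTIALS, true],
  ];
  return cases.map(([cgi, headers, withCredentials]) =>
    loadWithRedirects(PAGE_ORIGIN, withCredentials, sameOriginRedirectTo(cgi, headers), fixed));
}
```

With `fixed` set to true the six cases yield success, failure, success, success, success, failure, matching the new expected file; with it set to false every case fails on the redirect hop, which is the pre-fix behaviour the commit removes.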

31 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt
LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects.html
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt
LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt
LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi [new file with mode: 0755]
LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/loader/MediaResourceLoader.cpp
Source/WebCore/loader/NetscapePlugInStreamLoader.cpp
Source/WebCore/loader/ResourceLoaderOptions.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/icon/IconLoader.cpp
Source/WebCore/page/EventSource.cpp
Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
Source/WebCore/platform/network/ResourceHandleTypes.h
Source/WebCore/platform/network/ResourceRequestBase.cpp
Source/WebCore/platform/network/ResourceRequestBase.h
Source/WebCore/xml/XMLHttpRequest.cpp

index 47f68af..c742ca7 100644 (file)
@@ -1,3 +1,28 @@
+2016-01-14  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
+        This merge adds tests for cross origin requests triggered from same origin redirection responses with and without credentials).
+        Rebaseline of some tests due to console error messages generated from newly hit CORS checks.
+
+        * TestExpectations: Disabled WPT tests that require access to non localhost URLs which are currently blocked by DTR/WTR.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt: Added.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html: Added.
+        * http/tests/xmlhttprequest/access-control-and-redirects-async.html:
+        * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+        * http/tests/xmlhttprequest/access-control-and-redirects.html:
+        * http/tests/xmlhttprequest/redirect-cross-origin-2-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-post-expected.txt:
+        * http/tests/xmlhttprequest/redirect-cross-origin-tripmine-expected.txt:
+        * http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi: Added.
+        * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
+
 2016-01-13  Ryan Haddad  <ryanhaddad@apple.com>
 
         Marking test as flaky: sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/15.1.3/15.1.3.3_encodeURI/S15.1.3.3_A2.4_T2.html
 2016-01-13  Ryan Haddad  <ryanhaddad@apple.com>
 
         Marking test as flaky: sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/15.1.3/15.1.3.3_encodeURI/S15.1.3.3_A2.4_T2.html
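Review bot: The ChangeLog sentence "with and without credentials)." has an unmatched closing parenthesis, and "DTR/WTR" in the TestExpectations line should read "DRT/WTR" (DumpRenderTree), as the WebCore ChangeLog's own "WTR/DRT" does; fix both before landing.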
index 5295a58..1cefc0a 100644 (file)
@@ -299,6 +299,11 @@ imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-ove
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-simple.html [ Slow ]
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-synconworker.html [ Slow ]
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-twice.html [ Slow ]
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-simple.html [ Slow ]
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-synconworker.html [ Slow ]
 imported/w3c/web-platform-tests/XMLHttpRequest/xmlhttprequest-timeout-worker-twice.html [ Slow ]
+# XMLHttpRequest tests requiring DTR/WTR to allow other URLs than localhost to not be blocked and be reachable (www2.localhost)
+imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm [ Skip ]
+imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm [ Skip ]
+imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm [ Skip ]
+
 
 # New W3C ref tests that are failing.
 webkit.org/b/148856 imported/w3c/web-platform-tests/html/semantics/embedded-content/the-video-element/video_initially_paused.html [ ImageOnlyFailure ]
 
 # New W3C ref tests that are failing.
 webkit.org/b/148856 imported/w3c/web-platform-tests/html/semantics/embedded-content/the-video-element/video_initially_paused.html [ ImageOnlyFailure ]
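Review bot: The three new `[ Skip ]` entries carry no bug reference, while the neighbouring entry is keyed with `webkit.org/b/148856`; prefix them with a tracking bug for the missing www2.localhost support (or at least this commit's bug, webkit.org/b/116075) so the skips can be found and lifted once DRT/WTR allow those hosts. The comment line also repeats the "DTR/WTR" typo.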
index 062da2d..9051404 100644 (file)
@@ -1,33 +1,24 @@
 Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
 
 Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
 
-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials
 Expecting success: false
 PASS: 0
 Expecting success: false
 PASS: 0
-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000&  access-control-allow-credentials=true
-Expecting success: false
-PASS: 0
-Testing resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&  access-control-allow-origin=http://localhost:8000&  access-control-allow-credentials=true
-Expecting success: false
-PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi
-Expecting success: false
-PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
 Expecting success: true
 FAIL: 0
 Expecting success: true
 FAIL: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
 Expecting success: false
 PASS: 0
 Expecting success: false
 PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&  access-control-allow-origin=http://localhost:8000
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&  access-control-allow-origin=http://localhost:8000 without credentials
 Expecting success: false
 PASS: 0
 Expecting success: false
 PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=*
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=* without credentials
 Expecting success: false
 PASS: 0
 Expecting success: false
 PASS: 0
-Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=*&  access-control-allow-headers=x-webkit
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&  url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&  access-control-allow-origin=*&  access-control-allow-headers=x-webkit without credentials
 Expecting success: false
 PASS: 0
 Expecting success: false
 PASS: 0
-Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt
+Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt without credentials
 Expecting success: true
 PASS: PASS
 
 Expecting success: true
 PASS: PASS
 
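Review bot: The rebaselined expectation now records "Expecting success: true" followed by "FAIL: 0" for the redirect-with-CORS-headers case, so a known failure is checked in as the expected output; that should be backed by a bug reference in TestExpectations (or the case marked as failing there) rather than a baseline that will also hide any other failure producing the same two lines.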
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin-expected.txt
new file mode 100644 (file)
index 0000000..4c70d32
--- /dev/null
@@ -0,0 +1,27 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi. Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi. Credentials flag is true, but Access-Control-Allow-Credentials is not "true".
+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi with credentials
+Expecting success: false
+PASS: 0
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi with credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing ../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi with credentials
+Expecting success: false
+PASS: 0
+
diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html
new file mode 100644 (file)
index 0000000..5dfd8cd
--- /dev/null
@@ -0,0 +1,88 @@
+<p>Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.</p>
+
+<pre id="console"></pre>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(message)
+{
+    document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
+}
+
+function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
+    log("Testing " + url + (credentials ? " with " : " without ") + "credentials");
+    log("Expecting success: " + expectSuccess);
+
+    xhr = new XMLHttpRequest();
+    xhr.withCredentials = credentials;
+    xhr.open("GET", url, true);
+    if (addCustomHeader)
+        xhr.setRequestHeader("x-webkit", "foo");
+
+    xhr.onload = function() {
+        log((expectSuccess ? "PASS" : "FAIL") + ": " + xhr.responseText);
+        nextTest();
+    }
+    xhr.onerror = function() {
+        log((expectSuccess ? "FAIL" : "PASS") + ": " + xhr.status);
+        nextTest();
+    }
+    xhr.send(null);
+}
+
+var withoutCredentials = false;
+var withCredentials = true;
+var noCustomHeader = false;
+var addCustomHeader = true;
+var succeeds = true;
+var fails = false;
+
+var tests = [
+// Test simple same origin requests that receive cross origin redirects.
+
+// Request without credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
+// The redirect response passes the access check.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with Access-Control-Allow-Origin=*.
+// The redirect response fails the access check because credentials were sent.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
+  withCredentials, noCustomHeader, fails],
+
+// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
+// The redirect response passes the access check.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi",
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin.
+// The redirect response passes the access check.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi",
+  withCredentials, noCustomHeader, succeeds],
+
+// Request without credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
+// forbidding credentials. The redirect response passes the access check.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi",
+  withoutCredentials, noCustomHeader, succeeds],
+
+// Request with credentials is redirected to a cross-origin response with a specific Access-Control-Allow-Origin
+// forbidding credentials. The redirect response fails the access check.
+["../resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi",
+  withCredentials, noCustomHeader, fails],
+
+]
+
+var currentTest = 0;
+
+function nextTest() {
+    if (currentTest < tests.length)
+        runTestAsync.apply(null, tests[currentTest++]);
+    else if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+nextTest();
+</script>
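Review bot: `xhr = new XMLHttpRequest();` in runTestAsync assigns to an implicit global; declare it with `var` so each test's onload/onerror closures capture their own object (it only works today because the cases run strictly sequentially). Every case also passes `noCustomHeader`, so the preflighted path for a same-origin request redirected cross-origin is not exercised here; one `addCustomHeader` case with and without credentials would cover it.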
index 086a16c..83fc3b6 100644 (file)
@@ -12,11 +12,12 @@ function log(message)
     document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
 }
 
     document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
 }
 
-function runTestAsync(url, addCustomHeader, expectSuccess) {
-    log("Testing " + url);
+function runTestAsync(url, credentials, addCustomHeader, expectSuccess) {
+    log("Testing " + url + (credentials ? " with " : " without ") + "credentials");
     log("Expecting success: " + expectSuccess);
 
     xhr = new XMLHttpRequest();
     log("Expecting success: " + expectSuccess);
 
     xhr = new XMLHttpRequest();
+    xhr.withCredentials = credentials;
     xhr.open("GET", url, true);
     if (addCustomHeader)
         xhr.setRequestHeader("x-webkit", "foo");
     xhr.open("GET", url, true);
     if (addCustomHeader)
         xhr.setRequestHeader("x-webkit", "foo");
@@ -32,72 +33,57 @@ function runTestAsync(url, addCustomHeader, expectSuccess) {
     xhr.send(null);
 }
 
     xhr.send(null);
 }
 
+var withoutCredentials = false;
+var withCredentials = true;
 var noCustomHeader = false;
 var addCustomHeader = true;
 var succeeds = true;
 var fails = false;
 
 var tests = [
 var noCustomHeader = false;
 var addCustomHeader = true;
 var succeeds = true;
 var fails = false;
 
 var tests = [
-// 1) Test simple same origin requests that receive cross origin redirects.
-
-// Request receives a cross-origin redirect response without CORS headers. The redirect response fails the access check.
-["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
-  noCustomHeader, fails],
-
-// Request receives a cross-origin redirect response with CORS headers. The redirect response passes the access check,
-// but  the resource response fails its access check because the security origin is a globally unique identifier after
-// the redirect and the same origin XHR has 'allowCredentials' true.
-["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
-  access-control-allow-origin=http://localhost:8000&\
-  access-control-allow-credentials=true",
-  noCustomHeader, fails],
-
-// Same as above, but to a less permissive resource that only allows the requesting origin.
-["resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi&\
-  access-control-allow-origin=http://localhost:8000&\
-  access-control-allow-credentials=true",
-  noCustomHeader, fails],
-
-// 2) Test simple cross origin requests that receive redirects.
+// 1) Test simple cross origin requests that receive redirects.
 
 // Receives a redirect response without CORS headers. The redirect response fails the access check.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
 
 // Receives a redirect response without CORS headers. The redirect response fails the access check.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
-  noCustomHeader, fails],
+  withoutCredentials, noCustomHeader, fails],
 
 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
 // passes the access check.
 
 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
 // passes the access check.
+// FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original
+// request was cross-origin.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=http://localhost:8000",
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=http://localhost:8000",
-  noCustomHeader, succeeds],
+  withoutCredentials, noCustomHeader, succeeds],
 
 // Receives a redirect response with a URL containing the userinfo production.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=http://localhost:8000",
 
 // Receives a redirect response with a URL containing the userinfo production.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=http://localhost:8000",
-  noCustomHeader, fails],
+  withoutCredentials, noCustomHeader, fails],
 
 // Receives a redirect response with a URL with an unsupported scheme.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\
   access-control-allow-origin=http://localhost:8000",
 
 // Receives a redirect response with a URL with an unsupported scheme.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\
   access-control-allow-origin=http://localhost:8000",
-  noCustomHeader, fails],
+  withoutCredentials, noCustomHeader, fails],
 
 
-// 3) Test preflighted cross origin requests that receive redirects.
+// 2) Test preflighted cross origin requests that receive redirects.
 
 // Receives a redirect response to the preflight request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*",
 
 // Receives a redirect response to the preflight request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*",
-  addCustomHeader, fails],
+  withoutCredentials, addCustomHeader, fails],
 
 // Successful preflight and receives a redirect response to the actual request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*&\
   access-control-allow-headers=x-webkit",
 
 // Successful preflight and receives a redirect response to the actual request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*&\
   access-control-allow-headers=x-webkit",
-  addCustomHeader, fails],
+  withoutCredentials, addCustomHeader, fails],
 
 
-// 4) Test same origin requests with a custom header that receive a same origin redirect.
+// 3) Test same origin requests with a custom header that receive a same origin redirect.
 ["resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt",
 ["resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt",
-  addCustomHeader, succeeds],
+  withoutCredentials, addCustomHeader, succeeds],
+
 ]
 
 var currentTest = 0;
 ]
 
 var currentTest = 0;
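Review bot: The FIXME added before the "redirect response with CORS headers" case records a known failure ("the redirect is vetoed") without a bug number, while the matching expected file is being rebaselined to "FAIL: 0"; file a bug and reference it here and in TestExpectations so the failure is tracked somewhere other than a code comment. The three removed same-origin cases also put CORS headers on the redirect response itself via redirect-cors.php, whereas the replacement test uses redirect.php with no such headers; that is consistent with the fix (same-origin redirect responses are no longer CORS-checked) but deserves a sentence in the ChangeLog.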
index cd6e3ad..0a44df2 100644 (file)
@@ -6,8 +6,9 @@ Testing /resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resourc
 Expecting success: false
 PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
 Testing /resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi(async)
 Expecting success: false
 PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
 Testing /resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi(async)
-Expecting success: false
-PASS: 0
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
 Testing http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi (sync)
 Expecting success: false
 PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
 Testing http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi (sync)
 Expecting success: false
 PASS: Error: NETWORK_ERR: XMLHttpRequest Exception 101
index 27f55be..9792c36 100644 (file)
@@ -45,7 +45,7 @@ function runTest(url, expectSyncSuccess, expectAsyncSuccess)
 }
 
 var tests = [
 }
 
 var tests = [
-    ["/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],
+    ["/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, true],
     ["http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],
     ["http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false]
 ]
     ["http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false],
     ["http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", false, false]
 ]
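Review bot: The first entry now expects the asynchronous request to succeed but keeps `false` for the synchronous variant of the same same-origin redirect to access-control-basic-allow.cgi; the ChangeLog does not say why sync and async should diverge for an identical redirect chain, so either explain it there or update the sync expectation (and the "(sync)" lines in access-control-and-redirects-expected.txt) as well.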
index 14ecdda..a187ec2 100644 (file)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
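Review bot: This hunk appears three times with the same `index 14ecdda..a187ec2`, for redirect-cross-origin-2-expected.txt, redirect-cross-origin-expected.txt and redirect-cross-origin-post-expected.txt, whose contents are identical; the only change is the new CONSOLE MESSAGE naming the redirect target reply.xml. The test's stated goal is that a responding target be indistinguishable from a non-responding one, so confirm the non-responding path logs the same line; console output is not script-observable, so this is about baseline stability rather than an information leak.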
index 14ecdda..a187ec2 100644 (file)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
index 14ecdda..a187ec2 100644 (file)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
 Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
 
 PASS
index a507a97..abe6a01 100644 (file)
@@ -1,3 +1,13 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cross-origin-tripmine.php. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 Test that a cross-origin redirect does not result in a non-simple request being sent to the target.
 
 Asynchronous XMLHttpRequest 307 POST redirect:
 Test that a cross-origin redirect does not result in a non-simple request being sent to the target.
 
 Asynchronous XMLHttpRequest 307 POST redirect:
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi b/LayoutTests/http/tests/xmlhttprequest/resources/access-control-basic-allow-no-credentials.cgi
new file mode 100755 (executable)
index 0000000..da20100
--- /dev/null
@@ -0,0 +1,7 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Origin: http://127.0.0.1:8000\n\n";
+
+print "PASS: Cross-domain access allowed.\n";
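Review bot: the script deliberately omits Access-Control-Allow-Credentials, which is the property the ClientDidNotRequestCredentials path in DocumentThreadableLoader::redirectReceived relies on; a one-line comment stating that would keep a later edit from "completing" the header set. The allowed origin is also hard-coded to http://127.0.0.1:8000 rather than echoed from the request's Origin header, so the helper only serves tests that run from that origin, which is worth noting in the file name or a comment.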
index 1d65fce..52c3a1b 100644 (file)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
 This tests that unsafe redirects won't be allowed when making an XMLHttpRequest.
 Sync XHR started.
 readyState change 1
 This tests that unsafe redirects won't be allowed when making an XMLHttpRequest.
 Sync XHR started.
 readyState change 1
index 2c16fd6..9f8a52b 100644 (file)
@@ -1,3 +1,17 @@
+2016-01-14  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Rebasing test expectations.
+        These tests cannot work as expected as WTR/DRT block access to www2.localhost and example.not.
+
+        * web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:
+        * web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:
+        * web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:
+
 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
 
         formaction must return document's address when formaction is missing
 2016-01-12  Ryosuke Niwa  <rniwa@webkit.org>
 
         formaction must return document's address when formaction is missing
index f7507bf..ffc5949 100644 (file)
@@ -1,6 +1,6 @@
 
 
-FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (301) assert_equals: expected (string) "GET" but got (object) null
-FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (302) assert_equals: expected (string) "GET" but got (object) null
-FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (303) assert_equals: expected (string) "GET" but got (object) null
-FAIL XMLHttpRequest: send() - Redirect to CORS-enabled resource (307) assert_equals: expected (string) "GET" but got (object) null
+PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (301) 
+PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (302) 
+PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (303) 
+PASS XMLHttpRequest: send() - Redirect to CORS-enabled resource (307) 
 
 
index fcfb1f7..5928733 100644 (file)
@@ -1,3 +1,49 @@
+2016-01-14  Youenn Fablet  <youenn.fablet@crf.canon.fr>
+
+        Fix problems with cross-origin redirects
+        https://bugs.webkit.org/show_bug.cgi?id=116075
+
+        Reviewed by Daniel Bates.
+
+        Merging https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512 by Ken Russell
+        Same origin redirect responses leading to cross-origin requests were checked as cross-origin redirect responses.
+        Introduced ClientRequestedCredentials to manage whether credentials are needed or not in the cross-origin request.
+
+        In addition to Blink patch, it was needed to update some loaders with the newly introduced ClientRequestedCredentials parameter.
+        Added the clearing of "Accept-Encoding" header from cross-origin requests as Mac HTTP network layer is adding it for same-origin requests.
+
+        Test: http/tests/xmlhttprequest/access-control-and-redirects-async-same-origin.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::startLoadingMainResource): Added new security parameter (from Blink patch).
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Updated checks so that same origin redirections are not treated as cross origin redirections (from Blink patch).
+        * loader/MediaResourceLoader.cpp:
+        (WebCore::MediaResourceLoader::start):
+        * loader/NetscapePlugInStreamLoader.cpp:
+        (WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added new security parameter.
+        * loader/ResourceLoaderOptions.h:
+        (WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added new security parameter (from Blink patch).
+        (WebCore::ResourceLoaderOptions::credentialRequest):
+        (WebCore::ResourceLoaderOptions::setCredentialRequest):
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Ditto.
+        (WebCore::CachedResourceLoader::defaultCachedResourceOptions): Ditto.
+        * loader/icon/IconLoader.cpp:
+        (WebCore::IconLoader::startLoading): Added new security parameter.
+        * page/EventSource.cpp:
+        (WebCore::EventSource::connect): Added new security parameter (from Blink patch).
+        * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
+        (WebCore::WebCoreAVCFResourceLoader::startLoading): Added new security parameter.
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::startLoading): Ditto.
+        * platform/network/ResourceHandleTypes.h: Added new security parameter constants (from Blink patch).
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::clearHTTPAcceptEncoding): Function to remove "Accept-Encoding" header.
+        * platform/network/ResourceRequestBase.h: Ditto.
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::createRequest): Added new security parameter.
+
 2016-01-13  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Addressing more post-review comments after r194566
 2016-01-13  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Addressing more post-review comments after r194566
index 46ad9e5..d753083 100644 (file)
@@ -1471,7 +1471,7 @@ void DocumentLoader::startLoadingMainResource()
     // If this is a reload the cache layer might have made the previous request conditional. DocumentLoader can't handle 304 responses itself.
     request.makeUnconditional();
 
     // If this is a reload the cache layer might have made the previous request conditional. DocumentLoader can't handle 304 responses itself.
     request.makeUnconditional();
 
-    static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);
+    static NeverDestroyed<ResourceLoaderOptions> mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, IncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);
     CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions);
     cachedResourceRequest.setInitiator(*this);
     m_mainResource = m_cachedResourceLoader->requestMainResource(cachedResourceRequest);
     CachedResourceRequest cachedResourceRequest(request, mainResourceLoadOptions);
     cachedResourceRequest.setInitiator(*this);
     m_mainResource = m_cachedResourceLoader->requestMainResource(cachedResourceRequest);
index 469175a..4404fd1 100644 (file)
@@ -182,7 +182,8 @@ void DocumentThreadableLoader::redirectReceived(CachedResource* resource, Resour
         return;
 
     // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
         return;
 
     // When using access control, only simple cross origin requests are allowed to redirect. The new request URL must have a supported
-    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check.
+    // scheme and not contain the userinfo production. In addition, the redirect response must pass the access control check if the
+    // original request was not same-origin.
     if (m_options.crossOriginRequestPolicy == UseAccessControl) {
         bool allowRedirect = false;
         if (m_simpleRequest) {
     if (m_options.crossOriginRequestPolicy == UseAccessControl) {
         bool allowRedirect = false;
         if (m_simpleRequest) {
@@ -190,7 +191,7 @@ void DocumentThreadableLoader::redirectReceived(CachedResource* resource, Resour
             allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
                             && request.url().user().isEmpty()
                             && request.url().pass().isEmpty()
             allowRedirect = SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol())
                             && request.url().user().isEmpty()
                             && request.url().pass().isEmpty()
-                            && passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription);
+                            && (m_sameOriginRequest || passesAccessControlCheck(redirectResponse, m_options.allowCredentials(), securityOrigin(), accessControlErrorDescription));
         }
 
         if (allowRedirect) {
         }
 
         if (allowRedirect) {
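Review bot: the new `m_sameOriginRequest ||` short-circuit skips passesAccessControlCheck for the redirect response while still requiring the scheme and userinfo checks on the new URL, which is the right split: a redirect issued by the page's own origin carries no CORS headers and should not need them, but the target must still be a CORS-enabled scheme without credentials embedded in the URL. The condition is only sound because the following hunk resets m_sameOriginRequest to false once a cross-origin hop is taken; a brief comment next to this line pointing at that invariant would make the dependency explicit.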
@@ -199,18 +200,26 @@ void DocumentThreadableLoader::redirectReceived(CachedResource* resource, Resour
 
             RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
             RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url());
 
             RefPtr<SecurityOrigin> originalOrigin = SecurityOrigin::createFromString(redirectResponse.url());
             RefPtr<SecurityOrigin> requestOrigin = SecurityOrigin::createFromString(request.url());
-            // If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier.
-            if (!originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
+            // If the original request wasn't same-origin, then if the request URL origin is not same origin with the original URL origin,
+            // set the source origin to a globally unique identifier. (If the original request was same-origin, the origin of the new request
+            // should be the original URL origin.)
+            if (!m_sameOriginRequest && !originalOrigin->isSameSchemeHostPort(requestOrigin.get()))
                 m_options.securityOrigin = SecurityOrigin::createUnique();
                 m_options.securityOrigin = SecurityOrigin::createUnique();
-            // Force any subsequent requests to use these checks.
+            // Force any subsequent request to use these checks.
             m_sameOriginRequest = false;
 
             m_sameOriginRequest = false;
 
+            // Since the request is no longer same-origin, if the user didn't request credentials in
+            // the first place, update our state so we neither request them nor expect they must be allowed.
+            if (m_options.credentialRequest() == ClientDidNotRequestCredentials)
+                m_options.setAllowCredentials(DoNotAllowStoredCredentials);
+
             // Remove any headers that may have been added by the network layer that cause access control to fail.
             request.clearHTTPContentType();
             request.clearHTTPReferrer();
             request.clearHTTPOrigin();
             request.clearHTTPUserAgent();
             request.clearHTTPAccept();
             // Remove any headers that may have been added by the network layer that cause access control to fail.
             request.clearHTTPContentType();
             request.clearHTTPReferrer();
             request.clearHTTPOrigin();
             request.clearHTTPUserAgent();
             request.clearHTTPAccept();
+            request.clearHTTPAcceptEncoding();
             makeCrossOriginAccessRequest(request);
             return;
         }
             makeCrossOriginAccessRequest(request);
             return;
         }
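Review bot: the credentials downgrade at `+ if (m_options.credentialRequest() == ClientDidNotRequestCredentials)` is ordered after `m_sameOriginRequest = false;` and before makeCrossOriginAccessRequest, so the outgoing cross-origin request is built with DoNotAllowStoredCredentials; since m_options.allowCredentials() is also what passesAccessControlCheck reads on any later redirect, the downgrade tightens subsequent hops too, and the comment should say so. The added `request.clearHTTPAcceptEncoding();` sits correctly with the other network-layer header clears, but the reason it was needed (the ChangeLog says the Mac network layer adds Accept-Encoding to same-origin requests) is not visible here; a short comment would explain why Accept-Encoding is stripped alongside Accept.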
index 0f296ed..d7cc48d 100644 (file)
@@ -61,7 +61,7 @@ bool MediaResourceLoader::start(const ResourceRequest& request, LoadOptions opti
     StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalIgnoringCase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
     StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalIgnoringCase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
-    CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
+    CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
 
     if (!m_crossOriginMode.isNull())
         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
 
     if (!m_crossOriginMode.isNull())
         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
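Review bot: ClientDidNotRequestCredentials is hard-coded even though the line above sets allowCredentials to AllowStoredCredentials when m_crossOriginMode is "use-credentials", so the two options can disagree for a media element that explicitly asked for credentials. Derive credentialRequest from the same condition (use-credentials means ClientRequestedCredentials) so that any code that later consults credentialRequest, as DocumentThreadableLoader::redirectReceived does in this patch, sees the element's actual intent.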
index d30d369..cb35e22 100644 (file)
@@ -43,7 +43,7 @@ namespace WebCore {
 // FIXME: Skip Content Security Policy check when associated plugin element is in a user agent shadow tree.
 // See <https://bugs.webkit.org/show_bug.cgi?id=146663>.
 NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client)
 // FIXME: Skip Content Security Policy check when associated plugin element is in a user agent shadow tree.
 // See <https://bugs.webkit.org/show_bug.cgi?id=146663>.
 NetscapePlugInStreamLoader::NetscapePlugInStreamLoader(Frame* frame, NetscapePlugInStreamLoaderClient* client)
-    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading))
+    : ResourceLoader(frame, ResourceLoaderOptions(SendCallbacks, SniffContent, DoNotBufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading))
     , m_client(client)
 {
 #if ENABLE(CONTENT_EXTENSIONS)
     , m_client(client)
 {
 #if ENABLE(CONTENT_EXTENSIONS)
index ec8e89c..185d1cc 100644 (file)
@@ -83,18 +83,20 @@ struct ResourceLoaderOptions {
         , m_dataBufferingPolicy(BufferData)
         , m_allowCredentials(DoNotAllowStoredCredentials)
         , m_clientCredentialPolicy(DoNotAskClientForAnyCredentials)
         , m_dataBufferingPolicy(BufferData)
         , m_allowCredentials(DoNotAllowStoredCredentials)
         , m_clientCredentialPolicy(DoNotAskClientForAnyCredentials)
+        , m_credentialRequest(ClientDidNotRequestCredentials)
         , m_securityCheck(DoSecurityCheck)
         , m_requestOriginPolicy(UseDefaultOriginRestrictionsForType)
         , m_certificateInfoPolicy(DoNotIncludeCertificateInfo)
     {
     }
 
         , m_securityCheck(DoSecurityCheck)
         , m_requestOriginPolicy(UseDefaultOriginRestrictionsForType)
         , m_certificateInfoPolicy(DoNotIncludeCertificateInfo)
     {
     }
 
-    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition, DefersLoadingPolicy defersLoadingPolicy)
+    ResourceLoaderOptions(SendCallbackPolicy sendLoadCallbacks, ContentSniffingPolicy sniffContent, DataBufferingPolicy dataBufferingPolicy, StoredCredentials allowCredentials, ClientCredentialPolicy credentialPolicy, CredentialRequest credentialRequest, SecurityCheckPolicy securityCheck, RequestOriginPolicy requestOriginPolicy, CertificateInfoPolicy certificateInfoPolicy, ContentSecurityPolicyImposition contentSecurityPolicyImposition, DefersLoadingPolicy defersLoadingPolicy)
         : m_sendLoadCallbacks(sendLoadCallbacks)
         , m_sniffContent(sniffContent)
         , m_dataBufferingPolicy(dataBufferingPolicy)
         , m_allowCredentials(allowCredentials)
         , m_clientCredentialPolicy(credentialPolicy)
         : m_sendLoadCallbacks(sendLoadCallbacks)
         , m_sniffContent(sniffContent)
         , m_dataBufferingPolicy(dataBufferingPolicy)
         , m_allowCredentials(allowCredentials)
         , m_clientCredentialPolicy(credentialPolicy)
+        , m_credentialRequest(credentialRequest)
         , m_securityCheck(securityCheck)
         , m_requestOriginPolicy(requestOriginPolicy)
         , m_certificateInfoPolicy(certificateInfoPolicy)
         , m_securityCheck(securityCheck)
         , m_requestOriginPolicy(requestOriginPolicy)
         , m_certificateInfoPolicy(certificateInfoPolicy)
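Review bot: the constructor now takes eleven positional enums, and the new CredentialRequest argument sits directly after ClientCredentialPolicy, so a call site that omits it still reads naturally; a comment documenting that credentialRequest and allowCredentials may legitimately differ would help, since the XMLHttpRequest hunk sets allowCredentials from `m_sameOriginRequest || m_includeCredentials` and the AllowStoredCredentials plus ClientDidNotRequestCredentials combination is exactly the case the redirect logic exists to handle, so an ASSERT that they agree would be wrong.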
@@ -113,6 +115,8 @@ struct ResourceLoaderOptions {
     void setAllowCredentials(StoredCredentials allow) { m_allowCredentials = allow; }
     ClientCredentialPolicy clientCredentialPolicy() const { return static_cast<ClientCredentialPolicy>(m_clientCredentialPolicy); }
     void setClientCredentialPolicy(ClientCredentialPolicy policy) { m_clientCredentialPolicy = policy; }
     void setAllowCredentials(StoredCredentials allow) { m_allowCredentials = allow; }
     ClientCredentialPolicy clientCredentialPolicy() const { return static_cast<ClientCredentialPolicy>(m_clientCredentialPolicy); }
     void setClientCredentialPolicy(ClientCredentialPolicy policy) { m_clientCredentialPolicy = policy; }
+    CredentialRequest credentialRequest() { return static_cast<CredentialRequest>(m_credentialRequest); }
+    void setCredentialRequest(CredentialRequest credentialRequest) { m_credentialRequest = credentialRequest; }
     SecurityCheckPolicy securityCheck() const { return static_cast<SecurityCheckPolicy>(m_securityCheck); }
     void setSecurityCheck(SecurityCheckPolicy check) { m_securityCheck = check; }
     RequestOriginPolicy requestOriginPolicy() const { return static_cast<RequestOriginPolicy>(m_requestOriginPolicy); }
     SecurityCheckPolicy securityCheck() const { return static_cast<SecurityCheckPolicy>(m_securityCheck); }
     void setSecurityCheck(SecurityCheckPolicy check) { m_securityCheck = check; }
     RequestOriginPolicy requestOriginPolicy() const { return static_cast<RequestOriginPolicy>(m_requestOriginPolicy); }
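Review bot: `credentialRequest()` is missing the `const` qualifier that every neighbouring getter carries (`clientCredentialPolicy() const`, `securityCheck() const`), which prevents calling it through a const ResourceLoaderOptions reference such as the one defaultCachedResourceOptions() returns; declare it as `CredentialRequest credentialRequest() const { ... }`.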
@@ -129,6 +133,7 @@ struct ResourceLoaderOptions {
     unsigned m_dataBufferingPolicy : 1;
     unsigned m_allowCredentials : 1; // Whether HTTP credentials and cookies are sent with the request.
     unsigned m_clientCredentialPolicy : 2; // When we should ask the client for credentials (if we allow credentials at all).
     unsigned m_dataBufferingPolicy : 1;
     unsigned m_allowCredentials : 1; // Whether HTTP credentials and cookies are sent with the request.
     unsigned m_clientCredentialPolicy : 2; // When we should ask the client for credentials (if we allow credentials at all).
+    unsigned m_credentialRequest: 1; // Whether the client (e.g. XHR) wanted credentials in the first place.
     unsigned m_securityCheck : 1;
     unsigned m_requestOriginPolicy : 2;
     unsigned m_certificateInfoPolicy : 1; // Whether the response should include certificate info.
     unsigned m_securityCheck : 1;
     unsigned m_requestOriginPolicy : 2;
     unsigned m_certificateInfoPolicy : 1; // Whether the response should include certificate info.
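Review bot: the bit-field declaration `unsigned m_credentialRequest: 1;` drops the space before the colon used by the surrounding members (`m_securityCheck : 1`); match the existing style. One bit is enough for the two-value CredentialRequest enum, but the static_cast in the getter silently truncates if a third value is ever added, so a static_assert on the enum's size, or a comment, would guard the width.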
index b9faede..e34fd7d 100644 (file)
@@ -234,7 +234,7 @@ CachedResourceHandle<CachedCSSStyleSheet> CachedResourceLoader::requestUserCSSSt
     memoryCache.add(*userSheet);
     // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
 
     memoryCache.add(*userSheet);
     // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
 
-    userSheet->load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
+    userSheet->load(*this, ResourceLoaderOptions(DoNotSendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, SkipSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
     
     return userSheet;
 }
     
     return userSheet;
 }
@@ -1169,7 +1169,7 @@ void CachedResourceLoader::printPreloadStats()
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
 
 const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
 {
-    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);
+    static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, ClientRequestedCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading);
     return options;
 }
 
     return options;
 }
 
index e826a9c..77cabf7 100644 (file)
@@ -59,7 +59,7 @@ void IconLoader::startLoading()
         return;
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
         return;
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
-    CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
+    CachedResourceRequest request(ResourceRequest(m_frame.loader().icon().url()), ResourceLoaderOptions(SendCallbacks, SniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForAnyCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     request.setInitiator(cachedResourceRequestInitiators().icon);
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     request.setInitiator(cachedResourceRequestInitiators().icon);
index 2013c08..553f1a8 100644 (file)
@@ -125,6 +125,7 @@ void EventSource::connect()
     options.setSendLoadCallbacks(SendCallbacks);
     options.setSniffContent(DoNotSniffContent);
     options.setAllowCredentials((origin->canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
     options.setSendLoadCallbacks(SendCallbacks);
     options.setSniffContent(DoNotSniffContent);
     options.setAllowCredentials((origin->canRequest(m_url) || m_withCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
+    options.setCredentialRequest(m_withCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
     options.preflightPolicy = PreventPreflight;
     options.crossOriginRequestPolicy = UseAccessControl;
     options.setDataBufferingPolicy(DoNotBufferData);
     options.preflightPolicy = PreventPreflight;
     options.crossOriginRequestPolicy = UseAccessControl;
     options.setDataBufferingPolicy(DoNotBufferData);
index 35ef74e..274b1e1 100644 (file)
@@ -72,7 +72,7 @@ void WebCoreAVCFResourceLoader::startLoading()
     URL requestURL = CFURLRequestGetURL(urlRequest.get());
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
     URL requestURL = CFURLRequestGetURL(urlRequest.get());
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
-    CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
+    CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
index fc1e48a..0384822 100644 (file)
@@ -68,7 +68,7 @@ void WebCoreAVFResourceLoader::startLoading()
     URL requestURL = [[m_avRequest.get() request] URL];
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
     URL requestURL = [[m_avRequest.get() request] URL];
 
     // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
-    CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
+    CachedResourceRequest request(ResourceRequest(requestURL), ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading));
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
     CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
index 0c31f92..95b09cd 100644 (file)
@@ -39,6 +39,15 @@ enum ClientCredentialPolicy {
     DoNotAskClientForAnyCredentials
 };
 
     DoNotAskClientForAnyCredentials
 };
 
+// APIs like XMLHttpRequest and EventSource let the user decide
+// whether to send credentials, but they're always sent for
+// same-origin requests. Additional information is needed to handle
+// cross-origin redirects correctly.
+enum CredentialRequest {
+    ClientRequestedCredentials,
+    ClientDidNotRequestCredentials
+};
+
 } // namespace WebCore
 
 #endif // ResourceHandleTypes_h
 } // namespace WebCore
 
 #endif // ResourceHandleTypes_h
index fb31089..a10338a 100644 (file)
@@ -379,6 +379,16 @@ void ResourceRequestBase::clearHTTPAccept()
         m_platformRequestUpdated = false;
 }
 
         m_platformRequestUpdated = false;
 }
 
+void ResourceRequestBase::clearHTTPAcceptEncoding()
+{
+    updateResourceRequest();
+
+    m_httpHeaderFields.remove(HTTPHeaderName::AcceptEncoding);
+
+    if (url().protocolIsInHTTPFamily())
+        m_platformRequestUpdated = false;
+}
+
 void ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2, const String& encoding3)
 {
     updateResourceRequest(); 
 void ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2, const String& encoding3)
 {
     updateResourceRequest(); 
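Review bot: clearHTTPAcceptEncoding mirrors clearHTTPAccept correctly (updateResourceRequest first, header removal, platform request invalidated only for HTTP-family URLs), but nothing in the code records why a caller would strip Accept-Encoding, and removing it changes the content negotiation the server sees. Add a comment at the definition naming the reason (the platform network layer adds the header itself for same-origin requests, and it must not leak into a request that has become cross-origin after a redirect), and pair the new method with a test that asserts the header is absent from the request that follows a cross-origin redirect; the behaviour is otherwise invisible outside a packet capture.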
index 7e8137e..e2ace6e 100644 (file)
@@ -115,6 +115,8 @@ namespace WebCore {
         void setHTTPAccept(const String&);
         void clearHTTPAccept();
 
         void setHTTPAccept(const String&);
         void clearHTTPAccept();
 
+        void clearHTTPAcceptEncoding();
+
         const Vector<String>& responseContentDispositionEncodingFallbackArray() const { return m_responseContentDispositionEncodingFallbackArray; }
         WEBCORE_EXPORT void setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2 = String(), const String& encoding3 = String());
 
         const Vector<String>& responseContentDispositionEncodingFallbackArray() const { return m_responseContentDispositionEncodingFallbackArray; }
         WEBCORE_EXPORT void setResponseContentDispositionEncodingFallbackArray(const String& encoding1, const String& encoding2 = String(), const String& encoding3 = String());
 
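Review bot: the declaration is placed after a blank line rather than directly under clearHTTPAccept, which is the helper it mirrors; group the two Accept-related clear methods together so readers scanning the header find both. If the new method is called from outside WebCore (the setResponseContentDispositionEncodingFallbackArray declaration just below carries WEBCORE_EXPORT while this one does not), it needs the same export annotation or the link will fail on builds where the symbol is hidden.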
index 58f82fa..2095893 100644 (file)
@@ -754,6 +754,7 @@ void XMLHttpRequest::createRequest(ExceptionCode& ec)
     options.setSniffContent(DoNotSniffContent);
     options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight;
     options.setAllowCredentials((m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
     options.setSniffContent(DoNotSniffContent);
     options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight;
     options.setAllowCredentials((m_sameOriginRequest || m_includeCredentials) ? AllowStoredCredentials : DoNotAllowStoredCredentials);
+    options.setCredentialRequest(m_includeCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
     options.crossOriginRequestPolicy = UseAccessControl;
     options.securityOrigin = securityOrigin();
     options.initiator = cachedResourceRequestInitiators().xmlhttprequest;
     options.crossOriginRequestPolicy = UseAccessControl;
     options.securityOrigin = securityOrigin();
     options.initiator = cachedResourceRequestInitiators().xmlhttprequest;
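Review bot: the intentional asymmetry here is the core of the fix and deserves a comment: setAllowCredentials uses (m_sameOriginRequest || m_includeCredentials), so credentials are permitted on a same-origin request even when script never set withCredentials, whereas the new setCredentialRequest records only m_includeCredentials. That is what lets the loader drop credentials when a same-origin request is redirected cross-origin without an explicit opt-in. Without a line such as "// Only an explicit withCredentials opt-in survives a cross-origin redirect." a later reader is likely to "tidy" the two expressions into the same condition and silently reintroduce credential leakage on redirect.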