NetworkProcess should use CSP/content blockers for sync XHR
authoryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Apr 2018 17:54:35 +0000 (17:54 +0000)
committeryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Apr 2018 17:54:35 +0000 (17:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184760

Reviewed by Chris Dumez.

Source/WebKit:

Setting CSP/ContentBlockers parameters for sync XHR loads.
* NetworkProcess/NetworkResourceLoader.cpp:

LayoutTests:

* http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt: Added.
* http/tests/contentextensions/sync-xhr-redirection-blocked.html: Added.
* http/tests/contentextensions/sync-xhr-redirection-blocked.html.json: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html: Added.
* platform/mac-wk1/TestExpectations:
* platform/win/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230810 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [new file with mode: 0644]
LayoutTests/platform/mac-wk1/TestExpectations
LayoutTests/platform/win/TestExpectations
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp

index 6b78eab..f168d1b 100644 (file)
@@ -1,3 +1,19 @@
+2018-04-19  Youenn Fablet  <youenn@apple.com>
+
+        NetworkProcess should use CSP/content blockers for sync XHR
+        https://bugs.webkit.org/show_bug.cgi?id=184760
+
+        Reviewed by Chris Dumez.
+
+        * http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt: Added.
+        * http/tests/contentextensions/sync-xhr-redirection-blocked.html: Added.
+        * http/tests/contentextensions/sync-xhr-redirection-blocked.html.json: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html: Added.
+        * platform/mac-wk1/TestExpectations:
+        * platform/win/TestExpectations:
+
 2018-04-19  Ryan Haddad  <ryanhaddad@apple.com>
 
         Unreviewed test gardening for iOS simulator.
diff --git a/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt b/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked-expected.txt
new file mode 100644 (file)
index 0000000..98cf29c
--- /dev/null
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 22: Content blocker prevented frame displaying http://127.0.0.1:8000/contentextensions/sync-xhr-redirection-blocked.html from loading a resource from http://127.0.0.1:8000/resources/redirect.php?url=/contentextensions/resources/url-blocking-test.js
+CONSOLE MESSAGE: line 22: XMLHttpRequest cannot load http://127.0.0.1:8000/resources/redirect.php?url=/contentextensions/resources/url-blocking-test.js. 
+Synchronous status: 0, readyState:1, responseText: 
+Synchronous status: 0, readyState:4, responseText: 
+Synchronous error: NetworkError: A network error occurred.
+
diff --git a/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html b/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html
new file mode 100644 (file)
index 0000000..6934ae7
--- /dev/null
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function log(text) {
+    document.body.appendChild(document.createTextNode(text));
+    document.body.appendChild(document.createElement("br"));
+}
+
+function runTest() {
+    var xhr = new XMLHttpRequest();
+    xhr.onreadystatechange = function() {
+        log("Synchronous status: " + xhr.status + ", readyState:" + xhr.readyState + ", responseText: " + xhr.responseText);
+    }
+
+    xhr.open("GET", "/resources/redirect.php?url=/contentextensions/resources/url-blocking-test.js", false);
+    try {
+        xhr.send();
+    } catch (error) {
+        log("Synchronous error: " + error);
+    }
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body onload="runTest()">
+</body>
diff --git a/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json b/LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html.json
new file mode 100644 (file)
index 0000000..309e66d
--- /dev/null
@@ -0,0 +1,10 @@
+[
+    {
+        "action": {
+            "type": "block"
+        },
+        "trigger": {
+            "url-filter": "url-blocking-test"
+        }
+    }
+]
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html
new file mode 100644 (file)
index 0000000..c37973b
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+</head>
+<body>
+<script>
+window.onload = function() {
+    const xhr = new XMLHttpRequest();
+    xhr.open("GET", "/resources/redirect.php?url=http://127.0.0.1:8443/", false);
+    xhr.send();
+    alert("PASS: upgraded sync XHR after redirection");
+
+    if (window.testRunner)
+        testRunner.notifyDone();
+};
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..a6096d6
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS: upgraded sync XHR after redirection
+This test opens a HTTPS window that loads insecure data via XHR. We should upgrade this request and thereby avoid a mixed content callback.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html
new file mode 100644 (file)
index 0000000..5ad14b2
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+</script>
+<p>This test opens a HTTPS window that loads insecure data via XHR.  We should upgrade
+this request and thereby avoid a mixed content callback.</p>
+<script>
+onload = function() {
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html");
+}
+</script>
+</body>
+</html>
index 68c1a4c..a6fa18a 100644 (file)
@@ -97,6 +97,9 @@ webkit.org/b/178272 [ Sierra ] http/tests/security/video-cross-origin-caching.ht
 # rdar://problem/34716163 Breaks subsequent tests using response.xml
 [ HighSierra+ ] http/tests/xmlhttprequest/range-test.html [ Skip ]
 
+# WK1 does not support sync XHR redirections as does WK2
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ]
+
 ### END OF (1) Failures with bug reports
 ########################################
 
index b0c3d2f..d5a9406 100644 (file)
@@ -2211,6 +2211,9 @@ webkit.org/b/140703 http/tests/security/XFrameOptions/x-frame-options-parent-sam
 webkit.org/b/140703 http/tests/xmlhttprequest/remember-bad-password.html [ Failure ]
 webkit.org/b/140703 http/tests/xmlhttprequest/failed-auth.html [ Failure ]
 
+# WK1 does not support sync XHR redirections as does WK2
+http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ]
+
 # CSP Stuff
 http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html [ Failure ]
 http/tests/security/contentSecurityPolicy/object-src-url-allowed.html [ Failure ]
index c08ecb7..8be6fcd 100644 (file)
@@ -1,3 +1,13 @@
+2018-04-19  Youenn Fablet  <youenn@apple.com>
+
+        NetworkProcess should use CSP/content blockers for sync XHR
+        https://bugs.webkit.org/show_bug.cgi?id=184760
+
+        Reviewed by Chris Dumez.
+
+        Setting CSP/ContentBlockers parameters for sync XHR loads.
+        * NetworkProcess/NetworkResourceLoader.cpp:
+
 2018-04-19  Nan Wang  <n_wang@apple.com>
 
         AX: AOM: respect the accessibility setting for dispatching the accessible events
index b28e153..cb805e0 100644 (file)
@@ -109,6 +109,11 @@ NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& par
 
     if (synchronousReply) {
         m_networkLoadChecker = NetworkLoadChecker::create(FetchOptions { m_parameters.options }, m_parameters.sessionID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef());
+        if (m_parameters.cspResponseHeaders)
+            m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
+#if ENABLE(CONTENT_EXTENSIONS)
+        m_networkLoadChecker->setContentExtensionController(URL { m_parameters.mainDocumentURL }, m_parameters.userContentControllerIdentifier);
+#endif
         m_synchronousLoadData = std::make_unique<SynchronousLoadData>(WTFMove(synchronousReply));
     }
 }