Parent service worker controller should be used for child iframe as per https://w3c...
authoryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Feb 2020 23:32:10 +0000 (23:32 +0000)
committeryouenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Feb 2020 23:32:10 +0000 (23:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=207506

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

* web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt:

Source/WebCore:

Instead of checking document URL protocol, implement the rules as per spec, in particular:
- If http/https, do not reuse controller
- If iframe has a unique origin, do not reuse controller
- If iframe does not have same origin as parent, do not reuse controller.

Covered by rebased test.

* loader/DocumentLoader.cpp:
(WebCore::isInheritingControllerFromParent):
(WebCore::DocumentLoader::commitData):
(WebCore::isLocalURL): Deleted.

LayoutTests:

* http/tests/workers/service/serviceworkerclients-claim.https-expected.txt:
Rebased test since now the frame is doing a fetch that is no longer intercepted by the service worker,
and is thus failing due to CORS.
* http/tests/workers/service/serviceworkerclients-claim.https.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256381 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/workers/service/serviceworkerclients-claim.https-expected.txt
LayoutTests/http/tests/workers/service/serviceworkerclients-claim.https.html
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp

index 81cd3bf..06a1444 100644 (file)
@@ -1,3 +1,15 @@
+2020-02-11  Youenn Fablet  <youenn@apple.com>
+
+        Parent service worker controller should be used for child iframe as per https://w3c.github.io/ServiceWorker/#control-and-use-window-client
+        https://bugs.webkit.org/show_bug.cgi?id=207506
+
+        Reviewed by Darin Adler.
+
+        * http/tests/workers/service/serviceworkerclients-claim.https-expected.txt:
+        Rebased test since now the frame is doing a fetch that is no longer intercepted by the service worker,
+        and is thus failing due to CORS.
+        * http/tests/workers/service/serviceworkerclients-claim.https.html:
+
 2020-02-11  Jason Lawrence  <lawrence.j@apple.com>
 
         [ iOS wk2 ] http/wpt/service-workers/service-worker-spinning-fetch.https.html is flaky failing.
index 6e7876b..dccf803 100644 (file)
@@ -1,3 +1,6 @@
+CONSOLE MESSAGE: Origin null is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Fetch API cannot load https://127.0.0.1:8443/pinkelephant due to access control checks.
+CONSOLE MESSAGE: line 1: Unhandled Promise Rejection: TypeError: Origin null is not allowed by Access-Control-Allow-Origin.
 
 
 PASS Setup worker 
index 6396de6..fb16947 100644 (file)
@@ -60,13 +60,12 @@ var htmlString = '<html><script>async function doTest() { ' +
 promise_test(async (test) => {
     var promise = new Promise((resolve, reject) => {
         window.addEventListener("message", (event) => {
-            resolve(event.data);
+            reject("Received a message from iframe:" + event.data);
         }, false);
-        setTimeout(() => {  reject("Did not receive any message from iframe"); }, 5000);
+        setTimeout(resolve, 100);
     });
     var frame = await withFrame("data:text/html," + htmlString);
-    var result = await promise;
-    assert_equals(result, "PASS");
+    return promise;
 }, "Test data URL frame");
 
 promise_test(async (test) => {
index a0667bc..0aec8a1 100644 (file)
@@ -1,3 +1,12 @@
+2020-02-11  Youenn Fablet  <youenn@apple.com>
+
+        Parent service worker controller should be used for child iframe as per https://w3c.github.io/ServiceWorker/#control-and-use-window-client
+        https://bugs.webkit.org/show_bug.cgi?id=207506
+
+        Reviewed by Darin Adler.
+
+        * web-platform-tests/service-workers/service-worker/local-url-inherit-controller.https-expected.txt:
+
 2020-02-07  Ryosuke Niwa  <rniwa@webkit.org>
 
         Don't update selection when calling setSelectionRange on a disconnected input element
index b3c61e1..74d93f4 100644 (file)
@@ -3,7 +3,7 @@ PASS Same-origin blob URL iframe should inherit service worker controller.
 PASS Same-origin blob URL iframe should intercept fetch(). 
 FAIL Same-origin blob URL worker should inherit service worker controller. assert_equals: blob URL worker should inherit controller expected (string) "https://localhost:9443/service-workers/service-worker/resources/local-url-inherit-controller-worker.js" but got (object) null
 PASS Same-origin blob URL worker should intercept fetch(). 
-FAIL Data URL iframe should not intercept fetch(). assert_equals: data URL iframe should not intercept fetch expected "" but got "intercepted"
+PASS Data URL iframe should not intercept fetch(). 
 FAIL Data URL worker should not inherit service worker controller. promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
 FAIL Data URL worker should not intercept fetch(). promise_test: Unhandled rejection with value: object "SecurityError: The operation is insecure."
 
index 985086c..6f5b324 100644 (file)
@@ -1,3 +1,22 @@
+2020-02-11  Youenn Fablet  <youenn@apple.com>
+
+        Parent service worker controller should be used for child iframe as per https://w3c.github.io/ServiceWorker/#control-and-use-window-client
+        https://bugs.webkit.org/show_bug.cgi?id=207506
+
+        Reviewed by Darin Adler.
+
+        Instead of checking document URL protocol, implement the rules as per spec, in particular:
+        - If http/https, do not reuse controller
+        - If iframe has a unique origin, do not reuse controller
+        - If iframe does not have same origin as parent, do not reuse controller.
+
+        Covered by rebased test.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::isInheritingControllerFromParent):
+        (WebCore::DocumentLoader::commitData):
+        (WebCore::isLocalURL): Deleted.
+
 2020-02-11  Zalan Bujtas  <zalan@apple.com>
 
         [LFC] Introduce Layout::ReplacedBox
index bc6b90e..c654b42 100644 (file)
@@ -1057,11 +1057,10 @@ void DocumentLoader::stopLoadingForPolicyChange()
 }
 
 #if ENABLE(SERVICE_WORKER)
-static inline bool isLocalURL(const URL& url)
+// https://w3c.github.io/ServiceWorker/#control-and-use-window-client
+static inline bool shouldUseActiveServiceWorkerFromParent(const Document& document, const Document& parent)
 {
-    // https://fetch.spec.whatwg.org/#is-local
-    auto protocol = url.protocol().toStringWithoutCopying();
-    return equalLettersIgnoringASCIICase(protocol, "data") || equalLettersIgnoringASCIICase(protocol, "blob") || equalLettersIgnoringASCIICase(protocol, "about");
+    return !document.url().protocolIsInHTTPFamily() && !document.securityOrigin().isUnique() && parent.securityOrigin().canAccess(document.securityOrigin());
 }
 #endif
 
@@ -1092,8 +1091,8 @@ void DocumentLoader::commitData(const char* bytes, size_t length)
             if (m_serviceWorkerRegistrationData && m_serviceWorkerRegistrationData->activeWorker) {
                 m_frame->document()->setActiveServiceWorker(ServiceWorker::getOrCreate(*m_frame->document(), WTFMove(m_serviceWorkerRegistrationData->activeWorker.value())));
                 m_serviceWorkerRegistrationData = { };
-            } else if (isLocalURL(m_frame->document()->url())) {
-                if (auto* parent = m_frame->document()->parentDocument())
+            } else if (auto* parent = m_frame->document()->parentDocument()) {
+                if (shouldUseActiveServiceWorkerFromParent(*m_frame->document(), *parent))
                     m_frame->document()->setActiveServiceWorker(parent->activeServiceWorker());
             }