[Curl] Stop sending request with credential if no authorization requested.
author Basuke.Suzuki@sony.com <Basuke.Suzuki@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 8 Sep 2018 00:32:11 +0000 (00:32 +0000)
committer Basuke.Suzuki@sony.com <Basuke.Suzuki@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 8 Sep 2018 00:32:11 +0000 (00:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189057

Reviewed by Alex Christensen.

Source/WebCore:

When 401 response returns without 'www-authenticate' header, suppress another request with credential.

Test: http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html

* platform/network/curl/CurlResourceHandleDelegate.cpp:
(WebCore::CurlResourceHandleDelegate::curlDidReceiveResponse):

Source/WebKit:

When 401 response returns without 'www-authenticate' header, suppress another request with credential.
Same fix for proxy authentication.

* NetworkProcess/curl/NetworkDataTaskCurl.cpp:
(WebKit::NetworkDataTaskCurl::curlDidReceiveResponse):

LayoutTests:

* http/tests/xmlhttprequest/resources/no-authenticate-header-401.php: Added.
* http/tests/xmlhttprequest/unauthorized-without-authenticate-header-expected.txt: Added.
* http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235821 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/xmlhttprequest/resources/no-authenticate-header-401.php [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/network/curl/CurlResourceHandleDelegate.cpp
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp

index 7819ddd..942313c 100644 (file)
@@ -1,3 +1,14 @@
+2018-09-07  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [Curl] Stop sending request with credential if no authorization requested.
+        https://bugs.webkit.org/show_bug.cgi?id=189057
+
+        Reviewed by Alex Christensen.
+
+        * http/tests/xmlhttprequest/resources/no-authenticate-header-401.php: Added.
+        * http/tests/xmlhttprequest/unauthorized-without-authenticate-header-expected.txt: Added.
+        * http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html: Added.
+
 2018-09-07  Youenn Fablet  <youenn@apple.com>
 
         Tests checking document GC in case of ActiveDOMObjects are flaky
diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/no-authenticate-header-401.php b/LayoutTests/http/tests/xmlhttprequest/resources/no-authenticate-header-401.php
new file mode 100644 (file)
index 0000000..8bcf1a7
--- /dev/null
@@ -0,0 +1,3 @@
+<?php
+
+header('HTTP/1.1 401 UNAUTHORIZED');
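Review bot: Nothing in this resource says that leaving out the WWW-Authenticate header is deliberate, and that omission is the whole point of the file. A one-line comment above the header() call would keep a later cleanup from adding a challenge header and silently turning the test into the ordinary 401 case.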
diff --git a/LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header-expected.txt b/LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header-expected.txt
new file mode 100644 (file)
index 0000000..839da32
--- /dev/null
@@ -0,0 +1,9 @@
+This tests that the request doesn't sends another request for 401 response without www-authenticate header. If it does, the request never stops by repeated request sending. Test passes if the request returns without displaying authentication callenge UI.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS () => xhr.status is 401
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
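Review bot: The description on the first line of this expected output has two typos, "doesn't sends" and "callenge", copied from the description() string in the test page. Fix them in the .html and regenerate this file in the same change, otherwise the two will stop matching.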
diff --git a/LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html b/LayoutTests/http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html
new file mode 100644 (file)
index 0000000..318a1e4
--- /dev/null
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script>
+        function doTest() {
+            description(`This tests that the request doesn't sends another request for 401 response
+                        without www-authenticate header. If it does, the request never stops by
+                        repeated request sending. Test passes if the request returns without 
+                        displaying authentication callenge UI.`);
+            window.jsTestIsAsync = true;
+
+            const xhr = new XMLHttpRequest();
+            xhr.onload = xhr.onerror = function() {
+                shouldBe(() => xhr.status, "401");
+                finishJSTest();
+            }
+
+            xhr.open('GET', 'resources/no-authenticate-header-401.php');
+            xhr.send(null);
+        }
+    </script>
+</head>
+
+<body onload="doTest()">
+    <div id="description"></div>
+    <div id="console"></div>
+</body>
+
+</html>
\ No newline at end of file
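Review bot: The only assertion in doTest() is shouldBe(() => xhr.status, "401"), so the failure the description talks about (the request being re-sent over and over) is caught only as a harness timeout, and a client that re-sends the request once, possibly with credentials, and then gives up would still pass. Consider having resources/no-authenticate-header-401.php record how many requests it received and whether any carried an Authorization header, and assert that the count is exactly one. The file also ends without a trailing newline.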
index fa54b48..7b6927f 100644 (file)
@@ -1,3 +1,17 @@
+2018-09-07  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [Curl] Stop sending request with credential if no authorization requested.
+        https://bugs.webkit.org/show_bug.cgi?id=189057
+
+        Reviewed by Alex Christensen.
+
+        When 401 response returns without 'www-authenticate' header, suppress another request with credential.
+
+        Test: http/tests/xmlhttprequest/unauthorized-without-authenticate-header.html
+
+        * platform/network/curl/CurlResourceHandleDelegate.cpp:
+        (WebCore::CurlResourceHandleDelegate::curlDidReceiveResponse):
+
 2018-09-07  Fujii Hironori  <Hironori.Fujii@sony.com>
 
         [Win][Clang] duplicated variable name `advance` in UniscribeController::shapeAndPlaceItem
index 6a06f19..cf8e99f 100644 (file)
@@ -119,7 +119,7 @@ void CurlResourceHandleDelegate::curlDidReceiveResponse(CurlRequest& request, co
         return;
     }
 
-    if (m_response.isUnauthorized()) {
+    if (m_response.isUnauthorized() && receivedResponse.availableHttpAuth) {
         AuthenticationChallenge challenge(receivedResponse, d()->m_authFailureCount, m_response, &m_handle);
         m_handle.didReceiveAuthenticationChallenge(challenge);
         d()->m_authFailureCount++;
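Review bot: The new condition on the isUnauthorized() line relies on receivedResponse.availableHttpAuth being falsy when the server offered no scheme, but nothing at the call site says so. Please add a short comment that a 401 with no advertised scheme is delivered to the client as a plain response and no credential is attached to a retry. The WebKit half of this commit applies the same guard to the proxy case with availableProxyAuth; if this delegate has a 407 path outside the lines shown here, it needs the matching check.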
index 77cce94..736453b 100644 (file)
@@ -1,3 +1,16 @@
+2018-09-07  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [Curl] Stop sending request with credential if no authorization requested.
+        https://bugs.webkit.org/show_bug.cgi?id=189057
+
+        Reviewed by Alex Christensen.
+
+        When 401 response returns without 'www-authenticate' header, suppress another request with credential.
+        Same fix for proxy authentication.
+
+        * NetworkProcess/curl/NetworkDataTaskCurl.cpp:
+        (WebKit::NetworkDataTaskCurl::curlDidReceiveResponse):
+
 2018-09-07  Brent Fulgham  <bfulgham@apple.com>
 
         Allow WebContent access to AVCSupported IOKit property in sandbox
index a903569..f7d49c2 100644 (file)
@@ -161,13 +161,13 @@ void NetworkDataTaskCurl::curlDidReceiveResponse(CurlRequest& request, const Cur
         return;
     }
 
-    if (m_response.isUnauthorized()) {
+    if (m_response.isUnauthorized() && receivedResponse.availableHttpAuth) {
         tryHttpAuthentication(AuthenticationChallenge(receivedResponse, m_authFailureCount, m_response));
         m_authFailureCount++;
         return;
     }
 
-    if (m_response.isProxyAuthenticationRequired()) {
+    if (m_response.isProxyAuthenticationRequired() && receivedResponse.availableProxyAuth) {
         tryProxyAuthentication(AuthenticationChallenge(receivedResponse, 0, m_response));
         return;
     }
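Review bot: The isProxyAuthenticationRequired() branch now depends on receivedResponse.availableProxyAuth, but the layout test added in this commit only exercises the 401 path, so the proxy half of the fix lands untested. Either add a 407 counterpart that returns no Proxy-Authenticate header, or state in the ChangeLog why that case cannot be covered by a layout test.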