Response headers should be filtered when sent from NetworkProcess to WebProcess
author youenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Apr 2018 03:48:55 +0000 (03:48 +0000)
committer youenn@apple.com <youenn@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 7 Apr 2018 03:48:55 +0000 (03:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184310

Reviewed by Ryosuke Niwa.

Source/WebCore:

Did some refactoring to allow ResourceResponse to use header value parsing routines.
We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
If not exposed to scripts, additional filtering is done.

Add internal API to get unfiltered response headers from a fetch response.
Test: http/wpt/service-workers/header-filtering.https.html

* Modules/fetch/FetchResponse.h:
* loader/CrossOriginPreflightResultCache.cpp:
(WebCore::CrossOriginPreflightResultCacheItem::parse):
* platform/network/HTTPParsers.h:
(WebCore::addToAccessControlAllowList):
(WebCore::parseAccessControlAllowList):
* platform/network/ResourceResponseBase.cpp:
(WebCore::isSafeToKeepRedirectionResponseHeader):
(WebCore::isCrossOriginSafeToKeepResponseHeader):
(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
* platform/network/ResourceResponseBase.h:
* testing/ServiceWorkerInternals.cpp:
(WebCore::ServiceWorkerInternals::fetchResponseHeaderList):
* testing/ServiceWorkerInternals.h:
* testing/ServiceWorkerInternals.idl:

Source/WebKit:

Pass destination parameter to NetworkResourceLoader.
Use new sanitization routine to filter response headers as needed:
- Cross-origin routines are filtered by removing any non CORS allowed headers.
- Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).
In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.

* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::willSendRedirectedRequest):
(WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
(WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
* NetworkProcess/NetworkResourceLoader.h:
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
* WebProcess/Storage/WebSWContextManagerConnection.cpp:
(WebKit::WebSWContextManagerConnection::updatePreferencesStore):

LayoutTests:

Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.

* http/wpt/service-workers/header-filtering-worker.js: Added.
* http/wpt/service-workers/header-filtering.https-expected.txt: Added.
Some tests are failing as navigation loads are not yet filtered and we
have no good way yet to detect cross origin loads.
* http/wpt/service-workers/header-filtering.https.html: Added.
* http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
* http/wpt/service-workers/resources/response-full-of-headers.py: Added.
* http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* http/tests/webarchive/test-preload-resources-expected.txt: Added.
* platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
* platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@230365 268f45cc-cd09-0410-ab3c-d52691b4dbfc

28 files changed:
LayoutTests/ChangeLog
LayoutTests/http/wpt/service-workers/header-filtering-worker.js [new file with mode: 0644]
LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt [new file with mode: 0644]
LayoutTests/http/wpt/service-workers/header-filtering.https.html [new file with mode: 0644]
LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html [new file with mode: 0644]
LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py [new file with mode: 0644]
LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt
LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt
LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt [new file with mode: 0644]
LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/Modules/fetch/FetchResponse.h
Source/WebCore/loader/CrossOriginPreflightResultCache.cpp
Source/WebCore/platform/network/HTTPParsers.h
Source/WebCore/platform/network/ResourceResponseBase.cpp
Source/WebCore/platform/network/ResourceResponseBase.h
Source/WebCore/testing/ServiceWorkerInternals.cpp
Source/WebCore/testing/ServiceWorkerInternals.h
Source/WebCore/testing/ServiceWorkerInternals.idl
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp
Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h
Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
Source/WebKit/NetworkProcess/NetworkResourceLoader.h
Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp
Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp

index 0a06807..aac36b2 100644 (file)
@@ -1,3 +1,26 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.
+
+        * http/wpt/service-workers/header-filtering-worker.js: Added.
+        * http/wpt/service-workers/header-filtering.https-expected.txt: Added.
+        Some tests are failing as navigation loads are not yet filtered and we
+        have no good way yet to detect cross origin loads.
+        * http/wpt/service-workers/header-filtering.https.html: Added.
+        * http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
+        * http/wpt/service-workers/resources/response-full-of-headers.py: Added.
+        * http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+
 2018-04-06  Ryan Haddad  <ryanhaddad@apple.com>
 
         Mark fast/loader/submit-form-while-parsing-2.html as flaky.
diff --git a/LayoutTests/http/wpt/service-workers/header-filtering-worker.js b/LayoutTests/http/wpt/service-workers/header-filtering-worker.js
new file mode 100644 (file)
index 0000000..21346ba
--- /dev/null
@@ -0,0 +1,16 @@
+var source;
+addEventListener("message", (e) => {
+    source = e.source;
+    source.postMessage(e.data === "ready?" ? "ready" : "not ready");
+});
+
+addEventListener("fetch", async (e) => {
+    var promise = fetch(e.request);
+    e.respondWith(promise.then((response) => {
+        if (self.internals)
+            source.postMessage(internals.fetchResponseHeaderList(response).sort());
+        else
+            source.postMessage("Test requires internals API to get all response headers");
+        return response;
+    }));
+});
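Review bot: in the fetch listener, `source` is assigned only by the message listener, so a fetch intercepted before any client has posted a message calls `source.postMessage` on undefined. That exception is thrown inside the `then` callback, which rejects the promise handed to `e.respondWith` and fails the load instead of just skipping the report. Guard the two `postMessage` calls with `if (source)`, and drop `async` from the fetch listener since nothing in it is awaited.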
diff --git a/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt b/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt
new file mode 100644 (file)
index 0000000..c97d51a
--- /dev/null
@@ -0,0 +1,13 @@
+
+
+PASS Setup worker 
+PASS Frame controlled by service worker 
+PASS Test same-origin fetch 
+FAIL Test cors cross-origin fetch assert_array_equals: lengths differ, expected 13 got 15
+FAIL Test no-cors cross-origin fetch assert_array_equals: lengths differ, expected 13 got 15
+PASS Test same-origin script load 
+PASS Test no-cors script load 
+PASS Test cors script load 
+FAIL Test HTML load assert_array_equals: lengths differ, expected 13 got 17
+PASS Clean-up 
+
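Review bot: the test names in this baseline ("Setup worker", "Frame controlled by service worker", "Clean-up") do not match the descriptions passed to `promise_test` in header-filtering.https.html ("Setup worker and register the client", "Add a frame controlled by service worker", "Do some clean-up"), so the expected file and the test should be brought back in sync before landing. The three FAIL lines are also checked in as expected results with only the ChangeLog sentence to explain them; a follow-up bug for navigation loads and cross-origin detection, referenced from the ChangeLog, would make it possible to tell when these baselines can be flipped to PASS.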
diff --git a/LayoutTests/http/wpt/service-workers/header-filtering.https.html b/LayoutTests/http/wpt/service-workers/header-filtering.https.html
new file mode 100644 (file)
index 0000000..fb48964
--- /dev/null
@@ -0,0 +1,155 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Service Worker Header Filtering</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+ <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<script>
+var scope = "resources";
+var registration;
+var frame;
+
+var url1 = "/WebKit/service-workers/resources/response-full-of-headers.py";
+var url2 = get_host_info().HTTPS_REMOTE_ORIGIN + url1;
+
+function withFrame(url)
+{
+    return new Promise((resolve) => {
+        const frame = document.createElement('iframe');
+        frame.src = url;
+        frame.onload = function() { resolve(frame); };
+        document.body.appendChild(frame);
+    });
+}
+
+async function registerServiceWorker(scope)
+{
+    const registration = await navigator.serviceWorker.register("header-filtering-worker.js", { scope : scope });
+    const activeWorker = registration.active;
+    if (activeWorker)
+        return registration;
+    activeWorker = registration.installing;
+    return new Promise(resolve => {
+        activeWorker.addEventListener('statechange', () => {
+            if (activeWorker.state === "activated")
+                resolve(registration);
+        });
+    });
+}
+
+promise_test(async (test) => {
+    registration = await registerServiceWorker(scope);
+    registration.active.postMessage("ready?");
+    return new Promise((resolve) => {
+        navigator.serviceWorker.onmessage = (event) => {
+            assert_equals(event.data, "ready");
+            navigator.serviceWorker.onmessage = undefined;
+            resolve();
+        };
+    });
+}, "Setup worker and register the client");
+
+var processMessage;
+promise_test(async (test) => {
+    frame = await withFrame(scope + "/header-filtering-iframe.html");
+    navigator.serviceWorker.onmessage = (event) => {
+        processMessage(event.data);
+    };
+}, "Add a frame controlled by service worker");
+
+promise_test(async (test) => {
+    const promise = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url1 + "?fetch");
+    assert_array_equals(await promise, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy","Server",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-header1","x-header2"]);
+}, "Test same-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url2 + "?fetch-cors", { mode : "cors" });
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test cors cross-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url2 + "?fetch-no-cors", { mode : "no-cors" });
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test no-cors cross-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url1 + "?script");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test same-origin script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url2 + "?script-nocors");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test no-cors script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url2 + "?script-cors", "anonymous");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test cors script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    let frame = await withFrame(url1 + "?html");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+    frame.remove();
+}, "Test HTML load");
+
+promise_test(async (test) => {
+    await registration.unregister();
+    frame.remove();
+}, "Do some clean-up");
+
+</script>
+</body>
+</html>
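Review bot: in `registerServiceWorker`, `activeWorker` is declared with `const` and then reassigned by `activeWorker = registration.installing;`, which throws a TypeError whenever `registration.active` is null, that is, on a fresh registration. Declare it with `let`, or use a second variable for the installing worker. Separately, the same-origin fetch case expects `"x-header1"` while every filtered case expects `"x-Header1"`; a short comment saying where the different casing comes from would help the next reader, and the `<script src="/common/get-host-info.sub.js">` line has a stray leading space.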
diff --git a/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html b/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html
new file mode 100644 (file)
index 0000000..ebd9785
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function loadScript(url, mode)
+{
+    let script = document.createElement("script");
+    script.src = url;
+    if (mode)
+        script.crossOrigin = mode;
+    document.body.appendChild(script);
+}
+</script>
+</head>
+<body>
+Ready
+</body>
+</html>
diff --git a/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py b/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py
new file mode 100644 (file)
index 0000000..92515d2
--- /dev/null
@@ -0,0 +1,18 @@
+def main(request, response):
+    headers = [("Content-type", "text/javascript"),
+        ("Set-Cookie", "1"),
+        ("Set-Cookie2", "2"),
+        ("Access-Control-Allow-Origin", "*"),
+        ("Access-Control-Allow-Credentials", "true"),
+        ("Access-Control-Allow-Methods", "GET, POST, HEAD"),
+        ("Timing-Allow-Origin", "*"),
+        ("Referrer-Policy", "whatever"),
+        ("SourceMap", "1"),
+        ("x-sourcemap", "2"),
+        ("Access-Control-Expose-Headers", "x-Header1, content-length"),
+        ("x-header1", "x-value1"),
+        ("x-header2", "x-value2"),
+        ("Content-Length", "13"),
+        ("Cache-Control", "no-store")
+    ]
+    return headers, "document.body"
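Review bot: `main` ignores `request`, so every variant the test asks for (`?fetch`, `?script`, `?html`) gets the same `text/javascript` response; the "Test HTML load" case in header-filtering.https.html therefore loads a script body into an iframe rather than an HTML document. Consider switching the content type and body on the query string so the navigation case exercises an HTML response. The hard-coded `("Content-Length", "13")` also has to stay equal to the length of `"document.body"`; computing it from the body would avoid a silent mismatch if the body changes.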
diff --git a/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt
new file mode 100644 (file)
index 0000000..9832fe8
--- /dev/null
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+&lt;link rel="stylesheet" href="http://localhost:8000/webarchive/resources/localhost-stylesheet.css" type="text/css"&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This HTML links to an external stylesheet from a different security origin.&lt;br&gt;
+Making a webarchive of this page should not crash.
+
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/cross-origin-stylesheet-crash.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>1</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>1</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+               </dict>
+       </array>
+</dict>
+</plist>
diff --git a/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt
new file mode 100644 (file)
index 0000000..6718fc6
--- /dev/null
@@ -0,0 +1,303 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+
+&lt;link rel="stylesheet" type="text/css" href="resources/test-preload-resources.css"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?1" title="green"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?2" title="blue"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?3" title="yellow"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?4" title="pink"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?5" title="purple"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?6" title="gray"&gt;
+
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+
+&lt;/head&gt;&lt;body&gt;
+&lt;div&gt;
+Test for &lt;a href="https://bugs.webkit.org/show_bug.cgi?id=22466"&gt;Bug 22466:
+REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&lt;/a&gt;
+&lt;/div&gt;
+&lt;p&gt;Some resources are missing when saving this page as a webarchive.&lt;/p&gt;
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/test-preload-resources.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+               </dict>
+       </array>
+</dict>
+</plist>
index 9832fe8..47be3de 100644 (file)
@@ -55,8 +55,6 @@ Making a webarchive of this page should not crash.
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>1</integer>
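Review bot: In this cross-origin stylesheet baseline (page on 127.0.0.1:8000, stylesheet on localhost:8000) the hunk drops only `Server`, while the context lines still expect the `Etag` value and `Last-Modified` in `allHeaderFields`. The commit message says cross-origin responses are reduced to the CORS-allowed headers, and `Etag` is not a CORS-safelisted response header, so please confirm which sanitization level this load goes through and state it in the ChangeLog. If the stricter level was intended for this load, the expectation should lose more than `Server`.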
index 6718fc6..43da624 100644 (file)
@@ -65,8 +65,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -102,8 +100,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -139,8 +135,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -176,8 +170,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -213,8 +205,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -250,8 +240,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
@@ -287,8 +275,6 @@ REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&
                                        <string>"301925-21-45c7d72d3e780"</string>
                                        <key>Last-Modified</key>
                                        <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
                                </dict>
                                <key>expectedContentLength</key>
                                <integer>33</integer>
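Review bot: The removal of `Server` from `allHeaderFields` here, repeated in all seven hunks of this file, changes what a saved webarchive contains, and the ChangeLog text does not say so. It describes the sanitization in terms of whether a response is exposed to scripts and names only http/wpt/service-workers/header-filtering.https.html as a test. A sentence stating that webarchive output intentionally no longer records `Server` would help anyone comparing archives produced before and after this change.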
diff --git a/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt b/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt
new file mode 100644 (file)
index 0000000..9832fe8
--- /dev/null
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+&lt;link rel="stylesheet" href="http://localhost:8000/webarchive/resources/localhost-stylesheet.css" type="text/css"&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This HTML links to an external stylesheet from a different security origin.&lt;br&gt;
+Making a webarchive of this page should not crash.
+
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/cross-origin-stylesheet-crash.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>1</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>1</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+               </dict>
+       </array>
+</dict>
+</plist>
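Review bot: This Windows-only baseline keeps `Server` in `allHeaderFields` (the two `+` lines just before the closing `</dict>` of the header dictionary), and its blob id 9832fe8 is the pre-change blob of the shared baseline, so it pins the unfiltered header set for platform/win without saying why. Please record the reason in the ChangeLog or next to the expectation (for example, that this port does not go through the NetworkProcess filtering path, if that is the case), so the fork can be removed once it does. As written, the expectation for a cross-origin stylesheet response on this port still includes the full server version string.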
diff --git a/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt b/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt
new file mode 100644 (file)
index 0000000..6718fc6
--- /dev/null
@@ -0,0 +1,303 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+
+&lt;link rel="stylesheet" type="text/css" href="resources/test-preload-resources.css"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?1" title="green"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?2" title="blue"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?3" title="yellow"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?4" title="pink"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?5" title="purple"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?6" title="gray"&gt;
+
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+
+&lt;/head&gt;&lt;body&gt;
+&lt;div&gt;
+Test for &lt;a href="https://bugs.webkit.org/show_bug.cgi?id=22466"&gt;Bug 22466:
+REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&lt;/a&gt;
+&lt;/div&gt;
+&lt;p&gt;Some resources are missing when saving this page as a webarchive.&lt;/p&gt;
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/test-preload-resources.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+               </dict>
+       </array>
+</dict>
+</plist>
index ceac1b2..a6497d7 100644 (file)
@@ -1,3 +1,33 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Did some refactoring to allow ResourceResponse to use header value parsing routines.
+        We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
+        If not exposed to scripts, additional filtering is done.
+
+        Add internal API to get unfiltered response headers from a fetch response.
+        Test: http/wpt/service-workers/header-filtering.https.html
+
+        * Modules/fetch/FetchResponse.h:
+        * loader/CrossOriginPreflightResultCache.cpp:
+        (WebCore::CrossOriginPreflightResultCacheItem::parse):
+        * platform/network/HTTPParsers.h:
+        (WebCore::addToAccessControlAllowList):
+        (WebCore::parseAccessControlAllowList):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::isSafeToKeepRedirectionResponseHeader):
+        (WebCore::isCrossOriginSafeToKeepResponseHeader):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
+        * platform/network/ResourceResponseBase.h:
+        * testing/ServiceWorkerInternals.cpp:
+        (WebCore::ServiceWorkerInternals::fetchResponseHeaderList):
+        * testing/ServiceWorkerInternals.h:
+        * testing/ServiceWorkerInternals.idl:
+
 2018-04-06  Michael Catanzaro  <mcatanzaro@igalia.com>
 
         Unreviewed, fix unused parameter warning when credential storage is disabled
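Review bot: The function list in this ChangeLog entry names WebCore::isSafeToKeepRedirectionResponseHeader and WebCore::isCrossOriginSafeToKeepResponseHeader, but the ResourceResponseBase.cpp hunks in this patch define isSafeRedirectionResponseHeader and isSafeCrossOriginResponseHeader. Update the entry to the final names so the log can be matched against the source.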
index acdf268..47e2eba 100644 (file)
@@ -109,6 +109,8 @@ public:
 
     const std::optional<ResourceError>& loadingError() const { return m_loadingError; }
 
+    const HTTPHeaderMap& internalResponseHeaders() const { return m_internalResponse.httpHeaderFields(); }
+
 private:
     FetchResponse(ScriptExecutionContext&, std::optional<FetchBody>&&, Ref<FetchHeaders>&&, ResourceResponse&&);
 
index 6d40213..7087ab0 100644 (file)
@@ -52,57 +52,23 @@ static bool parseAccessControlMaxAge(const String& string, Seconds& expiryDelta)
     return ok;
 }
 
-template<class HashType>
-static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
-{
-    StringImpl* stringImpl = string.impl();
-    if (!stringImpl)
-        return;
-
-    // Skip white space from start.
-    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
-        ++start;
-
-    // only white space
-    if (start > end) 
-        return;
-
-    // Skip white space from end.
-    while (end && isSpaceOrNewline((*stringImpl)[end]))
-        --end;
-
-    set.add(string.substring(start, end - start + 1));
-}
-
-template<class HashType>
-static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)
-{
-    unsigned start = 0;
-    size_t end;
-    while ((end = string.find(',', start)) != notFound) {
-        if (start != end)
-            addToAccessControlAllowList(string, start, end - 1, set);
-        start = end + 1;
-    }
-    if (start != string.length())
-        addToAccessControlAllowList(string, start, string.length() - 1, set);
-
-    return true;
-}
-
 bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription)
 {
     m_methods.clear();
-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods), m_methods)) {
+    auto methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods));
+    if (!methods) {
         errorDescription = "Cannot parse Access-Control-Allow-Methods response header field.";
         return false;
     }
+    m_methods = WTFMove(methods.value());
 
     m_headers.clear();
-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders), m_headers)) {
+    auto headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders));
+    if (!headers) {
         errorDescription = "Cannot parse Access-Control-Allow-Headers response header field.";
         return false;
     }
+    m_headers = WTFMove(headers.value());
 
     Seconds expiryDelta = 0_s;
     if (parseAccessControlMaxAge(response.httpHeaderField(HTTPHeaderName::AccessControlMaxAge), expiryDelta)) {
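Review bot: The "if (!methods)" and "if (!headers)" error branches cannot be reached with the parseAccessControlAllowList added to HTTPParsers.h in this patch, because that function ends in an unconditional "return set;" and never yields an empty optional. Either make the parser reject malformed lists, so that the "Cannot parse ..." errors can actually fire, or return the set directly and drop the checks. The m_methods.clear() and m_headers.clear() calls are also redundant on the success path now that both members are move-assigned.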
index d6051e2..ffddf34 100644 (file)
@@ -119,4 +119,43 @@ inline StringView stripLeadingAndTrailingHTTPSpaces(StringView string)
     return string.stripLeadingAndTrailingMatchedCharacters(isHTTPSpace);
 }
 
+template<class HashType>
+void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
+{
+    StringImpl* stringImpl = string.impl();
+    if (!stringImpl)
+        return;
+
+    // Skip white space from start.
+    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
+        ++start;
+
+    // only white space
+    if (start > end)
+        return;
+
+    // Skip white space from end.
+    while (end && isSpaceOrNewline((*stringImpl)[end]))
+        --end;
+
+    set.add(string.substring(start, end - start + 1));
+}
+
+template<class HashType = DefaultHash<String>::Hash>
+std::optional<HashSet<String, HashType>> parseAccessControlAllowList(const String& string)
+{
+    HashSet<String, HashType> set;
+    unsigned start = 0;
+    size_t end;
+    while ((end = string.find(',', start)) != notFound) {
+        if (start != end)
+            addToAccessControlAllowList(string, start, end - 1, set);
+        start = end + 1;
+    }
+    if (start != string.length())
+        addToAccessControlAllowList(string, start, string.length() - 1, set);
+
+    return set;
+}
+
 }
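Review bot: addToAccessControlAllowList trims tokens with isSpaceOrNewline, while this header already defines header whitespace through isHTTPSpace in stripLeadingAndTrailingHTTPSpaces, visible just above the added code. Now that the parser is shared and also feeds the Access-Control-Expose-Headers filtering, trimming each token with stripLeadingAndTrailingHTTPSpaces would keep a single definition of header whitespace and remove the manual start/end index arithmetic.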
index 4cb0ce8..da83b61 100644 (file)
@@ -317,7 +317,7 @@ void ResourceResponseBase::setHTTPVersion(const String& versionText)
     // FIXME: Should invalidate or update platform response if present.
 }
 
-static bool isSafeToKeepRedirectionHeader(HTTPHeaderName name)
+static bool isSafeRedirectionResponseHeader(HTTPHeaderName name)
 {
     // WebCore needs to keep location and cache related headers as it does caching.
     // We also keep CORS/ReferrerPolicy headers until CORS checks/Referrer computation are done in NetworkProcess.
@@ -330,6 +330,7 @@ static bool isSafeToKeepRedirectionHeader(HTTPHeaderName name)
         || name == HTTPHeaderName::LastModified
         || name == HTTPHeaderName::Age
         || name == HTTPHeaderName::Pragma
+        || name == HTTPHeaderName::ReferrerPolicy
         || name == HTTPHeaderName::Refresh
         || name == HTTPHeaderName::Vary
         || name == HTTPHeaderName::AccessControlAllowCredentials
@@ -341,16 +342,90 @@ static bool isSafeToKeepRedirectionHeader(HTTPHeaderName name)
         || name == HTTPHeaderName::TimingAllowOrigin;
 }
 
-void ResourceResponseBase::sanitizeRedirectionHTTPHeaderFields()
+static bool isSafeCrossOriginResponseHeader(HTTPHeaderName name)
+{
+    // All known response headers used in WebProcesses.
+    return name == HTTPHeaderName::AcceptRanges
+        || name == HTTPHeaderName::AccessControlAllowCredentials
+        || name == HTTPHeaderName::AccessControlAllowHeaders
+        || name == HTTPHeaderName::AccessControlAllowMethods
+        || name == HTTPHeaderName::AccessControlAllowOrigin
+        || name == HTTPHeaderName::AccessControlExposeHeaders
+        || name == HTTPHeaderName::AccessControlMaxAge
+        || name == HTTPHeaderName::AccessControlRequestHeaders
+        || name == HTTPHeaderName::AccessControlRequestMethod
+        || name == HTTPHeaderName::Age
+        || name == HTTPHeaderName::CacheControl
+        || name == HTTPHeaderName::ContentDisposition
+        || name == HTTPHeaderName::ContentEncoding
+        || name == HTTPHeaderName::ContentLanguage
+        || name == HTTPHeaderName::ContentLength
+        || name == HTTPHeaderName::ContentRange
+        || name == HTTPHeaderName::ContentSecurityPolicy
+        || name == HTTPHeaderName::ContentSecurityPolicyReportOnly
+        || name == HTTPHeaderName::ContentType
+        || name == HTTPHeaderName::Date
+        || name == HTTPHeaderName::ETag
+        || name == HTTPHeaderName::Expires
+        || name == HTTPHeaderName::IcyMetaInt
+        || name == HTTPHeaderName::IcyMetadata
+        || name == HTTPHeaderName::LastEventID
+        || name == HTTPHeaderName::LastModified
+        || name == HTTPHeaderName::Link
+        || name == HTTPHeaderName::Pragma
+        || name == HTTPHeaderName::Range
+        || name == HTTPHeaderName::ReferrerPolicy
+        || name == HTTPHeaderName::Refresh
+        || name == HTTPHeaderName::SourceMap
+        || name == HTTPHeaderName::XSourceMap
+        || name == HTTPHeaderName::TimingAllowOrigin
+        || name == HTTPHeaderName::Trailer
+        || name == HTTPHeaderName::Vary
+        || name == HTTPHeaderName::XContentTypeOptions
+        || name == HTTPHeaderName::XDNSPrefetchControl
+        || name == HTTPHeaderName::XFrameOptions
+        || name == HTTPHeaderName::XWebKitCSP
+        || name == HTTPHeaderName::XWebKitCSPReportOnly
+        || name == HTTPHeaderName::XXSSProtection;
+}
+
+void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type)
 {
     lazyInit(AllFields);
 
-    auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
-    for (auto& header : commonHeaders) {
-        if (isSafeToKeepRedirectionHeader(header.key))
-            m_httpHeaderFields.add(header.key, WTFMove(header.value));
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie);
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2);
+
+    switch (type) {
+    case SanitizationType::RemoveCookies:
+        return;
+    case SanitizationType::Redirection: {
+        auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
+        for (auto& header : commonHeaders) {
+            if (isSafeRedirectionResponseHeader(header.key))
+                m_httpHeaderFields.add(header.key, WTFMove(header.value));
+        }
+        m_httpHeaderFields.uncommonHeaders().clear();
+        return;
+    }
+    case SanitizationType::CrossOriginSafe: {
+        HTTPHeaderMap filteredHeaders;
+        for (auto& header : m_httpHeaderFields.commonHeaders()) {
+            if (isSafeCrossOriginResponseHeader(header.key))
+                filteredHeaders.add(header.key, WTFMove(header.value));
+        }
+        if (auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders))) {
+            for (auto& headerName : *corsSafeHeaderSet) {
+                if (!filteredHeaders.contains(headerName)) {
+                    auto value = m_httpHeaderFields.get(headerName);
+                    if (!value.isNull())
+                        filteredHeaders.add(headerName, value);
+                }
+            }
+        }
+        m_httpHeaderFields = WTFMove(filteredHeaders);
+    }
     }
-    m_httpHeaderFields.uncommonHeaders().clear();
 }
 
 bool ResourceResponseBase::isHTTP09() const
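Review bot: In the CrossOriginSafe case, httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders) is read after the loop has already applied WTFMove(header.value) to entries of the same m_httpHeaderFields, and AccessControlExposeHeaders is itself on the isSafeCrossOriginResponseHeader list. Whether the expose list is still readable at that point depends on HTTPHeaderMap::add not consuming the moved value. Parse the expose list into a local before the loop, or read it from filteredHeaders, so the exposed-header pass does not rely on that. A comment noting that Set-Cookie and Set-Cookie2 are removed ahead of the switch, and that this ordering is what keeps an Access-Control-Expose-Headers entry from re-adding them, would protect the ordering against later refactoring.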
index 78bda89..858faa1 100644 (file)
@@ -102,7 +102,9 @@ public:
 
     WEBCORE_EXPORT const HTTPHeaderMap& httpHeaderFields() const;
     void setHTTPHeaderFields(HTTPHeaderMap&&);
-    WEBCORE_EXPORT void sanitizeRedirectionHTTPHeaderFields();
+
+    enum class SanitizationType { Redirection, RemoveCookies, CrossOriginSafe };
+    WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType);
 
     String httpHeaderField(const String& name) const;
     WEBCORE_EXPORT String httpHeaderField(HTTPHeaderName) const;
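Review bot: SanitizationType is added without any description of what each level keeps. The semantics only become clear from the .cpp: RemoveCookies drops just Set-Cookie and Set-Cookie2, Redirection keeps the redirection allowlist and clears uncommon headers, and CrossOriginSafe keeps the cross-origin allowlist plus the names listed in Access-Control-Expose-Headers. One comment line per enumerator here would let callers pick a level without reading the implementation.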
index 6d8e0f2..da1c4fb 100644 (file)
@@ -80,6 +80,15 @@ Ref<FetchResponse> ServiceWorkerInternals::createOpaqueWithBlobBodyResponse(Scri
     return fetchResponse;
 }
 
+Vector<String> ServiceWorkerInternals::fetchResponseHeaderList(FetchResponse& response)
+{
+    Vector<String> headerNames;
+    headerNames.reserveInitialCapacity(response.internalResponseHeaders().size());
+    for (auto keyValue : response.internalResponseHeaders())
+        headerNames.uncheckedAppend(keyValue.key);
+    return headerNames;
+}
+
 } // namespace WebCore
 
 #endif
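Review bot: "for (auto keyValue : response.internalResponseHeaders())" copies every key/value pair just to read the key; iterate with auto& or const auto& instead. The loop also pairs reserveInitialCapacity(size()) with uncheckedAppend, which is only safe while HTTPHeaderMap::size() equals the number of elements the iterator yields. A plain append avoids depending on that in a testing helper.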
index 9b03c62..da287e1 100644 (file)
@@ -47,6 +47,8 @@ public:
     Ref<FetchEvent> createBeingDispatchedFetchEvent(ScriptExecutionContext&);
     Ref<FetchResponse> createOpaqueWithBlobBodyResponse(ScriptExecutionContext&);
 
+    Vector<String> fetchResponseHeaderList(FetchResponse&);
+
 private:
     explicit ServiceWorkerInternals(ServiceWorkerIdentifier);
 
index 42c1db8..d0e2de5 100644 (file)
@@ -33,4 +33,6 @@
     Promise<Response> waitForFetchEventToFinish(FetchEvent event);
     [CallWith=ScriptExecutionContext] FetchEvent createBeingDispatchedFetchEvent();
     [CallWith=ScriptExecutionContext] FetchResponse createOpaqueWithBlobBodyResponse();
+
+    sequence<ByteString> fetchResponseHeaderList(FetchResponse response);
 };
index c2e98bc..8552812 100644 (file)
@@ -1,3 +1,32 @@
+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Pass destination parameter to NetworkResourceLoader.
+        Use new sanitization routine to filter response headers as needed:
+        - Cross-origin routines are filtered by removing any non CORS allowed headers.
+        - Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).
+        In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.
+
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::didReceiveResponse):
+        (WebKit::NetworkResourceLoader::willSendRedirectedRequest):
+        (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
+        (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+        (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
+        * NetworkProcess/NetworkResourceLoader.h:
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+        * WebProcess/Storage/WebSWContextManagerConnection.cpp:
+        (WebKit::WebSWContextManagerConnection::updatePreferencesStore):
+
 2018-04-05  Ryosuke Niwa  <rniwa@webkit.org>
 
         Make all sync IPCs during ScriptDisallowedScope set DoNotProcessIncomingMessagesWhenWaitingForSyncReply
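Review bot: The file list stops at WebLoaderStrategy::scheduleLoadFromNetworkProcess, but the WebLoaderStrategy.cpp hunks in this patch also change loadResourceSynchronously and preconnectTo (both set destination to EmptyString); list them as well. In the description, "Cross-origin routines are filtered" reads as if it should be "Cross-origin responses", and "In all cases, Set-Cookie/Set-Cookie2 headers are filtered out" only holds when shouldRestrictHTTPResponseAccess is set, since sanitizeResponseIfPossible returns the response untouched otherwise.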
index 5d08934..23b8123 100644 (file)
@@ -89,6 +89,7 @@ void NetworkResourceLoadParameters::encode(IPC::Encoder& encoder) const
     if (sourceOrigin)
         encoder << sourceOrigin->data();
     encoder.encodeEnum(mode);
+    encoder.encodeEnum(destination);
     encoder << cspResponseHeaders;
 
 #if ENABLE(CONTENT_EXTENSIONS)
@@ -179,6 +180,8 @@ bool NetworkResourceLoadParameters::decode(IPC::Decoder& decoder, NetworkResourc
     }
     if (!decoder.decodeEnum(result.mode))
         return false;
+    if (!decoder.decodeEnum(result.destination))
+        return false;
     if (!decoder.decode(result.cspResponseHeaders))
         return false;
 
index 2230219..964fd05 100644 (file)
@@ -57,6 +57,7 @@ public:
     Vector<String> derivedCachedDataTypesToRetrieve;
     RefPtr<WebCore::SecurityOrigin> sourceOrigin;
     WebCore::FetchOptions::Mode mode;
+    WebCore::FetchOptions::Destination destination;
     std::optional<WebCore::ContentSecurityPolicyResponseHeaders> cspResponseHeaders;
     bool shouldRestrictHTTPResponseAccess { false };
 
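Review bot: destination is declared without an initializer, unlike shouldRestrictHTTPResponseAccess { false } two lines below, and encode() now serializes it unconditionally with encodeEnum(destination). Any code path that builds these parameters without assigning the member sends an indeterminate value to the NetworkProcess, where it then selects the sanitization level. Give it a default, for example { WebCore::FetchOptions::Destination::EmptyString }, which is the value this patch already uses for the sync-load and preconnect paths.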
index d3ca9cb..78b066f 100644 (file)
@@ -335,10 +335,12 @@ auto NetworkResourceLoader::didReceiveResponse(ResourceResponse&& receivedRespon
 
     bool shouldWaitContinueDidReceiveResponse = isMainResource();
     if (shouldSendDidReceiveResponse) {
+        // FIXME: Sanitize response.
+        auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe);
         if (isSynchronous())
-            m_synchronousLoadData->response = m_response;
+            m_synchronousLoadData->response = WTFMove(response);
         else
-            send(Messages::WebResourceLoader::DidReceiveResponse(m_response, shouldWaitContinueDidReceiveResponse));
+            send(Messages::WebResourceLoader::DidReceiveResponse { response, shouldWaitContinueDidReceiveResponse });
     }
 
     // For main resources, the web process is responsible for sending back a NetworkResourceLoader::ContinueDidReceiveResponse message.
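Review bot: The added "// FIXME: Sanitize response." sits directly above the new sanitizeResponseIfPossible(...) call, so it reads as stale; remove it or state what is still missing. ResourceResponse { m_response } also copies the full response on every call, including when shouldRestrictHTTPResponseAccess is false and sanitizeResponseIfPossible hands its argument back unchanged. Consider copying only when sanitization will actually run.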
@@ -459,13 +461,21 @@ void NetworkResourceLoader::willSendRedirectedRequest(ResourceRequest&& request,
     if (canUseCachedRedirect(request))
         m_cache->storeRedirect(request, redirectResponse, redirectRequest);
 
-    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeRedirectResponseIfPossible(WTFMove(redirectResponse))));
+    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection)));
 }
 
-ResourceResponse NetworkResourceLoader::sanitizeRedirectResponseIfPossible(ResourceResponse&& response)
+ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type)
 {
-    if (m_parameters.shouldRestrictHTTPResponseAccess)
-        response.sanitizeRedirectionHTTPHeaderFields();
+    if (m_parameters.shouldRestrictHTTPResponseAccess) {
+        if (type == ResourceResponse::SanitizationType::CrossOriginSafe) {
+            // We reduce filtering when it would otherwise be visible to scripts.
+            // FIXME: We should use response tainting once computed in Network Process.
+            bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url());
+            if (isSameOrigin && m_parameters.destination == FetchOptions::Destination::EmptyString)
+                type = ResourceResponse::SanitizationType::RemoveCookies;
+        }
+        response.sanitizeHTTPHeaderFields(type);
+    }
     return WTFMove(response);
 }
 
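Review bot: When m_parameters.sourceOrigin is null, isSameOrigin falls back to protocolHostAndPortAreEqual(response.url(), m_parameters.request.url()), which compares the response against the original request URL rather than against the requester's origin. A load with no source origin and an empty destination is therefore classified as same-origin whenever it is not redirected to another origin, and gets only RemoveCookies instead of CrossOriginSafe. Treat a missing sourceOrigin as cross-origin, or add a comment explaining which loads reach this fallback and why the weaker filtering is acceptable for them until the response tainting mentioned in the FIXME is available.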
@@ -568,15 +578,16 @@ void NetworkResourceLoader::tryStoreAsCacheEntry()
 
 void NetworkResourceLoader::didRetrieveCacheEntry(std::unique_ptr<NetworkCache::Entry> entry)
 {
+    auto response = sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::CrossOriginSafe);
     if (isSynchronous()) {
-        m_synchronousLoadData->response = entry->response();
+        m_synchronousLoadData->response = WTFMove(response);
         sendReplyToSynchronousRequest(*m_synchronousLoadData, entry->buffer());
         cleanup();
         return;
     }
 
     bool needsContinueDidReceiveResponseMessage = isMainResource();
-    send(Messages::WebResourceLoader::DidReceiveResponse(entry->response(), needsContinueDidReceiveResponseMessage));
+    send(Messages::WebResourceLoader::DidReceiveResponse { response, needsContinueDidReceiveResponseMessage });
 
     if (needsContinueDidReceiveResponseMessage)
         m_cacheEntryWaitingForContinueDidReceiveResponse = WTFMove(entry);
@@ -672,7 +683,7 @@ void NetworkResourceLoader::dispatchWillSendRequestForCacheEntry(std::unique_ptr
     LOG(NetworkCache, "(NetworkProcess) Executing cached redirect");
 
     ++m_redirectCount;
-    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeRedirectResponseIfPossible(ResourceResponse { entry->response() }) });
+    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::Redirection) });
     m_isWaitingContinueWillSendRequestForCachedRedirect = true;
 }
 
index e9f2b06..102039e 100644 (file)
@@ -32,6 +32,7 @@
 #include "NetworkLoadClient.h"
 #include "NetworkResourceLoadParameters.h"
 #include "ShareableResource.h"
+#include <WebCore/ResourceResponse.h>
 #include <WebCore/Timer.h>
 
 namespace WebCore {
@@ -146,7 +147,7 @@ private:
     void logCookieInformation() const;
 #endif
 
-    WebCore::ResourceResponse sanitizeRedirectResponseIfPossible(WebCore::ResourceResponse&&);
+    WebCore::ResourceResponse sanitizeResponseIfPossible(WebCore::ResourceResponse&&, WebCore::ResourceResponse::SanitizationType);
 
     const NetworkResourceLoadParameters m_parameters;
 
index 26fb6b7..d056319 100644 (file)
@@ -273,6 +273,7 @@ void WebLoaderStrategy::scheduleLoadFromNetworkProcess(ResourceLoader& resourceL
     loadParameters.needsCertificateInfo = resourceLoader.shouldIncludeCertificateInfo();
     loadParameters.maximumBufferingTime = maximumBufferingTime;
     loadParameters.derivedCachedDataTypesToRetrieve = resourceLoader.options().derivedCachedDataTypesToRetrieve;
+    loadParameters.destination = resourceLoader.options().destination;
 
     // FIXME: We should also sanitize redirect response for navigations.
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate;
@@ -432,6 +433,8 @@ void WebLoaderStrategy::loadResourceSynchronously(FrameLoader& frameLoader, unsi
     loadParameters.clientCredentialPolicy = clientCredentialPolicy;
     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(webFrame ? webFrame->coreFrame() : nullptr);
     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
+    // FIXME: Use the proper destination once all fetch options are passed.
+    loadParameters.destination = FetchOptions::Destination::EmptyString;
 
     data.shrink(0);
 
@@ -528,6 +531,8 @@ void WebLoaderStrategy::preconnectTo(FrameLoader& frameLoader, const WebCore::UR
     parameters.storedCredentialsPolicy = storedCredentialsPolicy;
     parameters.shouldPreconnectOnly = PreconnectOnly::Yes;
     parameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
+    // FIXME: Use the proper destination once all fetch options are passed.
+    parameters.destination = FetchOptions::Destination::EmptyString;
 
     WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::PreconnectTo(preconnectionIdentifier, WTFMove(parameters)), 0);
 }
index 9473eef..015d70e 100644 (file)
@@ -128,6 +128,7 @@ void WebSWContextManagerConnection::updatePreferencesStore(const WebPreferencesS
     RuntimeEnabledFeatures::sharedFeatures().setUserTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::userTimingEnabledKey()));
     RuntimeEnabledFeatures::sharedFeatures().setResourceTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::resourceTimingEnabledKey()));
     RuntimeEnabledFeatures::sharedFeatures().setFetchAPIKeepAliveEnabled(store.getBoolValueForKey(WebPreferencesKey::fetchAPIKeepAliveEnabledKey()));
+    RuntimeEnabledFeatures::sharedFeatures().setRestrictedHTTPResponseAccess(store.getBoolValueForKey(WebPreferencesKey::restrictedHTTPResponseAccessKey()));
 
     m_storageBlockingPolicy = static_cast<SecurityOrigin::StorageBlockingPolicy>(store.getUInt32ValueForKey(WebPreferencesKey::storageBlockingPolicyKey()));
 }