CORS-disabling SPI introduced in r253978 should make responses non-opaque
authorachristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Mar 2020 23:24:33 +0000 (23:24 +0000)
committerachristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Mar 2020 23:24:33 +0000 (23:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=209351
<rdar://problem/60024850>

Reviewed by Chris Dumez.

Source/WebCore:

Covered by making the API test actually check that response content is readable.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::responseReceived):

Tools:

* TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@258798 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentThreadableLoader.cpp
Source/WebCore/loader/DocumentThreadableLoader.h
Tools/ChangeLog
Tools/TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm

index 4a14164..552cef8 100644 (file)
@@ -1,3 +1,16 @@
+2020-03-20  Alex Christensen  <achristensen@webkit.org>
+
+        CORS-disabling SPI introduced in r253978 should make responses non-opaque
+        https://bugs.webkit.org/show_bug.cgi?id=209351
+        <rdar://problem/60024850>
+
+        Reviewed by Chris Dumez.
+
+        Covered by making the API test actually check that response content is readable.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::responseReceived):
+
 2020-03-20  Jer Noble  <jer.noble@apple.com>
 
         Ensure media cache directory is created before passing to AVURLAsset.
index 46a2e75..2177f4b 100644 (file)
@@ -161,6 +161,7 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl
     if (shouldDisableCORS) {
         m_options.mode = FetchOptions::Mode::NoCors;
         m_options.filteringPolicy = ResponseFilteringPolicy::Disable;
+        m_responsesCanBeOpaque = false;
     }
 
     m_options.cspResponseHeaders = m_options.contentSecurityPolicyEnforcement != ContentSecurityPolicyEnforcement::DoNotEnforce ? this->contentSecurityPolicy().responseHeaders() : ContentSecurityPolicyResponseHeaders { };
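Review bot: The `shouldDisableCORS` branch now switches off three protections at once (`Mode::NoCors`, `ResponseFilteringPolicy::Disable`, and opaque tainting), and nothing at this site says who is allowed to turn that on. The derivation of `shouldDisableCORS` is outside the hunk. If it comes only from the embedder-facing SPI named in the commit title, a comment above the branch would make that trust boundary explicit for later maintainers, for example `// Embedder-only SPI: page script may read cross-origin response bodies for loads made through this loader.`. The constructor body starts and ends outside the hunk.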
@@ -371,7 +372,12 @@ void DocumentThreadableLoader::dataSent(CachedResource& resource, unsigned long
 void DocumentThreadableLoader::responseReceived(CachedResource& resource, const ResourceResponse& response, CompletionHandler<void()>&& completionHandler)
 {
     ASSERT_UNUSED(resource, &resource == m_resource);
-    didReceiveResponse(m_resource->identifier(), response);
+    if (!m_responsesCanBeOpaque) {
+        ResourceResponse responseWithoutTainting = response;
+        responseWithoutTainting.setTainting(ResourceResponse::Tainting::Basic);
+        didReceiveResponse(m_resource->identifier(), responseWithoutTainting);
+    } else
+        didReceiveResponse(m_resource->identifier(), response);
 
     if (completionHandler)
         completionHandler();
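Review bot: The tainting override is applied only inside `responseReceived`, so any other caller of `didReceiveResponse` outside this hunk (a synchronous-load path, if the file has one) would presumably still hand the client an opaque response when CORS is disabled. Doing the `!m_responsesCanBeOpaque` check inside `didReceiveResponse` itself, or in one small helper that every caller uses, would keep the two paths from diverging. The test in this commit exercises only an asynchronous `fetch`, so it would not catch that. As a smaller style point, the two branches could share a single `didReceiveResponse` call by choosing the response first, which also removes the brace-less `else` after a braced `if`.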
index 22ea4df..8772c13 100644 (file)
@@ -123,6 +123,7 @@ namespace WebCore {
         ThreadableLoaderClient* m_client;
         Document& m_document;
         ThreadableLoaderOptions m_options;
+        bool m_responsesCanBeOpaque { true };
         RefPtr<SecurityOrigin> m_origin;
         String m_referrer;
         bool m_sameOriginRequest;
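Review bot: `m_responsesCanBeOpaque` is a security-relevant switch declared without a comment, and its name alone does not tell a reader that `false` means cross-origin bodies become script-readable. I would document it at the declaration, for example `// Cleared only when CORS is disabled via SPI; responseReceived() then reports Tainting::Basic instead of the network tainting.`. The class definition starts and ends outside the hunk.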
index c4f8eda..711dc2d 100644 (file)
@@ -1,3 +1,13 @@
+2020-03-20  Alex Christensen  <achristensen@webkit.org>
+
+        CORS-disabling SPI introduced in r253978 should make responses non-opaque
+        https://bugs.webkit.org/show_bug.cgi?id=209351
+        <rdar://problem/60024850>
+
+        Reviewed by Chris Dumez.
+
+        * TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm:
+
 2020-03-20  Aakash Jain  <aakash_jain@apple.com>
 
         commit-queue should skip building and testing if patch already passed tests on mac-wk2 queue
index 2f8e6d3..da9217e 100644 (file)
@@ -836,7 +836,7 @@ TEST(URLSchemeHandler, CORS)
 TEST(URLSchemeHandler, DisableCORS)
 {
     TestWebKitAPI::HTTPServer server({
-        { "/subresource", { "subresourcecontent" } }
+        { "/subresource", { {{ "Content-Type", "application/json" }}, "{\"testkey\":\"testvalue\"}" } }
     });
 
     bool corssuccess = false;
@@ -850,7 +850,18 @@ TEST(URLSchemeHandler, DisableCORS)
 
     [handler setStartURLSchemeTaskHandler:[&](WKWebView *, id<WKURLSchemeTask> task) {
         if ([task.request.URL.path isEqualToString:@"/main.html"]) {
-            NSData *data = [[NSString stringWithFormat:@"<script>fetch('http://127.0.0.1:%d/subresource').then(function(){fetch('/corssuccess')}).catch(function(){fetch('/corsfailure')})</script>", server.port()] dataUsingEncoding:NSUTF8StringEncoding];
+            NSData *data = [[NSString stringWithFormat:
+                @"<script>"
+                    "fetch('http://127.0.0.1:%d/subresource').then(function(r){"
+                        "r.json().then(function(object) {"
+                            "if (object.testkey == 'testvalue') {"
+                                "fetch('/corssuccess')"
+                            "} else {"
+                                "fetch('/corsfailure')"
+                            "}"
+                        "}).catch(function(){fetch('/corsfailure')})"
+                    "}).catch(function(){fetch('/corsfailure')})"
+                "</script>", server.port()] dataUsingEncoding:NSUTF8StringEncoding];
             [task didReceiveResponse:[[[NSURLResponse alloc] initWithURL:task.request.URL MIMEType:@"text/html" expectedContentLength:data.length textEncodingName:nil] autorelease]];
             [task didReceiveData:data];
             [task didFinish];
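Review bot: The updated script proves the positive case only: with CORS disabled, `r.json()` yields the served body. It would be worth pairing it with an assertion that the same cross-origin JSON stays unreadable in a web view that does not use the SPI, so a later change that clears tainting too broadly fails a test. Whether the preceding `TEST(URLSchemeHandler, CORS)` already checks body readability is not visible from these hunks. As a style point, returning the inner promise (`return r.json()`) would let one trailing `.catch` replace the two identical handlers. The test body continues outside the hunk.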