Title: [226084] trunk
Revision: 226084
Author: commit-qu...@webkit.org
Date: 2017-12-18 16:15:33 -0800 (Mon, 18 Dec 2017)

Log Message

SameOrigin and CORS fetch should fail on opaque responses served from ServiceWorker
https://bugs.webkit.org/show_bug.cgi?id=180941

Patch by Youenn Fablet <you...@apple.com> on 2017-12-18
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

* web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt:
* web-platform-tests/service-workers/service-worker/opaque-response-preloaded.https-expected.txt:

Source/WebCore:

Covered by rebased tests.

* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl):

Diff

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (226083 => 226084)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2017-12-19 00:15:33 UTC (rev 226084)
@@ -1,3 +1,13 @@
+2017-12-18  Youenn Fablet  <you...@apple.com>
+
+        SameOrigin and CORS fetch should fail on opaque responses served from ServiceWorker
+        https://bugs.webkit.org/show_bug.cgi?id=180941
+
+        Reviewed by Chris Dumez.
+
+        * web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt:
+        * web-platform-tests/service-workers/service-worker/opaque-response-preloaded.https-expected.txt:
+
 2017-12-18  Chris Dumez  <cdu...@apple.com>
 
         ExtendableMessageEvent.data should return the value it was initialized to
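
Review bot: the new entry's file list omits web-platform-tests/service-workers/service-worker/fetch-frame-resource.https-expected.txt, which this revision also rebaselines. Add it as a third `*` line so the ChangeLog matches the set of modified files.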

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-frame-resource.https-expected.txt (226083 => 226084)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-frame-resource.https-expected.txt	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-frame-resource.https-expected.txt	2017-12-19 00:15:33 UTC (rev 226084)
@@ -1,6 +1,4 @@
-CONSOLE MESSAGE: line 51: Blocked a frame with origin "https://localhost:9443" from accessing a frame with origin "null".  The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "https". Protocols must match.
 
-
 PASS Basic type response could be loaded in the iframe. 
 PASS CORS type response could be loaded in the iframe. 
 PASS Opaque type response could not be loaded in the iframe. 
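
Review bot: the CONSOLE MESSAGE removed from line 1 changes how "Opaque type response could not be loaded in the iframe" is reached, and neither ChangeLog entry explains it. The PASS line is identical before and after, so the expectation alone cannot distinguish a load that was rejected up front from one that completed into a frame with origin "null". If the frame load is now failed by the new opaque-tainting check (an inference from this diff, since that check applies to every mode other than NoCors), state that in the ChangeLog.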

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt (226083 => 226084)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt	2017-12-19 00:15:33 UTC (rev 226084)
@@ -76,15 +76,15 @@
 PASS url:"https://127.0.0.1:9443/?url="" mode:"cors" credentials:"omit" should fail. 
 PASS url:"https://127.0.0.1:9443/?url="" mode:"cors" credentials:"same-origin" should fail. 
 PASS url:"https://127.0.0.1:9443/?url="" mode:"cors" credentials:"include" should fail. 
-FAIL url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"omit" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
-FAIL url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"same-origin" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
-FAIL url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"include" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
+PASS url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"omit" should fail. 
+PASS url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"same-origin" should fail. 
+PASS url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"include" should fail. 
 PASS fetching url:"https://localhost:9443/?url="" mode:"no-cors" credentials:"omit" should succeed. 
 PASS fetching url:"https://localhost:9443/?url="" mode:"no-cors" credentials:"same-origin" should succeed. 
 PASS fetching url:"https://localhost:9443/?url="" mode:"no-cors" credentials:"include" should succeed. 
-FAIL url:"https://localhost:9443/?url="" mode:"cors" credentials:"omit" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
-FAIL url:"https://localhost:9443/?url="" mode:"cors" credentials:"same-origin" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
-FAIL url:"https://localhost:9443/?url="" mode:"cors" credentials:"include" should fail. assert_unreached: Should have rejected: undefined Reached unreachable code
+PASS url:"https://localhost:9443/?url="" mode:"cors" credentials:"omit" should fail. 
+PASS url:"https://localhost:9443/?url="" mode:"cors" credentials:"same-origin" should fail. 
+PASS url:"https://localhost:9443/?url="" mode:"cors" credentials:"include" should fail. 
 PASS url:"https://127.0.0.1:9443/?url="" mode:"same-origin" credentials:"omit" should fail. 
 PASS url:"https://127.0.0.1:9443/?url="" mode:"same-origin" credentials:"same-origin" should fail. 
 PASS url:"https://127.0.0.1:9443/?url="" mode:"same-origin" credentials:"include" should fail. 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/opaque-response-preloaded.https-expected.txt (226083 => 226084)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/opaque-response-preloaded.https-expected.txt	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/opaque-response-preloaded.https-expected.txt	2017-12-19 00:15:33 UTC (rev 226084)
@@ -1,4 +1,6 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load https://127.0.0.1:9443/service-workers/service-worker/resources/simple.txt. Response served by service worker is opaque
+CONSOLE MESSAGE: XMLHttpRequest cannot load https://127.0.0.1:9443/service-workers/service-worker/resources/simple.txt. Response served by service worker is opaque
 
-FAIL Opaque responses should not be reused for XHRs, loading case assert_equals: expected "PASS" but got "FAIL: a simple text file\n"
-FAIL Opaque responses should not be reused for XHRs, done case assert_equals: expected "PASS" but got "FAIL: a simple text file\n"
+PASS Opaque responses should not be reused for XHRs, loading case 
+PASS Opaque responses should not be reused for XHRs, done case 
 

Modified: trunk/Source/WebCore/ChangeLog (226083 => 226084)


--- trunk/Source/WebCore/ChangeLog	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/Source/WebCore/ChangeLog	2017-12-19 00:15:33 UTC (rev 226084)
@@ -1,3 +1,15 @@
+2017-12-18  Youenn Fablet  <you...@apple.com>
+
+        SameOrigin and CORS fetch should fail on opaque responses served from ServiceWorker
+        https://bugs.webkit.org/show_bug.cgi?id=180941
+
+        Reviewed by Chris Dumez.
+
+        Covered by rebased tests.
+
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl):
+
 2017-12-18  Dean Jackson  <d...@apple.com>
 
         Make some functions in GraphicsContextCG use call_once for statics
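
Review bot: the file list names loader/SubresourceLoader.cpp and checkResponseCrossOriginAccessControl, but no SubresourceLoader.cpp change appears in this revision; the only WebCore source change shown is the WEBCORE_EXPORT added in platform/network/ResourceErrorBase.h. Replace the stale line with the header that was actually changed, and describe the ServiceWorkerClientFetch change in a Source/WebKit ChangeLog entry, which this diff does not include.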

Modified: trunk/Source/WebCore/platform/network/ResourceErrorBase.h (226083 => 226084)


--- trunk/Source/WebCore/platform/network/ResourceErrorBase.h	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/Source/WebCore/platform/network/ResourceErrorBase.h	2017-12-19 00:15:33 UTC (rev 226084)
@@ -33,7 +33,7 @@
 
 class ResourceError;
 
-extern const char* const errorDomainWebKitInternal; // Used for errors that won't be exposed to clients.
+WEBCORE_EXPORT extern const char* const errorDomainWebKitInternal; // Used for errors that won't be exposed to clients.
 
 class ResourceErrorBase {
 public:

Modified: trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp (226083 => 226084)


--- trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp	2017-12-19 00:15:33 UTC (rev 226084)
@@ -65,6 +65,26 @@
     m_connection->startFetch(m_loader, m_loader->identifier());
 }
 
+// https://fetch.spec.whatwg.org/#http-fetch step 3.3
+std::optional<ResourceError> ServiceWorkerClientFetch::validateResponse(const ResourceResponse& response)
+{
+    // FIXME: make a better error reporting.
+    if (response.type() == ResourceResponse::Type::Error)
+        return ResourceError { ResourceError::Type::General };
+
+    auto& options = m_loader->options();
+    if (options.mode != FetchOptions::Mode::NoCors && response.tainting() == ResourceResponse::Tainting::Opaque)
+        return ResourceError { errorDomainWebKitInternal, 0, response.url(), ASCIILiteral("Response served by service worker is opaque"), ResourceError::Type::AccessControl };
+
+    if (options.redirect != FetchOptions::Redirect::Manual && response.tainting() == ResourceResponse::Tainting::Opaqueredirect)
+        return ResourceError { errorDomainWebKitInternal, 0, response.url(), ASCIILiteral("Response served by service worker is opaque redirect"), ResourceError::Type::AccessControl };
+
+    if (options.redirect != FetchOptions::Redirect::Follow && response.isRedirected())
+        return ResourceError { errorDomainWebKitInternal, 0, response.url(), ASCIILiteral("Response served by service worker has redirections"), ResourceError::Type::AccessControl };
+
+    return std::nullopt;
+}
+
 void ServiceWorkerClientFetch::didReceiveResponse(ResourceResponse&& response)
 {
     auto protectedThis = makeRef(*this);
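
Review bot: validateResponse rejects Opaque tainting for every mode other than NoCors, but it has no branch for a Cors-tainted response handed to a SameOrigin request. If that combination is rejected elsewhere, a comment here should say where; otherwise it needs a check next to the Opaque one. Separately, the three AccessControl errors carry response.url(), and the rebased opaque-response-preloaded expectations show that URL reaching the console, so confirm that for an opaque response it is the URL the page requested and not one chosen by the service worker. The Type::Error branch still returns an error with no URL or description; the FIXME should reference a bug so it is tracked.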
@@ -86,9 +106,8 @@
         return;
     }
 
-    if (response.type() == ResourceResponse::Type::Error) {
-        // Add support for a better error.
-        m_loader->didFail({ ResourceError::Type::General });
+    if (auto error = validateResponse(response)) {
+        m_loader->didFail(error.value());
         if (auto callback = WTFMove(m_callback))
             callback(Result::Succeeded);
         return;
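
Review bot: on the validation-failure path the callback is still invoked with Result::Succeeded immediately after m_loader->didFail(...), which reads as contradictory. This matches the code being replaced, but the path now also covers access-control rejections, so add a one-line comment stating what Succeeded signifies to the caller here.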
@@ -101,6 +120,7 @@
             response.setMimeType(ASCIILiteral("text/html"));
     }
     response.setSource(ResourceResponse::Source::ServiceWorker);
+
     m_loader->didReceiveResponse(response);
     if (auto callback = WTFMove(m_callback))
         callback(Result::Succeeded);

Modified: trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.h (226083 => 226084)


--- trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.h	2017-12-19 00:14:24 UTC (rev 226083)
+++ trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.h	2017-12-19 00:15:33 UTC (rev 226084)
@@ -57,6 +57,8 @@
 private:
     ServiceWorkerClientFetch(WebServiceWorkerProvider&, Ref<WebCore::ResourceLoader>&&, uint64_t identifier, Ref<WebSWClientConnection>&&, bool shouldClearReferrerOnHTTPSToHTTPRedirect, Callback&&);
 
+    std::optional<WebCore::ResourceError> validateResponse(const WebCore::ResourceResponse&);
+
     void didReceiveResponse(WebCore::ResourceResponse&&);
     void didReceiveData(const IPC::DataReference&, int64_t encodedDataLength);
     void didReceiveFormData(const IPC::FormDataReference&);
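
Review bot: validateResponse is declared non-const, yet in the .cpp hunk it only reads the loader's options and the response passed in. Consider declaring it const so the header makes clear that validation has no side effects on the fetch object.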