Diff
Modified: trunk/LayoutTests/ChangeLog (206254 => 206255)
--- trunk/LayoutTests/ChangeLog 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/LayoutTests/ChangeLog 2016-09-22 08:57:12 UTC (rev 206255)
@@ -1,3 +1,16 @@
+2016-09-22 Youenn Fablet <you...@apple.com>
+
+ CachedResourceRequest should store a SecurityOrigin
+ https://bugs.webkit.org/show_bug.cgi?id=162258
+
+ Reviewed by Sam Weinig.
+
+ Updated test to expect load even though CORS checks should fail as the document origin has universal access.
+
+ * http/tests/local/script-crossorigin-loads-fail-origin-expected.txt: Removed.
+ * http/tests/local/script-crossorigin-loads-file-scheme-expected.txt: Added.
+ * http/tests/local/script-crossorigin-loads-file-scheme.html: Renamed from LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html.
+
2016-09-19 Sergio Villar Senin <svil...@igalia.com>
[css-grid] Remove the x2 computation of row sizes with indefinite heights
Deleted: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt (206254 => 206255)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin-expected.txt 2016-09-22 08:57:12 UTC (rev 206255)
@@ -1,5 +0,0 @@
-CONSOLE MESSAGE: Origin is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
-This test fails if the script loads correctly.
-
-PASS
Deleted: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html (206254 => 206255)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html 2016-09-22 08:57:12 UTC (rev 206255)
@@ -1,23 +0,0 @@
-<body>
-<p>This test fails if the script loads correctly.</p>
-<pre></pre>
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
-
-function done(msg) {
- document.querySelector("pre").innerHTML = msg;
- if (window.testRunner)
- testRunner.notifyDone();
-}
-
-var script = document.createElement("script");
-script.crossOrigin = "use-credentials";
-// We are serving the test from the filesystem, so it should fail as authorized origin is 127.0.0.1:8000.
-script.src = ""
-script._onload_ = function() { done("FAIL"); }
-script._onerror_ = function() { done("PASS");}
-document.body.appendChild(script);
-</script>
Added: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme-expected.txt (0 => 206255)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme-expected.txt 2016-09-22 08:57:12 UTC (rev 206255)
@@ -0,0 +1,4 @@
+ALERT: script ran.
+This test passes if the script loads correctly.
+
+PASS
Copied: trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme.html (from rev 206254, trunk/LayoutTests/http/tests/local/script-crossorigin-loads-fail-origin.html) (0 => 206255)
--- trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme.html (rev 0)
+++ trunk/LayoutTests/http/tests/local/script-crossorigin-loads-file-scheme.html 2016-09-22 08:57:12 UTC (rev 206255)
@@ -0,0 +1,24 @@
+<body>
+<p>This test passes if the script loads correctly.</p>
+<pre></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function done(msg) {
+ document.querySelector("pre").innerHTML = msg;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script.crossOrigin = "use-credentials";
+// We are serving the test from the filesystem and file URLs are granted universal access.
+// This bypasses CORS checks and will allow access to 127.0.0.1:8000.
+script.src = ""
+script._onload_ = function() { done("PASS"); }
+script._onerror_ = function() { done("FAIL");}
+document.body.appendChild(script);
+</script>
Modified: trunk/Source/WebCore/ChangeLog (206254 => 206255)
--- trunk/Source/WebCore/ChangeLog 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/ChangeLog 2016-09-22 08:57:12 UTC (rev 206255)
@@ -1,5 +1,38 @@
2016-09-22 Youenn Fablet <you...@apple.com>
+ CachedResourceRequest should store a SecurityOrigin
+ https://bugs.webkit.org/show_bug.cgi?id=162258
+
+ Reviewed by Sam Weinig.
+
+ Test: http/tests/local/script-crossorigin-loads-file-scheme.html
+
+ Passing SecurityOrigin from loader clients to CachedResource through CachedResourceRequest.
+ This ensures that specific origin properties like universal access are well preserved.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::loadRequest): Set origin to the request.
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::CachedResource): Setting origin from the request.
+ Computing CORS state based on that origin.
+ (WebCore::CachedResource::load): Removing origin computation.
+ (WebCore::CachedResource::loadFrom): Ditto.
+ (WebCore::CachedResource::computeOrigin): Deleted.
+ * loader/cache/CachedResource.h:
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::updateCachedResourceWithCurrentRequest):
+ (WebCore::CachedResourceLoader::prepareFetch): Introduced to implement step 1 to 7 of https://fetch.spec.whatwg.org/#fetching.
+ (WebCore::CachedResourceLoader::requestResource):
+ * loader/cache/CachedResourceLoader.h:
+ * loader/cache/CachedResourceRequest.cpp:
+ (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin): Storing origin.
+ * loader/cache/CachedResourceRequest.h:
+ (WebCore::CachedResourceRequest::setOrigin):
+ (WebCore::CachedResourceRequest::releaseOrigin):
+ (WebCore::CachedResourceRequest::origin):
+
+2016-09-22 Youenn Fablet <you...@apple.com>
+
Refactor ContentSecurityPolicy::allow* methods
https://bugs.webkit.org/show_bug.cgi?id=162335
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206254 => 206255)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-22 08:57:12 UTC (rev 206255)
@@ -370,6 +370,7 @@
if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
newRequest.setInitiator(m_options.initiator);
newRequest.mutableResourceRequest().setAllowCookies(m_options.allowCredentials == AllowStoredCredentials);
+ newRequest.setOrigin(&securityOrigin());
ASSERT(!m_resource);
// We create an URL here as the request will be moved in requestRawResource
Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (206254 => 206255)
--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-09-22 08:57:12 UTC (rev 206255)
@@ -121,6 +121,7 @@
, m_sessionID(sessionID)
, m_loadPriority(defaultPriorityForResourceType(type))
, m_responseTimestamp(std::chrono::system_clock::now())
+ , m_origin(request.releaseOrigin())
, m_lastDecodedAccessTime(0)
, m_loadFinishTime(0)
, m_encodedSize(0)
@@ -148,7 +149,14 @@
#ifndef NDEBUG
cachedResourceLeakCounter.increment();
#endif
+ // FIXME: We should have a better way of checking for Navigation loads, maybe FetchMode::Options::Navigate.
+ ASSERT(m_origin || m_type == CachedResource::MainResource);
+ if (m_options.mode != FetchOptions::Mode::SameOrigin && m_origin
+ && !(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set)
+ && !m_origin->canRequest(m_resourceRequest.url()))
+ setCrossOrigin();
+
if (!m_resourceRequest.url().hasFragmentIdentifier())
return;
URL urlForCache = MemoryCache::removeFragmentIdentifierIfNeeded(m_resourceRequest.url());
@@ -244,24 +252,6 @@
addAdditionalRequestHeadersToRequest(m_resourceRequest, loader, *this);
}
-void CachedResource::computeOrigin(CachedResourceLoader& loader)
-{
- if (type() == MainResource)
- return;
-
- ASSERT(loader.document());
- if (m_resourceRequest.hasHTTPOrigin())
- m_origin = SecurityOrigin::createFromString(m_resourceRequest.httpOrigin());
- else
- m_origin = loader.document()->securityOrigin();
- ASSERT(m_origin);
-
- if (!(m_resourceRequest.url().protocolIsData() && m_options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set) && !m_origin->canRequest(m_resourceRequest.url()))
- setCrossOrigin();
-
- addAdditionalRequestHeaders(loader);
-}
-
void CachedResource::load(CachedResourceLoader& cachedResourceLoader)
{
if (!cachedResourceLoader.frame()) {
@@ -330,7 +320,7 @@
#endif
m_resourceRequest.setPriority(loadPriority());
- computeOrigin(cachedResourceLoader);
+ addAdditionalRequestHeaders(cachedResourceLoader);
// FIXME: It's unfortunate that the cache layer and below get to know anything about fragment identifiers.
// We should look into removing the expectation of that knowledge from the platform network stacks.
@@ -352,14 +342,12 @@
m_status = Pending;
}
-void CachedResource::loadFrom(const CachedResource& resource, CachedResourceLoader& cachedResourceLoader)
+void CachedResource::loadFrom(const CachedResource& resource)
{
ASSERT(url() == resource.url());
ASSERT(type() == resource.type());
ASSERT(resource.status() == Status::Cached);
- computeOrigin(cachedResourceLoader);
-
if (isCrossOrigin() && m_options.mode == FetchOptions::Mode::Cors) {
ASSERT(m_origin);
String errorMessage;
Modified: trunk/Source/WebCore/loader/cache/CachedResource.h (206254 => 206255)
--- trunk/Source/WebCore/loader/cache/CachedResource.h 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/cache/CachedResource.h 2016-09-22 08:57:12 UTC (rev 206255)
@@ -211,7 +211,7 @@
bool isClean() const;
ResourceResponse::Tainting responseTainting() const { return m_responseTainting; }
- void loadFrom(const CachedResource&, CachedResourceLoader&);
+ void loadFrom(const CachedResource&);
SecurityOrigin* origin() const { return m_origin.get(); }
@@ -309,7 +309,6 @@
std::chrono::microseconds freshnessLifetime(const ResourceResponse&) const;
void addAdditionalRequestHeaders(CachedResourceLoader&);
- void computeOrigin(CachedResourceLoader&);
void failBeforeStarting();
HashMap<CachedResourceClient*, std::unique_ptr<Callback>> m_clientsAwaitingCallback;
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (206254 => 206255)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-22 08:57:12 UTC (rev 206255)
@@ -556,7 +556,7 @@
}
auto resourceHandle = createResource(resource.type(), WTFMove(request), sessionID());
- resourceHandle->loadFrom(resource, *this);
+ resourceHandle->loadFrom(resource);
return resourceHandle;
}
@@ -595,6 +595,9 @@
{
// Implementing step 1 to 7 of https://fetch.spec.whatwg.org/#fetching
+ if (!request.origin() && document())
+ request.setOrigin(document()->securityOrigin());
+
if (!request.resourceRequest().hasHTTPHeader(HTTPHeaderName::Accept))
request.mutableResourceRequest().setHTTPHeaderField(HTTPHeaderName::Accept, acceptHeaderValueFromType(type));
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (206254 => 206255)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2016-09-22 08:57:12 UTC (rev 206255)
@@ -79,6 +79,10 @@
void CachedResourceRequest::setAsPotentiallyCrossOrigin(const String& mode, Document& document)
{
ASSERT(m_options.mode == FetchOptions::Mode::NoCors);
+ ASSERT(document.securityOrigin());
+
+ m_origin = document.securityOrigin();
+
if (mode.isNull())
return;
m_options.mode = FetchOptions::Mode::Cors;
@@ -85,7 +89,6 @@
m_options.credentials = equalLettersIgnoringASCIICase(mode, "use-credentials") ? FetchOptions::Credentials::Include : FetchOptions::Credentials::SameOrigin;
m_options.allowCredentials = equalLettersIgnoringASCIICase(mode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- ASSERT(document.securityOrigin());
updateRequestForAccessControl(m_resourceRequest, *document.securityOrigin(), m_options.allowCredentials);
}
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.h (206254 => 206255)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-22 08:28:37 UTC (rev 206254)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.h 2016-09-22 08:57:12 UTC (rev 206255)
@@ -31,6 +31,7 @@
#include "ResourceLoadPriority.h"
#include "ResourceLoaderOptions.h"
#include "ResourceRequest.h"
+#include "SecurityOrigin.h"
#include <wtf/RefPtr.h>
#include <wtf/text/AtomicString.h>
@@ -62,6 +63,9 @@
void setCachingPolicy(CachingPolicy policy) { m_options.cachingPolicy = policy; }
void setAsPotentiallyCrossOrigin(const String&, Document&);
+ void setOrigin(RefPtr<SecurityOrigin>&& origin) { ASSERT(!m_origin); m_origin = WTFMove(origin); }
+ RefPtr<SecurityOrigin> releaseOrigin() { return WTFMove(m_origin); }
+ SecurityOrigin* origin() const { return m_origin.get(); }
private:
ResourceRequest m_resourceRequest;
@@ -72,6 +76,7 @@
DeferOption m_defer;
RefPtr<Element> m_initiatorElement;
AtomicString m_initiatorName;
+ RefPtr<SecurityOrigin> m_origin;
};
} // namespace WebCore