Title: [228486] trunk
Revision
228486
Author
dba...@webkit.org
Date
2018-02-14 14:27:52 -0800 (Wed, 14 Feb 2018)

Log Message

Disallow cross-origin subresources from asking for credentials
https://bugs.webkit.org/show_bug.cgi?id=182579
<rdar://problem/36162271>

Reviewed by Andy Estes.

Source/WebCore:

Prompts for credentials to load cross-origin subresources are typically seen as unexpected
by a person that navigates to or interacts with a web page. The cross-origin and implicit
loading nature of these subresources makes asking for credentials questionable because they
are not being served by the same origin of the page a person explicitly loaded and are not
guaranteed to correspond to an explicit user interaction other than the initial load of the
page. We know that subresources that ask for credentials can be abused as part of a phishing
attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
due to their questionable nature and the risk for abuse. This will also make the behavior
of WebKit match the behavior of Chrome.

Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/basic-auth-subresource.html
       http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
       http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
       http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html

* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
(WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
the authentication challenge was blocked because the request is cross origin.
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
request from prompting for credentials.
(WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
* loader/ResourceLoader.h:
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that we block cross-origin
subresources from prompting for credentials, if applicable.
(WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
(WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
* loader/SubresourceLoader.h:
* page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
do not allow cross origin subresources to ask for credentials).

Source/WebKit:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredentials.

* Shared/WebPreferences.yaml:
* UIProcess/API/C/WKPreferences.cpp:
(WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
(WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
* UIProcess/API/C/WKPreferencesRefPrivate.h:

Source/WebKitLegacy/mac:

Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredentials.

* WebView/WebPreferenceKeysPrivate.h:
* WebView/WebPreferences.mm:
(+[WebPreferences initialize]):
(-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
(-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
* WebView/WebPreferencesPrivate.h:
* WebView/WebView.mm:
(-[WebView _preferencesChanged:]):

Tools:

Add test option allowCrossOriginSubresourcesToAskForCredentials (defaults to false)
so that tests can toggle between the old behavior and new behavior.

* DumpRenderTree/TestOptions.h:
* DumpRenderTree/TestOptions.mm:
(TestOptions::TestOptions):
* DumpRenderTree/mac/DumpRenderTree.mm:
(setWebPreferencesForTestOptions):
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetPreferencesToConsistentValues):
(WTR::updateTestOptionsFromTestHeader):
* WebKitTestRunner/TestOptions.h:
(WTR::TestOptions::hasSameInitializationOptions const):

LayoutTests:

Copied existing tests that depended on cross-origin subresources being able to prompt for credentials
to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt into the behavior
before this change. Updated existing tests to reflect the new behavior and added new tests to
ensure that we do not regress the new behavior.

* http/tests/media/video-auth-expected.txt:
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
* http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
* http/tests/media/video-auth.html:
* http/tests/security/basic-auth-subresource-expected.txt: Added.
* http/tests/security/basic-auth-subresource.html: Added.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
* http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/credentials-iframes-expected.txt:
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
* http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
* http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
* http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
* http/tests/security/resources/basic-auth-subresource.html: Added.
* http/tests/security/resources/subresource1/protected-image.php: Added.
* http/tests/security/resources/subresource2/protected-image.php: Added.
* platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
* platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
* platform/wk2/http/tests/media/video-auth-expected.txt:
* platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
* platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
* platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
* platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.

Removed Paths

  • trunk/LayoutTests/platform/mac-wk1/http/

Diff

Modified: trunk/LayoutTests/ChangeLog (228485 => 228486)


--- trunk/LayoutTests/ChangeLog	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/ChangeLog	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,55 @@
+2018-02-14  Daniel Bates  <daba...@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Copied existing tests that depended on cross-origin subresources being able prompt for credentials
+        to files with suffix allowCrossOriginSubresourcesToAskForCredentials. These copies were modified
+        to set allowCrossOriginSubresourcesToAskForCredentials to false so as to opt-into the behavior
+        before this change. Updated existing tests to reflect the new behavior and added new tests to
+        ensure that we do not regress the new behavior.
+
+        * http/tests/media/video-auth-expected.txt:
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/media/video-auth-expected.txt.
+        * http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html: Copied from LayoutTests/http/tests/media/video-auth.html.
+        * http/tests/media/video-auth.html:
+        * http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * http/tests/security/basic-auth-subresource.html: Added.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt.
+        * http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/credentials-iframes-expected.txt:
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt.
+        * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt:
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html: Added.
+        * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Renamed from LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html.
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:
+        * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html:
+        * http/tests/security/resources/basic-auth-subresource.html: Added.
+        * http/tests/security/resources/subresource1/protected-image.php: Added.
+        * http/tests/security/resources/subresource2/protected-image.php: Added.
+        * platform/win/TestExpectations: Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests as
+        DumpRenderTree on Windows does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=173281>.
+        * platform/win/http/tests/security/basic-auth-subresource-expected.txt: Added Windows-specific result. For some reason
+        connections to localhost:8443 are not allowed. See <https://bugs.webkit.org/show_bug.cgi?id=182609> for more details.
+        * platform/wk2/http/tests/media/video-auth-expected.txt:
+        * platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt.
+        * platform/wk2/http/tests/security/basic-auth-subresource-expected.txt: Added.
+        * platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Copied from LayoutTests/http/tests/security/credentials-iframes-expected.txt.
+        * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt.
+
 2018-02-14  Matt Lewis  <jlew...@apple.com>
 
         Marked imported/w3c/web-platform-tests/service-workers/cache-storage/worker/cache-storage-match.https.html as flaky on macOS WK2.

Modified: trunk/LayoutTests/http/tests/media/video-auth-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/media/video-auth-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/media/video-auth-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,10 +1,7 @@
 http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
-http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
  
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST
 

Copied: trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/media/video-auth-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,10 @@
+http://127.0.0.1:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
+http://localhost:8000/media/resources/video-auth.php?name=test.mp4&type=video/mp4 - didReceiveAuthenticationChallenge - Responding with username:password
+ 
+Tests that the media player sends authorization credentials when requesting a media file.
+Testing same domain (127.0.0.1)
+EVENT(canplay)
+Testing cross domain (localhost)
+EVENT(canplay)
+END OF TEST
+

Copied: trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html (from rev 228484, trunk/LayoutTests/http/tests/media/video-auth.html) (0 => 228486)


--- trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,62 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+    <head>
+        <script src=""
+        <script src=""
+        <script>
+
+            if (window.testRunner) {
+                testRunner.setHandlesAuthenticationChallenges(true);
+                testRunner.setAuthenticationUsername("username");
+                testRunner.setAuthenticationPassword("password");
+            }
+
+            var tests;
+            var media = findMediaFile('video', 'test');
+            var type = mimeTypeForExtension(media.split('.').pop());
+
+            function startTests()
+            {
+                findMediaElement();
+                waitForEventAndFail('error');
+                waitForEvent('canplay', runNextTest);
+
+                tests = [
+                    testSameDomain,
+                    testCrossDomain,
+                ];
+
+                runNextTest();
+            }
+
+            function runNextTest()
+            {
+                var test = tests.shift();
+                if (test)
+                    test();
+                else
+                    endTest();
+            }
+
+            function testSameDomain()
+            {
+                consoleWrite('Testing same domain (127.0.0.1)');
+                video.src = '' + media + '&type=' + type;
+                video.load();
+            }
+
+            function testCrossDomain()
+            {
+                consoleWrite('Testing cross domain (localhost)');
+                video.src = '' + media + '&type=' + type;
+                video.load();
+            }
+        </script>
+    </head>
+
+    <body _onload_="startTests()">
+        <video></video>
+        <br>
+        Tests that the media player sends authorization credentials when requesting a media file.
+    </body>
+</html>
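Review bot: the `testSameDomain` and `testCrossDomain` bodies are textually identical as rendered here (`video.src = '' + media + '&type=' + type;`), so the URL prefixes that make one load same-origin (127.0.0.1) and the other cross-origin (localhost) are not visible in this view; likewise the two `<script src=""` includes that must supply `findMediaFile`, `mimeTypeForExtension`, `findMediaElement`, `waitForEvent`, `consoleWrite` and `endTest` show an empty `src`. Please confirm the committed file carries the real URLs and script paths. Since this file exists only to preserve coverage of the old opt-in behavior, a one-line comment next to the `webkit-test-runner` header saying so would help the next reader understand why a near-duplicate of video-auth.html is kept.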

Modified: trunk/LayoutTests/http/tests/media/video-auth.html (228485 => 228486)


--- trunk/LayoutTests/http/tests/media/video-auth.html	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/media/video-auth.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html>
     <head>
         <script src=""
@@ -18,25 +19,11 @@
             {
                 findMediaElement();
                 waitForEventAndFail('error');
-                waitForEvent('canplay', runNextTest);
+                waitForEventAndEnd('canplay');
 
-                tests = [
-                    testSameDomain,
-                    testCrossDomain,
-                ];
-
-                runNextTest();
+                testSameDomain();
             }
 
-            function runNextTest()
-            {
-                var test = tests.shift();
-                if (test)
-                    test();
-                else
-                    endTest();
-            }
-
             function testSameDomain()
             {
                 consoleWrite('Testing same domain (127.0.0.1)');
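Review bot: with `runNextTest` and the `tests` array removed here, the `var tests;` declaration that precedes this hunk (visible at the same position in the copied video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html above) becomes dead and should be dropped in the same change. Replacing `waitForEvent('canplay', runNextTest)` with `waitForEventAndEnd('canplay')` is the right simplification once only one case remains.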
@@ -43,13 +30,6 @@
                 video.src = '' + media + '&type=' + type;
                 video.load();
             }
-
-            function testCrossDomain()
-            {
-                consoleWrite('Testing cross domain (localhost)');
-                video.src = '' + media + '&type=' + type;
-                video.load();
-            }
         </script>
     </head>
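Review bot: deleting `testCrossDomain` leaves video-auth.html with no cross-origin case at all, so this file no longer exercises the new blocking behavior for media loads; the blocked-challenge path is covered by the new http/tests/security/basic-auth-subresource.html for images, but a short comment here pointing at that test (or a cross-origin media case that expects the console "Blocked ... from asking for credentials" message) would make the intended coverage split explicit.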
 

Added: trunk/LayoutTests/http/tests/security/basic-auth-subresource-expected.txt (0 => 228486)


--- trunk/LayoutTests/http/tests/security/basic-auth-subresource-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/basic-auth-subresource-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,55 @@
+http://127.0.0.1:8000/security/resources/subresource1/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+http://127.0.0.1:8000/security/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
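Review bot: in the "Images loaded from sandboxed same-origin iframe" section the same origin (http://127.0.0.1:8000) appears twice as "did load image", and only one `didReceiveAuthenticationChallenge` line exists for subresource2 (the earlier `http://127.0.0.1:8000/security/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge` line); the second load therefore succeeds without a new challenge being recorded. That is presumably expected, but the test page should state why (for example, that the same-origin credentials are reused), otherwise a future diff in this file is hard to judge. The expectation also hard-codes ports 8000 and 8443; the Windows-specific copy noted in the ChangeLog exists because 8443 is unreachable there, so keep both in sync when the console message text changes.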

Added: trunk/LayoutTests/http/tests/security/basic-auth-subresource.html (0 => 228486)


--- trunk/LayoutTests/http/tests/security/basic-auth-subresource.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/basic-auth-subresource.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,163 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+var indexOfIFrameTest = 0;
+var testContainer;
+
+function handleMessage(messageEvent)
+{
+    let framePrefix = "[Frame]";
+    let message = event.data;
+    let indexOfSeparator = message.indexOf(":");
+    if (indexOfSeparator == -1) {
+        debug(framePrefix + message);
+        return;
+    }
+    let command = message.substr(0, indexOfSeparator);
+    let description = message.substr(indexOfSeparator + 1);
+    if (command == "PASS") {
+        testPassed(description);
+        debug("");
+    } else if (command == "FAIL") {
+        testFailed(description);
+        debug("");
+    } else if (command == "DEBUG")
+        debug(description);
+    else if (command == "DONE")
+        runNextIFrameTest();
+    else
+        debug(framePrefix + message);
+}
+
+function pass(image, messagePrefix)
+{
+    testPassed(`${messagePrefix} with origin ${(new URL(image.src)).origin}.`);
+    debug("");
+    runNextImageTest();
+}
+
+function fail(image, messagePrefix)
+{
+    testFailed(`${messagePrefix} with origin ${(new URL(image.src)).origin}.`);
+    debug("");
+    runNextImageTest();
+}
+
+function done()
+{
+    if (window.testRunner)
+        document.body.removeChild(testContainer);
+    finishJSTest();
+}
+
+function testBasicAuthImagesInCrossOriginIframe()
+{
+    debug("Images loaded from cross-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.src = "" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function testBasicAuthImagesInSandboxedSameOriginIFrame()
+{
+    debug("Images loaded from sandboxed same-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.sandbox = "allow-scripts";
+    iframe.src = "" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function testBasicAuthImagesInSandboxedCrossOriginIFrame()
+{
+    debug("Images loaded from sandboxed cross-origin iframe:");
+    let iframe = document.createElement("iframe");
+    iframe.sandbox = "allow-scripts";
+    iframe.src = "" + window.top.location.origin;
+    testContainer.appendChild(iframe);
+}
+
+function runNextIFrameTest()
+{
+    if (indexOfIFrameTest >= NumberOfIFrameTests) {
+        done();
+        return;
+    }
+    var testNumber = indexOfIFrameTest++;
+    switch (testNumber) {
+    case 0:
+        testBasicAuthImagesInCrossOriginIframe();
+        return;
+    case 1:
+        testBasicAuthImagesInSandboxedSameOriginIFrame();
+        return;
+    case 2:
+        testBasicAuthImagesInSandboxedCrossOriginIFrame();
+        return;
+    }
+}
+
+function runNextImageTest()
+{
+    var test = imageTests.shift();
+    if (!test) {
+        runNextIFrameTest();
+        return;
+    }
+    var image = new Image;
+    image._onload_ = () => test.onload(image);
+    image._onerror_ = () => test.onerror(image);
+    image.src = ""
+    testContainer.appendChild(image);
+}
+
+window._onload_ = () => {
+    testContainer = document.getElementById("test-container");
+    window._onmessage_ = handleMessage;
+
+    debug("Images loaded from top-level frame:");
+    runNextImageTest();
+};
+
+// Tests
+
+const DidLoadImage = "did load image";
+const DidNotLoadImage = "did not load image";
+
+const NumberOfIFrameTests = 3;
+
+var imageTests = [
+{
+    src: "resources/subresource1/protected-image.php",
+    onload: (image) => pass(image, DidLoadImage),
+    onerror: (image) => fail(image, DidNotLoadImage),
+},
+{
+    src: "http://localhost:8000/security/resources/subresource1/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+{
+    src: "https://localhost:8443/security/resources/subresource1/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+];
+</script>
+</head>
+<body>
+<script>
+description("Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.");
+</script>
+<div id="test-container"></div>
+</body>
+</html>
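Review bot: `runNextIFrameTest` keeps its case count in a separate hand-maintained constant (`const NumberOfIFrameTests = 3;`) that has to be bumped every time a `case` is added to the `switch`; an array of the three `testBasicAuthImagesIn...` functions indexed by `indexOfIFrameTest` would keep the count and the cases in sync and drop the magic numbers. Two smaller things in `runNextImageTest`: `image.src = ""` has no semicolon, unlike the surrounding statements, and as shown here it assigns no path at all even though every `imageTests` entry carries a `src`, so that line should read `image.src = test.src;`. Likewise `iframe.src = "" + window.top.location.origin;` is concatenating onto an empty string; the frame it loads (`resources/basic-auth-subresource.html`) reads a `top-origin` query parameter, so the URL prefix that got lost here is load-bearing.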

Copied: trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (from rev 228484, trunk/LayoutTests/platform/mac-wk1/http/tests/security/credentials-iframes-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,4 @@
+ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
+http://127.0.0.1:8000/security/resources/cors-basic-auth.php - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
+ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
+

Added: trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html (0 => 228486)


--- trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,21 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    testRunner.setCanOpenWindows();
+    internals.settings.setStorageBlockingPolicy('BlockThirdParty');
+}
+
+window.addEventListener("message", function (event) {
+    alert("parent host: " + window.location.hostname + event.data);
+    window.open("http://localhost:8000/security/resources/credentials-iframes-continued.html");
+}, false);
+</script>
+</head>
+<body>
+<iframe src=""
+</body>
+</html>
\ No newline at end of file
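Review bot: `testRunner.waitUntilDone()` is called but nothing in this file ever calls `testRunner.notifyDone()`; the page opened from the `message` handler via `window.open("http://localhost:8000/security/resources/credentials-iframes-continued.html")` must be what finishes the test, and a one-line comment saying so would save the next reader a trip to that file. As shown here the `<iframe src=` element in the body is empty and unterminated (no closing `>` and no `</iframe>`), so please confirm the full tag landed, and add the missing trailing newline the diff flags.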

Modified: trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,4 +1,4 @@
 ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
-127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
+CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/resources/cors-basic-auth.php from asking for credentials because it is a cross-origin request.
 ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
 

Copied: trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
+
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.
+Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,45 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image._onload_ = fail;
+    image._onerror_ = pass;
+    image.src = ""
+    document.body.appendChild(image);
+}
+
+window._onload_ = runTest;
+</script>
+</head>
+<body>
+<script>
+description("Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.");
+</script>
+</body>
+</html>
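Review bot: the `<script src=` tag in `<head>` is shown empty and unterminated here, yet `pass()`, `fail()` and the body script depend on `testPassed`, `testFailed`, `finishJSTest` and `description`, none of which are defined in this file; make sure the external script reference actually landed. The point of this test deserves a comment in `runTest`: the runner is told to answer challenges with `testUser`/`testPassword` via `setHandlesAuthenticationChallenges(true)`, and the image is still expected to hit `onerror`, because the loader blocks the insecure subresource from asking for credentials before any challenge is delivered (the expectation file's "Blocked ... because it is insecure content" line is the observable). Without that comment someone will later "fix" the credentials.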

Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
 
-CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
 Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
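Review bot: the reason string in this expectation moves from "because it is insecure content" to "because it is a cross-origin request", which tells us the new cross-origin check now runs ahead of the existing mixed-content check in the loader, so in the default configuration this test no longer exercises the mixed-content reason at all. The copied `-allowCrossOriginSubresourcesToAskForCredentials` variant still expects the "insecure content" message, so the mixed-content path is still covered, but the ChangeLog should state that ordering explicitly so the duplicated tests have a documented reason to exist.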

Copied: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=""
+This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+
+PASS did not load image.

Added: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,29 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+    testRunner.waitUntilDone();
+}
+
+function receiveMessage(messageEvent) {
+    document.getElementById("result").textContent = messageEvent.data;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.addEventListener("message", receiveMessage, false);
+</script>
+<p>This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.</p>
+<div id="result"></div>
+<script>
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html");
+</script>
+</body>
+</html>
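Review bot: `receiveMessage` accepts a `message` event from any origin and writes `messageEvent.data` straight into the result div before calling `testRunner.notifyDone()`. `textContent` does not parse markup, so there is no injection concern, but checking `messageEvent.origin` against `https://127.0.0.1:8443` (the origin of the window this test opens) would stop a stray message from another test window ending the test early with the wrong result, and it is the pattern other tests will copy from here.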

Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
 
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=""
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
 
 PASS did not load image.
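Review bot: the console message now says the image was blocked "because it is a cross-origin request", but the description sentence kept from the old expectation still says it "should be blocked because it requires credentials and was loaded via an insecure redirect". The sibling change to secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html updated its description to "should not load because it is cross-origin"; the same update belongs in this test's `<p>` text and this expectation so the stated reason matches the reason the loader logs.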

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
+This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image._onload_ = fail;
+    image._onerror_ = pass;
+    image.src = ""
+    document.body.appendChild(image);
+}
+
+window._onload_ = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.");
+</script>
+</body>
+</html>
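Review bot: this file duplicates the `pass`/`fail`/`runTest` scaffolding of insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html line for line; the only differences across the four copied `.https.html` tests are the `description` string, the image URL and which of `onload`/`onerror` maps to `pass`. A shared helper under resources/ taking the image URL and the expected outcome would reduce four copies to one and keep the "load programmatically to avoid preload-scanner flakiness" fix in a single place. As in the other copies, the `<script src=` tag is shown empty and unterminated here; please confirm it landed.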

Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
 
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
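Review bot: same mismatch as in the insecure-image-redirects expectation: the logged reason is now "because it is a cross-origin request" while the description on the next line still explains the block by the insecure redirect. Since the redirect reason is now only reachable with `allowCrossOriginSubresourcesToAskForCredentials=true`, the default test's description and the matching string in secure-redirect-to-insecure-redirect-to-basic-auth-secure-image.https.html should say the image is blocked because it is cross-origin.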

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
+
+CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
+This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did not load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did not load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image._onload_ = fail;
+    image._onerror_ = pass;
+    image.src = ""
+    document.body.appendChild(image);
+}
+
+window._onload_ = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.");
+</script>
+</body>
+</html>
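Review bot: the `description` string reads "redirects to an secure image that redirects to an insecure image"; "an secure" should be "a secure". The same wording is baked into the new `-expected.txt` for this file and into the modified default expectation, so all three need the matching edit in the same commit or the test will fail on the text diff.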

Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,6 +1,6 @@
 CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
 
-CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
+CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
 This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228484, trunk/LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,11 @@
+https://127.0.0.1:8443/resources/redirect.php?url="" - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
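Review bot: the challenge line here attributes `didReceiveAuthenticationChallenge` to `https://127.0.0.1:8443/resources/redirect.php?url=`, the first hop of the redirect chain, whereas the pre-change expectation for the default variant printed `localhost:8443`, the host that actually sends the 401. If the harness deliberately logs the original request URL rather than the post-redirect one, that is fine, but please confirm this is intended and not a leftover from copying the expectation, since it is the one line that proves the credential prompt reached the cross-origin image under the test option.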

Copied: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html) (0 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,43 @@
+<!DOCTYPE html><!-- webkit-test-runner [ allowCrossOriginSubresourcesToAskForCredentials=true ] -->
+<html>
+<body>
+<script src=""
+<script>
+if (window.testRunner) {
+    testRunner.setHandlesAuthenticationChallenges(true);
+    testRunner.setAuthenticationUsername("testUser");
+    testRunner.setAuthenticationPassword("testPassword");
+}
+
+window.jsTestIsAsync = true;
+
+function pass()
+{
+    testPassed("did load image.");
+    finishJSTest();
+}
+
+function fail()
+{
+    testFailed("did not load image.");
+    finishJSTest();
+}
+
+function runTest()
+{
+    // Load the image programmatically instead of declaratively to avoid output flakiness caused by
+    // the preload scanner performing mixed content checks as part of preloading the image.
+    let image = new Image;
+    image._onload_ = pass;
+    image._onerror_ = fail;
+    image.src = ""
+    document.body.appendChild(image);
+}
+
+window._onload_ = runTest;
+</script>
+<script>
+description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+</script>
+</body>
+</html>
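Review bot: this is the only one of the four copied `.https.html` tests in which `onload` maps to `pass`, because under `allowCrossOriginSubresourcesToAskForCredentials=true` the cross-origin `localhost:8443` image is allowed to challenge and the runner answers with `testUser`/`testPassword`. The default variant of the same test now expects the opposite outcome after this change, so a comment in `runTest` stating that the load is expected only under that test option would prevent the two from being confused or "reconciled" later.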

Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,10 +1,10 @@
-localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
-This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS did load image.
+PASS did not load image.
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html (228485 => 228486)


--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -13,13 +13,13 @@
 
 function pass()
 {
-    testPassed("did load image.");
+    testPassed("did not load image.");
     finishJSTest();
 }
 
 function fail()
 {
-    testFailed("did not load image.");
+    testFailed("did load image.");
     finishJSTest();
 }
 
@@ -28,8 +28,8 @@
     // Load the image programmatically instead of declaratively to avoid output flakiness caused by
     // the preload scanner performing mixed content checks as part of preloading the image.
     let image = new Image;
-    image._onload_ = pass;
-    image._onerror_ = fail;
+    image._onload_ = fail;
+    image._onerror_ = pass;
     image.src = ""
     document.body.appendChild(image);
 }
@@ -37,7 +37,7 @@
 window._onload_ = runTest;
 </script>
 <script>
-description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.");
+description("This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should not load because it is cross-origin.");
 </script>
 </body>
 </html>

Added: trunk/LayoutTests/http/tests/security/resources/basic-auth-subresource.html (0 => 228486)


--- trunk/LayoutTests/http/tests/security/resources/basic-auth-subresource.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/basic-auth-subresource.html	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function pass(image, messagePrefix)
+{
+    window.top.postMessage(`PASS:${messagePrefix} with origin ${(new URL(image.src)).origin}.`, "*");
+    runNextImageTest();
+}
+
+function fail(image, messagePrefix)
+{
+    window.top.postMessage(`FAIL:${messagePrefix} with origin ${(new URL(image.src)).origin}.`, "*");
+    runNextImageTest();
+}
+
+function finishJSTest()
+{
+    window.top.postMessage("DONE:", "*");
+}
+
+function runNextImageTest()
+{
+    var test = imageTests.shift();
+    if (!test) {
+        finishJSTest();
+        return;
+    }
+    var image = new Image;
+    image._onload_ = () => test.onload(image);
+    image._onerror_ = () => test.onerror(image);
+    image.src = ""
+    document.getElementById("test-container").appendChild(image);
+}
+
+window._onload_ = runNextImageTest;
+
+// Tests
+
+const DidLoadImage = "did load image";
+const DidNotLoadImage = "did not load image";
+
+var searchParams = new URLSearchParams(document.location.search);
+
+var imageTests = [
+{
+    src: "subresource2/protected-image.php",
+    onload: (image) => {
+        if (document.location.origin === searchParams.get("top-origin"))
+            pass(image, DidLoadImage);
+        else
+            fail(image, DidLoadImage);
+    },
+    onerror: (image) => {
+        if (document.location.origin === searchParams.get("top-origin"))
+            fail(image, DidNotLoadImage);
+        else
+            pass(image, DidNotLoadImage);
+    },
+},
+{
+    src: "http://127.0.0.1:8000/security/resources/subresource2/protected-image.php",
+    onload: (image) => pass(image, DidLoadImage),
+    onerror: (image) => fail(image, DidNotLoadImage),
+},
+{
+    src: "https://127.0.0.1:8443/security/resources/subresource2/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+{
+    src: "https://localhost:8443/security/resources/subresource2/protected-image.php",
+    onload: (image) => fail(image, DidLoadImage),
+    onerror: (image) => pass(image, DidNotLoadImage),
+},
+];
+</script>
+</head>
+<body>
+<div id="test-container"></div>
+</body>
+</html>
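Review bot: `window.top.postMessage(..., "*")` reports results to whatever origin the top frame has, even though this frame already knows that origin from `searchParams.get("top-origin")`; passing that value as the targetOrigin costs nothing and is the example other tests will copy. Second, `document.location.origin` reflects the URL's origin, not the document's security origin, so inside an iframe sandboxed with only `allow-scripts` (opaque origin) the first test case's comparison with `top-origin` still succeeds and therefore expects the relative `subresource2/protected-image.php` to load; confirm that matches what the loader decides for a request from an opaque-origin document, since the description in the parent test promises credentials only when the subresource origin matches the top frame. Finally, `image.src = ""` in `runNextImageTest` is missing its semicolon and, as shown, assigns no path where `test.src` is meant.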

Added: trunk/LayoutTests/http/tests/security/resources/subresource1/protected-image.php (0 => 228486)


--- trunk/LayoutTests/http/tests/security/resources/subresource1/protected-image.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/subresource1/protected-image.php	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,12 @@
+<?php
+header("Cache-Control: no-store");
+header("Connection: close");
+if (!isset($_SERVER["PHP_AUTH_USER"])) {
+    header("WWW-authenticate: Basic realm=\"" . $_SERVER["REQUEST_URI"] . "\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// Authenticated
+header("Content-Type: image/png");
+echo file_get_contents("../../contentSecurityPolicy/block-all-mixed-content/resources/red-square.png");
+?>
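Review bot: the fixture accepts any request that carries a username: the only gate is `isset($_SERVER["PHP_AUTH_USER"])`, so the password is never checked and the testUser:testPassword pair the expectations mention is not enforced. That is enough for a test that only needs to observe whether the browser attached credentials, but a one-line comment saying so would stop someone reusing it as a real access check. Sending the `WWW-authenticate` header before `HTTP/1.0 401 Unauthorized` is fine in PHP, and the `exit` after the 401 correctly prevents the image body from leaking to unauthenticated requests.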

Added: trunk/LayoutTests/http/tests/security/resources/subresource2/protected-image.php (0 => 228486)


--- trunk/LayoutTests/http/tests/security/resources/subresource2/protected-image.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/subresource2/protected-image.php	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,12 @@
+<?php
+header("Cache-Control: no-store");
+header("Connection: close");
+if (!isset($_SERVER["PHP_AUTH_USER"])) {
+    header("WWW-authenticate: Basic realm=\"" . $_SERVER["REQUEST_URI"] . "\"");
+    header("HTTP/1.0 401 Unauthorized");
+    exit;
+}
+// Authenticated
+header("Content-Type: image/png");
+echo file_get_contents("../../contentSecurityPolicy/block-all-mixed-content/resources/red-square.png");
+?>
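Review bot: this file is a byte-for-byte copy of subresource1/protected-image.php. If the duplication is deliberate, presumably so that the two paths yield two distinct realms (the realm is `$_SERVER["REQUEST_URI"]`) and a credential remembered for one cannot satisfy the other, a comment at the top stating that would explain it; otherwise a shared include would keep the two copies from drifting apart.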

Modified: trunk/LayoutTests/platform/win/TestExpectations (228485 => 228486)


--- trunk/LayoutTests/platform/win/TestExpectations	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/platform/win/TestExpectations	2018-02-14 22:27:52 UTC (rev 228486)
@@ -91,6 +91,13 @@
 
 # FIXME: Implement test options parsing (<!-- webkit-test-runner [ ... ] -->).
 webkit.org/b/173281 security/isSecureContext-disabled.html [ Skip ]
+webkit.org/b/173281 http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
+webkit.org/b/173281 http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html [ Skip ]
 
 # TODO HW filters not yet supported on Windows
 webkit.org/b/74716 css3/filters/effect-blur-hw.html [ Skip ]
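Review bot: the skip list names http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html, but that test is missing from the "Tests:" list in the WebCore ChangeLog entry of this commit even though its wk2 expectations are added; the two lists should agree. Filing all seven under webkit.org/b/173281 is the right attribution, since every one of them depends on the new allowCrossOriginSubresourcesToAskForCredentials test option that the Windows runner cannot parse yet.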

Added: trunk/LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt (0 => 228486)


--- trunk/LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/basic-auth-subresource-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,51 @@
+http://127.0.0.1:8000/security/resources/subresource1/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+http://127.0.0.1:8000/security/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Modified: trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt (228485 => 228486)


--- trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,10 +1,7 @@
 127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password
-localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password
  
 Tests that the media player sends authorization credentials when requesting a media file.
 Testing same domain (127.0.0.1)
 EVENT(canplay)
-Testing cross domain (localhost)
-EVENT(canplay)
 END OF TEST
 

Copied: trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (from rev 228484, trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-expected.txt) (0 => 228486)


--- trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,10 @@
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with username:password
+localhost:8000 - didReceiveAuthenticationChallenge - Responding with username:password
+ 
+Tests that the media player sends authorization credentials when requesting a media file.
+Testing same domain (127.0.0.1)
+EVENT(canplay)
+Testing cross domain (localhost)
+EVENT(canplay)
+END OF TEST
+

Added: trunk/LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt (0 => 228486)


--- trunk/LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/basic-auth-subresource-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,55 @@
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource1/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+CONSOLE MESSAGE: Blocked https://localhost:8443/security/resources/subresource2/protected-image.php from asking for credentials because it is a cross-origin request.
+Tests whether credentials are requested for protected subresources. Credentials should be requested if and only if the origin of the subresource matches the origin of the top-most frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Images loaded from top-level frame:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin http://localhost:8000.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed same-origin iframe:
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+Images loaded from sandboxed cross-origin iframe:
+PASS did not load image with origin http://localhost:8000.
+
+PASS did load image with origin http://127.0.0.1:8000.
+
+PASS did not load image with origin https://127.0.0.1:8443.
+
+PASS did not load image with origin https://localhost:8443.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: trunk/LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/credentials-iframes-expected.txt) (0 => 228486)


--- trunk/LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,4 @@
+ALERT: parent host: 127.0.0.1 iframe host: 127.0.0.1 credentials:User: same-domain-user, password: same-domain-password.
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Simulating cancelled authentication sheet
+ALERT: parent host: localhost iframe host: 127.0.0.1 credentials:Authentication canceled
+

Copied: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228484, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt) (0 => 228486)


--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt	2018-02-14 22:27:52 UTC (rev 228486)
@@ -0,0 +1,11 @@
+localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to a secure image that redirects to a secure image guarded by basic authentication. The secure image should load.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Modified: trunk/Source/WebCore/ChangeLog (228485 => 228486)


--- trunk/Source/WebCore/ChangeLog	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/ChangeLog	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,47 @@
+2018-02-14  Daniel Bates  <daba...@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Prompts for credentials to load cross-origin subresources are typically seen as unexpected
+        by a person that navigates to- or interacts with- a web page. The cross-origin and implicit
+        loading nature of these subresources makes asking for credentials questionable because they
+        are not being served by the same origin of the page a person explicitly loaded and are not
+        guaranteed to correspond to an explicit user interaction other than the initial load of the
+        page. We know that subresources that ask for credentials can be abused as part of a phishing
+        attack. It seems reasonable to disallow cross-origin subresources from asking for credentials
+        due to their questionable nature and the risk for abuse. This will also make the behavior
+        of WebKit match the behavior of Chrome.
+
+        Tests: http/tests/media/video-auth-with-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/basic-auth-subresource.html
+               http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html
+               http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+               http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html
+
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::ResourceLoader::shouldAllowResourceToAskForCredentials const): Added.
+        (WebCore::ResourceLoader::didBlockAuthenticationChallenge): Emit Web Inspector console message if
+        the authentication challenge was blocked because the request is cross origin.
+        (WebCore::ResourceLoader::isAllowedToAskUserForCredentials const): Disallow a cross-origin
+        request from prompting for credentials.
+        (WebCore::ResourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/ResourceLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::SubresourceLoader): Update ResourceLoader state so that block cross-origin
+        subresources from prompting for credentials, if applicable.
+        (WebCore::SubresourceLoader::isSubresourceLoader const): Formerly non-const.
+        (WebCore::SubresourceLoader::isSubresourceLoader): Deleted; made const.
+        * loader/SubresourceLoader.h:
+        * page/Settings.yaml: Add setting allowCrossOriginSubresourcesToAskForCredentials (defaults: false -
+        do not allow cross origin subresources to ask for credentials).
+
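Review bot: the entry for WebCore::SubresourceLoader::SubresourceLoader reads "Update ResourceLoader state so that block cross-origin subresources from prompting for credentials, if applicable", which is missing its subject; "so that cross-origin subresources are blocked from prompting for credentials, if applicable" describes what the constructor now does. The "Tests:" list also omits http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html, whose expectations this commit adds.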
 2018-02-14  Don Olmstead  <don.olmst...@sony.com>
 
         WebCore headers should not include config.h or PlatformExportMacros.h

Modified: trunk/Source/WebCore/loader/ResourceLoader.cpp (228485 => 228486)


--- trunk/Source/WebCore/loader/ResourceLoader.cpp	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/loader/ResourceLoader.cpp	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2007, 2010-2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
  *           (C) 2007 Graham Dennis (graham.den...@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -326,7 +326,7 @@
         m_resourceData->clear();
 }
 
-bool ResourceLoader::isSubresourceLoader()
+bool ResourceLoader::isSubresourceLoader() const
 {
     return false;
 }
@@ -463,6 +463,11 @@
     frame->page()->diagnosticLoggingClient().logDiagnosticMessage(DiagnosticLoggingKeys::resourceResponseSourceKey(), sourceKey, ShouldSample::Yes);
 }
 
+bool ResourceLoader::shouldAllowResourceToAskForCredentials() const
+{
+    return m_canCrossOriginRequestsAskUserForCredentials || m_frame->tree().top().document()->securityOrigin().canRequest(m_request.url());
+}
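Review bot: `m_frame->tree().top().document()` is dereferenced without a null check; Frame::document() can be null (for instance while the top frame is being torn down), and this helper is reached from the authentication-challenge path, which can fire late in a load. Either null-check and return false, which is the safe default (no top document, no prompt), or add a comment stating why the top document is guaranteed here. Two further points deserve a comment: the comparison is against the top-most frame's origin rather than the loading frame's origin, which the test descriptions confirm is intended, and it uses `m_request.url()` (the current, post-redirect URL) while the SameOrigin credentials check in isAllowedToAskUserForCredentials uses `originalRequest().url()`; the current URL is the right one for "who is asking for credentials", but without a comment someone will "fix" the asymmetry.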
+
 void ResourceLoader::didBlockAuthenticationChallenge()
 {
     m_wasAuthenticationChallengeBlocked = true;
@@ -470,6 +475,11 @@
     if (!m_canAskClientForCredentials)
         return;
 
+    if (!shouldAllowResourceToAskForCredentials()) {
+        FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request"));
+        return;
+    }
+
     if (!m_wasInsecureRequestSeen)
         return;
 
@@ -739,6 +749,8 @@
 {
     if (!m_canAskClientForCredentials)
         return false;
+    if (!shouldAllowResourceToAskForCredentials())
+        return false;
     if (m_wasInsecureRequestSeen)
         return false;
     return m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_frame->document()->securityOrigin().canRequest(originalRequest().url()));
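Review bot: the order of the early returns here (client may not be asked, then cross-origin, then insecure request seen) mirrors didBlockAuthenticationChallenge above, and that mirroring is what makes the reason reported to the console match the reason the prompt was actually suppressed. Nothing enforces that the two stay in sync; a short comment on each, or a single shared helper returning the block reason, would prevent them drifting.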

Modified: trunk/Source/WebCore/loader/ResourceLoader.h (228485 => 228486)


--- trunk/Source/WebCore/loader/ResourceLoader.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/loader/ResourceLoader.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -98,7 +98,7 @@
     SharedBuffer* resourceData() const { return m_resourceData.get(); }
     void clearResourceData();
     
-    virtual bool isSubresourceLoader();
+    virtual bool isSubresourceLoader() const;
 
     virtual void willSendRequest(ResourceRequest&&, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& callback);
     virtual void didSendData(unsigned long long bytesSent, unsigned long long totalBytesToBeSent);
@@ -177,6 +177,7 @@
 #if USE(QUICK_LOOK)
     std::unique_ptr<PreviewLoader> m_previewLoader;
 #endif
+    bool m_canCrossOriginRequestsAskUserForCredentials { true };
 
 private:
     virtual void willCancel(const ResourceError&) = 0;
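Review bot: `m_canCrossOriginRequestsAskUserForCredentials { true }` defaults to the permissive behaviour and is only overridden in SubresourceLoader's constructor, so every other ResourceLoader subclass keeps the pre-patch behaviour of allowing cross-origin credential prompts. If only subresources are meant to be in scope that is correct, but the member should carry a comment saying so and naming SubresourceLoader as the place it is set; a false default with an explicit opt-in from the paths that must still prompt would fail closed instead.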
@@ -186,6 +187,8 @@
     void loadDataURL();
     void finishNetworkLoad();
 
+    bool shouldAllowResourceToAskForCredentials() const;
+
     // ResourceHandleClient
     void didSendData(ResourceHandle*, unsigned long long bytesSent, unsigned long long totalBytesToBeSent) override;
     void didReceiveResponseAsync(ResourceHandle*, ResourceResponse&&, CompletionHandler<void()>&&) override;

Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (228485 => 228486)


--- trunk/Source/WebCore/loader/SubresourceLoader.cpp	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp	2018-02-14 22:27:52 UTC (rev 228486)
@@ -45,6 +45,7 @@
 #include "ResourceLoadObserver.h"
 #include "ResourceTiming.h"
 #include "RuntimeEnabledFeatures.h"
+#include "Settings.h"
 #include <wtf/CompletionHandler.h>
 #include <wtf/Ref.h>
 #include <wtf/RefCountedLeakCounter.h>
@@ -92,6 +93,7 @@
 #if ENABLE(CONTENT_EXTENSIONS)
     m_resourceType = toResourceType(resource.type());
 #endif
+    m_canCrossOriginRequestsAskUserForCredentials = resource.type() == CachedResource::MainResource || frame.settings().allowCrossOriginSubresourcesToAskForCredentials();
 }
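Review bot: the `resource.type() == CachedResource::MainResource` exemption is not explained anywhere (the ChangeLog only mentions the setting); add a comment stating why a main-resource load that goes through SubresourceLoader may still prompt, since a reader will otherwise expect every SubresourceLoader to be subject to the new policy. Note also that the setting is read once at construction, so toggling allowCrossOriginSubresourcesToAskForCredentials does not affect in-flight loaders; that is acceptable but worth stating next to the assignment.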
 
 SubresourceLoader::~SubresourceLoader()
@@ -162,7 +164,7 @@
     });
 }
 
-bool SubresourceLoader::isSubresourceLoader()
+bool SubresourceLoader::isSubresourceLoader() const
 {
     return true;
 }

Modified: trunk/Source/WebCore/loader/SubresourceLoader.h (228485 => 228486)


--- trunk/Source/WebCore/loader/SubresourceLoader.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/loader/SubresourceLoader.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -47,7 +47,7 @@
     virtual ~SubresourceLoader();
 
     void cancelIfNotFinishing();
-    bool isSubresourceLoader() override;
+    bool isSubresourceLoader() const override;
     CachedResource* cachedResource();
 
     SecurityOrigin* origin() { return m_origin.get(); }

Modified: trunk/Source/WebCore/page/Settings.yaml (228485 => 228486)


--- trunk/Source/WebCore/page/Settings.yaml	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebCore/page/Settings.yaml	2018-02-14 22:27:52 UTC (rev 228486)
@@ -101,6 +101,8 @@
   initial: true
 allowSettingAnyXHRHeaderFromFileURLs:
   initial: false
+allowCrossOriginSubresourcesToAskForCredentials:
+  initial: false
 needsStorageAccessFromFileURLsQuirk:
   initial: true
 _javascript_CanOpenWindowsAutomatically:

Modified: trunk/Source/WebKit/ChangeLog (228485 => 228486)


--- trunk/Source/WebKit/ChangeLog	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKit/ChangeLog	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,20 @@
+2018-02-14  Daniel Bates  <daba...@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        WebKitTestRunner toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+
+        * Shared/WebPreferences.yaml:
+        * UIProcess/API/C/WKPreferences.cpp:
+        (WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials):
+        (WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials):
+        * UIProcess/API/C/WKPreferencesRefPrivate.h:
+
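Review bot: "toggle allowing non-mixed content cross-origin subresources to load" misdescribes the preference. AllowCrossOriginSubresourcesToAskForCredentials controls whether such subresources may prompt the user for credentials, not whether they load; an unauthenticated load still proceeds and simply receives the 401. The test option is also named allowCrossOriginSubresourcesToAskForCredential here (singular), whereas the key parsed in TestOptions.mm is allowCrossOriginSubresourcesToAskForCredentials.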
 2018-02-14  John Wilander  <wilan...@apple.com>
 
         Make maximumParallelReadCount static to fix lambda capture error in WebKit::NetworkCache::Storage::traverse()

Modified: trunk/Source/WebKit/Shared/WebPreferences.yaml (228485 => 228486)


--- trunk/Source/WebKit/Shared/WebPreferences.yaml	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKit/Shared/WebPreferences.yaml	2018-02-14 22:27:52 UTC (rev 228486)
@@ -183,6 +183,10 @@
   type: bool
   defaultValue: false
 
+AllowCrossOriginSubresourcesToAskForCredentials:
+  type: bool
+  defaultValue: false
+
 AVFoundationEnabled:
   type: bool
   defaultValue: true

Modified: trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp (228485 => 228486)


--- trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKit/UIProcess/API/C/WKPreferences.cpp	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1934,3 +1934,12 @@
     return toImpl(preferencesRef)->mediaCapabilitiesEnabled();
 }
 
+void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef, bool flag)
+{
+    toImpl(preferencesRef)->setAllowCrossOriginSubresourcesToAskForCredentials(flag);
+}
+
+bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef preferencesRef)
+{
+    return toImpl(preferencesRef)->allowCrossOriginSubresourcesToAskForCredentials();
+}

Modified: trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h (228485 => 228486)


--- trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKit/UIProcess/API/C/WKPreferencesRefPrivate.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -552,7 +552,11 @@
 // Defaults to false.
 WK_EXPORT void WKPreferencesSetShouldAllowUserInstalledFonts(WKPreferencesRef, bool flag);
 WK_EXPORT bool WKPreferencesGetShouldAllowUserInstalledFonts(WKPreferencesRef);
-    
+
+// Defaults to false.
+WK_EXPORT void WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef, bool flag);
+WK_EXPORT bool WKPreferencesGetAllowCrossOriginSubresourcesToAskForCredentials(WKPreferencesRef);
+
 #ifdef __cplusplus
 }
 #endif

Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (228485 => 228486)


--- trunk/Source/WebKitLegacy/mac/ChangeLog	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,23 @@
+2018-02-14  Daniel Bates  <daba...@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add a private preference to toggle allowing non-mixed content cross-origin subresources to load.
+        DumpRenderTree toggles this preference when it sees the test option allowCrossOriginSubresourcesToAskForCredential.
+
+        * WebView/WebPreferenceKeysPrivate.h:
+        * WebView/WebPreferences.mm:
+        (+[WebPreferences initialize]):
+        (-[WebPreferences allowCrossOriginSubresourcesToAskForCredentials]):
+        (-[WebPreferences setAllowCrossOriginSubresourcesToAskForCredentials:]):
+        * WebView/WebPreferencesPrivate.h:
+        * WebView/WebView.mm:
+        (-[WebView _preferencesChanged:]):
+
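Review bot: same two issues as the WebKit ChangeLog entry: the preference gates credential prompts, not whether the subresource loads, and the test option name is given as allowCrossOriginSubresourcesToAskForCredential (singular) while DumpRenderTree's parser matches allowCrossOriginSubresourcesToAskForCredentials.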
 2018-02-14  Ross Kirsling  <ross.kirsl...@sony.com>
 
         Remove ForwardingHeaders directory from WebKitLegacy/mac.

Modified: trunk/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h (228485 => 228486)


--- trunk/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebPreferenceKeysPrivate.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -56,6 +56,7 @@
 #define WebKitWebSecurityEnabledPreferenceKey @"WebKitWebSecurityEnabled"
 #define WebKitAllowUniversalAccessFromFileURLsPreferenceKey @"WebKitAllowUniversalAccessFromFileURLs"
 #define WebKitAllowFileAccessFromFileURLsPreferenceKey @"WebKitAllowFileAccessFromFileURLs"
+#define WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey @"WebKitAllowCrossOriginSubresourcesToAskForCredentials"
 #define WebKitNeedsStorageAccessFromFileURLsQuirkKey @"WebKitNeedsStorageAccessFromFileURLsQuirk"
 #define WebKitJavaScriptCanOpenWindowsAutomaticallyPreferenceKey @"WebKitJavaScriptCanOpenWindowsAutomatically"
 #define WebKitPluginsEnabledPreferenceKey @"WebKitPluginsEnabled"
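Review bot: style, the new macro WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey drops the "Preference" infix its immediate neighbours use (WebKitAllowUniversalAccessFromFileURLsPreferenceKey, WebKitAllowFileAccessFromFileURLsPreferenceKey). WebKitNeedsStorageAccessFromFileURLsQuirkKey already breaks that pattern, so either form is defensible, but new keys in this block would be easier to find if they followed the majority convention.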

Modified: trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm (228485 => 228486)


--- trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm	2018-02-14 22:27:52 UTC (rev 228486)
@@ -650,6 +650,7 @@
         [NSNumber numberWithBool:NO], WebKitVisualViewportAPIEnabledPreferenceKey,
 
         [NSNumber numberWithBool:YES], WebKitNeedsStorageAccessFromFileURLsQuirkKey,
+        [NSNumber numberWithBool:NO], WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey,
 #if ENABLE(MEDIA_STREAM)
         [NSNumber numberWithBool:NO], WebKitMediaDevicesEnabledPreferenceKey,
         [NSNumber numberWithBool:YES], WebKitMediaStreamEnabledPreferenceKey,
@@ -1499,6 +1500,16 @@
     [self _setBoolValue: flag forKey: WebKitAllowFileAccessFromFileURLsPreferenceKey];
 }
 
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials
+{
+    return [self _boolValueForKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}
+
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag
+{
+    [self _setBoolValue:flag forKey:WebKitAllowCrossOriginSubresourcesToAskForCredentialsKey];
+}
+
 - (BOOL)needsStorageAccessFromFileURLsQuirk
 {
     return [self _boolValueForKey: WebKitNeedsStorageAccessFromFileURLsQuirkKey];

Modified: trunk/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h (228485 => 228486)


--- trunk/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebPreferencesPrivate.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -144,6 +144,9 @@
 - (BOOL)allowFileAccessFromFileURLs;
 - (void)setAllowFileAccessFromFileURLs:(BOOL)flag;
 
+- (BOOL)allowCrossOriginSubresourcesToAskForCredentials;
+- (void)setAllowCrossOriginSubresourcesToAskForCredentials:(BOOL)flag;
+
 - (BOOL)needsStorageAccessFromFileURLsQuirk;
 - (void)setNeedsStorageAccessFromFileURLsQuirk:(BOOL)flag;
 
@@ -598,6 +601,7 @@
 @property (nonatomic) BOOL allowMediaContentTypesRequiringHardwareSupportAsFallback;
 @property (nonatomic) BOOL accessibilityObjectModelEnabled;
 @property (nonatomic) BOOL mediaCapabilitiesEnabled;
+@property (nonatomic) BOOL allowCrossOriginSubresourcesToAskForCredentials;
 
 #if TARGET_OS_IPHONE
 @property (nonatomic) BOOL quickLookDocumentSavingEnabled;

Modified: trunk/Source/WebKitLegacy/mac/WebView/WebView.mm (228485 => 228486)


--- trunk/Source/WebKitLegacy/mac/WebView/WebView.mm	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebView.mm	2018-02-14 22:27:52 UTC (rev 228486)
@@ -2760,6 +2760,7 @@
     settings.setWebSecurityEnabled([preferences isWebSecurityEnabled]);
     settings.setAllowUniversalAccessFromFileURLs([preferences allowUniversalAccessFromFileURLs]);
     settings.setAllowFileAccessFromFileURLs([preferences allowFileAccessFromFileURLs]);
+    settings.setAllowCrossOriginSubresourcesToAskForCredentials([preferences allowCrossOriginSubresourcesToAskForCredentials]);
     settings.setNeedsStorageAccessFromFileURLsQuirk([preferences needsStorageAccessFromFileURLsQuirk]);
     settings.setMinimumFontSize([preferences minimumFontSize]);
     settings.setMinimumLogicalFontSize([preferences minimumLogicalFontSize]);

Modified: trunk/Tools/ChangeLog (228485 => 228486)


--- trunk/Tools/ChangeLog	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/ChangeLog	2018-02-14 22:27:52 UTC (rev 228486)
@@ -1,3 +1,25 @@
+2018-02-14  Daniel Bates  <daba...@apple.com>
+
+        Disallow cross-origin subresources from asking for credentials
+        https://bugs.webkit.org/show_bug.cgi?id=182579
+        <rdar://problem/36162271>
+
+        Reviewed by Andy Estes.
+
+        Add test option allowCrossOriginSubresourcesToAskForCredential (defaults to false)
+        so that tests can toggle between the old behavior and new behavior.
+
+        * DumpRenderTree/TestOptions.h:
+        * DumpRenderTree/TestOptions.mm:
+        (TestOptions::TestOptions):
+        * DumpRenderTree/mac/DumpRenderTree.mm:
+        (setWebPreferencesForTestOptions):
+        * WebKitTestRunner/TestController.cpp:
+        (WTR::TestController::resetPreferencesToConsistentValues):
+        (WTR::updateTestOptionsFromTestHeader):
+        * WebKitTestRunner/TestOptions.h:
+        (WTR::TestOptions::hasSameInitializationOptions const):
+
 2018-02-12  Ryosuke Niwa  <rn...@webkit.org>
 
         REGRESSION (r223440): Copying & pasting a list from Microsoft Word to TinyMCE fails
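Review bot: the option name in the ChangeLog entry ("Add test option allowCrossOriginSubresourcesToAskForCredential") drops the trailing "s"; the header key parsed in TestOptions.mm and TestController.cpp is "allowCrossOriginSubresourcesToAskForCredentials", so the entry should be corrected to match or test authors copying it will get a silently ignored option.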

Modified: trunk/Tools/DumpRenderTree/TestOptions.h (228485 => 228486)


--- trunk/Tools/DumpRenderTree/TestOptions.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/DumpRenderTree/TestOptions.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -41,6 +41,7 @@
     bool enableIsSecureContextAttribute { true };
     bool enableInspectorAdditions { false };
     bool dumpJSConsoleLogInStdErr { false };
+    bool allowCrossOriginSubresourcesToAskForCredentials { false };
 
     TestOptions(NSURL*, const TestCommand&);
     bool webViewIsCompatibleWithOptions(const TestOptions&) const;
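Review bot: this hunk adds the field but webViewIsCompatibleWithOptions, declared two lines below, is not updated to compare it, whereas the WebKitTestRunner counterpart (hasSameInitializationOptions) is. If the flag is applied per test through setWebPreferencesForTestOptions that asymmetry is fine, but it is worth a sentence in the ChangeLog so the omission reads as intentional rather than missed.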

Modified: trunk/Tools/DumpRenderTree/TestOptions.mm (228485 => 228486)


--- trunk/Tools/DumpRenderTree/TestOptions.mm	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/DumpRenderTree/TestOptions.mm	2018-02-14 22:27:52 UTC (rev 228486)
@@ -102,6 +102,8 @@
             this->enableInspectorAdditions = parseBooleanTestHeaderValue(value);
         else if (key == "dumpJSConsoleLogInStdErr")
             this->dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value);
+        else if (key == "allowCrossOriginSubresourcesToAskForCredentials")
+            this->allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
     }
 }

Modified: trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm (228485 => 228486)


--- trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm	2018-02-14 22:27:52 UTC (rev 228486)
@@ -994,6 +994,7 @@
     preferences.webAuthenticationEnabled = options.enableWebAuthentication;
     preferences.isSecureContextAttributeEnabled = options.enableIsSecureContextAttribute;
     preferences.inspectorAdditionsEnabled = options.enableInspectorAdditions;
+    preferences.allowCrossOriginSubresourcesToAskForCredentials = options.allowCrossOriginSubresourcesToAskForCredentials;
 }
 
 // Called once on DumpRenderTree startup.

Modified: trunk/Tools/WebKitTestRunner/TestController.cpp (228485 => 228486)


--- trunk/Tools/WebKitTestRunner/TestController.cpp	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/WebKitTestRunner/TestController.cpp	2018-02-14 22:27:52 UTC (rev 228486)
@@ -692,6 +692,7 @@
     WKPreferencesSetModernMediaControlsEnabled(preferences, options.enableModernMediaControls);
     WKPreferencesSetWebAuthenticationEnabled(preferences, options.enableWebAuthentication);
     WKPreferencesSetIsSecureContextAttributeEnabled(preferences, options.enableIsSecureContextAttribute);
+    WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials(preferences, options.allowCrossOriginSubresourcesToAskForCredentials);
 
     static WKStringRef defaultTextEncoding = WKStringCreateWithUTF8CString("ISO-8859-1");
     WKPreferencesSetDefaultTextEncodingName(preferences, defaultTextEncoding);
@@ -1068,6 +1069,8 @@
             testOptions.dumpJSConsoleLogInStdErr = parseBooleanTestHeaderValue(value);
         if (key == "applicationManifest")
             testOptions.applicationManifest = parseStringTestHeaderValueAsRelativePath(value, pathOrURL);
+        if (key == "allowCrossOriginSubresourcesToAskForCredentials")
+            testOptions.allowCrossOriginSubresourcesToAskForCredentials = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
     }
 }

Modified: trunk/Tools/WebKitTestRunner/TestOptions.h (228485 => 228486)


--- trunk/Tools/WebKitTestRunner/TestOptions.h	2018-02-14 21:26:53 UTC (rev 228485)
+++ trunk/Tools/WebKitTestRunner/TestOptions.h	2018-02-14 22:27:52 UTC (rev 228486)
@@ -54,6 +54,7 @@
     bool enableInspectorAdditions { false };
     bool shouldShowTouches { false };
     bool dumpJSConsoleLogInStdErr { false };
+    bool allowCrossOriginSubresourcesToAskForCredentials { false };
 
     float deviceScaleFactor { 1 };
     Vector<String> overrideLanguages;
@@ -82,7 +83,8 @@
             || enableIsSecureContextAttribute != options.enableIsSecureContextAttribute
             || enableInspectorAdditions != options.enableInspectorAdditions
             || dumpJSConsoleLogInStdErr != options.dumpJSConsoleLogInStdErr
-            || applicationManifest != options.applicationManifest)
+            || applicationManifest != options.applicationManifest
+            || allowCrossOriginSubresourcesToAskForCredentials != options.allowCrossOriginSubresourcesToAskForCredentials)
             return false;
 
         return true;
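Review bot: adding the flag to hasSameInitializationOptions forces a new WKView whenever consecutive tests disagree on it, yet the same value is also re-applied on every test through WKPreferencesSetAllowCrossOriginSubresourcesToAskForCredentials in resetPreferencesToConsistentValues. Confirm view recreation is actually required for the preference to take effect; if not, dropping it from the comparison avoids a needless teardown between tests.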