Modified: trunk/LayoutTests/ChangeLog (228702 => 228703)
--- trunk/LayoutTests/ChangeLog 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/ChangeLog 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,3 +1,35 @@
+2018-02-19 Daniel Bates <daba...@apple.com>
+
+ Do not block authentication challenge to navigated resources
+ https://bugs.webkit.org/show_bug.cgi?id=182807
+ <rdar://problem/37481619>
+
+ Reviewed by Brent Fulgham.
+
+ Update tests based on the new behavior.
+
+ * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt:
+ * http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html:
+ * http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https-expected.txt: Removed.
+ * http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https.html: Removed.
+ * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt:
+ * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html:
+ * http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt:
+ * http/tests/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html:
+ * http/tests/security/mixedContent/resources/subresource/protected-pdf.php: Removed.
+ * http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt:
+ * http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt:
+ * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt:
+ * http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html:
+ * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt:
+ * http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html:
+ * platform/wk2/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt.
+ * platform/wk2/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt: Added.
+ * platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt: Added.
+ * platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt: Added.
+ * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt.
+ * platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt: Copied from LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt.
+
2018-02-19 Ryan Haddad <ryanhad...@apple.com>
Mark media/track/track-css-matching-default.html as flaky.
Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,12 +1,12 @@
CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
-CONSOLE MESSAGE: Blocked http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php from asking for credentials because it is insecure content.
+http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS did not load image.
+PASS did load image.
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -13,13 +13,13 @@
function pass()
{
- testPassed("did not load image.");
+ testPassed("did load image.");
finishJSTest();
}
function fail()
{
- testFailed("did load image.");
+ testFailed("did not load image.");
finishJSTest();
}
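Review bot: The description() call for this test lies outside the hunk, but its text as echoed in the expected output — `Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.` — still states the pre-change contract, while pass() now reports `did load image.` after the challenge is answered. The other two .https.html files in this commit rewrite their description strings to match the new behavior; this one should too, e.g. `description("Tests that we ask for credentials when loading an insecure image that requires basic authentication and allowCrossOriginSubresourcesToAskForCredentials is enabled.");`, with the .https-expected.txt and the platform/wk2 copy regenerated afterwards. Without that, the expectation file documents the opposite of what the PASS line asserts.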
@@ -28,8 +28,8 @@
// Load the image programmatically instead of declaratively to avoid output flakiness caused by
// the preload scanner performing mixed content checks as part of preloading the image.
let image = new Image;
- image._onload_ = fail;
- image._onerror_ = pass;
+ image._onload_ = pass;
+ image._onerror_ = fail;
image.src = ""
document.body.appendChild(image);
}
Deleted: trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,4 +0,0 @@
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-pdf.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=""
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-pdf.php from asking for credentials because it was navigated to from a secure page or went through an insecure redirect.
-ALERT: Unauthorized
-
Deleted: trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-download-redirects-to-basic-auth-secure-download.https.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,30 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script src=""
-<script>
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
- testRunner.setHandlesAuthenticationChallenges(true);
- testRunner.setAuthenticationUsername("testUser");
- testRunner.setAuthenticationPassword("testPassword");
- if (testRunner.isWebKit2)
- testRunner.setShouldLogDownloadCallbacks(true);
-}
-</script>
-</head>
-<body>
-<p>
-<p>This test loads an insecure resource that redirects to a secure PDF guarded by basic authentication. The secure PDF should not be downloaded because it requires credentials and was loaded via an insecure redirect. This test PASSED if you see a _javascript_ alert with message "Unauthorized". Otherwise, it FAILED.</p>
-<a id="link" href="" link</a>.
-<script>
-function runTest()
-{
- var link = document.getElementById("link");
- UIHelper.activateAt(link.offsetLeft + 5, link.offsetTop + 5);
-}
-runTest();
-</script>
-</body>
-</html>
Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,6 +1,6 @@
-CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+CONSOLE MESSAGE: line 18: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html?allowCrossOriginSubresourcesToAskForCredentials=1 was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8080/resources/redirect.php?url=""
-This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+http://127.0.0.1:8080/resources/redirect.php?url="" - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The image should load.
-PASS did not load image.
+PASS did load image.
Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -20,10 +20,10 @@
window.addEventListener("message", receiveMessage, false);
</script>
-<p>This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.</p>
+<p>This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The image should load.</p>
<div id="result"></div>
<script>
-window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html");
+window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html?allowCrossOriginSubresourcesToAskForCredentials=1");
</script>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 17: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+CONSOLE MESSAGE: line 18: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is a cross-origin request.
This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
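Review bot: The description kept as context on the last line still attributes the block to the image having been "loaded via an insecure redirect", while the console message directly above it gives the reason as "it is a cross-origin request", so the expectation file now contradicts itself. The string comes from insecure-image-redirects-to-basic-auth-secure-image.html, which is not touched by this commit; rewording it there along the lines of `The secure image should be blocked because it is a cross-origin request that requires credentials.` and regenerating this file would keep the stated reason and the observed console message in agreement.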
Modified: trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -2,18 +2,19 @@
<html>
<head>
<script>
-function pass()
-{
- window.opener.postMessage("PASS did not load image.", "*");
-}
-function fail()
+var allowCrossOriginSubresourcesToAskForCredentials = document.location.search.includes("?allowCrossOriginSubresourcesToAskForCredentials");
+
+function checkResult(event)
{
- window.opener.postMessage("FAIL did load image.", "*");
+ if (event.type == "error")
+ window.opener.postMessage((allowCrossOriginSubresourcesToAskForCredentials ? "FAIL" : "PASS") + " did not load image.", "*");
+ else if (event.type == "load")
+ window.opener.postMessage((allowCrossOriginSubresourcesToAskForCredentials ? "PASS" : "FAIL") + " did load image.", "*");
}
</script>
</head>
<body>
-<img src="" _onerror_="pass()" _onload_="fail()">
+<img src="" _onerror_="checkResult(event)" _onload_="checkResult(event)">
</body>
</html>
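Review bot: The flag check on the new line `var allowCrossOriginSubresourcesToAskForCredentials = document.location.search.includes("?allowCrossOriginSubresourcesToAskForCredentials");` matches only when the parameter is the first one in the query string and ignores its value, so a future reordering of the opener's URL or a `=0` value would silently switch the frame to the other set of expectations and the harness would still print a PASS line. `const allowCrossOriginSubresourcesToAskForCredentials = new URLSearchParams(document.location.search).get("allowCrossOriginSubresourcesToAskForCredentials") === "1";` pins both the name and the value the opener sets (`?allowCrossOriginSubresourcesToAskForCredentials=1`). checkResult posts nothing for event types other than "error" and "load", which is fine for the two handlers wired on the img element, but a one-line comment above it saying it is only meant to be bound to those two events would make that intent explicit.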
Deleted: trunk/LayoutTests/http/tests/security/mixedContent/resources/subresource/protected-pdf.php (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/resources/subresource/protected-pdf.php 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/resources/subresource/protected-pdf.php 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,14 +0,0 @@
-<?php
-header("Cache-Control: no-store");
-header("Connection: close");
-if (!isset($_SERVER["PHP_AUTH_USER"])) {
- header("WWW-authenticate: Basic realm=\"" . $_SERVER["REQUEST_URI"] . "\"");
- header("HTTP/1.0 401 Unauthorized");
- echo "<script>alert('Unauthorized'); window.testRunner && window.testRunner.notifyDone()</script>";
- exit;
-}
-// Authenticated
-header("Content-Type: application/pdf");
-header("Content-Disposition: attachment; filename=test.pdf");
-echo file_get_contents("../../../../media/resources/test.pdf");
-?>
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/mixedContent/resources/subresource/protected-page.php from asking for credentials because it is insecure content.
-CONSOLE MESSAGE: Blocked http://127.0.0.1:8000/security/mixedContent/resources/subresource/protected-page.php from asking for credentials because it was navigated to from a secure page or went through an insecure redirect.
-Unauthorized.
+http://127.0.0.1:8000/security/mixedContent/resources/subresource/protected-page.php - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+Authenticated with username testUser.
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,3 +1,2 @@
-CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/mixedContent/resources/subresource/protected-page.php from asking for credentials because it was loaded via an insecure redirect from http://127.0.0.1:8000/resources/redirect.php?url=""
-CONSOLE MESSAGE: Blocked https://127.0.0.1:8443/security/mixedContent/resources/subresource/protected-page.php from asking for credentials because it was navigated to from a secure page or went through an insecure redirect.
-Unauthorized.
+http://127.0.0.1:8000/resources/redirect.php?url="" - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+Authenticated with username testUser.
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,12 +1,12 @@
CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
-CONSOLE MESSAGE: Blocked https://localhost:8443/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it was loaded via an insecure redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
-This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.
+https://127.0.0.1:8443/resources/redirect.php?url="" - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The image should load.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS did not load image.
+PASS did load image.
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -13,13 +13,13 @@
function pass()
{
- testPassed("did not load image.");
+ testPassed("did load image.");
finishJSTest();
}
function fail()
{
- testFailed("did load image.");
+ testFailed("did not load image.");
finishJSTest();
}
@@ -28,8 +28,8 @@
// Load the image programmatically instead of declaratively to avoid output flakiness caused by
// the preload scanner performing mixed content checks as part of preloading the image.
let image = new Image;
- image._onload_ = fail;
- image._onerror_ = pass;
+ image._onload_ = pass;
+ image._onerror_ = fail;
image.src = ""
document.body.appendChild(image);
}
@@ -37,7 +37,7 @@
window._onload_ = runTest;
</script>
<script>
-description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The secure image should be blocked because it requires credentials and was loaded via an insecure redirect.");
+description("This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The image should load.");
</script>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,12 +1,12 @@
CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
-CONSOLE MESSAGE: Blocked http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php from asking for credentials because it is insecure content that was loaded via a redirect from https://127.0.0.1:8443/resources/redirect.php?url=""
-This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.
+https://127.0.0.1:8443/resources/redirect.php?url="" - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The image should load.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS did not load image.
+PASS did load image.
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html (228702 => 228703)
--- trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html 2018-02-19 19:10:44 UTC (rev 228703)
@@ -13,13 +13,13 @@
function pass()
{
- testPassed("did not load image.");
+ testPassed("did load image.");
finishJSTest();
}
function fail()
{
- testFailed("did load image.");
+ testFailed("did not load image.");
finishJSTest();
}
@@ -28,8 +28,8 @@
// Load the image programmatically instead of declaratively to avoid output flakiness caused by
// the preload scanner performing mixed content checks as part of preloading the image.
let image = new Image;
- image._onload_ = fail;
- image._onerror_ = pass;
+ image._onload_ = pass;
+ image._onerror_ = fail;
image.src = ""
document.body.appendChild(image);
}
@@ -37,7 +37,7 @@
window._onload_ = runTest;
</script>
<script>
-description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The insecure image should be blocked because it requires credentials.");
+description("This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The image should load.");
</script>
</body>
</html>
Copied: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228702, trunk/LayoutTests/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt) (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: line 33: The page at https://127.0.0.1:8443/security/mixedContent/insecure-basic-auth-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8000/security/mixedContent/resources/subresource2/protected-image.php.
+
+localhost:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+Tests that we do not ask for credentials when loading an insecure image that requires basic authentication.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-redirects-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 18: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-redirects-to-basic-auth-secure-image.html?allowCrossOriginSubresourcesToAskForCredentials=1 was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+
+localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test opens a new window to a secure page that loads an insecure image that redirects to a secure image guarded by basic authentication. The image should load.
+
+PASS did load image.
Added: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-insecure-page.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,2 @@
+127.0.0.1:8000 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+Authenticated with username testUser.
Added: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-page-navigates-to-basic-auth-secure-page-via-insecure-redirect.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,2 @@
+127.0.0.1:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+Authenticated with username testUser.
Copied: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228702, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt) (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-insecure-redirect-to-basic-auth-secure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://127.0.0.1:8080/resources/redirect.php?url=""
+
+localhost:8443 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to an insecure image that redirects to a secure image guarded by basic authentication. The image should load.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (from rev 228702, trunk/LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt) (0 => 228703)
--- trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/wk2/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https-expected.txt 2018-02-19 19:10:44 UTC (rev 228703)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-insecure-image-allowCrossOriginSubresourcesToAskForCredentials.https.html was allowed to display insecure content from http://localhost:8080/security/mixedContent/resources/subresource/protected-image.php.
+
+localhost:8080 - didReceiveAuthenticationChallenge - Responding with testUser:testPassword
+This test loads a secure image that redirects to an secure image that redirects to an insecure image guarded by basic authentication. The image should load.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Modified: trunk/Source/WebCore/ChangeLog (228702 => 228703)
--- trunk/Source/WebCore/ChangeLog 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/Source/WebCore/ChangeLog 2018-02-19 19:10:44 UTC (rev 228703)
@@ -1,3 +1,27 @@
+2018-02-19 Daniel Bates <daba...@apple.com>
+
+ Do not block authentication challenge to navigated resources
+ https://bugs.webkit.org/show_bug.cgi?id=182807
+ <rdar://problem/37481619>
+
+ Reviewed by Brent Fulgham.
+
+ Blocking the main resource from asking for credentials depending on how it was
+ navigated to could be confusing to a person and breaks web compatibility. Restore
+ the behavior before r224134.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::receivedFirstData):
+ * loader/ResourceLoader.cpp:
+ (WebCore::ResourceLoader::init):
+ (WebCore::ResourceLoader::willSendRequestInternal):
+ (WebCore::ResourceLoader::didBlockAuthenticationChallenge):
+ (WebCore::ResourceLoader::isAllowedToAskUserForCredentials const):
+ (WebCore::ResourceLoader::isMixedContent const): Deleted.
+ * loader/ResourceLoader.h:
+ (WebCore::ResourceLoader::wasAuthenticationChallengeBlocked const):
+ (WebCore::ResourceLoader::wasInsecureRequestSeen const): Deleted.
+
2018-02-17 Antoine Quint <grao...@apple.com>
[Web Animations] Store all parsed keyframe input information in a single structure
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (228702 => 228703)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2018-02-19 19:10:44 UTC (rev 228703)
@@ -679,10 +679,6 @@
ASSERT(m_frame.document());
auto& document = *m_frame.document();
- auto* mainResourceLoader = documentLoader.mainResourceLoader();
- if (mainResourceLoader && mainResourceLoader->wasAuthenticationChallengeBlocked() && mainResourceLoader->wasInsecureRequestSeen())
- reportAuthenticationChallengeBlocked(&m_frame, document.url(), ASCIILiteral { "it was navigated to from a secure page or went through an insecure redirect" });
-
LinkLoader::loadLinksFromHeader(documentLoader.response().httpHeaderField(HTTPHeaderName::Link), document.url(), document, LinkLoader::MediaAttributeCheck::MediaAttributeEmpty);
double delay;
Modified: trunk/Source/WebCore/loader/ResourceLoader.cpp (228702 => 228703)
--- trunk/Source/WebCore/loader/ResourceLoader.cpp 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/Source/WebCore/loader/ResourceLoader.cpp 2018-02-19 19:10:44 UTC (rev 228703)
@@ -42,7 +42,6 @@
#include "InspectorInstrumentation.h"
#include "LoaderStrategy.h"
#include "MainFrame.h"
-#include "MixedContentChecker.h"
#include "Page.h"
#include "PlatformStrategies.h"
#include "ProgressTracker.h"
@@ -68,7 +67,6 @@
: m_frame { &frame }
, m_documentLoader { frame.loader().activeDocumentLoader() }
, m_defersLoading { options.defersLoadingPolicy == DefersLoadingPolicy::AllowDefersLoading && frame.page()->defersLoading() }
- , m_canAskClientForCredentials { options.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials }
, m_options { options }
{
}
@@ -133,8 +131,6 @@
#endif
m_defersLoading = m_options.defersLoadingPolicy == DefersLoadingPolicy::AllowDefersLoading && m_frame->page()->defersLoading();
- m_canAskClientForCredentials = m_options.clientCredentialPolicy == ClientCredentialPolicy::MayAskClientForCredentials;
- m_wasInsecureRequestSeen = isMixedContent(clientRequest.url());
if (m_options.securityCheck == DoSecurityCheck && !m_frame->document()->securityOrigin().canDisplay(clientRequest.url())) {
FrameLoader::reportLocalLoadFailed(m_frame.get(), clientRequest.url().string());
@@ -331,16 +327,6 @@
return false;
}
-bool ResourceLoader::isMixedContent(const URL& url) const
-{
- if (MixedContentChecker::isMixedContent(m_frame->document()->securityOrigin(), url))
- return true;
- Frame& topFrame = m_frame->tree().top();
- if (&topFrame != m_frame && MixedContentChecker::isMixedContent(topFrame.document()->securityOrigin(), url))
- return true;
- return false;
-}
-
void ResourceLoader::willSendRequestInternal(ResourceRequest&& request, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
{
// Protect this in this delegate method since the additional processing can do
@@ -403,10 +389,6 @@
#endif
bool isRedirect = !redirectResponse.isNull();
-
- if (isMixedContent(m_request.url()) || (isRedirect && isMixedContent(request.url())))
- m_wasInsecureRequestSeen = true;
-
if (isRedirect)
platformStrategies()->loaderStrategy()->crossOriginRedirectReceived(this, request.url());
@@ -471,31 +453,10 @@
void ResourceLoader::didBlockAuthenticationChallenge()
{
m_wasAuthenticationChallengeBlocked = true;
-
- if (!m_canAskClientForCredentials)
+ if (m_options.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials)
return;
-
- if (!shouldAllowResourceToAskForCredentials()) {
- FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request"));
- return;
- }
-
- if (!m_wasInsecureRequestSeen)
- return;
-
- // Comparing the initial request URL and final request URL does not tell us whether a redirect happened or not since
- // a server can serve a redirect to the same URL that was requested. However, this is good enough for our purpose.
- bool wasRedirected = m_request.url() != originalRequest().url();
-
- bool isMixedContent = this->isMixedContent(m_request.url());
- String reason;
- if (isMixedContent && wasRedirected)
- reason = makeString("it is insecure content that was loaded via a redirect from ", originalRequest().url().stringCenterEllipsizedToLength());
- else if (isMixedContent)
- reason = ASCIILiteral { "it is insecure content" };
- else
- reason = makeString("it was loaded via an insecure redirect from ", originalRequest().url().stringCenterEllipsizedToLength());
- FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), reason);
+ ASSERT(!shouldAllowResourceToAskForCredentials());
+ FrameLoader::reportAuthenticationChallengeBlocked(m_frame.get(), m_request.url(), ASCIILiteral("it is a cross-origin request"));
}
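Review bot: The new body asserts `!shouldAllowResourceToAskForCredentials()` and then unconditionally reports "it is a cross-origin request", but isAllowedToAskUserForCredentials (the hunk further down in this file) also returns false when the fetch credentials mode is neither Include nor a same-origin SameOrigin request, a path on which shouldAllowResourceToAskForCredentials() can still be true. If didBlockAuthenticationChallenge is reached on that path — its callers are not visible here — the assertion fires in debug builds and release builds log a reason that does not match why the challenge was actually blocked. Guarding the report on the real condition keeps the console message truthful: `if (!shouldAllowResourceToAskForCredentials())` in front of the reportAuthenticationChallengeBlocked call, with the ASSERT dropped; otherwise a comment stating the caller contract that only cross-origin blocks reach this function would make the assertion defensible.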
void ResourceLoader::didReceiveResponse(const ResourceResponse& r)
@@ -747,12 +708,10 @@
bool ResourceLoader::isAllowedToAskUserForCredentials() const
{
- if (!m_canAskClientForCredentials)
+ if (m_options.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials)
return false;
if (!shouldAllowResourceToAskForCredentials())
return false;
- if (m_wasInsecureRequestSeen)
- return false;
return m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_frame->document()->securityOrigin().canRequest(originalRequest().url()));
}
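Review bot: The removed `m_wasInsecureRequestSeen` gate is the entire behavior change in this function, yet nothing in the remaining code records that mixed-content status is intentionally not consulted when deciding whether a load may prompt for credentials, so a later reader may reintroduce it without seeing the web-compatibility reasoning that lives only in the ChangeLog. A one-line comment above the credentials-mode check would carry that intent: `// Whether the request or a redirect hop was insecure is deliberately not considered here (restores the pre-r224134 behavior).` Separately, the same-origin test at the end compares against `originalRequest().url()` while didBlockAuthenticationChallenge reports `m_request.url()`; that asymmetry predates this change, but it is worth confirming that the pre-redirect URL is the one intended for the SameOrigin credentials decision.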
Modified: trunk/Source/WebCore/loader/ResourceLoader.h (228702 => 228703)
--- trunk/Source/WebCore/loader/ResourceLoader.h 2018-02-19 19:06:25 UTC (rev 228702)
+++ trunk/Source/WebCore/loader/ResourceLoader.h 2018-02-19 19:10:44 UTC (rev 228703)
@@ -90,7 +90,6 @@
unsigned long identifier() const { return m_identifier; }
bool wasAuthenticationChallengeBlocked() const { return m_wasAuthenticationChallengeBlocked; }
- bool wasInsecureRequestSeen() const { return m_wasInsecureRequestSeen; }
virtual void releaseResources();
const ResourceResponse& response() const { return m_response; }
@@ -154,8 +153,6 @@
protected:
ResourceLoader(Frame&, ResourceLoaderOptions);
- bool isMixedContent(const URL&) const;
-
void didFinishLoadingOnePart(const NetworkLoadMetrics&);
void cleanupForError(const ResourceError&);
@@ -231,8 +228,6 @@
CancellationStatus m_cancellationStatus { NotCancelled };
bool m_defersLoading;
- bool m_canAskClientForCredentials;
- bool m_wasInsecureRequestSeen { false };
bool m_wasAuthenticationChallengeBlocked { false };
ResourceRequest m_deferredRequest;
ResourceLoaderOptions m_options;