Skip to site navigation (Press enter)

[webkit-changes] [202466] trunk

jer . noble Fri, 24 Jun 2016 17:46:59 -0700

Title: [202466] trunk

Revision: 202466
Author: [email protected]
Date: 2016-06-24 17:46:26 -0700 (Fri, 24 Jun 2016)

Log Message

Consider exposing or hiding knowledge of a redirect from clients of WebCoreNSURLSession
https://bugs.webkit.org/show_bug.cgi?id=156722
<rdar://problem/25780035>


Reviewed by Alex Christensen.

Source/WebCore:

Fixes tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html
             http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html

When receieving a NSURLResponse containing a redirected URL, AVFoundadtion will use the
URL in the response for subsequent requests. This violates the HTTP specification if the
redirect was temporary, and it also breaks two CSP tests by bypassing the redirect step
for subsequent requests.

Work around this behavior in AVFoundation by recreating the NSURLResponse with the original
request URL in the case of a temporary redirect.

* platform/network/cocoa/WebCoreNSURLSession.mm:
(-[WebCoreNSURLSessionDataTask resource:receivedResponse:]):
(-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:]):

LayoutTests:

Un-skip http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html &
http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html.

* platform/mac/TestExpectations:

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/platform/mac/TestExpectations
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm

Diff

Modified: trunk/LayoutTests/ChangeLog (202465 => 202466)


--- trunk/LayoutTests/ChangeLog	2016-06-25 00:40:38 UTC (rev 202465)
+++ trunk/LayoutTests/ChangeLog	2016-06-25 00:46:26 UTC (rev 202466)
@@ -1,3 +1,16 @@
+2016-06-24  Jer Noble  <[email protected]>
+
+        Consider exposing or hiding knowledge of a redirect from clients of WebCoreNSURLSession
+        https://bugs.webkit.org/show_bug.cgi?id=156722
+        <rdar://problem/25780035>
+
+        Reviewed by Alex Christensen.
+
+        Un-skip http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html & 
+        http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html.
+
+        * platform/mac/TestExpectations:
+
 2016-06-24  Mark Lam  <[email protected]>
 
         [JSC] Error prototypes are called on remote scripts.

Modified: trunk/LayoutTests/platform/mac/TestExpectations (202465 => 202466)


--- trunk/LayoutTests/platform/mac/TestExpectations	2016-06-25 00:40:38 UTC (rev 202465)
+++ trunk/LayoutTests/platform/mac/TestExpectations	2016-06-25 00:46:26 UTC (rev 202466)
@@ -1404,10 +1404,6 @@
 [ Sierra+ ] http/tests/security/anchor-download-allow-sameorigin.html [ Skip ]
 [ Sierra+ ] http/tests/security/anchor-download-allow-blob.html [ Skip ]
 
-# <rdar://problem/25780035> CSP does not ignore paths for media redirects
-[ Sierra+ ] http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html [ Skip ]
-[ Sierra+ ] http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html [ Skip ]
-
 # <rdar://problem/26590623> LayoutTest http/tests/preload/single_download_preload_runner.html failing
 [ Sierra+ ] http/tests/preload/single_download_preload_runner.html [ Pass Failure ]

Modified: trunk/Source/WebCore/ChangeLog (202465 => 202466)


--- trunk/Source/WebCore/ChangeLog	2016-06-25 00:40:38 UTC (rev 202465)
+++ trunk/Source/WebCore/ChangeLog	2016-06-25 00:46:26 UTC (rev 202466)
@@ -1,5 +1,28 @@
 2016-06-24  Jer Noble  <[email protected]>
 
+        Consider exposing or hiding knowledge of a redirect from clients of WebCoreNSURLSession
+        https://bugs.webkit.org/show_bug.cgi?id=156722
+        <rdar://problem/25780035>
+
+        Reviewed by Alex Christensen.
+
+        Fixes tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html
+                     http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html
+
+        When receieving a NSURLResponse containing a redirected URL, AVFoundadtion will use the
+        URL in the response for subsequent requests. This violates the HTTP specification if the
+        redirect was temporary, and it also breaks two CSP tests by bypassing the redirect step
+        for subsequent requests.
+
+        Work around this behavior in AVFoundation by recreating the NSURLResponse with the original
+        request URL in the case of a temporary redirect.
+
+        * platform/network/cocoa/WebCoreNSURLSession.mm:
+        (-[WebCoreNSURLSessionDataTask resource:receivedResponse:]):
+        (-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:]):
+
+2016-06-24  Jer Noble  <[email protected]>
+
         MSE gets confused by in-band text tracks
         https://bugs.webkit.org/show_bug.cgi?id=159107
         <rdar://problem/26871330>

Modified: trunk/Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm (202465 => 202466)


--- trunk/Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm	2016-06-25 00:40:38 UTC (rev 202465)
+++ trunk/Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm	2016-06-25 00:46:26 UTC (rev 202466)
@@ -527,6 +527,18 @@
     self.countOfBytesExpectedToReceive = response.expectedContentLength();
     [self _setDefersLoading:YES];
     RetainPtr<NSURLResponse> strongResponse { response.nsURLResponse() };
+
+    if (response.url() != URL(self.currentRequest.URL)) {
+        // FIXME(<rdar://problem/27000361>):
+        // Work around a bug in CoreMedia: CM will pull the URL out of the ResourceResponse
+        // and use that URL for all future requests for the same piece of media. This breaks
+        // certain features of CORS, as well as being against the HTTP spec in the case of
+        // non-permanent redirects.
+        auto responseData = response.crossThreadData();
+        responseData.url = ""
+        strongResponse = ResourceResponseBase::fromCrossThreadData(WTFMove(responseData)).nsURLResponse();
+    }
+
     RetainPtr<WebCoreNSURLSessionDataTask> strongSelf { self };
     [self.session addDelegateOperation:[strongSelf, strongResponse] {
         strongSelf->_response = strongResponse.get();
@@ -590,6 +602,12 @@
     // delegate handles the callback and responds via a completion handler. If, in
     // the future, the ResourceLoader exposes a callback-based willSendResponse
     // API, this can be implemented.
+
+    // FIXME(<rdar://problem/27000361>):
+    // Do not update the current request if the redirect is temporary; use this
+    // current request during responseReceieved: to work around a CoreMedia bug.
+    if (response.httpStatusCode() != 302 && response.httpStatusCode() != 307)
+        self.currentRequest = [NSURLRequest requestWithURL:request.url()];
 }
 
 - (void)_resource:(PlatformMediaResource&)resource loadFinishedWithError:(NSError *)error

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes