Diff
Modified: trunk/LayoutTests/ChangeLog (202479 => 202480)
--- trunk/LayoutTests/ChangeLog 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/ChangeLog 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,3 +1,16 @@
+2016-06-27 Youenn Fablet <[email protected]>
+
+ Remove didFailRedirectCheck ThreadableLoaderClient callback
+ https://bugs.webkit.org/show_bug.cgi?id=159085
+
+ Reviewed by Daniel Bates.
+
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+
2016-06-26 Chris Dumez <[email protected]>
Regression: HTMLOptionsCollection's named properties have precedence over indexed properties
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (202479 => 202480)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,4 +1,5 @@
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" Cross-origin redirection denied by Content Security Policy.
PASS EventSource() did not follow the disallowed redirect.
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (202479 => 202480)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,4 +1,5 @@
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" Cross-origin redirection denied by Content Security Policy.
PASS XMLHttpRequest.send() did not follow the disallowed redirect.
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (202479 => 202480)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" Cross-origin redirection denied by Content Security Policy.
This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
PASS threw exception Error: NetworkError: DOM Exception 19.
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (202479 => 202480)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,4 +1,9 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*. Preflight response is not successful
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=*&%20%20access-control-allow-headers=x-webkit. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" without credentials
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (202479 => 202480)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,3 +1,6 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
Tests that redirects between origins are never allowed, even when access control is involved.
Per the spec, these test cases should be allowed, but cross-origin redirects are currently unsupported in WebCore.
Modified: trunk/Source/WebCore/ChangeLog (202479 => 202480)
--- trunk/Source/WebCore/ChangeLog 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/ChangeLog 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1,3 +1,34 @@
+2016-06-27 Youenn Fablet <[email protected]>
+
+ Remove didFailRedirectCheck ThreadableLoaderClient callback
+ https://bugs.webkit.org/show_bug.cgi?id=159085
+
+ Reviewed by Daniel Bates.
+
+ Removing didFailRedirectCheck and using didFailAccessControlCheck instead.
+ The change in behavior is that additional error messages are outputted in the console.
+ These messages give additional debugging information.
+
+ Covered by rebased tests.
+
+ * Modules/fetch/FetchLoader.cpp: Removing didFailRedirectCheck.
+ * Modules/fetch/FetchLoader.h: Ditto.
+ * inspector/InspectorNetworkAgent.cpp: Ditto.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived): Calling didFailAccessControlCheck with information on failing
+ URL.
+ (WebCore::DocumentThreadableLoader::loadRequest): Ditto.
+ * loader/ThreadableLoaderClient.h: Removing didFailRedirectCheck.
+ * loader/ThreadableLoaderClientWrapper.h: Ditto.
+ * loader/WorkerThreadableLoader.cpp: Ditto.
+ * loader/WorkerThreadableLoader.h: Ditto.
+ * page/EventSource.cpp: Ditto.
+ * page/EventSource.h: Ditto.
+ * workers/WorkerScriptLoader.cpp: Ditto.
+ * workers/WorkerScriptLoader.h: Ditto.
+ * xml/XMLHttpRequest.cpp: Ditto.
+ * xml/XMLHttpRequest.h: Ditto.
+
2016-06-26 Gyuyoung Kim <[email protected]>
[EFL] Fix build warning when using geoclue2
Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (202479 => 202480)
--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -144,11 +144,6 @@
m_client.didFail();
}
-void FetchLoader::didFailRedirectCheck()
-{
- m_client.didFail();
-}
-
} // namespace WebCore
#endif // ENABLE(FETCH_API)
Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.h (202479 => 202480)
--- trunk/Source/WebCore/Modules/fetch/FetchLoader.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -62,7 +62,6 @@
void didReceiveData(const char*, int) final;
void didFinishLoading(unsigned long, double) final;
void didFail(const ResourceError&) final;
- void didFailRedirectCheck() final;
Type type() const { return m_type; }
Modified: trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp (202479 => 202480)
--- trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -128,9 +128,9 @@
dispose();
}
- void didFailRedirectCheck() override
+ void didFailAccessControlCheck(const ResourceError&) final
{
- m_callback->sendFailure(ASCIILiteral("Loading resource for inspector failed redirect check"));
+ m_callback->sendFailure(ASCIILiteral("Loading resource for inspector failed access control check"));
dispose();
}
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (202479 => 202480)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -192,6 +192,16 @@
m_preflightChecker = Nullopt;
}
+static inline void reportContentSecurityPolicyError(ThreadableLoaderClient& client, const URL& url)
+{
+ client.didFailAccessControlCheck(ResourceError(errorDomainWebKitInternal, 0, url, "Cross-origin redirection denied by Content Security Policy."));
+}
+
+static inline void reportCrossOriginResourceSharingError(ThreadableLoaderClient& client, const URL& url)
+{
+ client.didFailAccessControlCheck(ResourceError(errorDomainWebKitInternal, 0, url, "Cross-origin redirection denied by Cross-Origin Resource Sharing policy."));
+}
+
void DocumentThreadableLoader::redirectReceived(CachedResource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse)
{
ASSERT(m_client);
@@ -199,7 +209,7 @@
Ref<DocumentThreadableLoader> protectedThis(*this);
if (!isAllowedByContentSecurityPolicy(request.url(), !redirectResponse.isNull())) {
- m_client->didFailRedirectCheck();
+ reportContentSecurityPolicyError(*m_client, redirectResponse.url());
request = ResourceRequest();
return;
}
@@ -245,7 +255,7 @@
}
}
- m_client->didFailRedirectCheck();
+ reportCrossOriginResourceSharingError(*m_client, redirectResponse.url());
request = ResourceRequest();
}
@@ -381,9 +391,15 @@
// request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
// requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
bool didRedirect = requestURL != response.url();
- if (didRedirect && (!isAllowedByContentSecurityPolicy(response.url(), didRedirect) || !isAllowedRedirect(response.url()))) {
- m_client->didFailRedirectCheck();
- return;
+ if (didRedirect) {
+ if (!isAllowedByContentSecurityPolicy(response.url(), didRedirect)) {
+ reportContentSecurityPolicyError(*m_client, requestURL);
+ return;
+ }
+ if (!isAllowedRedirect(response.url())) {
+ reportCrossOriginResourceSharingError(*m_client, requestURL);
+ return;
+ }
}
didReceiveResponse(identifier, response);
Modified: trunk/Source/WebCore/loader/ThreadableLoaderClient.h (202479 => 202480)
--- trunk/Source/WebCore/loader/ThreadableLoaderClient.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/loader/ThreadableLoaderClient.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -47,7 +47,6 @@
virtual void didFinishLoading(unsigned long /*identifier*/, double /*finishTime*/) { }
virtual void didFail(const ResourceError&) { }
virtual void didFailAccessControlCheck(const ResourceError& error) { didFail(error); }
- virtual void didFailRedirectCheck() { }
protected:
ThreadableLoaderClient() { }
Modified: trunk/Source/WebCore/loader/ThreadableLoaderClientWrapper.h (202479 => 202480)
--- trunk/Source/WebCore/loader/ThreadableLoaderClientWrapper.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/loader/ThreadableLoaderClientWrapper.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -95,13 +95,6 @@
m_client->didFailAccessControlCheck(error);
}
- void didFailRedirectCheck()
- {
- m_done = true;
- if (m_client)
- m_client->didFailRedirectCheck();
- }
-
void didReceiveAuthenticationCancellation(unsigned long identifier, const ResourceResponse& response)
{
if (m_client)
Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp (202479 => 202480)
--- trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -206,14 +206,4 @@
}, m_taskMode);
}
-void WorkerThreadableLoader::MainThreadBridge::didFailRedirectCheck()
-{
- m_loadingFinished = true;
- Ref<ThreadableLoaderClientWrapper> protectedWorkerClientWrapper = *m_workerClientWrapper;
- m_loaderProxy.postTaskForModeToWorkerGlobalScope([protectedWorkerClientWrapper = WTFMove(protectedWorkerClientWrapper)] (ScriptExecutionContext& context) mutable {
- ASSERT_UNUSED(context, context.isWorkerGlobalScope());
- protectedWorkerClientWrapper->didFailRedirectCheck();
- }, m_taskMode);
-}
-
} // namespace WebCore
Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.h (202479 => 202480)
--- trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -105,7 +105,6 @@
void didFinishLoading(unsigned long identifier, double finishTime) override;
void didFail(const ResourceError&) override;
void didFailAccessControlCheck(const ResourceError&) override;
- void didFailRedirectCheck() override;
// Only to be used on the main thread.
RefPtr<ThreadableLoader> m_mainThreadLoader;
Modified: trunk/Source/WebCore/page/EventSource.cpp (202479 => 202480)
--- trunk/Source/WebCore/page/EventSource.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/page/EventSource.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -261,11 +261,6 @@
abortConnectionAttempt();
}
-void EventSource::didFailRedirectCheck()
-{
- abortConnectionAttempt();
-}
-
void EventSource::abortConnectionAttempt()
{
ASSERT(m_state == CONNECTING);
Modified: trunk/Source/WebCore/page/EventSource.h (202479 => 202480)
--- trunk/Source/WebCore/page/EventSource.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/page/EventSource.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -82,7 +82,6 @@
void didFinishLoading(unsigned long, double) final;
void didFail(const ResourceError&) final;
void didFailAccessControlCheck(const ResourceError&) final;
- void didFailRedirectCheck() final;
void stop() final;
const char* activeDOMObjectName() const final;
Modified: trunk/Source/WebCore/workers/WorkerScriptLoader.cpp (202479 => 202480)
--- trunk/Source/WebCore/workers/WorkerScriptLoader.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/workers/WorkerScriptLoader.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -161,11 +161,6 @@
notifyError();
}
-void WorkerScriptLoader::didFailRedirectCheck()
-{
- notifyError();
-}
-
void WorkerScriptLoader::notifyError()
{
m_failed = true;
Modified: trunk/Source/WebCore/workers/WorkerScriptLoader.h (202479 => 202480)
--- trunk/Source/WebCore/workers/WorkerScriptLoader.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/workers/WorkerScriptLoader.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -69,7 +69,6 @@
void didReceiveData(const char* data, int dataLength) override;
void didFinishLoading(unsigned long identifier, double) override;
void didFail(const ResourceError&) override;
- void didFailRedirectCheck() override;
private:
friend class WTF::RefCounted<WorkerScriptLoader>;
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (202479 => 202480)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-06-27 08:28:30 UTC (rev 202480)
@@ -1038,11 +1038,6 @@
networkError();
}
-void XMLHttpRequest::didFailRedirectCheck()
-{
- networkError();
-}
-
void XMLHttpRequest::didFinishLoading(unsigned long identifier, double)
{
if (m_error)
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.h (202479 => 202480)
--- trunk/Source/WebCore/xml/XMLHttpRequest.h 2016-06-27 05:10:05 UTC (rev 202479)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.h 2016-06-27 08:28:30 UTC (rev 202480)
@@ -151,7 +151,6 @@
void didReceiveData(const char* data, int dataLength) override;
void didFinishLoading(unsigned long identifier, double finishTime) override;
void didFail(const ResourceError&) override;
- void didFailRedirectCheck() override;
bool responseIsXML() const;
