Diff
Modified: trunk/LayoutTests/ChangeLog (203942 => 203943)
--- trunk/LayoutTests/ChangeLog 2016-07-30 14:16:37 UTC (rev 203942)
+++ trunk/LayoutTests/ChangeLog 2016-07-30 19:27:09 UTC (rev 203943)
@@ -1,3 +1,15 @@
+2016-07-30 Youenn Fablet <[email protected]>
+
+ Synchronous preflight should check for successful responses
+ https://bugs.webkit.org/show_bug.cgi?id=159350
+
+ Reviewed by Darin Adler.
+
+ * http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt: Added.
+ * http/tests/xmlhttprequest/access-control-preflight-not-successful.html: Added, not all tests are passing as CORS checks.
+ for redirections are not well supported for synchronous loading.
+ * http/tests/xmlhttprequest/resources/status-404-without-body.php:
+
2016-07-30 Chris Dumez <[email protected]>
[WebIDL] Enable strict type checking for operations' nullable parameters of wrapper types
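Review bot: The entry for http/tests/xmlhttprequest/resources/status-404-without-body.php is left empty, and the note on access-control-preflight-not-successful.html is broken by a stray period ("...as CORS checks." followed by "for redirections are not well supported..."). State that the resource now sends Access-Control-Allow-Origin: *, and join the sentence so the known synchronous-redirect failure reads as one statement, ideally with a bug reference for it.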
Added: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt (0 => 203943)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful-expected.txt 2016-07-30 19:27:09 UTC (rev 203943)
@@ -0,0 +1,33 @@
+CONSOLE MESSAGE: line 26: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url="" Cross-origin redirection denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: line 26: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url="" Preflight response is not successful
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url="" Preflight response is not successful
+CONSOLE MESSAGE: line 26: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php. Preflight response is not successful
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php. Preflight response is not successful
+Tests that not successful preflight responses make preflight failing
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url="" (sync)
+Expecting success: true
+FAIL: NetworkError (DOM Exception 19): A network error occurred.
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url=""
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url="" (sync)
+Expecting success: false
+PASS: NetworkError (DOM Exception 19): A network error occurred.
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url=""
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php (sync)
+Expecting success: true
+PASS:
+Testing http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php(async)
+Expecting success: true
+PASS:
+Testing http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php (sync)
+Expecting success: false
+PASS: NetworkError (DOM Exception 19): A network error occurred.
+Testing http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php(async)
+Expecting success: false
+PASS: 0
+
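Review bot: The baseline records a failing case as expected output: the first synchronous run prints "Expecting success: true" followed by "FAIL: NetworkError (DOM Exception 19): A network error occurred." Because this file is what the test is compared against, a later change to that case shows up only as a text diff with no hint that the FAIL was a known gap. Mark the case in the test source with a FIXME and a bug reference so the FAIL line is traceable to the limitation described in the ChangeLog.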
Added: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful.html (0 => 203943)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful.html (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-not-successful.html 2016-07-30 19:27:09 UTC (rev 203943)
@@ -0,0 +1,74 @@
+<p>Tests that not successful preflight responses make preflight failing</p>
+
+<pre id="console"></pre>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + '\n'));
+}
+
+function runTest(url, expectSyncSuccess, expectAsyncSuccess, triggerPreflight)
+{
+ log("Testing " + url + " (sync)");
+ log("Expecting success: " + expectSyncSuccess);
+
+ var req = new XMLHttpRequest();
+ req.open("GET", url, false);
+ if (triggerPreflight)
+ req.setRequestHeader("x-webkit", "foo");
+
+ try {
+ req.send(null);
+ log((expectSyncSuccess ? "PASS" : "FAIL") + ": " + req.responseText);
+ } catch (ex) {
+ log((expectSyncSuccess ? "FAIL" : "PASS") + ": " + ex);
+ }
+
+ log("Testing " + url + "(async)");
+ log("Expecting success: " + expectAsyncSuccess);
+
+ req = new XMLHttpRequest();
+ req.open("GET", url, true);
+ if (triggerPreflight)
+ req.setRequestHeader("x-webkit", "foo");
+
+ req._onload_ = function() {
+ log((expectAsyncSuccess ? "PASS" : "FAIL") + ": " + req.responseText);
+ nextTest();
+ }
+ req._onerror_ = function() {
+ log((expectAsyncSuccess ? "FAIL" : "PASS") + ": " + req.status);
+ nextTest();
+ }
+ req.send(null);
+}
+
+var tests = [
+ // No preflight, hence ok
+ ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url=""
+ true, true, false],
+ // Preflight receiving redirection hence failing at preflight step, which should be shown by console log message.
+ ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&access-control-allow-headers=x-webkit&access-control-allow-origin=*&url=""
+ false, false, true],
+ // Receiving a 404, no preflight, hence ok
+ ["http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php", true, true, false],
+ // Receiving a 404 as preflight response, hence ko at preflight step, which should be shown by console log message.
+ ["http://localhost:8000/xmlhttprequest/resources/status-404-without-body.php", false, false, true],
+]
+
+var currentTest = 0;
+
+function nextTest() {
+ if (currentTest < tests.length)
+ runTest.apply(null, tests[currentTest++]);
+ else if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+nextTest();
+</script>
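Review bot: runTest() never logs triggerPreflight, so the first two cases print identical "Testing ..." lines with opposite expectations, and the same happens for the two 404 cases; a reader of the expected output cannot tell which run sent the x-webkit header. Log the flag next to "Expecting success", for example log("Preflight: " + triggerPreflight). Two smaller points: "(async)" is appended without the leading space used for " (sync)", and as rendered here the handlers are assigned to req._onload_ and req._onerror_, which XMLHttpRequest does not fire; the expected output does show async results, so please confirm the committed file uses onload and onerror, otherwise nextTest() is never reached after the first case.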
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/resources/status-404-without-body.php (203942 => 203943)
--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/status-404-without-body.php 2016-07-30 14:16:37 UTC (rev 203942)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/status-404-without-body.php 2016-07-30 19:27:09 UTC (rev 203943)
@@ -1,4 +1,5 @@
<?php
header('http/1.1 404 Not Found');
+ header("Access-Control-Allow-Origin: *");
exit();
?>
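Review bot: The added header("Access-Control-Allow-Origin: *") is not enough to isolate the status check in the preflighted 404 case, because the test sends an x-webkit request header and this response carries no Access-Control-Allow-Headers. A preflight validator that ignored the status code would still reject the request on the header check, so the "Expecting success: false" result line would pass without the fix and only the console message tells the two apart. Consider also sending Access-Control-Allow-Headers: x-webkit so the 404 is the only reason the preflight can fail. This is also an existing shared resource, so check that other tests loading it do not depend on the response lacking CORS headers.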
Modified: trunk/Source/WebCore/ChangeLog (203942 => 203943)
--- trunk/Source/WebCore/ChangeLog 2016-07-30 14:16:37 UTC (rev 203942)
+++ trunk/Source/WebCore/ChangeLog 2016-07-30 19:27:09 UTC (rev 203943)
@@ -1,3 +1,16 @@
+2016-07-30 Youenn Fablet <[email protected]>
+
+ Synchronous preflight should check for successful responses
+ https://bugs.webkit.org/show_bug.cgi?id=159350
+
+ Reviewed by Darin Adler.
+
+ Test: http/tests/xmlhttprequest/access-control-preflight-not-successful.html
+
+ * loader/CrossOriginPreflightChecker.cpp:
+ (WebCore::CrossOriginPreflightChecker::doPreflight): Adding successful response check for synchronous
+ preflighting.
+
2016-07-30 Chris Dumez <[email protected]>
[WebIDL] Enable strict type checking for operations' nullable parameters of wrapper types
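Review bot: The doPreflight entry mentions only the "successful response check", but the code change also rejects a synchronous preflight whose response URL differs from the request URL. That redirect check is a behaviour change in CORS enforcement and should be named in the entry, together with the fact that it relies on a URL comparison rather than a redirect flag.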
Modified: trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp (203942 => 203943)
--- trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-07-30 14:16:37 UTC (rev 203942)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2016-07-30 19:27:09 UTC (rev 203943)
@@ -132,11 +132,20 @@
RefPtr<SharedBuffer> data;
unsigned identifier = loader.document().frame()->loader().loadResourceSynchronously(preflightRequest, DoNotAllowStoredCredentials, ClientCredentialPolicy::CannotAskClientForCredentials, error, response, data);
+ // FIXME: Investigate why checking for response httpStatusCode here. In particular, can we have a not-null error and a 2XX response.
if (!error.isNull() && response.httpStatusCode() <= 0) {
error.setType(ResourceError::Type::AccessControl);
loader.preflightFailure(identifier, error);
return;
}
+
+ // FIXME: Ideally, we should ask platformLoadResourceSynchronously to set ResourceResponse isRedirected and use it here.
+ bool isRedirect = preflightRequest.url().strippedForUseAsReferrer() != response.url().strippedForUseAsReferrer();
+ if (isRedirect || !response.isSuccessful()) {
+ loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), ASCIILiteral("Preflight response is not successful"), ResourceError::Type::AccessControl));
+ return;
+ }
+
validatePreflightResponse(loader, WTFMove(request), identifier, response);
}
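Review bot: isRedirect is inferred by comparing preflightRequest.url().strippedForUseAsReferrer() with response.url().strippedForUseAsReferrer(), so a redirect chain that ends on the same stripped URL is not detected, and a platform loader that leaves response.url() unset would be reported as a redirect. The FIXME acknowledges the first half; it would help to note the second case too, or to guard on an empty response URL. Separately, the earlier branch still lets a non-null error with a positive httpStatusCode() fall through, and a 2XX response in that state now reaches validatePreflightResponse(); the new FIXME asks the question but the code does not fail closed on it. Finally, redirect and non-2XX failures share the one message "Preflight response is not successful"; a distinct message for the redirect case would make the console output in the new test easier to interpret.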